Malware Analysis Report

2025-05-28 16:27

Sample ID 230714-lynncsdb22
Target Onetap CS GO HACK.rar
SHA256 ee3ff39ca8758381c9005d3a8861c167aafcf33d681a86ed29569508b9456a37
Tags
agilenet themida xmrig evasion miner trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ee3ff39ca8758381c9005d3a8861c167aafcf33d681a86ed29569508b9456a37

Threat Level: Known bad

The file Onetap CS GO HACK.rar was found to be: Known bad.

Malicious Activity Summary

agilenet themida xmrig evasion miner trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-07-14 09:56

Signatures

Obfuscated with Agile.Net obfuscator

agilenet

Themida packer

themida

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 09:56

Reported

2023-07-14 09:58

Platform

win10-20230703-en

Max time kernel

105s

Max time network

111s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4196 created 3252 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\Explorer.EXE
PID 4076 created 3252 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\Explorer.EXE

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A

XMRig Miner payload

miner

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4196 set thread context of 316 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 328 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
PID 328 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
PID 4240 wrote to memory of 4440 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4240 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4240 wrote to memory of 3428 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4240 wrote to memory of 3472 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4196 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\explorer.exe
PID 3420 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
PID 3420 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
PID 4936 wrote to memory of 1200 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4936 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4936 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4936 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\onetap.exe

"C:\Users\Admin\AppData\Local\Temp\onetap.exe"

C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe

"C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"

C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe

"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 536

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\onetap.exe

"C:\Users\Admin\AppData\Local\Temp\onetap.exe"

C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe

"C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"

C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe

"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 128

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:443 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 80.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe

MD5 e90fae32382eb76fa61f8af25cb08403
SHA1 cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f
SHA256 ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66
SHA512 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a

C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe

MD5 5478e8d1f4b167b894193583c24673a4
SHA1 fdd50bb3d379e3a54061caff7f5f15706c763179
SHA256 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a
SHA512 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6

C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 09:56

Reported

2023-07-14 09:59

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3024 created 3240 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\Explorer.EXE

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A

XMRig Miner payload

miner

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3024 set thread context of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe
PID 3652 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\onetap.exe C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe
PID 2156 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2156 wrote to memory of 784 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2156 wrote to memory of 1436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3024 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe C:\Windows\explorer.exe
PID 2156 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\onetap.exe

"C:\Users\Admin\AppData\Local\Temp\onetap.exe"

C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe

"C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe"

C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe

"C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4112 -ip 4112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 152

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:443 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
DE 2.16.241.76:443 assets.msn.com tcp
US 8.8.8.8:53 76.241.16.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/3652-133-0x0000000000730000-0x0000000001A18000-memory.dmp

memory/3652-134-0x0000000077EB4000-0x0000000077EB6000-memory.dmp

memory/3652-135-0x0000000000730000-0x0000000001A18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@myagkiy_protected.exe

MD5 e90fae32382eb76fa61f8af25cb08403
SHA1 cf6762b5ce07b55d4ab2ae663458ea26fb5ddb0f
SHA256 ef47509edc8c5231c49701377fd83ea19125f1dc2eeb08ccef7fb58ff8c32c66
SHA512 36f24d11a497ac7c1b618c8c9ba38c75c52f97f4f994657aab89db4aa5dbb184f0695680c6f56bf329f6fc1e73556e259f55b9e988fb3b05ecaf834d703a698a

memory/4112-146-0x0000000000400000-0x0000000000BA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cryptpls_protected.exe

MD5 5478e8d1f4b167b894193583c24673a4
SHA1 fdd50bb3d379e3a54061caff7f5f15706c763179
SHA256 7cebddc53d178955b1cf3d0428bac2650d50132f42cefc83749e1387b7742d1a
SHA512 2b2ca6316629dc870cb7a17cd42de10f2ecb57cd867c4eba9256026ae8f700f796e8c3d9ae4465731dcad1a800031db9bc9a4a3b3bb1d547701678f0b67163d6
