Malware Analysis Report

2025-01-22 14:03

Sample ID 240224-cp45bafc3z
Target 05e8c507d40aa6d05720a1f6bdf7f52e.exe
SHA256 ffceb132ec57dd0f810dc46054662db58a25cfc0e7960d2d865a0bc60fb1c405
Tags
agenttesla zgrat njrat hacked evasion keylogger persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ffceb132ec57dd0f810dc46054662db58a25cfc0e7960d2d865a0bc60fb1c405

Threat Level: Known bad

The file 05e8c507d40aa6d05720a1f6bdf7f52e.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla zgrat njrat hacked evasion keylogger persistence rat spyware stealer trojan

Detect ZGRat V1

Agenttesla family

Zgrat family

ZGRat

njRAT/Bladabindi

AgentTesla payload

AgentTesla

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Kills process with taskkill

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 02:16

Signatures

AgentTesla payload

(no indicator details recorded)

Agenttesla family

agenttesla

Detect ZGRat V1

(no indicator details recorded)

Zgrat family

zgrat

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 02:16

Reported

2024-02-24 02:18

Platform

win7-20240215-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

(5 hits, no indicator details recorded)

ZGRat

rat zgrat

njRAT/Bladabindi

trojan njrat

AgentTesla payload

(6 hits, no indicator details recorded)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | N/A

Suspicious use of WriteProcessMemory

Parent PID | Child PID | Parent image | Child image | Calls (WriteProcessMemory events logged for the pair)
764 | 2380 | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | 3
764 | 2544 | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | 3
764 | 2556 | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | 4
2380 | 2588 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | 3
2588 | 2036 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | 3
2036 | 672 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | 3
672 | 2128 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | C:\Windows\system32\netsh.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe

"C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

"C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"

C:\Windows\system32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | proxy-cheap.blogspot.com | udp | 1
GB | 142.250.187.225:443 | proxy-cheap.blogspot.com | tcp | 1
US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp | 1
US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp | 3
US | 8.8.8.8:53 | pcpanel.hackcrack.io | udp | 1
US | 147.185.221.18:32544 | pcpanel.hackcrack.io | tcp | 11

Files

memory/764-0-0x0000000000360000-0x00000000006D6000-memory.dmp

memory/764-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ee76425b767c9ab812a53c133b8363f8
SHA1 1daa4700a5f1849eb7e810986ac24bd58786da61
SHA256 f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747
SHA512 004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

MD5 6e916f0cd1ac95cc15fabd7bb03f63e4
SHA1 db7798128559847181b9d1f5c12630ddd98b7cb4
SHA256 4c7bf38fa20dde78f0ef32674d6f8c3e4f2f34404e569f5dcf8be148797d77b3
SHA512 fb5b3a2f81261ae8baa559d0394bad394d61dc5587d5b1a80adcde576f8ff9f0ce110d6c3c92dd02a8fb71ff18c63962451755c6b90039afb827df4732e05800

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

MD5 da3725bb70ed56821687eaf2cba15c78
SHA1 f557e7e8693d969735d32f99c8f42d5ba01d1fae
SHA256 e3e6d51994bc22985115fbe9a4a3e05da5a28cd3e516847d64eba894158b37d9
SHA512 588b3d9037bf45c63d70d8f1ca60fe37f580f794fa440201ce6af2c2ebfc7bfe87de9d0439a93499db01254d643214a0a3b18442b06c573588a12b27fb0a8613

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

MD5 1fcf21d204fe08aa3e82cd5c7f6935b9
SHA1 6c40be116f8b7a63d5d6365b4e13b1e523bd3002
SHA256 8dc48ac87178f7ad37d1cd9a79a3ce686ac8ca6e7b3ad3ee75bdc306c0a6c6aa
SHA512 3eed29657fc7074a8bb76f2dedabef77fe9dd0438fe9bda15854a525726d38f64490229017222540eb59d15616987a672537b7510f693c65617bfd23afe1d7df

memory/2544-19-0x0000000000150000-0x000000000017A000-memory.dmp

memory/2380-18-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2544-20-0x000000001A850000-0x000000001A8D0000-memory.dmp

memory/2380-13-0x0000000000DC0000-0x0000000000E38000-memory.dmp

memory/2556-21-0x0000000001260000-0x0000000001556000-memory.dmp

memory/764-23-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2544-24-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2556-31-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/2380-32-0x000000001B060000-0x000000001B0E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 f36e535fdc82208fca08acfa44f790c6
SHA1 a3cc1aa7d614094faebada2aed1e6c519bd18c94
SHA256 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc
SHA512 631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

memory/2588-38-0x0000000000240000-0x0000000000248000-memory.dmp

memory/2588-37-0x0000000000D40000-0x0000000000D96000-memory.dmp

memory/2588-40-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2588-39-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2380-41-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2556-42-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2556-43-0x0000000005020000-0x0000000005216000-memory.dmp

memory/2556-45-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2556-48-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2556-49-0x0000000009010000-0x00000000090C0000-memory.dmp

memory/2556-44-0x0000000000B00000-0x0000000000B1A000-memory.dmp

memory/2556-50-0x0000000074BB0000-0x000000007529E000-memory.dmp

memory/2588-51-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2588-52-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2556-53-0x0000000004D00000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 a9b0d84f4872b4352371e33a973cfdda
SHA1 6a2f976500c939987ed0427a5c7c88103e79471a
SHA256 937c2943f9773d84a1ad3540115abe9447c74085a08f1c5f5ec19c5d6145b1bb
SHA512 f56ef1f698c8bfd8e047f19b1e5da6dc1fb8f07e441bc2efebda2beb6f63725e385ee28946baa0841cad007288fd8524c799504708bce880e2358bdac2505662

memory/2588-64-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2036-65-0x000007FEEF670000-0x000007FEF000D000-memory.dmp

memory/2036-67-0x0000000000360000-0x000000000036C000-memory.dmp

memory/2036-66-0x00000000009F0000-0x0000000000A70000-memory.dmp

memory/2036-68-0x000007FEEF670000-0x000007FEF000D000-memory.dmp

memory/672-76-0x0000000001F30000-0x0000000001FB0000-memory.dmp

memory/2036-75-0x000007FEEF670000-0x000007FEF000D000-memory.dmp

memory/672-74-0x000007FEEF670000-0x000007FEF000D000-memory.dmp

memory/672-77-0x000007FEEF670000-0x000007FEF000D000-memory.dmp

memory/672-78-0x0000000001F30000-0x0000000001FB0000-memory.dmp

memory/672-79-0x000007FEEF670000-0x000007FEF000D000-memory.dmp

memory/672-80-0x0000000001F30000-0x0000000001FB0000-memory.dmp

memory/672-81-0x0000000001F30000-0x0000000001FB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 02:16

Reported

2024-02-24 02:18

Platform

win10v2004-20240221-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

(5 hits, no indicator details recorded)

ZGRat

rat zgrat

AgentTesla payload

(6 hits, no indicator details recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
(2 identical entries)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A
(64 identical entries, no indicator details recorded)

Suspicious use of WriteProcessMemory

Parent PID | Child PID | Parent image | Child image | Calls (WriteProcessMemory events logged for the pair)
2988 | 3068 | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | 2
2988 | 4200 | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | 2
2988 | 2256 | C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe | C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe | 3
4200 | 1252 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | 2
3068 | 3572 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | 2
3572 | 1848 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | 2
1252 | 3080 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | 2
3080 | 2676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | \??\c:\windows\system32\cmstp.exe | 2
4804 | 4248 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe | 2
4804 | 956 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe | 2
4804 | 3448 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe | 2
4804 | 4084 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe | 2
4804 | 116 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe | 2
4804 | 4972 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Windows\System32\cmd.exe | 2
4972 | 3320 | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
4248 | 2860 | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
956 | 4508 | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
3448 | 4160 | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
116 | 2136 | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
4084 | 5020 | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
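The WriteProcessMemory tables in behavioral1 and behavioral2 list one row per call, which hides the spawn chain. The script below is an added example, not part of the sandbox report: it parses rows copied from the behavioral2 table (trimmed to the distinct parent/child pairs, with the first pair kept twice to show de-duplication), collapses repeats while keeping the call count, renders the tree, and flags processes that carry a Windows binary name (svchost.exe, explorer.exe) but run from the user profile. The parent of version.exe (PID 4804) is not in the table, so it appears as a second root; the file name "KeywordKing .exe" contains a space, which is why the parser anchors the child image on a drive letter or the NT prefix \??\ instead of splitting on whitespace.

```python
"""Rebuild the spawn chain from the sandbox's WriteProcessMemory rows.

The sandbox logs one row per WriteProcessMemory call, so each parent/child
pair repeats; this collapses the repeats, keeps the call count, and renders
the tree so the chain sample -> Setup.exe -> svchost.exe -> explorer.exe ->
cmstp.exe is visible at a glance.
"""
import re
from collections import defaultdict

# Rows copied from the behavioral2 table above, trimmed to the distinct
# parent/child pairs (the first pair is kept twice to show de-duplication).
ROWS = r"""
PID 2988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2988 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2988 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe
PID 4200 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 3068 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 3572 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 1252 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 3080 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe \??\c:\windows\system32\cmstp.exe
PID 4804 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe C:\Windows\System32\cmd.exe
PID 4972 wrote to memory of 3320 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

# The parent image is matched lazily and the child image must start with a
# drive letter or the NT prefix \??\, so a file name containing a space
# ("KeywordKing .exe") does not break the split.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ((?:[A-Za-z]:\\|\\\?\?\\).+)$"
)
NT_PREFIX = "\\??\\"
# Windows binary names that this sample reuses for copies in the user profile.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "cmstp.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def masquerades(path):
    """True when a Windows binary name runs from outside C:\\Windows."""
    p = path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path
    p = p.lower()
    return basename(p) in SYSTEM_NAMES and not p.startswith("c:\\windows\\")


def parse_rows(text):
    """Return ({(parent_pid, child_pid): call_count}, {pid: image_path})."""
    edges, images = defaultdict(int), {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child, parent_img, child_img = m.groups()
        edges[(int(parent), int(child))] += 1
        images.setdefault(int(parent), parent_img)
        images.setdefault(int(child), child_img)
    return dict(edges), images


def ancestry(edges, images, pid):
    """Image names from the root process down to `pid`."""
    parent_of = {child: parent for (parent, child) in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]


def render(edges, images):
    """Indented spawn tree; roots are PIDs that never appear as a child."""
    children = defaultdict(list)
    for (parent, child), n in edges.items():
        children[parent].append((child, n))
    child_pids = {child for (_, child) in edges}
    lines = []

    def walk(pid, depth, calls):
        tag = "  [system binary name outside C:\\Windows]" if masquerades(images[pid]) else ""
        via = f"  ({calls} WriteProcessMemory calls)" if calls else ""
        lines.append(f"{'    ' * depth}{pid} {basename(images[pid])}{via}{tag}")
        for child, n in sorted(children[pid]):
            walk(child, depth + 1, n)

    for root in sorted(p for p in images if p not in child_pids):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    print("\n".join(render(edges, images)))
    print(" -> ".join(ancestry(edges, images, 2676)))
```

The same parser runs unchanged over the behavioral1 rows; there the chain ends in netsh.exe (PID 2128) instead of cmstp.exe.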

Processes

C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe

"C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

"C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 804

\??\c:\windows\system32\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\btcddvl5.inf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 proxy-cheap.blogspot.com udp
GB 142.250.187.225:443 proxy-cheap.blogspot.com tcp
GB 142.250.187.225:443 proxy-cheap.blogspot.com tcp
US 8.8.8.8:53 amazonhost.thedreamsop.com udp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 107.180.41.239:80 amazonhost.thedreamsop.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/2988-0-0x0000000000E80000-0x00000000011F6000-memory.dmp

memory/2988-1-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ee76425b767c9ab812a53c133b8363f8
SHA1 1daa4700a5f1849eb7e810986ac24bd58786da61
SHA256 f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747
SHA512 004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

memory/3068-14-0x0000000000AE0000-0x0000000000B58000-memory.dmp

memory/3068-15-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/3068-17-0x0000000001490000-0x00000000014A0000-memory.dmp

memory/3068-16-0x00000000012F0000-0x000000000131A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 25a25e54462e43a7131262562bd56473
SHA1 ec00d244dc3d17f11d4332127bd81eb7ebdeda5e
SHA256 42b4fec4e9d567c55b8b217e542e4f90e0a8246f74e4df2080dc72be9bd4c1be
SHA512 be0a71a5c6e32f574879727e2d8b2fa16e9354819dc37d58efb5581ecc61cda4386e4014742e87accfc55c44ae07e70dfdd5b658a8aabc4d82224131edbf54ac

memory/4200-22-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/4200-23-0x0000000002F20000-0x0000000002F30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 3c72d96e7d3235e26d41d12694a4a9cc
SHA1 d38ebf556229cbd8797c222f5049548a08eaf611
SHA256 79f4240ad5f4835c18d31ac3c0f3a740f81d99c3abaa59590e6e5a2c8dbdcaf2
SHA512 2cb9c904c16f8668c95c17563a181b79577c02fedd538d6775dcda4ac85b2f7be7dc95c5d5a1654efcdaa565bf25467d48016c8b95dac9e3f32e89b35c9ec36c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 f36e535fdc82208fca08acfa44f790c6
SHA1 a3cc1aa7d614094faebada2aed1e6c519bd18c94
SHA256 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc
SHA512 631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

MD5 1c67b3cb7b2ca716143c87936efb2f13
SHA1 0174a42eddfffe3d372755dc4a7151e4b6498ff6
SHA256 b23a2be216aaff1286381bc16d3701d221364842750d15eba4f18b4df6aafd42
SHA512 4cd12ea21fd990f9cb34180ddcde2502336c9391486497d53fe5bc828afa5cde36ff0a458b98e47e52ddcbd07ff32874473b30d69f7450c351487a61ba31e3e0

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

MD5 8805585bc23dfd63946dcd7030ef368c
SHA1 23e7242ac7b255ecfd4b9d40f112dc7c3fcd66f2
SHA256 5dbaef496dffee435f6b944a0b9198a4c71b1cc8147a38b8ec0cdd5d9c0d5f54
SHA512 9ad6b297535cf832411734d5b96f062015f4107a338f7b71f6d3854982994376f61f85ce5bf6edc3e6eb84d487435dd0bdc54a623a23cdf4a3ae05dbcea018a0

memory/2988-38-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

MD5 a1814c03d8d16639b62d770e246e1bdd
SHA1 89670fc4cd0673219f92945e2cbc4a40efcaeaae
SHA256 4c45a9ae842dd14a49e3231890a734e09ea285c48f9e867d865ca74ae358ab2b
SHA512 5e7a92f3dc1b99cfc6cbc407b56162b8982ce367cc23700c4745f6e3959d6c5bf0f1a876e08d33964b4ca30e51d72afcf83fcff8b837ecf31b9bc9d5e59cb1fe

C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe

MD5 8b1aed71eaebd88df17b86786a33934e
SHA1 5eb3251fc71671dbe9697fb6a22e9b81f1d24bed
SHA256 6b54333664bd6b3e626b0c2ba8386348bb8a6cee848123b9419202da4ca7086e
SHA512 c65b5389ce75829b566834705f62321ead0d74ec2475a6949a4e8e58193cf21f471dc1e1dc9c0755187b3a3e4f1d6cded65dfc0a37f89d298295dc4699e74bf9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

MD5 7ca69c3a50dd1e107b36424371d545aa
SHA1 af96b7133f339588b8de9e29be762dd8fbe2da08
SHA256 fb56bfa6682034270cd833c70e9ab03a606372aef15b2e305da0318873394664
SHA512 bf3b5a590335e671cd44f244bf20fc30028a56c55f69f4f8b0a46aba787b248c343391998ed5267b5ca9aa0075697e169056120c18837ddc3ca97c5ace83c6fd

memory/1252-46-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/4200-47-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/3572-50-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/1252-49-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

memory/3068-48-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/1252-43-0x0000000000AF0000-0x0000000000B46000-memory.dmp

memory/2256-51-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2256-52-0x0000000000E30000-0x0000000001126000-memory.dmp

memory/2256-53-0x0000000006010000-0x00000000065B4000-memory.dmp

memory/2256-54-0x0000000005B40000-0x0000000005BD2000-memory.dmp

memory/2256-55-0x0000000003510000-0x0000000003520000-memory.dmp

memory/2256-56-0x0000000005CD0000-0x0000000005CDA000-memory.dmp

memory/2256-57-0x0000000005DB0000-0x0000000005FA6000-memory.dmp

memory/2256-58-0x0000000003510000-0x0000000003520000-memory.dmp

memory/2256-59-0x0000000009BD0000-0x0000000009BEA000-memory.dmp

memory/2256-62-0x0000000009D80000-0x0000000009E30000-memory.dmp

memory/1252-63-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/3572-64-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/2256-65-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2256-66-0x0000000003510000-0x0000000003520000-memory.dmp

memory/2256-67-0x0000000003510000-0x0000000003520000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 a9b0d84f4872b4352371e33a973cfdda
SHA1 6a2f976500c939987ed0427a5c7c88103e79471a
SHA256 937c2943f9773d84a1ad3540115abe9447c74085a08f1c5f5ec19c5d6145b1bb
SHA512 f56ef1f698c8bfd8e047f19b1e5da6dc1fb8f07e441bc2efebda2beb6f63725e385ee28946baa0841cad007288fd8524c799504708bce880e2358bdac2505662

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

MD5 3d3435b18469b7d581bcaffea5397df0
SHA1 6b22009c0b6bc7f7fff9cf1bd4f749300d8cad7c
SHA256 7c7d6e28fbee6b1a0686950ab4ea4b954b7f3a52c770e439b84e77e74cf574c9
SHA512 2833ca96cdfb39d211c2e678e643f5530664d5122d914d4be507a928ab5819bd23f27b365d47d79b649ac7dfa936cc186d4f71c2fdf0de469fe684d57d3eb515

memory/3572-84-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 cafd74774ee92e32d33d986aa1d02887
SHA1 4eba3d811e150ea0e03193916820ceb1353d7d3a
SHA256 a9a2445fa2c7695be72695fb46f2d5fbb7106691d7840d454fac2b91ddd014b0
SHA512 27baef4953ca7ffd10dfc22d6ee2e6b961c1c08aa2a9813737afb4a265bfa9dfa56d577b20b0aefa84c157ab8fbc3fc4a7456c4e5093dd480f22c3fbdef30bf6

memory/1252-87-0x00007FFD037D0000-0x00007FFD04291000-memory.dmp

memory/3080-88-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/3080-89-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/3080-90-0x00000000016A0000-0x00000000016B0000-memory.dmp

memory/3080-91-0x000000001BE00000-0x000000001BEA6000-memory.dmp

memory/3080-94-0x000000001CAD0000-0x000000001CF9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\btcddvl5.inf

MD5 6f1420f2133f3e08fd8cdea0e1f5fe27
SHA1 3aa41ec75adc0cf50e001ca91bbfa7f763adf70b
SHA256 aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242
SHA512 d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

memory/3080-101-0x00000000016A0000-0x00000000016B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

MD5 10d90137afcca51c429a2c0aa78c92d6
SHA1 c7cb2762e0a31b06aaca0c440db5556fd23df24f
SHA256 44a4f73cc6a5a89208372ded41ed5e3cecc8bf2064ee1224275f21061dae11a1
SHA512 c914381e197450f3e576d3c77f103796be594444499ff2397e0bb74f9249baff973ea5c66ab42540835e060ad6032694fc2b8d01c95795d71adf6f1c91d000b0

memory/4804-107-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/4804-108-0x0000000001470000-0x0000000001480000-memory.dmp

memory/4804-109-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/4804-111-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/2860-112-0x00007FFD01550000-0x00007FFD02011000-memory.dmp

memory/3320-114-0x000002C166A50000-0x000002C166A60000-memory.dmp

memory/3320-115-0x000002C166A50000-0x000002C166A60000-memory.dmp

memory/4508-116-0x000001ABE0A10000-0x000001ABE0A20000-memory.dmp

memory/4160-117-0x000001F4B25F0000-0x000001F4B2600000-memory.dmp

memory/2860-113-0x000001EAA5E20000-0x000001EAA5E30000-memory.dmp

memory/2860-118-0x000001EAA5E20000-0x000001EAA5E30000-memory.dmp

memory/3320-128-0x00007FFD01550000-0x00007FFD02011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zqljbvg.1ki.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2860-129-0x000001EA8DCC0000-0x000001EA8DCE2000-memory.dmp

memory/4508-130-0x00007FFD01550000-0x00007FFD02011000-memory.dmp

memory/4160-149-0x00007FFD01550000-0x00007FFD02011000-memory.dmp

memory/2136-150-0x0000028993D10000-0x0000028993D20000-memory.dmp

memory/2136-151-0x0000028993D10000-0x0000028993D20000-memory.dmp

memory/5020-152-0x000001941F180000-0x000001941F190000-memory.dmp

memory/2136-162-0x00007FFD01550000-0x00007FFD02011000-memory.dmp

memory/5020-181-0x00007FFD01550000-0x00007FFD02011000-memory.dmp

memory/2860-182-0x000001EAA5E20000-0x000001EAA5E30000-memory.dmp

memory/3080-183-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/4508-184-0x000001ABE0A10000-0x000001ABE0A20000-memory.dmp

memory/3080-185-0x00007FFCFDFA0000-0x00007FFCFE941000-memory.dmp

memory/5020-186-0x000001941F180000-0x000001941F190000-memory.dmp

memory/3080-187-0x00000000016A0000-0x00000000016B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 377c375f814a335a131901ed5d5eca44
SHA1 9919811b18b4f8153541b332232ae88eec42f9f7
SHA256 7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10
SHA512 c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249