Analysis Overview
SHA256
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
Threat Level: Known bad
The file 34468074c946943518ab33be24c01ef9.bin.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Amadey
Blocklisted process makes network request
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 19:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 19:16
Reported
2024-03-24 19:18
Platform
win7-20240221-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Amadey
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Users\Admin\1000071002\nativecrypt6.exe
"C:\Users\Admin\1000071002\nativecrypt6.exe"
C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
"C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\658372521424_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| RU | 5.42.65.68:29093 | | tcp |
| RU | 5.42.65.68:29093 | | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 34468074c946943518ab33be24c01ef9 |
| SHA1 | 742cf7ff13dcab6a99b372dc99f362f45be3d69c |
| SHA256 | 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99 |
| SHA512 | b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b |
\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 5cab432821c94450adf1b2314cd42092 |
| SHA1 | 84cd4da52c31664244d87601624415cb8642d088 |
| SHA256 | bd584435de36eb1f093953e99307736e7793772296f026d06b00627cb0323095 |
| SHA512 | 172d11aab49f8185c91f06dc704da84331aede0bcad388b9d34f1fe9b0e04bcf8a044c88d9c27e9ac335f2743ee22958be477bb3ed34e02a6d32fb27c32f5450 |
C:\Users\Admin\1000071002\nativecrypt6.exe
| MD5 | ef4b0d33ed0eb8ec64c7073ea8409cad |
| SHA1 | b3c1b0b7e282a26bcc4ddb84cfac0437e3cff209 |
| SHA256 | 37c593afa2791249363f27cb2818fe560338c9abdfb2b270b26a88696a87c3e9 |
| SHA512 | 21076c222c0ee27ad88b682639bc82d8be50a0d369a5eec7a66023b0a8ced6cc9348b5b6cc7794c22269adc9b9faa38503276ba4b2d7e922beb1ce0e575a6228 |
C:\Users\Admin\AppData\Local\Temp\658372521424
| MD5 | cc0e6473b2d9f62575bf6c26bf67acf6 |
| SHA1 | 9a97c7cb4ccc16e78defea8398546f2d4bd40ec1 |
| SHA256 | 6adb22b6c7c1af88b6246ade10ad7d351f809a8db3a42ec68d8046e3fb02c4be |
| SHA512 | 5db5194bd60edfa903db04a8f928fa100ccce299a5025e6bb71f4053b60d47af0a3216b4e8a5a948f4ffc26b51ecbaf0cd7687e2e4cffe77f97a6fc639805b92 |
C:\Users\Admin\AppData\Local\Temp\Tmp6C5A.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1658372521-4246568289-2509113762-1000\76b53b3ec448f7ccdda2063b15d2bfc3_f4bfc772-1e14-4cb7-967a-2360098b659f
| MD5 | bbc8da7d36df3f91c460984c2abe8419 |
| SHA1 | 9a247c3d293022fde4f3abc8b56259275c4ef97c |
| SHA256 | 0399ccf5e780949a63400736a46cce7d1879903d0f45c6b7d194c960ba4dddc2 |
| SHA512 | facbe33baa35fccf8072fe207a4d5eda2a64c4ed067c8eecb23e49cb003747be4c3772cb4ae2dfb87f91aa711b9a8371a2e0d76dc40830e275098172318d7cb4 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 6ba3d481e8a0c753967f3e002044b050 |
| SHA1 | 3630d082e516fac7273d5e5c2a09c972ad3fcac5 |
| SHA256 | d62a26be85ee3bb0b7d4504f4367f505180adee48ddaf8cb72e301263114adfe |
| SHA512 | 33e7defd57654fa57a2e04ecfba0222a28103794dc1236272e0eaf493d92f130132e90a20244e2ed7c2704a34aaab681bc931671816a6c03a2bd8fd405a4a61c |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 19:16
Reported
2024-03-24 19:18
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe | N/A |
Enumerates physical storage devices
Program crash
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\1000071002\nativecrypt6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1240
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1016
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1688
C:\Users\Admin\1000071002\nativecrypt6.exe
"C:\Users\Admin\1000071002\nativecrypt6.exe"
C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
"C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1688
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1412
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1856 -ip 1856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1744
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2004 -ip 2004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1028
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 96.39.123.93.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 5.42.65.68:29093 | | tcp |
| RU | 5.42.65.68:29093 | | tcp |
| US | 8.8.8.8:53 | 68.65.42.5.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 34468074c946943518ab33be24c01ef9 |
| SHA1 | 742cf7ff13dcab6a99b372dc99f362f45be3d69c |
| SHA256 | 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99 |
| SHA512 | b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b |
C:\Users\Admin\AppData\Local\Temp\808065738166
| MD5 | 4a31957fcc6a12c7f3712f94c819972a |
| SHA1 | cf6d343b57f93351c28ee8fa52b66cc93576e40a |
| SHA256 | 4744156cf8d830a386449b871e48a577e6fe3673526f2663ab34030124f374b4 |
| SHA512 | a0453268d32a9038337ea30d62c51ef421910c0e1b6c6697a3c61c2bbad1e252680538d14b7abb991200499480d87c0b98fc76a9de61f516c18a99ab67e13ac9 |
C:\Users\Admin\1000071002\nativecrypt6.exe
| MD5 | ef4b0d33ed0eb8ec64c7073ea8409cad |
| SHA1 | b3c1b0b7e282a26bcc4ddb84cfac0437e3cff209 |
| SHA256 | 37c593afa2791249363f27cb2818fe560338c9abdfb2b270b26a88696a87c3e9 |
| SHA512 | 21076c222c0ee27ad88b682639bc82d8be50a0d369a5eec7a66023b0a8ced6cc9348b5b6cc7794c22269adc9b9faa38503276ba4b2d7e922beb1ce0e575a6228 |
C:\Users\Admin\1000071002\nativecrypt6.exe
| MD5 | d6ec14d4006c215ddf5f25e757b6a0d2 |
| SHA1 | d18387a6a2ab4513708d2460c2f889af2181d959 |
| SHA256 | 52eb5cc828a0a8e6df0578bdec79ae42cb44409b6386caad0f3a1c59025374b4 |
| SHA512 | 30a9305d1530c0b38b570339b4db2dacc1760de0eb05ed6b09706479a71c4292e19825fbe5123ed0267a4bb3c45ef3dc4ab9fe8abe129f033e220f0e4de32b9e |
C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
| MD5 | 1ba155e110194b1bd5c3a0fafb22efb1 |
| SHA1 | f0ca22993de08e42aca63d2ba61fb508887d9063 |
| SHA256 | a33b4d15c3704e9ae986a88192cc569290d9e7533c790ba7736840c8a5d93782 |
| SHA512 | 583c34880322b943e484a50cc76269888ef2a9207cf8252cf1df5ab7f4fedaf277e668819a32585a482975f01304ce5aea0a0fe370fa5e626b2d20a7e51f0ee5 |
C:\Users\Admin\1000071002\nativecrypt6.exe
| MD5 | d861509fb4c8a898ec17fe11f46f891b |
| SHA1 | ca985d8833e78683a3252d7374eed1f985fa6668 |
| SHA256 | 8ecb93da4817ca5e198151ef894492d76c984ee6f4cc024bdcb9b45f7338ce83 |
| SHA512 | 10d5accc5d404e39f0cf7590bc970b6e8771c16e2afd49721bc0103c6e724b28b65c0f5f32b79fabe674592e8d0412124ba08cc1a097b31c7f72d01879d359ba |
C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
| MD5 | ed56868f8ebed80e3b21042f95dc7e8a |
| SHA1 | 246a89723f0a891a38e13f50c54fddbd58202cb9 |
| SHA256 | 9da26dd076198e05ce2927db85cd3072b6a174c2b07ab85efcd7e3f766982753 |
| SHA512 | 008ac4ccc314b2f5e12a468a65a9e119750ba08122af0e797f84d6d2813bc69894a0b489e7732b0ff07bb869916c1856f7127a696a9287e5d07aa16e4ae8c242 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | d7c1ce5b7af6d9aa0d802381fe9a0662 |
| SHA1 | 95b8176ad64ae9f0e3a59cb8305e9c36b397c8dc |
| SHA256 | 757253bcca7fd7b8af775e895354ec005722e335fd9cd43ace4e7ec59a34fec7 |
| SHA512 | de80de49a76f72d93d71573310d23d95cd7130c679e1afcac08f7acb3f71e1d3aee2d203beb0593a2ab5d33c1a8bf7b7163e8d9956857a6fec9dddbefc4f29e1 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 5ece0da4e5b348dace429b4c35f688e5 |
| SHA1 | 7c2e0fb80cb99100353139081b1e564e22d82bb0 |
| SHA256 | 5261ffc545d7047d36768251d0edcb67502c06e3214dbb225ba2bf815525b598 |
| SHA512 | 55f38e6aacfb6bbadfd558dc91a3ac490ea3372488842b227bc9f838524a63b3f574c6524a1b210f83063c0552a1568c2ec68bb155e7fe21cbce0137697c9b97 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 264996a9e67e97b9d84517aaffe7db7f |
| SHA1 | 8167c6752d065b3ec57118fc2705b38e4d61fe06 |
| SHA256 | babee9cf7cd304c182da1e854602469d577abe5da37ea2e0b9f29dc90f31b7b3 |
| SHA512 | 7a87ffd7ad36f35c566f682413281ff73613de6a88596f066c1ff4ea3523b6c02c896b5f1ee99078f68d5d3265882368799db0930a9fa07e09b1bbc580067244 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 389b16e8c79f728ae26d054305e9e9fe |
| SHA1 | 5a849b5a890368b64de0c8617919489413c9ef1b |
| SHA256 | b11c0973de4a1292a5ea8dfebf749c20ccbb09b76ae05dfc11597b16363ed66f |
| SHA512 | 9266e0e85f993d21ad3cfa6e14fd88d6190d2890edbdd87b0937933daa71e0288378c476a4e597bf68f49e3cfa0995683ffa4fd195aadd26fc4645434be54fe6 |
Note: this is the fourth write of cred64.dll to the same path in this run, each with a different digest, so the file was rewritten (downloaded in pieces or replaced) rather than dropped once; when blocklisting, take the last hash as the version that was present at the end of the run and treat the earlier ones as transient. A cred64.dll / clip64.dll pair under AppData\Roaming matches the plugin layout of the Amadey family flagged above, and these DLLs are the usual target of the rundll32.exe network activity listed in the signatures.
C:\Users\Admin\AppData\Local\Temp\Tmp5FAF.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four digests are the hashes of a zero-byte file, so the CryptoAPI key container was captured empty here; the same path appears again later in this listing with real content. Do not use these values as indicators: they match every empty file on every system.
memory/996-131-0x0000000005FF0000-0x0000000006066000-memory.dmp
memory/1100-132-0x0000022BFBEF0000-0x0000022BFBF12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f55scjh.z4n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Note: __PSScriptPolicyTest_*.ps1 is written by PowerShell itself at startup to probe the AppLocker/WDAC script-execution policy, so this entry shows that a PowerShell process was launched during the run (PID 1100 in the memory entries below is the 64-bit process that fits), not that the sample dropped a script; the random suffix makes its hash useless as an indicator.
memory/1100-142-0x00007FFA03E70000-0x00007FFA04931000-memory.dmp
memory/4136-144-0x0000000000D40000-0x0000000000E40000-memory.dmp
memory/1100-143-0x0000022BFBF30000-0x0000022BFBF40000-memory.dmp
memory/996-145-0x00000000069E0000-0x00000000069FE000-memory.dmp
memory/996-148-0x0000000006A00000-0x0000000007018000-memory.dmp
memory/996-149-0x00000000070A0000-0x00000000071AA000-memory.dmp
memory/4136-150-0x00000000071E0000-0x00000000071F2000-memory.dmp
memory/996-151-0x0000000007200000-0x000000000723C000-memory.dmp
memory/4136-152-0x0000000007260000-0x00000000072AC000-memory.dmp
memory/1100-153-0x0000022BFC410000-0x0000022BFC422000-memory.dmp
memory/1100-154-0x0000022BFBF20000-0x0000022BFBF2A000-memory.dmp
memory/1100-160-0x00007FFA03E70000-0x00007FFA04931000-memory.dmp
memory/1768-161-0x0000000000400000-0x0000000000B17000-memory.dmp
memory/996-162-0x0000000000DE0000-0x0000000000EE0000-memory.dmp
memory/4136-163-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/4136-166-0x0000000072B60000-0x0000000073310000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
memory/4136-177-0x00000000073B0000-0x0000000007416000-memory.dmp
memory/4136-178-0x00000000076D0000-0x0000000007720000-memory.dmp
memory/996-179-0x0000000072B60000-0x0000000073310000-memory.dmp
memory/4136-180-0x0000000007A60000-0x0000000007C22000-memory.dmp
memory/4136-181-0x0000000007C40000-0x000000000816C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |
memory/4136-185-0x00000000053B0000-0x00000000053C0000-memory.dmp
memory/996-187-0x00000000052A0000-0x00000000052B0000-memory.dmp
memory/1768-186-0x0000000000400000-0x0000000000B17000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nativecrypt6.exe.log
| MD5 | e34b053c93dcb4160094249280888117 |
| SHA1 | bd7cd93042c200c5fb012bccf3cd9f72d7e79cef |
| SHA256 | 2bc71ddd63acfb9d101892e29033c75b4023727e1cadc489ecb2421c1960eaa8 |
| SHA512 | f8753ec3f9f413e1fac84caa1905509a978dfc63211dcd0a889a4283840ae2e6e9101e1f7ee7d582acc5e0ae722fdab8f6047aa02cee28869a094b4f494897f2 |
Note: the CLR_v4.0_32\UsageLogs directory is written by the .NET runtime when a managed executable starts, so this log confirms that nativecrypt6.exe (the dropped EXE executed from the 1000071002 and 1000072000 directories) is a .NET assembly that ran under the 32-bit CLR v4.0; the log is a side effect of execution, not a payload.
memory/4136-190-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/996-191-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/996-192-0x00000000052A0000-0x00000000052B0000-memory.dmp
memory/1856-196-0x0000000000CE0000-0x0000000000DE0000-memory.dmp
memory/4136-195-0x00000000053B0000-0x00000000053C0000-memory.dmp
memory/1856-197-0x0000000000400000-0x0000000000B17000-memory.dmp
memory/1856-198-0x0000000000400000-0x0000000000B17000-memory.dmp
memory/2004-219-0x0000000000BC0000-0x0000000000CC0000-memory.dmp
memory/2004-220-0x0000000000400000-0x0000000000B17000-memory.dmp
memory/2004-221-0x0000000000400000-0x0000000000B17000-memory.dmp
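The listing above mixes two kinds of artifact: memory-dump entries (PID, sequence number, address range) and dropped-file entries (a path followed by a hash table). The parser below is an added example, not part of the sandbox's own tooling, that turns such a listing into usable IOCs and applies the checks a triager needs: it rejects malformed hash rows, flags files whose digests are those of a zero-byte file (a false indicator), reports paths that were written more than once with different content (like cred64.dll above), and picks the largest dumped region per PID. The sample input is a constructed excerpt of lines from this page.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt in the shape of the report above (paths and digests copied from it).
SAMPLE_REPORT = r"""
memory/1768-76-0x0000000000CF0000-0x0000000000DF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | d7c1ce5b7af6d9aa0d802381fe9a0662 |
| SHA256 | 757253bcca7fd7b8af775e895354ec005722e335fd9cd43ace4e7ec59a34fec7 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 5ece0da4e5b348dace429b4c35f688e5 |
| SHA256 | 5261ffc545d7047d36768251d0edcb67502c06e3214dbb225ba2bf815525b598 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
memory/4136-163-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/4136-166-0x0000000072B60000-0x0000000073310000-memory.dmp
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-length input: a file reported with these was empty when the sandbox hashed it.
EMPTY_DIGEST = {name: hashlib.new(name.lower()).hexdigest() for name in DIGEST_LEN}


def parse_report(text):
    """Split report lines into dropped-file records and memory-region records."""
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            # A hash row must belong to a path and have the right length for its algorithm.
            if current is None or len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"malformed hash row: {line}")
            current["hashes"][algo] = digest
            continue
        # Any other non-empty line is a dropped-file path that opens a new record.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, regions


def empty_files(files):
    """Paths whose recorded digests are all those of a zero-byte file."""
    return [f["path"] for f in files
            if f["hashes"] and all(EMPTY_DIGEST[a] == d for a, d in f["hashes"].items())]


def rewritten_paths(files):
    """Paths that appear more than once with different content (dropped, then overwritten)."""
    seen = defaultdict(list)
    for f in files:
        digest = f["hashes"].get("SHA256") or f["hashes"].get("MD5")
        if digest and digest not in seen[f["path"]]:
            seen[f["path"]].append(digest)
    return {path: digests for path, digests in seen.items() if len(digests) > 1}


def largest_region_per_pid(regions):
    """The largest dumped address range for each PID."""
    best = {}
    for r in regions:
        if r["pid"] not in best or r["size"] > best[r["pid"]]["size"]:
            best[r["pid"]] = r
    return best


def ioc_hashes(files, algo="SHA256"):
    """Unique digests worth blocklisting; empty-file digests are excluded."""
    out = {f["hashes"][algo] for f in files if algo in f["hashes"]}
    out.discard(EMPTY_DIGEST[algo])
    return sorted(out)


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    print("empty-file entries:", empty_files(files))
    print("rewritten paths:", rewritten_paths(files))
    for pid, r in largest_region_per_pid(regions).items():
        print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} ({r['size']:#x} bytes)")
    print("IOC SHA256:", ioc_hashes(files))
```

Feed the whole dropped-file section of a report to parse_report and the SHA256 list from ioc_hashes is what goes into a blocklist; rewritten_paths tells you which of those hashes were only ever transient, and the region sizes help pick which memory dump to carve for the unpacked RedLine payload.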