Analysis Overview
SHA256
2d7fddd25a9bac1ad50e479cded38aebb623ce2a7a77e058b5a735fa4628f089
Threat Level: Known bad
The file h.zip was found to be: Known bad.
Malicious Activity Summary
Amadey
SectopRAT payload
Amadey family
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
SectopRAT
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-20 23:36
Signatures
Amadey family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 23:36
Reported
2024-10-20 23:40
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Amadey
Rhadamanthys
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 924 created 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | C:\Windows\system32\sihost.exe |
| PID 628 created 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
| PID 3928 created 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe | N/A |
| N/A | N/A | C:\ProgramData\downloaddemo_test\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe | N/A |
| N/A | N/A | C:\ProgramData\Svclocalv4\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1940 set thread context of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
| PID 320 set thread context of 428 | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4848 set thread context of 396 | N/A | C:\ProgramData\downloaddemo_test\msn.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 224 set thread context of 4224 | N/A | C:\ProgramData\Svclocalv4\msn.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3496 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4224 set thread context of 3612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
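The two tables above read together give the execution chain of this detonation. What follows is an added example, not part of the sandbox report: a short Python parser for rows in the report's own table layout that lists each process that created a child under a borrowed parent handle, and then follows SetThreadContext hops, which is how the msn.exe copy in C:\ProgramData\Svclocalv4 reaches MSBuild.exe through an intermediate cmd.exe. Two readings are mine, not the report's: the description "PID X created Y" is taken to mean X is the calling process and Y is the PID of the parent-of-record it supplied (all three rows name 2924, and the Target column for each is sihost.exe, which is what makes that reading consistent), and a SetThreadContext call from one process into another is treated as one hop of a thread-hijack or hollowing chain rather than a debugger's legitimate use of the same API.

```python
from __future__ import annotations
import ntpath
import re
from collections import defaultdict

# Rows copied from the two signature tables above, in the sandbox's own
# markdown layout, embedded so the script runs offline.
PPID_ROWS = r"""
| PID 924 created 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | C:\Windows\system32\sihost.exe |
| PID 628 created 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
| PID 3928 created 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
"""
HIJACK_ROWS = r"""
| PID 1940 set thread context of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
| PID 320 set thread context of 428 | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4848 set thread context of 396 | N/A | C:\ProgramData\downloaddemo_test\msn.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 224 set thread context of 4224 | N/A | C:\ProgramData\Svclocalv4\msn.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3496 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4224 set thread context of 3612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
"""

DESC_RE = re.compile(r"PID (\d+) (created|set thread context of) (\d+)")


def parse_rows(table: str) -> list[dict]:
    """One event per table row: acting PID, PID acted on, and both images."""
    events = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        m = DESC_RE.search(cells[0]) if len(cells) == 4 else None
        if not m:
            continue
        src, verb, dst = m.groups()
        events.append({"kind": "ppid_spoof" if verb == "created" else "thread_hijack",
                       "src_pid": int(src), "dst_pid": int(dst),
                       "src_image": cells[2], "dst_image": cells[3]})
    return events


def pid_images(events) -> dict[int, str]:
    """PID -> image path, first sighting wins."""
    images: dict[int, str] = {}
    for e in events:
        images.setdefault(e["src_pid"], e["src_image"])
        images.setdefault(e["dst_pid"], e["dst_image"])
    return images


def spoofed_parents(events) -> dict[int, tuple[str, str]]:
    """Creator PID -> (creator image, image of the parent-of-record it supplied).
    Assumed reading: the creator passed another process's handle as parent, so
    the child's recorded parent is sihost.exe rather than the real creator."""
    return {e["src_pid"]: (e["src_image"], e["dst_image"])
            for e in events if e["kind"] == "ppid_spoof"}


def hijack_chains(events) -> list[list[int]]:
    """Follow SetThreadContext hops A -> B -> C: A hijacked B, then B hijacked C."""
    nxt, targets = defaultdict(list), set()
    for e in events:
        if e["kind"] == "thread_hijack":
            nxt[e["src_pid"]].append(e["dst_pid"])
            targets.add(e["dst_pid"])
    chains: list[list[int]] = []

    def walk(pid, path):
        if pid not in nxt:          # leaf: nobody downstream was hijacked by it
            chains.append(path)
            return
        for child in nxt[pid]:
            walk(child, path + [child])

    for root in sorted(p for p in nxt if p not in targets):
        walk(root, [root])
    return chains


def describe(chain, images) -> str:
    return " -> ".join(f"{ntpath.basename(images[p])}({p})" for p in chain)


if __name__ == "__main__":
    evs = parse_rows(PPID_ROWS) + parse_rows(HIJACK_ROWS)
    imgs = pid_images(evs)
    for pid, (creator, parent) in spoofed_parents(evs).items():
        print(f"PPID spoof: {ntpath.basename(creator)}({pid}) -> recorded parent {ntpath.basename(parent)}")
    for chain in hijack_chains(evs):
        print("hijack chain:", describe(chain, imgs))
```

The chain walker deliberately starts only from PIDs that were never themselves a SetThreadContext target, so the cmd.exe at 4224 shows up in the middle of one chain instead of as a second root; on real telemetry the same walk over Sysmon event 8/10 style records gives the full depth of a staged loader rather than one hop at a time.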
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\downloaddemo_test\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Svclocalv4\msn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | N/A |
| N/A | N/A | C:\ProgramData\downloaddemo_test\msn.exe | N/A |
| N/A | N/A | C:\ProgramData\Svclocalv4\msn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | "C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe" |
| C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | "C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe" |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 436 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 924 -ip 924 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 432 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\' |
| C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | "C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe" |
| C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\' |
| C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe | "C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe" |
| C:\ProgramData\downloaddemo_test\msn.exe | C:\ProgramData\downloaddemo_test\msn.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\' |
| C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe | "C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe" |
| C:\ProgramData\Svclocalv4\msn.exe | C:\ProgramData\Svclocalv4\msn.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1" |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\' |
| C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | "C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe" |
| C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.158.208.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer-files.digital | udp |
| US | 104.21.46.78:443 | transfer-files.digital | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.46.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| LT | 194.165.16.25:15647 | N/A | tcp |
| US | 8.8.8.8:53 | 25.16.165.194.in-addr.arpa | udp |
| LT | 194.165.16.25:9000 | 194.165.16.25 | tcp |
| US | 8.8.8.8:53 | remindydivir.biz | udp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 8.8.8.8:53 | 104.4.21.104.in-addr.arpa | udp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
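Most rows in this table are resolver traffic and reverse lookups the sandbox host makes on its own, plus Windows and Google background hosts. This is an added example, not part of the report: a Python pass that parses the rows, discards PTR lookups and the background hosts, keeps forward lookups separately (a name the sample resolved is an indicator even when the follow-up connection is missing from the capture), and ranks what remains. The benign-host list is my assumption for this detonation, and the report does not say which endpoint belongs to which of the three families it names. 104.21.0.0/16 is Cloudflare-fronted address space, so for transfer-files.digital and remindydivir.biz the hostname, not the address, is the durable indicator; the bare IPs on ports 80, 9000 and 15647 are the ones to block as addresses.

```python
from __future__ import annotations
import ipaddress
import re

# Rows copied from the Network table above (sandbox markdown layout), embedded
# so the script runs offline; the full table has more PTR and bing rows.
NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 8.8.8.8:53 | transfer-files.digital | udp |
| US | 104.21.46.78:443 | transfer-files.digital | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| LT | 194.165.16.25:15647 | N/A | tcp |
| LT | 194.165.16.25:9000 | 194.165.16.25 | tcp |
| US | 8.8.8.8:53 | remindydivir.biz | udp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumption for this example: background hosts seen in almost every Windows
# detonation (Google PKI CRL/OCSP, Bing image tiles) that carry no signal here.
BENIGN_HOSTS = {"c.pki.goog", "tse1.mm.bing.net"}
STANDARD_PORTS = {80, 443}


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_network(table: str) -> list[dict]:
    """One dict per row; an empty or N/A Domain cell becomes None."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not re.fullmatch(r"[A-Z]{2}", cells[0]):
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "proto": proto,
                     "domain": None if domain in ("", "N/A") else domain})
    return rows


def classify(row: dict) -> str:
    if row["port"] == 53 and row["proto"] == "udp":
        d = row["domain"] or ""
        return "ptr-noise" if d.endswith(".in-addr.arpa") else "dns-query"
    if row["domain"] in BENIGN_HOSTS:
        return "benign-background"
    return "candidate"


def queried_domains(rows) -> set[str]:
    """Forward lookups the sample made, minus the benign set."""
    return {r["domain"] for r in rows if classify(r) == "dns-query"} - BENIGN_HOSTS


def candidate_iocs(rows) -> list[tuple[str, int, str]]:
    """Deduplicated (indicator, port, proto); hostname preferred over a
    CDN-fronted address, bare IP kept when no name was involved."""
    out: list[tuple[str, int, str]] = []
    for r in rows:
        if classify(r) != "candidate":
            continue
        ind = r["domain"] if r["domain"] and not _is_ip(r["domain"]) else r["ip"]
        key = (ind, r["port"], r["proto"])
        if key not in out:
            out.append(key)
    return out


def prioritize(iocs) -> list[tuple[str, int, str]]:
    """Bare IP on a non-standard port first, bare IP on 80/443 next, names last."""
    def score(i):
        ind, port, _ = i
        return (2 if _is_ip(ind) else 0) + (1 if port not in STANDARD_PORTS else 0)
    return sorted(iocs, key=score, reverse=True)


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("queried:", sorted(queried_domains(rows)))
    for ioc in prioritize(candidate_iocs(rows)):
        print("candidate:", ioc)
```

The ranking is only a triage order: a bare IP on port 15647 is almost never legitimate egress from a workstation and is safe to block outright, while a Cloudflare-fronted hostname needs the name itself (or TLS SNI) in the block rule, since the 104.21.x.x address is shared with unrelated sites and changes.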
Files
C:\Users\Admin\AppData\Local\Temp\932230532004
| MD5 | 2b15f54ac3c94aeb176c382cd56c7c36 |
| SHA1 | 5a576bbb81baf5d4ee3b2f239a7274efa346dd7b |
| SHA256 | 416f6b1f61e6da40ea5564958571d5d850002a60602ca5786fe1d1e669cd6c4b |
| SHA512 | 44494c68c1bb904d0add190134511f140e8a1db4d07e886bdddd803f1a6b44b9f6346ef74cafc5a3dfbeabbc86d4e71c63b3b16cf4776261527f6fd131cf1ee2 |
memory/924-11-0x0000000000400000-0x000000000047E000-memory.dmp
memory/924-12-0x0000000000400000-0x000000000047E000-memory.dmp
memory/924-13-0x0000000000400000-0x000000000047E000-memory.dmp
memory/924-14-0x0000000000400000-0x000000000047E000-memory.dmp
memory/924-15-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/924-17-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/924-16-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/924-18-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/924-19-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/5060-22-0x0000000000850000-0x0000000000859000-memory.dmp
memory/924-21-0x0000000075DA0000-0x0000000075FB5000-memory.dmp
memory/5060-24-0x00000000024E0000-0x00000000028E0000-memory.dmp
memory/5060-28-0x0000000075DA0000-0x0000000075FB5000-memory.dmp
memory/5060-26-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/5060-29-0x00000000024E0000-0x00000000028E0000-memory.dmp
memory/5060-25-0x00000000024E0000-0x00000000028E0000-memory.dmp
memory/5060-30-0x00000000024E0000-0x00000000028E0000-memory.dmp
memory/924-31-0x00000000037A0000-0x0000000003BA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip
| MD5 | f169e93956f90c9b4fee4800e4fb655f |
| SHA1 | fb0005f2d2213f1e486c3d1c2992cf35b8450591 |
| SHA256 | 61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1 |
| SHA512 | ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38 |
memory/3640-39-0x00007FFC2F093000-0x00007FFC2F095000-memory.dmp
memory/3640-40-0x0000027333350000-0x0000027333372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zrjiv3f.p5a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3640-46-0x00007FFC2F090000-0x00007FFC2FB51000-memory.dmp
memory/3640-51-0x00007FFC2F090000-0x00007FFC2FB51000-memory.dmp
memory/3640-52-0x0000027333830000-0x0000027333842000-memory.dmp
memory/3640-53-0x0000027319150000-0x000002731915A000-memory.dmp
memory/3640-67-0x00007FFC2F090000-0x00007FFC2FB51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
| MD5 | e634616d3b445fc1cd55ee79cf5326ea |
| SHA1 | ca27a368d87bc776884322ca996f3b24e20645f4 |
| SHA256 | 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 |
| SHA512 | 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll
| MD5 | 4b262612db64f26ea1168ca569811110 |
| SHA1 | 8e59964d1302a3109513cd4fd22c1f313e79654c |
| SHA256 | a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f |
| SHA512 | 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll
| MD5 | c39b26fd913f74e1b80df54a3c58cfb7 |
| SHA1 | d81a62a78fbe5294c9298721e588ed9b38aafd9e |
| SHA256 | eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68 |
| SHA512 | 4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq
| MD5 | b23152452b6c798ee1b57352cc5ebce1 |
| SHA1 | 219a30751cda0df049fecc8247daf34fe57d1f4a |
| SHA256 | c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a |
| SHA512 | c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm
| MD5 | d272096a4ad0ba0c3001c21804b11835 |
| SHA1 | 3b3933a81cf97301e1e1a4f3c37df2dbb32d3679 |
| SHA256 | 975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f |
| SHA512 | 6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48 |
memory/4836-76-0x00007FFC2F7D0000-0x00007FFC2F942000-memory.dmp
memory/4836-86-0x00007FFC2F950000-0x00007FFC2FC05000-memory.dmp
memory/4836-85-0x00007FFC36320000-0x00007FFC36354000-memory.dmp
memory/4836-84-0x00007FF62EDE0000-0x00007FF62EED8000-memory.dmp
memory/320-94-0x00007FFC2F7D0000-0x00007FFC2F942000-memory.dmp
memory/320-95-0x00007FFC2F7D0000-0x00007FFC2F942000-memory.dmp
memory/320-98-0x00007FFC310B0000-0x00007FFC310E4000-memory.dmp
memory/320-99-0x00007FFC2F950000-0x00007FFC2FC05000-memory.dmp
memory/320-97-0x00007FF7F2500000-0x00007FF7F25F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\386e1c43
| MD5 | 7764f11da1384e4966b23481b9ba9774 |
| SHA1 | be799fe9e79fe7d9cb1efbfb2a564fe83a7c05d3 |
| SHA256 | bf0fe6f0d0a7302dacf28cbcaff75c404b4ea5d2bf4e3aa84c4e8a613c031d63 |
| SHA512 | 405e245e740c27bb5126c5cf55cb50726bc54c4d09c3a3cc958005f944e62ad30543393bf59139aef769fd2b119535e3ac0c2f3ee0f313a7d5903d6befa0d800 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip
| MD5 | 03138e3ecc2df5643bfb9dc41722d6cf |
| SHA1 | d8d52a348adb94ef66a285e976876396dcde0634 |
| SHA256 | 48ede0e3a4e2b696205f639bb5f826825d83f587c5b86d5b6fea31ef5ae4e1dc |
| SHA512 | c53f09588fe9fd7bd5328140f0b235686b36be30fa09a430015fa319c1e3dbb20ab58e84ec4ed7515c39c1168e316d808a744875ac3f375c443786a9b584f6f1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fe3aab3ae544a134b68e881b82b70169 |
| SHA1 | 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6 |
| SHA256 | bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b |
| SHA512 | 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0912bdcdbfa8d76ed3ab2ff4d8aa479d |
| SHA1 | 5a4debb7128aff994c0f1024f62e7aa5714352c8 |
| SHA256 | 00e4b652fa67392304e72b044806f909ac2ede9efed271f304e060b13ee1da1e |
| SHA512 | f276b688c1661fcebec6750637329256ef166b57527066c5bdc70bdb9fa4959d446e240d1b0ee80ef4491c796c1afe23e18833f29f37e335083c62ccb91d90ae |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe
| MD5 | 537915708fe4e81e18e99d5104b353ed |
| SHA1 | 128ddb7096e5b748c72dc13f55b593d8d20aa3fb |
| SHA256 | 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74 |
| SHA512 | 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\MSNCore.dll
| MD5 | deaa38a71c85d2f9d4ba71343d1603da |
| SHA1 | bdbb492512cee480794e761d1bea718db14013ec |
| SHA256 | 1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65 |
| SHA512 | 87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msidcrl40.dll
| MD5 | f1f8d156bbdd5945a4f933ac7fa7cc41 |
| SHA1 | e581235e9f1a3a8a63b8a470eaed882bc93b9085 |
| SHA256 | 344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a |
| SHA512 | 86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\contactsUX.dll
| MD5 | 54ee6a204238313dc6aca21c7e036c17 |
| SHA1 | 531fd1c18e2e4984c72334eb56af78a1048da6c7 |
| SHA256 | 0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd |
| SHA512 | 19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\gld
| MD5 | 06a62106f0d01ed3a971415b57366a8b |
| SHA1 | 9d905a38a4f53961a3828b2f759062b428dd25a9 |
| SHA256 | 6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93 |
| SHA512 | 4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\bqbr
| MD5 | 0180c5a2f5b002e8755c60a3786c4975 |
| SHA1 | 64bcbe91e3dd1dcd21709cbf189c032bb47501a2 |
| SHA256 | 6eff0ca0c63ce6c712dc5f1f892b68d43894d13b681f75ab585b6c611dc16476 |
| SHA512 | 8dbdfef7906be474ecadb7848042f3736483ef9b4ea05f4f60a3ae049a99bf1a8bcd57507b334e229c972784b6355b9dcf647c5992e56518a35d9ff0d639e1ff |
memory/1948-145-0x0000000073390000-0x000000007350B000-memory.dmp
memory/1948-146-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msvcr80.dll
| MD5 | 43143abb001d4211fab627c136124a44 |
| SHA1 | edb99760ae04bfe68aaacf34eb0287a3c10ec885 |
| SHA256 | cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03 |
| SHA512 | ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6 |
memory/4848-167-0x0000000073390000-0x000000007350B000-memory.dmp
memory/4848-168-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/428-169-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1
| MD5 | a60bfbb12614cbc931e3b427054b1e0c |
| SHA1 | a44ca11bf0cf1eb0ed7c1fb25db7be381772188a |
| SHA256 | e67c9b0a7133b40d4119b02b79366e9e526651682d28d80f66a2ffaffe0985cc |
| SHA512 | c2f273b49a77c2c2582ed9cf8a080ce503af585dfc616d92ba9ce24b6f038c859809866601d91c8231e04977aa81bdc0e53f0fc9b7faee8fd8e2d615a99c9fa1 |
memory/4120-176-0x0000000004620000-0x0000000004656000-memory.dmp
memory/4120-177-0x0000000004C90000-0x00000000052B8000-memory.dmp
memory/4120-178-0x0000000004BE0000-0x0000000004C02000-memory.dmp
memory/4120-180-0x0000000005520000-0x0000000005586000-memory.dmp
memory/4120-179-0x00000000053B0000-0x0000000005416000-memory.dmp
memory/4120-190-0x0000000005590000-0x00000000058E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 445026770286e20a8cf920fad9f581a6 |
| SHA1 | bbf4f9542dbc62c0026828cb71a829a8ba2c70ea |
| SHA256 | dbded32cb499b65562b29acea1cab7840ec0f2ecf7462bd9845914c925352c76 |
| SHA512 | ec2a16a24ead7807172d356b2e0bdb6d6acfbd54d2c38b38679ae346a144d249b79fe3ecf2abb934e1d98714ad5a5bd8a95f9a916fac85d08b412e45fab8fbba |
memory/4120-192-0x0000000005B80000-0x0000000005B9E000-memory.dmp
memory/4120-193-0x0000000005BC0000-0x0000000005C0C000-memory.dmp
memory/4120-195-0x0000000006D40000-0x0000000006D72000-memory.dmp
memory/4120-196-0x000000006EC00000-0x000000006EC4C000-memory.dmp
memory/4120-206-0x0000000006D80000-0x0000000006D9E000-memory.dmp
memory/4120-207-0x0000000006DA0000-0x0000000006E43000-memory.dmp
memory/4120-208-0x0000000007500000-0x0000000007B7A000-memory.dmp
memory/4120-209-0x0000000006EE0000-0x0000000006EFA000-memory.dmp
memory/4120-210-0x0000000006F20000-0x0000000006F2A000-memory.dmp
memory/4120-211-0x0000000007150000-0x00000000071E6000-memory.dmp
memory/4120-212-0x00000000070B0000-0x00000000070C1000-memory.dmp
memory/4848-213-0x0000000073390000-0x000000007350B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6f6c8ae7
| MD5 | 400f8a50a5e576877a41ccc485be3297 |
| SHA1 | 6a564a70e756d967183fb83025c2822a10daa4cc |
| SHA256 | b4f48e40e10385dc325ce80421315cf87d978c1d613892a1bd7b1cca766085e3 |
| SHA512 | 7c2745d0d6214b87aceef2fcc6cba7e4c754b77fae8fbef61879ee6ee00843828daf1943ab1d0ba3f5267b52b90ed4c9a24439d2b8b78bef7eb831cdc7c37e84 |
memory/4120-216-0x00000000070F0000-0x00000000070FE000-memory.dmp
memory/4120-217-0x0000000007100000-0x0000000007114000-memory.dmp
memory/4120-218-0x00000000071F0000-0x000000000720A000-memory.dmp
memory/4120-219-0x0000000007130000-0x0000000007138000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip
| MD5 | 2b304594003a38de9d5bbdafcd5428bd |
| SHA1 | 8d65aa7dd39c6d180f4211d9633bc8d0f42ece0f |
| SHA256 | dc083a97abcc87f3d153b21cf4b0ff19ca7cadc3f698b9ecfd1402b93884ac58 |
| SHA512 | f8f2ded019926010b264daa2887b591a7118c9c059e631c565d131bc3ea3727374f989c9bda92cab2427666193f796de6417a1a90333acd48db11009758be6dc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ed0ce6cdf157b8d7b3bc3f0e75e74eb6 |
| SHA1 | 49a011809331fc7bcb7c8c544405b1cd50c68500 |
| SHA256 | 6a7e1bfdfaade4f94b22759197953d1d5fcbbe3a30bea0eabb73e062e10dfc45 |
| SHA512 | 006affc28af326b1f6e72759f2ef754745d7ae214dba0fd288fbd4df4b52ae96baf7ac696cae0694850f6ea3ef8bc0d74f35773ab5d2c18fa8d644f5c8196e52 |
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\bqbr
| MD5 | 3a05d26d5f082069d4c556b9858c5fdc |
| SHA1 | 37c11326ee5279ce552261f145fe49e1fc49d05c |
| SHA256 | a4da5697b73c5d24e98dfeeaae89ae41c18d5105d0b130562c48b75f7e3a0b39 |
| SHA512 | 1bdc73e784894d9934834b1c9416313b25eab515f010c48df08efe5b7b570cd10766cceb672268daf7fdf916672f086dcb581f7a9ad237d2dc18e4f3a895beba |
memory/868-272-0x0000000073390000-0x000000007350B000-memory.dmp
memory/868-273-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/224-287-0x0000000073390000-0x000000007350B000-memory.dmp
memory/224-288-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/396-289-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/396-290-0x0000000073390000-0x000000007350B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1
| MD5 | 1576644cd260cd1d79d00d014d3cc23b |
| SHA1 | bc944bfe0ac7c4e1c87c8917b9c902f47aaed571 |
| SHA256 | dd6a49c132fceccf999c30a7f6d7ee9d0ce2dc8a14d9155200741373a0a7101a |
| SHA512 | f6a78ccb2ba72476387988308d64478ddce4861b979f0755c289b5ceb125a76191f817c68b6dfb33de95a0b9e82d81d05426bca6e2d20acf1f4e06250c1af540 |
memory/2992-299-0x0000000005810000-0x0000000005B64000-memory.dmp
memory/2992-308-0x0000000005EB0000-0x0000000005EFC000-memory.dmp
memory/428-309-0x0000000073390000-0x000000007350B000-memory.dmp
memory/2992-310-0x000000006E890000-0x000000006E8DC000-memory.dmp
memory/2992-320-0x0000000007010000-0x00000000070B3000-memory.dmp
memory/2992-321-0x0000000007340000-0x0000000007351000-memory.dmp
memory/2992-322-0x0000000007390000-0x00000000073A4000-memory.dmp
memory/224-324-0x0000000073390000-0x000000007350B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip
| MD5 | e0a6c369447034f1b7f2749620c420cc |
| SHA1 | 15b88a23dca33d84bdb2c256e67aee6705a4f122 |
| SHA256 | 3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603 |
| SHA512 | 374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a |
memory/4072-363-0x00007FFC2EA10000-0x00007FFC2EB82000-memory.dmp
memory/628-365-0x0000000000F30000-0x0000000000FB0000-memory.dmp
memory/3496-377-0x00007FFC2EA10000-0x00007FFC2EB82000-memory.dmp
memory/4224-378-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/396-381-0x0000000073390000-0x000000007350B000-memory.dmp
memory/3496-382-0x00007FFC2EA10000-0x00007FFC2EB82000-memory.dmp
memory/628-384-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/628-385-0x0000000000F30000-0x0000000000FB0000-memory.dmp
memory/3928-387-0x0000000000E00000-0x0000000000E80000-memory.dmp
memory/3928-388-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/3020-389-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/3928-390-0x0000000000E00000-0x0000000000E80000-memory.dmp
memory/628-393-0x0000000000F30000-0x0000000000FB0000-memory.dmp
memory/628-395-0x00000000041E0000-0x00000000045E0000-memory.dmp
memory/628-398-0x0000000075DA0000-0x0000000075FB5000-memory.dmp
memory/628-402-0x0000000000F30000-0x0000000000FB0000-memory.dmp
memory/4632-403-0x00000000025D0000-0x00000000029D0000-memory.dmp
memory/4632-404-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/4632-406-0x0000000075DA0000-0x0000000075FB5000-memory.dmp
memory/3928-420-0x0000000000E00000-0x0000000000E80000-memory.dmp
memory/3612-426-0x0000000000BB0000-0x0000000000C76000-memory.dmp
memory/3612-427-0x00000000051B0000-0x0000000005242000-memory.dmp
memory/3612-428-0x0000000005800000-0x0000000005DA4000-memory.dmp
memory/3612-429-0x00000000054D0000-0x0000000005692000-memory.dmp
memory/3612-430-0x0000000005250000-0x00000000052C6000-memory.dmp
memory/3612-431-0x0000000005300000-0x0000000005350000-memory.dmp
memory/3612-432-0x0000000005140000-0x000000000514A000-memory.dmp
memory/3612-433-0x00000000063E0000-0x000000000690C000-memory.dmp
memory/3612-435-0x0000000005ED0000-0x0000000005EEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA6AE.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/3612-452-0x0000000007B90000-0x0000000007B9A000-memory.dmp
memory/3612-459-0x00000000053B0000-0x00000000053C2000-memory.dmp
memory/3612-460-0x0000000005410000-0x000000000544C000-memory.dmp
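The memory/<pid>-<n>-<start>-<end>-memory.dmp entries interleaved with the dropped files are the regions the sandbox dumped from each process. This added example (not part of the report) parses a subset of those names and tags each region with a heuristic: a range dumped at the identical address from several PIDs is a shared system module; a region starting at 0x400000 is the default image base of a 32-bit EXE, so it is the process's own image and the region a hollowing loader overwrites; everything else is a private allocation, and the large ones are the first thing to carve for an unpacked PE. The name layout is my reading of the entries above, and the size threshold and the "shared if seen in two or more PIDs" rule are tunable assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample: a subset of the memory-dump names listed above, embedded
# so the script runs offline.
DUMP_NAMES = """
memory/924-11-0x0000000000400000-0x000000000047E000-memory.dmp
memory/924-15-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/924-18-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/924-21-0x0000000075DA0000-0x0000000075FB5000-memory.dmp
memory/5060-22-0x0000000000850000-0x0000000000859000-memory.dmp
memory/5060-24-0x00000000024E0000-0x00000000028E0000-memory.dmp
memory/5060-26-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/5060-28-0x0000000075DA0000-0x0000000075FB5000-memory.dmp
memory/628-365-0x0000000000F30000-0x0000000000FB0000-memory.dmp
memory/628-384-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp
memory/628-395-0x00000000041E0000-0x00000000045E0000-memory.dmp
memory/3612-426-0x0000000000BB0000-0x0000000000C76000-memory.dmp
memory/3612-433-0x00000000063E0000-0x000000000690C000-memory.dmp
"""

# Assumed layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(text: str) -> list[dict]:
    out = []
    for name in text.split():
        m = NAME_RE.fullmatch(name.strip())
        if m:
            pid, seq, start, end = m.groups()
            out.append({"pid": int(pid), "seq": int(seq),
                        "start": int(start, 16), "end": int(end, 16)})
    return out


def classify_regions(dumps, shared_min_pids: int = 2) -> list[dict]:
    """Tag each dump:
      shared-module : identical range dumped from >= shared_min_pids processes,
                      i.e. a DLL mapped at the same base everywhere, not payload
      default-image : starts at 0x400000, the default base of a 32-bit EXE,
                      so the process's own image (what a hollowing loader rewrites)
      private-blob  : anything else, a private allocation worth carving
    """
    pids_per_range = defaultdict(set)
    for d in dumps:
        pids_per_range[(d["start"], d["end"])].add(d["pid"])
    tagged = []
    for d in dumps:
        if len(pids_per_range[(d["start"], d["end"])]) >= shared_min_pids:
            tag = "shared-module"
        elif d["start"] == 0x400000:
            tag = "default-image"
        else:
            tag = "private-blob"
        tagged.append({**d, "size": d["end"] - d["start"], "tag": tag})
    return tagged


def carve_candidates(tagged, min_size: int = 0x10000) -> dict[int, list[dict]]:
    """Per PID, the non-shared regions big enough to hold a PE, largest first."""
    by_pid = defaultdict(list)
    for t in tagged:
        if t["tag"] != "shared-module" and t["size"] >= min_size:
            by_pid[t["pid"]].append(t)
    return {pid: sorted(v, key=lambda t: t["size"], reverse=True) for pid, v in by_pid.items()}


if __name__ == "__main__":
    for pid, regs in carve_candidates(classify_regions(parse_dumps(DUMP_NAMES))).items():
        for r in regs:
            print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} ({r['size']:#x} bytes, {r['tag']})")
```

On the sample, PID 924 yields its image (0x400000, about 0x7E000 bytes) and a 4 MiB private region, and the same 4 MiB size recurs in 5060 and 628 at different bases; when you open these dumps, check the first bytes of each private region for an MZ header or for a PE with the header stripped before spending time on the shared ranges, which are the same ntdll/kernel32-style mappings in every process.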
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 23:36
Reported
2024-10-20 23:40
Platform
win11-20241007-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Amadey
Rhadamanthys
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1980 created 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | C:\Windows\system32\sihost.exe |
| PID 4764 created 2936 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
| PID 4948 created 2936 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe | N/A |
| N/A | N/A | C:\ProgramData\downloaddemo_test\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe | N/A |
| N/A | N/A | C:\ProgramData\Svclocalv4\msn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5012 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
| PID 1388 set thread context of 4596 | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4892 set thread context of 1628 | N/A | C:\ProgramData\downloaddemo_test\msn.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3580 set thread context of 3636 | N/A | C:\ProgramData\Svclocalv4\msn.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1952 set thread context of 3956 | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3636 set thread context of 1008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
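The two tables above describe one loader behaviour from two angles: the NtCreateUserProcessOtherParentProcess rows are parent-PID spoofing (openwith.exe is started by hdoqgihvw.exe and by the explorer.exe instances, but records sihost.exe as its parent, which is what the parent-process attribute on process creation allows), and the SetThreadContext rows are the hollowing steps, with msn.exe writing into cmd.exe and that cmd.exe writing into MSBuild.exe. The script below is an added example, not part of this report and not code from any of the families named on the page. It rebuilds both findings from constructed telemetry records using the PIDs and images listed above; the record field names (creator_pid, parent_pid, source_pid, target_pid) are assumptions modelled on ETW kernel process-start events, where the event header carries the PID that actually called NtCreateUserProcess while the payload carries the parent the new process claims. PID 1 (sandbox launcher) and PIDs 9001-9003 (the three openwith.exe children) are placeholders, since the report does not print them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    creator_pid: int  # PID that issued the create call (ETW event header PID)
    parent_pid: int   # parent the new process claims (event payload / PEB)


@dataclass(frozen=True)
class ThreadContextSet:
    source_pid: int   # process calling SetThreadContext
    target_pid: int   # process whose thread was rewritten


# Constructed input, built from the behavioral2 tables above. Assumptions:
# PID 1 stands in for the sandbox launcher and 9001-9003 for the three
# openwith.exe children, which the report does not number; each hollowed
# cmd.exe/MSBuild.exe is given the process that wrote its thread context as
# creator and parent, which the report does not print either.
T = r"C:\Users\Admin\AppData\Local\Temp"
W = r"C:\Windows\SysWOW64"
STARTS = [
    ProcessStart(2936, r"C:\Windows\system32\sihost.exe", 1, 1),
    ProcessStart(5012, T + r"\hdoqgihvw.exe", 1, 1),
    ProcessStart(1980, T + r"\hdoqgihvw.exe", 5012, 5012),
    ProcessStart(9001, W + r"\openwith.exe", 1980, 2936),   # spoofed parent
    ProcessStart(4764, W + r"\explorer.exe", 1, 1),
    ProcessStart(9002, W + r"\openwith.exe", 4764, 2936),   # spoofed parent
    ProcessStart(4948, W + r"\explorer.exe", 1, 1),
    ProcessStart(9003, W + r"\openwith.exe", 4948, 2936),   # spoofed parent
    ProcessStart(1388, r"C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe", 1, 1),
    ProcessStart(4596, W + r"\cmd.exe", 1388, 1388),
    ProcessStart(4892, r"C:\ProgramData\downloaddemo_test\msn.exe", 1, 1),
    ProcessStart(1628, W + r"\cmd.exe", 4892, 4892),
    ProcessStart(3580, r"C:\ProgramData\Svclocalv4\msn.exe", 1, 1),
    ProcessStart(3636, W + r"\cmd.exe", 3580, 3580),
    ProcessStart(1008, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", 3636, 3636),
    ProcessStart(1952, r"C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe", 1, 1),
    ProcessStart(3956, W + r"\cmd.exe", 1952, 1952),
]
CONTEXT_SETS = [ThreadContextSet(s, t) for s, t in
                [(5012, 1980), (1388, 4596), (4892, 1628),
                 (3580, 3636), (1952, 3956), (3636, 1008)]]
HOLLOW_HOSTS = {"cmd.exe", "msbuild.exe", "explorer.exe", "openwith.exe"}


def ppid_spoofing(starts):
    """Starts where the PID that called NtCreateUserProcess is not the parent
    the child claims: the condition behind the
    NtCreateUserProcessOtherParentProcess rows. Security event 4688 and a
    plain parent-PID lookup only show the claimed parent, so the real creator
    has to come from the kernel process-tracing provider or a driver callback."""
    image = {s.pid: s.image for s in starts}
    return [
        {"creator": s.creator_pid, "creator_image": image.get(s.creator_pid),
         "claimed_parent": s.parent_pid, "claimed_image": image.get(s.parent_pid),
         "child": s.pid, "child_image": s.image}
        for s in starts if s.creator_pid != s.parent_pid
    ]


def injection_chains(sets):
    """Follow SetThreadContext edges from processes nobody wrote into, so the
    two-hop sequence msn.exe -> cmd.exe -> MSBuild.exe is reported as one
    chain instead of two unrelated rows."""
    nxt = defaultdict(list)
    for e in sets:
        nxt[e.source_pid].append(e.target_pid)
    targets = {e.target_pid for e in sets}
    chains = []

    def walk(path):
        if not nxt[path[-1]]:
            chains.append(path)
        for t in nxt[path[-1]]:
            if t not in path:          # guard against cyclic telemetry
                walk(path + [t])

    for root in dict.fromkeys(e.source_pid for e in sets):
        if root not in targets:
            walk([root])
    return chains


def hollowing_findings(chains, starts):
    """Keep chains that start in a user-writable directory and end either in a
    well-known host for hollowed code or in a second copy of the same image."""
    image = {s.pid: s.image for s in starts}
    out = []
    for chain in chains:
        names = [image.get(p, "?") for p in chain]
        first, last = names[0].lower(), names[-1].lower()
        writable = "\\appdata\\local\\" in first or "\\programdata\\" in first
        host = last.rsplit("\\", 1)[-1] in HOLLOW_HOSTS or first == last
        if writable and host:
            out.append({"pids": chain, "images": names})
    return out


if __name__ == "__main__":
    for hit in ppid_spoofing(STARTS):
        print("PPID spoof:", hit)
    for finding in hollowing_findings(injection_chains(CONTEXT_SETS), STARTS):
        print("Injection chain:", " -> ".join(finding["images"]))
```

Against the constructed records this reports the three spoofed openwith.exe starts (creators 1980, 4764 and 4948, all claiming 2936) and five injection chains, including the three-process chain that ends in MSBuild.exe. The one caveat worth keeping in mind when porting this to real telemetry is the first function's input: Sysmon event 1 and Windows event 4688 both record the spoofed parent, so a detector fed only from those sources cannot see the mismatch at all.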
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\downloaddemo_test\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Svclocalv4\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | N/A |
| N/A | N/A | C:\ProgramData\downloaddemo_test\msn.exe | N/A |
| N/A | N/A | C:\ProgramData\Svclocalv4\msn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | "C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe" |
| C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe | "C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe" |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1980 -ip 1980 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 456 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1980 -ip 1980 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 452 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\' |
| C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | "C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe" |
| C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe | C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\' |
| C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe | "C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe" |
| C:\ProgramData\downloaddemo_test\msn.exe | C:\ProgramData\downloaddemo_test\msn.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\' |
| C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe | "C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe" |
| C:\ProgramData\Svclocalv4\msn.exe | C:\ProgramData\Svclocalv4\msn.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\' |
| C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | "C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe" |
| C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe | C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
Network
| Country | Destination | Domain | Proto |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 8.8.8.8:53 | 96.158.208.185.in-addr.arpa | udp |
| US | 104.21.46.78:443 | transfer-files.digital | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| LT | 194.165.16.25:15647 | | tcp |
| LT | 194.165.16.25:9000 | 194.165.16.25 | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\973800497271
| MD5 | ac3587c579ee7bd49b6ddd5f8f1e7474 |
| SHA1 | 92e383cd666d0add99dfdf232382a1b38114604a |
| SHA256 | 025c4e229034e369972d2cf524354810a670507752c82f8e16eb1ead7fedf210 |
| SHA512 | f27ad4bb1c27988e3ca5f4eb8db1f32f4f899ad0c040b0df9bcc6e734cbbbeece5e708fbb59ab4b109190291a86d0612de65a2a3f2122faefcadc1afe0a09fe1 |
memory/1980-11-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1980-13-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1980-12-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1980-14-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1980-15-0x0000000003C70000-0x0000000004070000-memory.dmp
memory/1980-16-0x0000000003C70000-0x0000000004070000-memory.dmp
memory/1980-17-0x0000000003C70000-0x0000000004070000-memory.dmp
memory/1980-22-0x0000000077660000-0x00000000778B2000-memory.dmp
memory/2000-23-0x0000000000470000-0x0000000000479000-memory.dmp
memory/2000-25-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/1980-20-0x00007FFB654C1000-0x00007FFB655EA000-memory.dmp
memory/1980-19-0x0000000003C70000-0x0000000004070000-memory.dmp
memory/1980-18-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/2000-26-0x00000000020D0000-0x00000000024D0000-memory.dmp
memory/2000-29-0x0000000077660000-0x00000000778B2000-memory.dmp
memory/2000-30-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/2000-31-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/1980-32-0x0000000003C70000-0x0000000004070000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip
| MD5 | f169e93956f90c9b4fee4800e4fb655f |
| SHA1 | fb0005f2d2213f1e486c3d1c2992cf35b8450591 |
| SHA256 | 61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1 |
| SHA512 | ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otquwfzz.cdd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/312-45-0x000001A4CEB50000-0x000001A4CEB72000-memory.dmp
memory/312-50-0x000001A4E70D0000-0x000001A4E70DA000-memory.dmp
memory/312-49-0x000001A4E7200000-0x000001A4E7212000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
| MD5 | e634616d3b445fc1cd55ee79cf5326ea |
| SHA1 | ca27a368d87bc776884322ca996f3b24e20645f4 |
| SHA256 | 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 |
| SHA512 | 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll
| MD5 | 4b262612db64f26ea1168ca569811110 |
| SHA1 | 8e59964d1302a3109513cd4fd22c1f313e79654c |
| SHA256 | a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f |
| SHA512 | 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll
| MD5 | c39b26fd913f74e1b80df54a3c58cfb7 |
| SHA1 | d81a62a78fbe5294c9298721e588ed9b38aafd9e |
| SHA256 | eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68 |
| SHA512 | 4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm
| MD5 | d272096a4ad0ba0c3001c21804b11835 |
| SHA1 | 3b3933a81cf97301e1e1a4f3c37df2dbb32d3679 |
| SHA256 | 975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f |
| SHA512 | 6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq
| MD5 | b23152452b6c798ee1b57352cc5ebce1 |
| SHA1 | 219a30751cda0df049fecc8247daf34fe57d1f4a |
| SHA256 | c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a |
| SHA512 | c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d |
memory/128-72-0x00007FFB56580000-0x00007FFB566FA000-memory.dmp
memory/128-82-0x00007FFB59CE0000-0x00007FFB59D14000-memory.dmp
memory/128-81-0x00007FF7DBD50000-0x00007FF7DBE48000-memory.dmp
memory/1388-90-0x00007FFB56580000-0x00007FFB566FA000-memory.dmp
memory/128-83-0x00007FFB51710000-0x00007FFB519C5000-memory.dmp
memory/1388-91-0x00007FFB56580000-0x00007FFB566FA000-memory.dmp
memory/1388-93-0x00007FF727C50000-0x00007FF727D48000-memory.dmp
memory/1388-95-0x00007FFB44DE0000-0x00007FFB45095000-memory.dmp
memory/1388-94-0x00007FFB56BE0000-0x00007FFB56C14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\780bba76
| MD5 | cd85d1730b041a0787347414b970582c |
| SHA1 | 41732caed5e98b4249eb43e73071192d7ca9a53f |
| SHA256 | 294d49577a4511b81b6216c60ab07d2a95bf3574f315ac55d9e921b51ee644b5 |
| SHA512 | 16723d71da421709f7b2461162ee72fb47fe5b8377e281b7efc5948b16cd1e233da26857582dbe576c05d17cb5f6c655238fe97b4412371c48419c1168592560 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip
| MD5 | 03138e3ecc2df5643bfb9dc41722d6cf |
| SHA1 | d8d52a348adb94ef66a285e976876396dcde0634 |
| SHA256 | 48ede0e3a4e2b696205f639bb5f826825d83f587c5b86d5b6fea31ef5ae4e1dc |
| SHA512 | c53f09588fe9fd7bd5328140f0b235686b36be30fa09a430015fa319c1e3dbb20ab58e84ec4ed7515c39c1168e316d808a744875ac3f375c443786a9b584f6f1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ae626d9a72417b14570daa8fcd5d34a4 |
| SHA1 | c103ebaf4d760df722d620df87e6f07c0486439f |
| SHA256 | 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a |
| SHA512 | a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b58e6de9cf9aa1c43c15c4e5bacebd1 |
| SHA1 | 706600fc3b8d7551ff18452f1025e8a0480b3e6d |
| SHA256 | e04e22e7bcc9ddb67fb534f1eb10e4af31d9f07d0c6f2b54d133dd5996ba0be9 |
| SHA512 | dbef32d4a09bb46e999a7bee2aec0e54431dec644f54aa9a1e9833a1b0ee340589ee76cd32e2b5fddb6fc64e641777c96e43cc93d2e805f8443d58ef5a4095fe |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe
| MD5 | 537915708fe4e81e18e99d5104b353ed |
| SHA1 | 128ddb7096e5b748c72dc13f55b593d8d20aa3fb |
| SHA256 | 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74 |
| SHA512 | 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\MSNCore.dll
| MD5 | deaa38a71c85d2f9d4ba71343d1603da |
| SHA1 | bdbb492512cee480794e761d1bea718db14013ec |
| SHA256 | 1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65 |
| SHA512 | 87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\contactsUX.dll
| MD5 | 54ee6a204238313dc6aca21c7e036c17 |
| SHA1 | 531fd1c18e2e4984c72334eb56af78a1048da6c7 |
| SHA256 | 0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd |
| SHA512 | 19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msidcrl40.dll
| MD5 | f1f8d156bbdd5945a4f933ac7fa7cc41 |
| SHA1 | e581235e9f1a3a8a63b8a470eaed882bc93b9085 |
| SHA256 | 344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a |
| SHA512 | 86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\gld
| MD5 | 06a62106f0d01ed3a971415b57366a8b |
| SHA1 | 9d905a38a4f53961a3828b2f759062b428dd25a9 |
| SHA256 | 6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93 |
| SHA512 | 4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74 |
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\bqbr
| MD5 | 0180c5a2f5b002e8755c60a3786c4975 |
| SHA1 | 64bcbe91e3dd1dcd21709cbf189c032bb47501a2 |
| SHA256 | 6eff0ca0c63ce6c712dc5f1f892b68d43894d13b681f75ab585b6c611dc16476 |
| SHA512 | 8dbdfef7906be474ecadb7848042f3736483ef9b4ea05f4f60a3ae049a99bf1a8bcd57507b334e229c972784b6355b9dcf647c5992e56518a35d9ff0d639e1ff |
memory/3132-140-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/3132-141-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msvcr80.dll
| MD5 | 43143abb001d4211fab627c136124a44 |
| SHA1 | edb99760ae04bfe68aaacf34eb0287a3c10ec885 |
| SHA256 | cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03 |
| SHA512 | ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6 |
memory/4596-160-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/4892-163-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/4892-164-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1
| MD5 | a60bfbb12614cbc931e3b427054b1e0c |
| SHA1 | a44ca11bf0cf1eb0ed7c1fb25db7be381772188a |
| SHA256 | e67c9b0a7133b40d4119b02b79366e9e526651682d28d80f66a2ffaffe0985cc |
| SHA512 | c2f273b49a77c2c2582ed9cf8a080ce503af585dfc616d92ba9ce24b6f038c859809866601d91c8231e04977aa81bdc0e53f0fc9b7faee8fd8e2d615a99c9fa1 |
memory/1012-171-0x00000000021F0000-0x0000000002226000-memory.dmp
memory/1012-172-0x0000000004C70000-0x000000000529A000-memory.dmp
memory/1012-173-0x0000000004B70000-0x0000000004B92000-memory.dmp
memory/1012-174-0x0000000005410000-0x0000000005476000-memory.dmp
memory/1012-175-0x00000000053A0000-0x0000000005406000-memory.dmp
memory/1012-184-0x00000000054B0000-0x0000000005807000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e40b61b377cb484afda94f3877f7a82 |
| SHA1 | 6b0bc316c54fe7ab0d3c2de016742718bcb7571a |
| SHA256 | e7cb313e0fe42ca5221e36c3baa8f3ee5d4fa0b35a2e712a0c804abcc911ca00 |
| SHA512 | a476333712e64550a694615411dd7f990fd81ab415dba5466b7d83535789d5e4563daaad2d1262ee8603526bf20346b10c1d56b86b6ce498031fcdc5ac1599f6 |
memory/1012-186-0x00000000059F0000-0x0000000005A0E000-memory.dmp
memory/1012-187-0x0000000005A10000-0x0000000005A5C000-memory.dmp
memory/1012-189-0x0000000006BF0000-0x0000000006C24000-memory.dmp
memory/1012-190-0x000000006F260000-0x000000006F2AC000-memory.dmp
memory/1012-199-0x0000000006BB0000-0x0000000006BCE000-memory.dmp
memory/1012-200-0x0000000006C30000-0x0000000006CD4000-memory.dmp
memory/1012-201-0x00000000073F0000-0x0000000007A6A000-memory.dmp
memory/1012-202-0x0000000006D40000-0x0000000006D5A000-memory.dmp
memory/1012-203-0x0000000006DB0000-0x0000000006DBA000-memory.dmp
memory/4892-204-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/1012-206-0x0000000006FF0000-0x0000000007086000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\afd74d97
| MD5 | 5f57c8cd46cce093754b43558dff7cc1 |
| SHA1 | d706b86e5cd0136abc06cabae06dc8f27f4595af |
| SHA256 | fe66d9ec713cf89eb1d73577c01ec48e5765c22427392bc237252ebcefa34ca4 |
| SHA512 | ad185de7d9d739490cb11d9f593d2d5c9df74863039c95e18e18e93ff31cf8a90b8ce5b35e2b11adf1544ade670139fb69ee26c8ffbd1ef5f93dacebc37fb1bd |
memory/1012-208-0x0000000006F50000-0x0000000006F61000-memory.dmp
memory/1012-209-0x0000000006F80000-0x0000000006F8E000-memory.dmp
memory/1012-210-0x0000000006F90000-0x0000000006FA5000-memory.dmp
memory/1012-211-0x0000000007090000-0x00000000070AA000-memory.dmp
memory/1012-212-0x0000000006FD0000-0x0000000006FD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip
| MD5 | 2b304594003a38de9d5bbdafcd5428bd |
| SHA1 | 8d65aa7dd39c6d180f4211d9633bc8d0f42ece0f |
| SHA256 | dc083a97abcc87f3d153b21cf4b0ff19ca7cadc3f698b9ecfd1402b93884ac58 |
| SHA512 | f8f2ded019926010b264daa2887b591a7118c9c059e631c565d131bc3ea3727374f989c9bda92cab2427666193f796de6417a1a90333acd48db11009758be6dc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 799cc63b5c9cdca789882b66eb748766 |
| SHA1 | 82a7e0f7c83af37a685125972922d5152af0d674 |
| SHA256 | e97e3d2412a9624bd30f1478cd35b7d3829e9d410a1c8ff70c8c2333b2cfc54c |
| SHA512 | 83f744282ccd3694d58b5f668ced067931b44505c1e309ff5d5bd7125d5805ee623833ee5656ee0f2ca585d7dead2c8d7cdc7195a7ffedf206e82f1f30b11f8c |
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\bqbr
| MD5 | 3a05d26d5f082069d4c556b9858c5fdc |
| SHA1 | 37c11326ee5279ce552261f145fe49e1fc49d05c |
| SHA256 | a4da5697b73c5d24e98dfeeaae89ae41c18d5105d0b130562c48b75f7e3a0b39 |
| SHA512 | 1bdc73e784894d9934834b1c9416313b25eab515f010c48df08efe5b7b570cd10766cceb672268daf7fdf916672f086dcb581f7a9ad237d2dc18e4f3a895beba |
memory/3348-266-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/3348-267-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/3580-281-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/3580-282-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/1628-283-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/1628-284-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/4596-286-0x0000000073940000-0x0000000073ABD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1
| MD5 | 1576644cd260cd1d79d00d014d3cc23b |
| SHA1 | bc944bfe0ac7c4e1c87c8917b9c902f47aaed571 |
| SHA256 | dd6a49c132fceccf999c30a7f6d7ee9d0ce2dc8a14d9155200741373a0a7101a |
| SHA512 | f6a78ccb2ba72476387988308d64478ddce4861b979f0755c289b5ceb125a76191f817c68b6dfb33de95a0b9e82d81d05426bca6e2d20acf1f4e06250c1af540 |
memory/4920-301-0x0000000005990000-0x0000000005CE7000-memory.dmp
memory/4920-302-0x0000000005ED0000-0x0000000005F1C000-memory.dmp
memory/4920-303-0x000000006EE30000-0x000000006EE7C000-memory.dmp
memory/4920-312-0x0000000006E50000-0x0000000006EF4000-memory.dmp
memory/4920-313-0x0000000007380000-0x0000000007391000-memory.dmp
memory/4920-314-0x00000000073D0000-0x00000000073E5000-memory.dmp
memory/3580-315-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/4764-319-0x0000000000FD0000-0x0000000001050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip
| MD5 | e0a6c369447034f1b7f2749620c420cc |
| SHA1 | 15b88a23dca33d84bdb2c256e67aee6705a4f122 |
| SHA256 | 3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603 |
| SHA512 | 374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a |
memory/1672-356-0x00007FFB560F0000-0x00007FFB5626A000-memory.dmp
memory/1952-368-0x00007FFB560F0000-0x00007FFB5626A000-memory.dmp
memory/3636-369-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/4764-372-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/1628-373-0x0000000073940000-0x0000000073ABD000-memory.dmp
memory/4764-374-0x0000000000FD0000-0x0000000001050000-memory.dmp
memory/1952-375-0x00007FFB560F0000-0x00007FFB5626A000-memory.dmp
memory/4948-378-0x0000000000710000-0x0000000000790000-memory.dmp
memory/3956-379-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/4948-381-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/4948-383-0x0000000000710000-0x0000000000790000-memory.dmp
memory/4764-385-0x00000000043A0000-0x00000000047A0000-memory.dmp
memory/4764-388-0x0000000077660000-0x00000000778B2000-memory.dmp
memory/4764-391-0x0000000000FD0000-0x0000000001050000-memory.dmp
memory/968-393-0x0000000002950000-0x0000000002D50000-memory.dmp
memory/968-394-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp
memory/968-396-0x0000000077660000-0x00000000778B2000-memory.dmp
memory/1008-398-0x0000000071A30000-0x0000000072D47000-memory.dmp
memory/1008-401-0x0000000001100000-0x00000000011C6000-memory.dmp
memory/1008-402-0x00000000057D0000-0x0000000005862000-memory.dmp
memory/1008-403-0x0000000005E20000-0x00000000063C6000-memory.dmp
memory/1008-404-0x0000000005A40000-0x0000000005C02000-memory.dmp
memory/1008-405-0x0000000005870000-0x00000000058E6000-memory.dmp
memory/1008-406-0x00000000058F0000-0x0000000005940000-memory.dmp
memory/1008-407-0x00000000056F0000-0x00000000056FA000-memory.dmp
memory/1008-408-0x0000000006A00000-0x0000000006F2C000-memory.dmp
memory/1008-409-0x0000000005DF0000-0x0000000005E0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA41E.tmp
| MD5 | 22be08f683bcc01d7a9799bbd2c10041 |
| SHA1 | 2efb6041cf3d6e67970135e592569c76fc4c41de |
| SHA256 | 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457 |
| SHA512 | 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936 |
memory/1008-428-0x0000000008280000-0x000000000828A000-memory.dmp
memory/4948-438-0x0000000000710000-0x0000000000790000-memory.dmp
memory/1008-449-0x0000000005960000-0x0000000005972000-memory.dmp
memory/1008-450-0x0000000005CD0000-0x0000000005D0C000-memory.dmp