amadey | 138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2023 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
Size

531KB
MD5

a544d2c23c55904dbf0f0190f42eaac6
SHA1

e9d920e5400b36562dfe81b900b99d35b70576b9
SHA256

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a
SHA512

21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5
SSDEEP

12288:fz9JHhp3l7Nt0P78PyCp3qkxD+XYaVikoSG6s7XuwMefn:fzXtNeP7v6XZMYackkX/

Score

10^/10

amadey zgrat discovery rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.12

http://brodoyouevenlift.co.za

Attributes

install_dir
ce3eb8f6b2
install_file
Utsysc.exe
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
url_paths
/g9sdjScV2/index.php

/vdhe8ejs3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1772-171-0x0000018078750000-0x0000018078850000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeOpesi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Opesi.exe

Executes dropped EXE 15 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeOpesi.exeOpesi.exeUtsysc.exeUtsysc.exeWlssejinnvz.exeWlssejinnvz.exeUtsysc.exeUtsysc.exeTypeId.exeTypeId.exe

pid	process
3200	Utsysc.exe
1056	Utsysc.exe
4620	Utsysc.exe
3592	Utsysc.exe
4724	Utsysc.exe
4392	Opesi.exe
2312	Opesi.exe
1344	Utsysc.exe
492	Utsysc.exe
3088	Wlssejinnvz.exe
1772	Wlssejinnvz.exe
1916	Utsysc.exe
1148	Utsysc.exe
1116	TypeId.exe
4360	TypeId.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeUtsysc.exeOpesi.exeUtsysc.exeWlssejinnvz.exeUtsysc.exeTypeId.exe

description	pid	process	target process
PID 904 set thread context of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 3200 set thread context of 1056	3200	Utsysc.exe	Utsysc.exe
PID 4620 set thread context of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4392 set thread context of 2312	4392	Opesi.exe	Opesi.exe
PID 1344 set thread context of 492	1344	Utsysc.exe	Utsysc.exe
PID 3088 set thread context of 1772	3088	Wlssejinnvz.exe	Wlssejinnvz.exe
PID 1916 set thread context of 1148	1916	Utsysc.exe	Utsysc.exe
PID 1116 set thread context of 4360	1116	TypeId.exe	TypeId.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opesi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Opesi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Opesi.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1860 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4408 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Utsysc.exeOpesi.exeWlssejinnvz.exeTypeId.exe

pid process

4620 Utsysc.exe
4620 Utsysc.exe
2312 Opesi.exe
2312 Opesi.exe
3088 Wlssejinnvz.exe
1116 TypeId.exe

pid	process
1860	schtasks.exe

pid	process
4408	timeout.exe

pid	process
4620	Utsysc.exe
4620	Utsysc.exe
2312	Opesi.exe
2312	Opesi.exe
3088	Wlssejinnvz.exe
1116	TypeId.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeUtsysc.exeOpesi.exeUtsysc.exeWlssejinnvz.exeWlssejinnvz.exeUtsysc.exeTypeId.exe

description	pid	process
Token: SeDebugPrivilege	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
Token: SeDebugPrivilege	3200	Utsysc.exe
Token: SeDebugPrivilege	4620	Utsysc.exe
Token: SeDebugPrivilege	4392	Opesi.exe
Token: SeDebugPrivilege	1344	Utsysc.exe
Token: SeDebugPrivilege	3088	Wlssejinnvz.exe
Token: SeDebugPrivilege	1772	Wlssejinnvz.exe
Token: SeDebugPrivilege	1916	Utsysc.exe
Token: SeDebugPrivilege	1116	TypeId.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

pid process

1636 138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

pid	process
1636	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exeUtsysc.exeUtsysc.exeUtsysc.exeOpesi.exeOpesi.execmd.exeUtsysc.exe

description	pid	process	target process
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 904 wrote to memory of 1636	904	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
PID 1636 wrote to memory of 3200	1636	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	Utsysc.exe
PID 1636 wrote to memory of 3200	1636	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	Utsysc.exe
PID 1636 wrote to memory of 3200	1636	138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 3200 wrote to memory of 1056	3200	Utsysc.exe	Utsysc.exe
PID 1056 wrote to memory of 1860	1056	Utsysc.exe	schtasks.exe
PID 1056 wrote to memory of 1860	1056	Utsysc.exe	schtasks.exe
PID 1056 wrote to memory of 1860	1056	Utsysc.exe	schtasks.exe
PID 4620 wrote to memory of 3592	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 3592	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 3592	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 4620 wrote to memory of 4724	4620	Utsysc.exe	Utsysc.exe
PID 1056 wrote to memory of 4392	1056	Utsysc.exe	Opesi.exe
PID 1056 wrote to memory of 4392	1056	Utsysc.exe	Opesi.exe
PID 1056 wrote to memory of 4392	1056	Utsysc.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 4392 wrote to memory of 2312	4392	Opesi.exe	Opesi.exe
PID 2312 wrote to memory of 1088	2312	Opesi.exe	cmd.exe
PID 2312 wrote to memory of 1088	2312	Opesi.exe	cmd.exe
PID 2312 wrote to memory of 1088	2312	Opesi.exe	cmd.exe
PID 1088 wrote to memory of 4408	1088	cmd.exe	timeout.exe
PID 1088 wrote to memory of 4408	1088	cmd.exe	timeout.exe
PID 1088 wrote to memory of 4408	1088	cmd.exe	timeout.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe
PID 1344 wrote to memory of 492	1344	Utsysc.exe	Utsysc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
"C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
C:\Users\Admin\AppData\Local\Temp\138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:1860

C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe" & del "C:\ProgramData\*.dll"" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
8⤵
- Delays execution with timeout.exe
PID:4408

C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:492

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
2⤵
- Executes dropped EXE
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wlssejinnvz.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log

Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe

Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\811856890180

Filesize
84KB

MD5
442147dc966aabce10b543761541db71

SHA1
aa2b3a5102c5c626cbbe16844fc3be0a1932e71c

SHA256
5a7663e1aaee0656ffe74e6fcae7a437c5517c58dae6dc6f3dcc103834c01214

SHA512
6adf79c5aef99006d5c9d30e2b06986ce6ebe43b9fb17b855c06f8a86f96a3b3d7af80227cbb007522bf5845441f677c1e6af101072b974e2a2d0d63509dfa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
memory/492-126-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/492-128-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/492-129-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/904-1-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/904-11-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/904-7-0x0000000005700000-0x0000000005760000-memory.dmp

Filesize
384KB

Download
memory/904-6-0x00000000055A0000-0x0000000005600000-memory.dmp

Filesize
384KB

Download
memory/904-5-0x0000000005520000-0x000000000559A000-memory.dmp

Filesize
488KB

Download
memory/904-4-0x00000000054A0000-0x0000000005518000-memory.dmp

Filesize
480KB

Download
memory/904-16-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/904-10-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/904-0-0x00000000009C0000-0x0000000000A4C000-memory.dmp

Filesize
560KB

Download
memory/904-9-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/904-3-0x0000000005420000-0x0000000005498000-memory.dmp

Filesize
480KB

Download
memory/904-8-0x0000000005760000-0x00000000057AC000-memory.dmp

Filesize
304KB

Download
memory/904-2-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1056-157-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-147-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-70-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-39-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1056-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1116-199-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/1116-192-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/1148-189-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1148-186-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1148-187-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1344-122-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/1344-123-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1344-127-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/1636-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1636-17-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1636-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1636-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1636-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1772-167-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1772-177-0x0000018078A40000-0x0000018078A94000-memory.dmp

Filesize
336KB

Download
memory/1772-180-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/1772-176-0x0000018078850000-0x00000180788A6000-memory.dmp

Filesize
344KB

Download
memory/1772-173-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/1772-175-0x000001805E6E0000-0x000001805E6E8000-memory.dmp

Filesize
32KB

Download
memory/1772-171-0x0000018078750000-0x0000018078850000-memory.dmp

Filesize
1024KB

Download
memory/1772-174-0x0000018078930000-0x0000018078940000-memory.dmp

Filesize
64KB

Download
memory/1916-182-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/1916-183-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/1916-188-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/2312-90-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2312-94-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2312-96-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2312-99-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2312-100-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2312-102-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2312-120-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3088-172-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/3088-165-0x0000025877C60000-0x0000025877D30000-memory.dmp

Filesize
832KB

Download
memory/3088-164-0x0000025877B70000-0x0000025877C58000-memory.dmp

Filesize
928KB

Download
memory/3088-163-0x0000025877A80000-0x0000025877B68000-memory.dmp

Filesize
928KB

Download
memory/3088-162-0x0000025877990000-0x0000025877A78000-memory.dmp

Filesize
928KB

Download
memory/3088-161-0x000002585F070000-0x000002585F080000-memory.dmp

Filesize
64KB

Download
memory/3088-166-0x0000025877E30000-0x0000025877F00000-memory.dmp

Filesize
832KB

Download
memory/3088-160-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/3088-159-0x000002585D420000-0x000002585D518000-memory.dmp

Filesize
992KB

Download
memory/3200-38-0x0000000073330000-0x0000000073AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3200-32-0x0000000073330000-0x0000000073AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3200-33-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/4360-198-0x0000015431390000-0x00000154313A0000-memory.dmp

Filesize
64KB

Download
memory/4360-197-0x00007FFAFE6C0000-0x00007FFAFF181000-memory.dmp

Filesize
10.8MB

Download
memory/4392-89-0x00000000053A0000-0x00000000053DC000-memory.dmp

Filesize
240KB

Download
memory/4392-85-0x0000000005140000-0x0000000005194000-memory.dmp

Filesize
336KB

Download
memory/4392-84-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4392-82-0x00000000008A0000-0x0000000000906000-memory.dmp

Filesize
408KB

Download
memory/4392-83-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4392-95-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4392-88-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/4392-87-0x0000000005200000-0x0000000005254000-memory.dmp

Filesize
336KB

Download
memory/4392-86-0x00000000051B0000-0x0000000005204000-memory.dmp

Filesize
336KB

Download
memory/4620-59-0x0000000072D10000-0x00000000734C0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-51-0x0000000072D10000-0x00000000734C0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-52-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4724-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4724-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4724-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download