amadey | 138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
Size

531KB
MD5

a544d2c23c55904dbf0f0190f42eaac6
SHA1

e9d920e5400b36562dfe81b900b99d35b70576b9
SHA256

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a
SHA512

21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5
SSDEEP

12288:fz9JHhp3l7Nt0P78PyCp3qkxD+XYaVikoSG6s7XuwMefn:fzXtNeP7v6XZMYackkX/

Score

10^/10

amadey zgrat discovery rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.12

http://brodoyouevenlift.co.za

Attributes

install_dir
ce3eb8f6b2
install_file
Utsysc.exe
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
url_paths
/g9sdjScV2/index.php

/vdhe8ejs3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4572-168-0x000001A932460000-0x000001A932560000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exeUtsysc.exeOpesi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	Opesi.exe

Executes dropped EXE 12 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeOpesi.exeOpesi.exeUtsysc.exeUtsysc.exeWlssejinnvz.exeWlssejinnvz.exeTypeId.exeTypeId.exe

pid	process
1924	Utsysc.exe
3192	Utsysc.exe
2256	Utsysc.exe
4624	Utsysc.exe
4984	Opesi.exe
3548	Opesi.exe
2164	Utsysc.exe
3396	Utsysc.exe
1124	Wlssejinnvz.exe
4572	Wlssejinnvz.exe
3936	TypeId.exe
2636	TypeId.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 9 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exeUtsysc.exeUtsysc.exeOpesi.exeUtsysc.exeWlssejinnvz.exeTypeId.exeTypeId.exeAddInUtil.exe

description	pid	process	target process
PID 3388 set thread context of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 1924 set thread context of 3192	1924	Utsysc.exe	Utsysc.exe
PID 2256 set thread context of 4624	2256	Utsysc.exe	Utsysc.exe
PID 4984 set thread context of 3548	4984	Opesi.exe	Opesi.exe
PID 2164 set thread context of 3396	2164	Utsysc.exe	Utsysc.exe
PID 1124 set thread context of 4572	1124	Wlssejinnvz.exe	Wlssejinnvz.exe
PID 3936 set thread context of 2636	3936	TypeId.exe	TypeId.exe
PID 2636 set thread context of 3860	2636	TypeId.exe	AddInUtil.exe
PID 3860 set thread context of 4916	3860	AddInUtil.exe	AddInUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opesi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Opesi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Opesi.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3340 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1912 timeout.exe

pid	process
3340	schtasks.exe

pid	process
1912	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exeOpesi.exeWlssejinnvz.exeTypeId.exeAddInUtil.exe

pid	process
3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
3548	Opesi.exe
3548	Opesi.exe
1124	Wlssejinnvz.exe
3936	TypeId.exe
3860	AddInUtil.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exeUtsysc.exeUtsysc.exeOpesi.exeUtsysc.exeWlssejinnvz.exeWlssejinnvz.exeTypeId.exeTypeId.exeAddInUtil.exeAddInUtil.exe

description	pid	process
Token: SeDebugPrivilege	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
Token: SeDebugPrivilege	1924	Utsysc.exe
Token: SeDebugPrivilege	2256	Utsysc.exe
Token: SeDebugPrivilege	4984	Opesi.exe
Token: SeDebugPrivilege	2164	Utsysc.exe
Token: SeDebugPrivilege	1124	Wlssejinnvz.exe
Token: SeDebugPrivilege	4572	Wlssejinnvz.exe
Token: SeDebugPrivilege	3936	TypeId.exe
Token: SeDebugPrivilege	2636	TypeId.exe
Token: SeDebugPrivilege	3860	AddInUtil.exe
Token: SeDebugPrivilege	4916	AddInUtil.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe

pid process

4508 SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe

pid	process
4508	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exeSecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exeUtsysc.exeUtsysc.exeUtsysc.exeOpesi.exeOpesi.execmd.exeUtsysc.exe

description	pid	process	target process
PID 3388 wrote to memory of 3888	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 3888	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 3888	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 2564	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 2564	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 2564	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 3388 wrote to memory of 4508	3388	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
PID 4508 wrote to memory of 1924	4508	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	Utsysc.exe
PID 4508 wrote to memory of 1924	4508	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	Utsysc.exe
PID 4508 wrote to memory of 1924	4508	SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 1924 wrote to memory of 3192	1924	Utsysc.exe	Utsysc.exe
PID 3192 wrote to memory of 3340	3192	Utsysc.exe	schtasks.exe
PID 3192 wrote to memory of 3340	3192	Utsysc.exe	schtasks.exe
PID 3192 wrote to memory of 3340	3192	Utsysc.exe	schtasks.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 2256 wrote to memory of 4624	2256	Utsysc.exe	Utsysc.exe
PID 3192 wrote to memory of 4984	3192	Utsysc.exe	Opesi.exe
PID 3192 wrote to memory of 4984	3192	Utsysc.exe	Opesi.exe
PID 3192 wrote to memory of 4984	3192	Utsysc.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 4984 wrote to memory of 3548	4984	Opesi.exe	Opesi.exe
PID 3548 wrote to memory of 2564	3548	Opesi.exe	cmd.exe
PID 3548 wrote to memory of 2564	3548	Opesi.exe	cmd.exe
PID 3548 wrote to memory of 2564	3548	Opesi.exe	cmd.exe
PID 2564 wrote to memory of 1912	2564	cmd.exe	timeout.exe
PID 2564 wrote to memory of 1912	2564	cmd.exe	timeout.exe
PID 2564 wrote to memory of 1912	2564	cmd.exe	timeout.exe
PID 2164 wrote to memory of 3396	2164	Utsysc.exe	Utsysc.exe
PID 2164 wrote to memory of 3396	2164	Utsysc.exe	Utsysc.exe
PID 2164 wrote to memory of 3396	2164	Utsysc.exe	Utsysc.exe
PID 2164 wrote to memory of 3396	2164	Utsysc.exe	Utsysc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
2⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
2⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.2313.4774.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:3340

C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe" & del "C:\ProgramData\*.dll"" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
8⤵
- Delays execution with timeout.exe
PID:1912

C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3396

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AddInUtil.exe.log
Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log
Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wlssejinnvz.exe.log
Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log
Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Opesi.exe
Filesize
385KB

MD5
51367ff68633e00c8a084cb52534182f

SHA1
52a06ba919a3ff357e456022493f66289acee4b3

SHA256
3c16def99c05de25b1b8dfb73757f3356bad519c9c39292752aa07fab0653936

SHA512
c3262d84da25a1b93575b81dae14f3478a6a2c09dfd399c17b4acb23825f898cdb0e2c4676b35d0279106bf54c35580c7cde608e311bc61bc5071bbc0e0eb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Wlssejinnvz.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Local\Temp\125601242331
Filesize
79KB

MD5
85cde6930ec7983bd76e7120f28ada17

SHA1
ed9d99d61066cc2f55307afc6d10f31d08e7c7b3

SHA256
5882f338178cc37ff22226903caf3a4b354baae7703b8e50631b3c1650154ba3

SHA512
c56cea18ba68750ce2df81391d37242de2118207271e6771b11f815ab8749ac92115ec0ea7fb9b7c8775bbe04a104c09ad8fbd166cea8b5431cb11f9a99def77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
Filesize
531KB

MD5
a544d2c23c55904dbf0f0190f42eaac6

SHA1
e9d920e5400b36562dfe81b900b99d35b70576b9

SHA256
138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a

SHA512
21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
Filesize
977KB

MD5
b4ce50927cd3a7ab60d2d6522070cd69

SHA1
e18b3c9b952a6096a34aae2afba7e0a136ef40de

SHA256
78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67

SHA512
d71932a1550af611ded83eb7abe0e2c7502bc8e0d3c709e04f2dec1005392f2fd891094fc9be7c90c3bd3fe3a83bf96fb7fa2eb0cb560631332460b176b3c223

Download Submit
memory/1124-160-0x000001C9F69E0000-0x000001C9F6AC8000-memory.dmp

Filesize
928KB

Download
memory/1124-157-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/1124-159-0x000001C9F6110000-0x000001C9F61F8000-memory.dmp

Filesize
928KB

Download
memory/1124-156-0x000001C9F4330000-0x000001C9F4428000-memory.dmp

Filesize
992KB

Download
memory/1124-158-0x000001C9F4820000-0x000001C9F4830000-memory.dmp

Filesize
64KB

Download
memory/1124-161-0x000001C9F6AD0000-0x000001C9F6BB8000-memory.dmp

Filesize
928KB

Download
memory/1124-162-0x000001C9F6BC0000-0x000001C9F6C90000-memory.dmp

Filesize
832KB

Download
memory/1124-163-0x000001C9F6D90000-0x000001C9F6E60000-memory.dmp

Filesize
832KB

Download
memory/1124-169-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/1924-33-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1924-39-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1924-32-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2164-129-0x0000000073C30000-0x00000000743E0000-memory.dmp

Filesize
7.7MB

Download
memory/2164-124-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2164-123-0x0000000073C30000-0x00000000743E0000-memory.dmp

Filesize
7.7MB

Download
memory/2256-53-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2256-52-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2256-59-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2636-186-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/2636-187-0x0000027050A30000-0x0000027050A40000-memory.dmp

Filesize
64KB

Download
memory/2636-190-0x0000027050A30000-0x0000027050A40000-memory.dmp

Filesize
64KB

Download
memory/2636-193-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/3192-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-49-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-153-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-83-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-144-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3388-6-0x00000000052B0000-0x0000000005310000-memory.dmp

Filesize
384KB

Download
memory/3388-0-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-10-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/3388-11-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/3388-17-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-8-0x0000000005480000-0x00000000054CC000-memory.dmp

Filesize
304KB

Download
memory/3388-7-0x0000000005410000-0x0000000005470000-memory.dmp

Filesize
384KB

Download
memory/3388-9-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/3388-5-0x0000000005230000-0x00000000052AA000-memory.dmp

Filesize
488KB

Download
memory/3388-4-0x00000000051B0000-0x0000000005228000-memory.dmp

Filesize
480KB

Download
memory/3388-3-0x0000000005130000-0x00000000051A8000-memory.dmp

Filesize
480KB

Download
memory/3388-1-0x0000000000720000-0x00000000007AC000-memory.dmp

Filesize
560KB

Download
memory/3388-2-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3396-128-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3396-130-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3396-127-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3548-121-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3548-100-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3548-93-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3548-103-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3548-101-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3548-97-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3548-99-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3860-192-0x00000179FBE60000-0x00000179FBE70000-memory.dmp

Filesize
64KB

Download
memory/3860-191-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/3936-188-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/3936-181-0x000002AF2CB80000-0x000002AF2CB90000-memory.dmp

Filesize
64KB

Download
memory/3936-180-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/4508-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4508-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4508-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4508-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4508-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4572-172-0x000001A932410000-0x000001A932418000-memory.dmp

Filesize
32KB

Download
memory/4572-168-0x000001A932460000-0x000001A932560000-memory.dmp

Filesize
1024KB

Download
memory/4572-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4572-173-0x000001A94AE00000-0x000001A94AE56000-memory.dmp

Filesize
344KB

Download
memory/4572-174-0x000001A94AEB0000-0x000001A94AF04000-memory.dmp

Filesize
336KB

Download
memory/4572-177-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/4572-171-0x000001A932420000-0x000001A932430000-memory.dmp

Filesize
64KB

Download
memory/4572-170-0x00007FFFA96A0000-0x00007FFFAA161000-memory.dmp

Filesize
10.8MB

Download
memory/4624-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4624-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4624-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4984-98-0x0000000073C30000-0x00000000743E0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-86-0x0000000073C30000-0x00000000743E0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-88-0x0000000004D00000-0x0000000004D54000-memory.dmp

Filesize
336KB

Download
memory/4984-92-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/4984-91-0x0000000004DF0000-0x0000000004E2C000-memory.dmp

Filesize
240KB

Download
memory/4984-85-0x0000000000440000-0x00000000004A6000-memory.dmp

Filesize
408KB

Download
memory/4984-90-0x0000000004DA0000-0x0000000004DF4000-memory.dmp

Filesize
336KB

Download
memory/4984-89-0x0000000004D50000-0x0000000004DA4000-memory.dmp

Filesize
336KB

Download
memory/4984-87-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download