Malware Analysis Report

2025-01-22 10:23

Sample ID 240123-ct9klaehhn
Target amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
SHA256 fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
Tags
amadey redline risepro zgrat @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic evasion infostealer persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b

Threat Level: Known bad

The file amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b was found to be: Known bad.

Malicious Activity Summary


RedLine

RisePro

ZGRat

Detect ZGRat V1

RedLine payload

Amadey

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 02:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 02:23

Reported

2024-01-23 02:25

Platform

win7-20231215-en

Max time kernel

33s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amer.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\amer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\amer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\amer.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2388 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2388 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 2388 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
PID 2388 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 2388 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 2388 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 1960 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2388 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 2388 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2388 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 1528 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\amer.exe

"C:\Users\Admin\AppData\Local\Temp\amer.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"

C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe

"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2A4C381A-B37F-47D9-8F3D-8DFBDAC82E30} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"

C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=flesh.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 92

Network


Files


memory/2528-302-0x000000013F260000-0x000000013FC9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe

MD5 1897853bae0a4adaf356405c4786a24d
SHA1 614a1654a58abf8730231edc0af5788376bf4982
SHA256 74449aef9a54cd1a1f64f9997821a39448a8d7e76bbf5b1c419c2465630148fe
SHA512 b1be06610aa877e365784e6d0ade46ee186f1bc8ed7084cad3b3c595d0544b6f2ccb430d284e56278d3524508726226cfd3558f148ddd44f07d8beaf69fd7725

memory/1644-308-0x0000000001060000-0x00000000010CC000-memory.dmp

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 4253fc822a39e7baadb7977cde00e99a
SHA1 6b25efef13e2feae5951ac55be55d28f3de878b2
SHA256 596ebcbbd3c111b34001048c763fdcc621161721930c6f24d95cd4aa94d3a8e7
SHA512 ac60c2b01b1bef3857028b7e6885ed6eaf626a408cdff06b9e036b599a8454ee0fbd7e2a618ab2210ecd7fd659e3018d66917654a807fdf3ff2af835b62db433

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 a1cfa7fe3389a266004f4063615f0d86
SHA1 05e5f41bdb8798a28034e8e7f437b2356fdd75dd
SHA256 75c73a861896b3c1c750b15bcb749db041d6fc933a73a782dc0adeef102bc2e6
SHA512 6e7f126ef93a32c1c31a94c4b3744f9919d55780aabdf6f6d0ca799924252aa0ebc0670609f90bcf9cb11b61297cc903ac01baba153e4e92a47f7929c5dcd034

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 6100cf1c34acb287caa6a7cdc7ec51a5
SHA1 0207792e053162a0dda39bb784f8df76f92c7943
SHA256 dcb4c821180e7de31a5fef0abc84b85c629e362c5d1951782c5801406e7acad7
SHA512 990551e46e4201e51c12e03287dd8600a74f088943eed063622f9191a27808e9d091362991739df6e4f1eb82d22f8783ed9caf0b8792e487655ad7dd0d9fd334

memory/2452-337-0x000000013F940000-0x000000014037D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 edaed7c4a2c7f9f06fbac4102911a111
SHA1 2d4f0be406397f8fc363b7716114fa29e03a8bfd
SHA256 683d6cfbb11ee35b6b72b833b7213fafdc5b74f05501dc42437770f0de39c8b7
SHA512 725ae40d14c37797fd06caa2b0cf39e6cf2a98e2a9be51000d96b821437eebe6fb868a2e8f4ff8a718dbd967023b839f75cfcf79e1660f6e90cf2d4b224f5df5

\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 a5d383274867d14856ddd2f616521d5d
SHA1 f85e45b7d4b7e7c9a6cb2df1ebb1e1c490afa3ce
SHA256 b2900c482cbf6aebd7eaafb78f4dd4c167d1189bfd23b6e87fc0167cd8292401
SHA512 e3a2fca4c8a154a044702fb5ff3cc756990f3d32d1ca380f38bfca4660416e8be729756c9f5b08384a0b4fa210209083c265096f67f04adeb6ae04e298de677a

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 c2283f7b55869abcfdba70de41756506
SHA1 00efeb5d1bfec5ab35e98441c12780f14a7ca3ee
SHA256 102f907ba6816b80945a698780240467a3a7fc70ae1770780c458a9498e48e8c
SHA512 e8b5bd1c138c542e733310cee21220240732791e2ba56988b17dc1d76c4d5ccb302703b20ae2d975ee1eff9b6a50c8c27a46461c6dc13a3e3856f42bb9df10f4

memory/2616-356-0x0000000001310000-0x0000000001930000-memory.dmp

memory/1128-370-0x0000000002230000-0x0000000002272000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 7617b7406cf7f977f64370a54b17168e
SHA1 0477f60822e1f0a99a6563434d9f4c876e721477
SHA256 c576ed1a9c4380bc9abb37eb97537bf40b500088846c3adc9113a1feb9cc6ed6
SHA512 27d4320c2fa37a219247f9bccce45f514b56263007bc490c65140bc25d02c6da2eeeee7f52cec5c32dee0344c289870e94dde5879ab3a13e23b938d47ca0e85b

C:\Users\Admin\AppData\Local\Temp\Cab61C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1117.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caeb1c6bf76e0000703798f331a2a998
SHA1 fe437ae23837d630bfb1bc1ecaef2bd99d42b877
SHA256 321fab9b148ff3270e658b919c05e2a3c04c400a46654f5d752722a317f7855a
SHA512 93bdbaa70046fbafe7f3665b46c3943017074216d033ebf1c4b9255ec65d61a13e4101ab1bb3dda30be2b0a9cbe3a0349a9f9694a26faf5769c1b93a01c09df2

memory/2616-433-0x00000000059F0000-0x0000000005C28000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6665dbd1218ca856c9166145833be9f0
SHA1 076f3afbe96fa6f66506ab662ad5d89e183d9b8b
SHA256 98be2d1f08363465061d744ffdfbde9f9350100d7a54c2bab6616415e873b1c9
SHA512 8da7dd8711353e2b2a257a7b74a1b0188ee26280b71f22af421886aaba22e79f1887756b8461097a5d76b6d5c974f03d739c123e339b2e43266cfe494ab36037

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bddbb952e9744bf4f8bd364229e54ec
SHA1 8dbefbf6627d07c0e50285421fa16c5704a910ec
SHA256 db6de8112725ce1acb506391d2b0c66df4ae58e7e3e9a98ecd6f7a9db0ca4826
SHA512 f4fa012dcb8d00d674daf5050d47452f946b0aca7c38be308f99deddb99dd51c037076169cd00c378ac994eddd9ce047039697680065604812f5fae05882524c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3aeeb270171693a57a36e2f64bc0deb9
SHA1 8c84f717aa32c95beba15788ab23dce24e0cc149
SHA256 e2aed436dfaa978bc4e79d48eaa6e9893529373cf933a31675f2176f14c0defe
SHA512 c58e51342bdf086fe5474cc7b304ae24791f754b01bfc32d88e8a4951d0594a5455cd11c18627d9faa6edf12b717a036017eee875fd3b05bc66650e7be20bad4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c90bac33a439b88116e1e281aed7af9
SHA1 d035049dd522f24140e77757699054cd7e361d4a
SHA256 c8c6e50bf2029d9a8bd3f27432bd282351b807fe7e0a6c673cb5f3ac37d49cb0
SHA512 fa3ea47d7ad4e32398863d224ba51eb36e320f815892ff7ac73325afc2c17dd2c10283db47a73709615baba793b13caf053489d24ff7f561448c1de528260fec

memory/2616-568-0x0000000006C30000-0x0000000006DC2000-memory.dmp

memory/2616-573-0x0000000000520000-0x0000000000530000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2556-600-0x0000000074200000-0x00000000748EE000-memory.dmp

memory/596-610-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1644-611-0x0000000074200000-0x00000000748EE000-memory.dmp

memory/2616-615-0x0000000074200000-0x00000000748EE000-memory.dmp

memory/2616-616-0x0000000004DF9000-0x0000000004DFD000-memory.dmp

memory/2616-617-0x00000000070A0000-0x00000000070D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 02:23

Reported

2024-01-23 02:25

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amer.exe"

Signatures

Amadey

trojan amadey

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\amer.exe

"C:\Users\Admin\AppData\Local\Temp\amer.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
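The schtasks and rundll32 command lines above carry the persistence and loader behaviour in a form that can be checked mechanically: a task named after an executable that fires every minute, /F to silently replace any existing task of that name, and a DLL loaded by explicit export from a user-writable AppData\Roaming directory. The following Python is an added example, not part of this sandbox report or of the malware tooling it describes. It tokenizes the four distinct command lines recorded in the process list (copied from the report) and returns finding codes for each; the finding codes, the USER_WRITABLE pattern and the function names are this example's own.

```python
import re

# Constructed sample input: the four distinct command lines recorded in the
# behavioral2 process list above (copied from the report, not generated here).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\amer.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
]

# Directories a standard user can write to (example's own choice of pattern);
# binaries and DLLs started from here deserve a second look.
USER_WRITABLE = re.compile(r'\\AppData\\(Local\\Temp|Roaming)\\', re.IGNORECASE)


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(tokens):
    """Map schtasks switches to their values; value-less switches such as /F map to True."""
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            key = tok.lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def triage_cmdline(cmd):
    """Return the list of finding codes (example's own naming) for one command line."""
    tokens = tokenize(cmd)
    exe = tokens[0].rsplit('\\', 1)[-1].lower()
    findings = []
    if exe == 'schtasks.exe' and '/create' in (t.lower() for t in tokens):
        opts = parse_schtasks(tokens)
        # A trigger every few minutes is a restart-the-implant pattern, not a maintenance job.
        if str(opts.get('/sc', '')).lower() == 'minute' and int(opts.get('/mo', 1)) <= 5:
            findings.append('schtasks:high_frequency')
        if '/f' in opts:
            findings.append('schtasks:force_overwrite')
        if str(opts.get('/tn', '')).lower().endswith('.exe'):
            findings.append('schtasks:task_name_is_exe')
        if USER_WRITABLE.search(str(opts.get('/tr', ''))):
            findings.append('schtasks:target_user_writable')
    elif exe == 'rundll32.exe' and len(tokens) > 1:
        module = tokens[1].rstrip(',')   # "path.dll," form, comma separates the export
        if USER_WRITABLE.search(module):
            findings.append('rundll32:module_user_writable')
        if len(tokens) > 2 and re.fullmatch(r'[A-Za-z_]\w*', tokens[2]):
            findings.append('rundll32:explicit_export')
    elif USER_WRITABLE.search(tokens[0]):
        findings.append('exec:user_writable_path')
    return findings


def triage_all(cmdlines):
    """Command lines that produced at least one finding, keyed by the command line."""
    out = {}
    for cmd in cmdlines:
        hits = triage_cmdline(cmd)
        if hits:
            out[cmd] = hits
    return out


if __name__ == '__main__':
    for cmd, hits in triage_all(SAMPLE_CMDLINES).items():
        print(cmd)
        for h in hits:
            print('    ', h)
```

The schtasks line trips all four checks at once, which is the combination worth alerting on; a single one (a daily task under Program Files, say) produces nothing, so the same function can run over a whole fleet's task-creation events without drowning the analyst.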

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
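The network rows mix one direct TCP connection with a series of reverse (PTR) lookups sent to 8.8.8.8. The report does not record which process issued the DNS queries, so the PTR names are useful mainly to confirm which looked-up addresses were actually contacted, rather than as indicators on their own. The following Python is an added example, not part of the report: it translates each in-addr.arpa name back to the IPv4 address it asks about, collapses the repeated rows, and separates addresses that were both looked up and connected to from those that appear only in a reverse lookup. The row tuples are copied from the table above; the function names and result keys are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the behavioral2 Network rows above as (country, destination, domain, proto).
SAMPLE_NETWORK = [
    ("RU", "185.215.113.68:80", "185.215.113.68", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "194.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.113.215.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("RU", "185.215.113.68:80", "185.215.113.68", "tcp"),
    ("US", "8.8.8.8:53", "114.110.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "24.73.42.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Reverse an in-addr.arpa PTR name to the dotted IPv4 address it asks about; None if not one."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))      # PTR names carry the octets in reverse order
    try:
        ipaddress.IPv4Address(ip)        # reject anything that is not a real IPv4 address
    except ValueError:
        return None
    return ip


def summarize(rows):
    """Collapse repeated rows, translate PTR queries, and tie them to the direct connections."""
    direct = defaultdict(int)            # (ip, port, proto) -> number of rows
    reverse_lookups = {}                 # looked-up address -> PTR name as queried
    for _country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        target = ptr_to_ip(domain) if port == "53" else None
        if target:
            reverse_lookups[target] = domain
            continue
        direct[(ip, int(port), proto)] += 1
    contacted = {ip for ip, _port, _proto in direct}
    looked_up = set(reverse_lookups)
    return {
        "direct": dict(direct),
        "reverse_lookups": reverse_lookups,
        # Addresses the sandbox both resolved in reverse and actually connected to.
        "corroborated": sorted(contacted & looked_up),
        # Addresses that only ever appear as a PTR query; no connection was recorded.
        "lookup_only": sorted(looked_up - contacted),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_NETWORK)
    for (ip, port, proto), n in result["direct"].items():
        print(f"direct   {ip}:{port}/{proto}  x{n}")
    print("corroborated:", result["corroborated"])
    print("lookup only: ", result["lookup_only"])
```

Only 185.215.113.68 survives both filters: it is the address of the two port-80 TCP connections and of the PTR query 68.113.215.185.in-addr.arpa. The other nine reverse lookups have no matching connection in the table, so they belong in a watch list rather than a block list until another source explains them.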

Files

memory/3652-0-0x0000000000650000-0x0000000000A58000-memory.dmp

memory/3652-1-0x0000000000650000-0x0000000000A58000-memory.dmp

memory/3652-2-0x0000000000650000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 6878df738defcf088ba56b4d214ca1bd
SHA1 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2
SHA256 fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
SHA512 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78

memory/3652-16-0x0000000000650000-0x0000000000A58000-memory.dmp

memory/2060-15-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-17-0x0000000000640000-0x0000000000A48000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 85adfc825e1e654524565fa313b7ddbd
SHA1 f92418c2f842c6441dc00eea517edae7a3989aef
SHA256 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089
SHA512 e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

memory/2060-20-0x0000000000640000-0x0000000000A48000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2060-29-0x0000000000640000-0x0000000000A48000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2060-41-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/3556-44-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/3556-47-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-48-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-49-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-50-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-51-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-52-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-53-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/4760-55-0x0000000000640000-0x0000000000A48000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4760-59-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-60-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-61-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-62-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-63-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-64-0x0000000000640000-0x0000000000A48000-memory.dmp

memory/2060-65-0x0000000000640000-0x0000000000A48000-memory.dmp
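The Files list repeats a path each time the sandbox sees new content at it, and two entries above need a second look before their hashes go into a blocklist: explorhe.exe carries the same SHA256 as the submitted amer.exe (the sample copying itself into Temp\d887ceb89d), and the second F59E91F8 entry is the hash set of an empty file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...), which would match every zero-byte file on an estate. The following Python is an added example, not part of the report: it parses a slice of the list in the report's own layout (embedded below, copied from the entries above), groups entries by normalized path, flags copies of the sample, empty files and paths rewritten with different content, and returns the SHA256 set that is actually safe to block. The same rewritten-path check applies to the moto.exe and store.exe entries in behavioral1. Function names and flag strings are this example's own.

```python
import hashlib
import re
from collections import defaultdict

SUBMITTED_SHA256 = "fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b"

# Constructed sample: a slice of the behavioral2 Files list above in the report's own layout
# (a path line, then one line per hash; memory dump lines interleaved and carrying no hashes).
SAMPLE_FILES_TEXT = r"""
memory/3652-0-0x0000000000650000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 6878df738defcf088ba56b4d214ca1bd
SHA1 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2
SHA256 fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
SHA512 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 85adfc825e1e654524565fa313b7ddbd
SHA1 f92418c2f842c6441dc00eea517edae7a3989aef
SHA256 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089
SHA512 e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$', re.IGNORECASE)


def parse_files(text):
    """Turn the report's path-plus-hash-lines layout into a list of dicts, skipping memory dumps."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith('memory/'):
            current = None
        else:
            current = {'path': line}
            entries.append(current)
    return [e for e in entries if 'sha256' in e]


def norm_path(path):
    """Strip the NT \\??\\ prefix and lower-case, so both spellings of a path group together."""
    if path.startswith('\\??\\'):
        path = path[4:]
    return path.lower()


def review(entries, submitted_sha256):
    """Flag entries that must not go into a blocklist as-is; return (flags by path, safe SHA256s)."""
    empty_sha256 = hashlib.sha256(b'').hexdigest()   # computed, not hard-coded
    by_path = defaultdict(set)
    flags = defaultdict(list)
    for e in entries:
        key = norm_path(e['path'])
        by_path[key].add(e['sha256'])
        if e['sha256'] == empty_sha256:
            flags[key].append('empty_file')           # would match every zero-byte file
        if e['sha256'] == submitted_sha256:
            flags[key].append('copy_of_sample')       # self-copy, same content as the submission
    for key, digests in by_path.items():
        if len(digests) > 1:
            flags[key].append('rewritten_with_different_content')
    blocklist = sorted({e['sha256'] for e in entries} - {empty_sha256})
    return dict(flags), blocklist


if __name__ == '__main__':
    flags, blocklist = review(parse_files(SAMPLE_FILES_TEXT), SUBMITTED_SHA256)
    for path, fl in flags.items():
        print(path, '->', ', '.join(fl))
    print('blockable SHA256s:', *blocklist, sep='\n  ')
```

Dropping the empty-file digest is the important step; the sample's own hash stays in the list because it is the known-bad content, and the copy_of_sample flag just records that explorhe.exe adds no new indicator beyond the path it was written to.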