Analysis Overview
SHA256
fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
Threat Level: Known bad
The file amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b was found to be: Known bad.
Malicious Activity Summary
RedLine
RisePro
ZGRat
Detect ZGRat V1
RedLine payload
Amadey
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 02:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 02:23
Reported
2024-01-23 02:25
Platform
win7-20231215-en
Max time kernel
33s
Max time network
155s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1528 set thread context of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1588 set thread context of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\amer.exe
"C:\Users\Admin\AppData\Local\Temp\amer.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {2A4C381A-B37F-47D9-8F3D-8DFBDAC82E30} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=flesh.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 92
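The Processes section above shows the loader's tradecraft in plain command lines: a schtasks task re-launching the dropped copy every minute, a service created with its binary under ProgramData, the Event Log service stopped, a `choice /T 3 & Del` delayed self-deletion, and rundll32 invoking an export from a DLL under AppData\Roaming. The detector below is an added example, not code from the sandbox report or from any vendor; its input list is copied from the report's Processes section (a constructed list for the example), and the ATT&CK technique ids are this example's own mapping, since the report's MITRE section carries no technique list.

```python
"""Flag Amadey-style loader and miner tradecraft in Windows process command lines.

Added example, not code from the sandbox report. SAMPLE_CMDLINES is copied from
the report's Processes section (constructed input list); the ATT&CK technique
ids are this example's own mapping, not the report's.
"""
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\amer.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'C:\Windows\system32\sc.exe delete "FLWCUERA"',
    r'C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"',
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"',
    r'C:\Windows\system32\sc.exe start "FLWCUERA"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'choice /C Y /N /D Y /T 3',
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # MITRE ATT&CK id (this example's mapping)
    pattern: re.Pattern


RULES = [
    Rule("schtasks minute-interval task pointing into user Temp", "T1053.005",
         re.compile(r'schtasks(\.exe)?"?\s.*?/Create\b.*?/SC\s+MINUTE\b.*?/TR\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)),
    Rule("service created with binary under ProgramData", "T1543.003",
         re.compile(r'\bsc(\.exe)?\s+create\s+.*binpath=\s*"?[^"]*\\ProgramData\\', re.I)),
    Rule("Windows Event Log service stopped", "T1562.002",
         re.compile(r'\bsc(\.exe)?\s+stop\s+eventlog\b', re.I)),
    Rule("delayed self-deletion via choice timeout and del", "T1070.004",
         re.compile(r'\bchoice\b.*?/T\s+\d+.*?&\s*del\b', re.I)),
    Rule("rundll32 loading a DLL export from AppData\\Roaming", "T1218.011",
         re.compile(r'rundll32(\.exe)?"?\s+[^,]*\\AppData\\Roaming\\[^,]*\.dll\s*,', re.I)),
]


def scan(cmdline: str) -> list:
    """Return every Rule whose pattern matches the given command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def scan_all(cmdlines) -> dict:
    """Map each flagged command line to the names of the rules it triggered.
    Command lines that trigger nothing are omitted from the result."""
    hits = {}
    for cmd in cmdlines:
        matched = scan(cmd)
        if matched:
            hits[cmd] = [r.name for r in matched]
    return hits


if __name__ == "__main__":
    for cmd, names in scan_all(SAMPLE_CMDLINES).items():
        print(f"{names} <- {cmd}")
```

Run against the report's command lines the rules fire on exactly the five loader actions (task creation, service creation, eventlog stop, the cmd.exe self-delete wrapper, and the rundll32 DLL load), and stay quiet on the bare `choice` child process, the `sc.exe delete`/`start` calls and the RegAsm.exe hosts. The rules key on the combination of living-off-the-land binary and attacker-controlled path rather than on the binary alone; in production they belong on process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing) with parent-process context added, since the same `sc.exe` invocations are legitimate from an installer.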
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 141.95.211.148:46011 | | tcp |
| DE | 20.113.35.45:38357 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 144.76.1.85:25894 | | tcp |
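The Network table mixes attacker infrastructure with sandbox plumbing: the 8.8.8.8:53 rows are DNS lookups whose Domain cell is the name being resolved, and the learn.microsoft.com connections follow the iexplore.exe launch to a go.microsoft.com fwlink (SHIM_NOVERSION_FOUND for flesh.exe) in the Processes section. The script below is an added example, not part of the report; it parses a subset of the rows as they appear on the page (including rows whose Domain cell was dropped), separates DNS-resolved names from direct ip:port connections, and deduplicates. Treating the resolver and the Microsoft hosts as noise is this example's assumption, not a statement from the report.

```python
"""Turn the report's Network table into a deduplicated IOC list.

Added example, not code from the sandbox report. NETWORK_ROWS is a subset of
the report's Network table (constructed input, including rows whose Domain
cell is missing); the noise lists are this example's assumptions.
"""

NETWORK_ROWS = """
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 141.95.211.148:46011 | tcp | |
| DE | 20.113.35.45:38357 | tcp | |
| NL | 94.156.66.203:13781 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 92.123.242.110:443 | learn.microsoft.com | tcp |
| NL | 94.156.66.203:13781 | tcp | |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 144.76.1.85:25894 | tcp |
"""

# Assumption for this example: the sandbox's DNS resolver and the Microsoft
# hosts reached after the .NET shim launched Internet Explorer are OS plumbing,
# not attacker infrastructure.
NOISE_IPS = {"8.8.8.8"}
NOISE_DOMAINS = {"learn.microsoft.com"}


def parse_row(line):
    """Parse one table row; tolerate rows whose Domain cell was dropped so
    that the protocol slid into the Domain column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 3 or cells[-1].lower() not in ("tcp", "udp"):
        return None
    ip, _, port = cells[1].rpartition(":")
    return {
        "country": cells[0],
        "ip": ip,
        "port": int(port),
        "domain": cells[2] if len(cells) == 4 else "",
        "proto": cells[-1].lower(),
    }


def build_iocs(table):
    """Split rows into DNS lookups (domain IOCs) and connections (ip:port
    IOCs), drop noise, and keep first-seen order without duplicates."""
    domains, endpoints = [], []
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["proto"] == "udp" and row["port"] == 53:
            # On a DNS row the Domain column is the name being resolved,
            # so it is the IOC; the resolver address is not.
            name = row["domain"]
            if name and name not in NOISE_DOMAINS and name not in domains:
                domains.append(name)
            continue
        if row["ip"] in NOISE_IPS or row["domain"] in NOISE_DOMAINS:
            continue
        ep = f'{row["ip"]}:{row["port"]}'
        if ep not in endpoints:
            endpoints.append(ep)
    return {"domains": domains, "endpoints": endpoints}


if __name__ == "__main__":
    for kind, values in build_iocs(NETWORK_ROWS).items():
        print(kind)
        for v in values:
            print("  ", v)
```

For the subset above this yields one domain (pool.hashvault.pro, the mining pool resolved by the XMR miner) and eight ip:port endpoints, with the three port-80 hosts separated from the high-port connections by port alone; the report attributes no individual endpoint to a specific family, so the list should be consumed as a block rather than labelled per family.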
Files
memory/3036-1-0x0000000000130000-0x0000000000538000-memory.dmp
memory/3036-2-0x0000000000130000-0x0000000000538000-memory.dmp
memory/3036-4-0x0000000000920000-0x0000000000921000-memory.dmp
\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 6878df738defcf088ba56b4d214ca1bd |
| SHA1 | 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2 |
| SHA256 | fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b |
| SHA512 | 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78 |
memory/3036-13-0x0000000000130000-0x0000000000538000-memory.dmp
memory/2388-14-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/2388-15-0x0000000000CF0000-0x00000000010F8000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | 3c8848de99ad1951939a07fd9a025de1 |
| SHA1 | 9ccae854293564363820fabc3b8ddfb8b7f8b1cd |
| SHA256 | 4075431bcb0bebd74026f45b573af4155ded5300f90011997e9cc6d3b51080c7 |
| SHA512 | 31b931c59109238116f6347004c5d93cb7bece2e0fcbee9c3d1226690cd20978b0bd6cffd6641be9233c7fdc81547a9a745d1912212e6aa1c6f022b4f129042c |
memory/2388-33-0x00000000048B0000-0x0000000004D93000-memory.dmp
memory/2772-36-0x0000000000A30000-0x0000000000F13000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | c00a7f3ab736d0481a905a6bb4c7bdcf |
| SHA1 | 913889e6bba2be9e980f9f583d0918c764a8ca48 |
| SHA256 | ab353b22ae95cf4c8fe5571d101bcbbcc8c5baf52277412f5cced37b57f28443 |
| SHA512 | 76eef3176d3962ec2dfa86a38ccf936c96c8f92b64c33a4247ebcedd87f862c5f64e0938f29ee0e542c5440093e27e1141b4a7e2a461ed67f8aa6f605879c483 |
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | bd72d1bd8b5cca1952eeec38ac8033c4 |
| SHA1 | 78c58f11f3615c014a9c5e24bc2bef1da65dbdbe |
| SHA256 | eb0d2fe20b8b287bb2b41b2c3dbfaeb6f3d0788fa25ccae72a30bd02d8266be4 |
| SHA512 | 33a4ea56cb7a24a29edd9bd75f6e51811808993221927515c4d7643e663505338a70290a82d4b8c22ed528796a87a1e68b55203b5c1b2d3753ac31895fb6a882 |
\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | ee89a8cd1c10bd9d30b1e77ab2280d15 |
| SHA1 | efc4cb345e1464ce53860595a02bce183f8ca128 |
| SHA256 | f1cdaee43d361f891d4ff099b50fc29524ea45c756ca8cfc51fcf43cbb6edd03 |
| SHA512 | 01b2c535b34929ce9746dad4ddddfe3adb20f04f730d452bd631c43f2bb1f3d4c0ecba685219e8f7a0f75ad128625cb9cdefbde50ca1716dfba8ac8aa8917ceb |
\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | 67a719077a95b4efbc0f863adb032b10 |
| SHA1 | 106a919bd1a0830ad6e29cb0f392645ff54797ec |
| SHA256 | bddfa1af4b01465284d3a12a1278e548d3bd30b13adcfedd8b3a2dc5a5d37122 |
| SHA512 | 9a49fa4b48f845b0e2d49225eae19af072fc87e8418745c49e453c038c9e4c6d838cb7f5a3456a1951aca12f9ac4395189a00227577c5b9bbec870c4ba7e04bb |
memory/2388-53-0x00000000048F0000-0x000000000532D000-memory.dmp
memory/2388-54-0x00000000048F0000-0x000000000532D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 8d5d19f37fad2100214a5bfac93425ef |
| SHA1 | da78c395f4df87578c4870198dafc41515e5014e |
| SHA256 | df392937beff7a9e5a1beda3795abde2d16abf89e1853fa124d187f95beb7ce5 |
| SHA512 | 70163f059a1213a56c177cc8c0a6c18451a5f03e594b6305022c26edc8534f0c0eea13d0f10dc662d0827f9a49a21c12626e3644d7885dc64bd4409d5b04b687 |
\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | af0b54991f2317150d57c2ee9e42fa0f |
| SHA1 | a18e78675d099ec5b5d551c09b0afeab711e4e61 |
| SHA256 | 223a27d277c304d07dbf7db6028e75c8cb23666704ef72f7b38e8388866d904b |
| SHA512 | ed5a16dd0db4367e6f84db80655bf5717d6aa64b17cb91489ca2b05d1dbefc28e19960fbdbf7e9a91e0ab6be715bdc11fbd87b3663957cd592eedf610e6cf0ae |
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | c7df23f798cfeb937f01f9403d2e5e45 |
| SHA1 | c76ae5e7c2898a57e5f1e272c49dc75991fc9705 |
| SHA256 | 7a5431b37c8e76a5e290f3144c3b9d10337856e706a418e20e439cccc4c1c89a |
| SHA512 | fc4666d91a163880931c89ef895961f82becc3770ea16e7da503060794f67f92231f6b40fe2308df54e949a2e032b8df09e2d364ca8ebf10892fd39aa71ee4e2 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 4dc62aa51086843a31d87236c87f21e4 |
| SHA1 | c7cdc373668dd8f7373a433ed0f3703843b67c10 |
| SHA256 | 5a1a04657de632f044fcf0f4b089686de18840fa979a8265d8f9978f4feb5d27 |
| SHA512 | a876f4404d3be84ff8c36bd1005d844b0c22630cafb34631db7b07009c95f6564864a6811bb1b45ac415a64000748cb1626aa367d3deb8b616b6633bfde06658 |
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 59c818c763496a9670b30342c4e8093d |
| SHA1 | 2968b698421aacb212ad6440bba1b1b09a5da605 |
| SHA256 | 9a084882f1409fa792f28ac7d40fdc75331bfcfc3d8d69e7d1c3610b15442509 |
| SHA512 | ec65ccf02b5bf8ced7d7d1efd3a601f560e5f192afd87c6945682f62cef8428552ae242d12dc73152f0ed49848668ed9bb01338905840220282c872b5f7dd397 |
\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 76b018eb49c18259722ff9fbe10d1ed7 |
| SHA1 | cbfc470085736e7578120a4d7c244d8c49a8207a |
| SHA256 | 8db26b1a4734c0b3c277a490bfd4ed6346431097766bdac9525158b02beb4a86 |
| SHA512 | f4cbbbe0e147d364297d65042fe6289fae80ee7429fee6f6a3780762e8d64d0061a4191b8600df0ba8e8f6aba264c9fa2b7ec78878f89c2cbaa731f58b61bdc3 |
memory/2388-94-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/1032-93-0x000000013F660000-0x000000014009D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
memory/1588-104-0x0000000000BD0000-0x0000000000C34000-memory.dmp
memory/1528-111-0x00000000013E0000-0x0000000001436000-memory.dmp
memory/2488-112-0x0000000000E50000-0x0000000000F4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | c68dfce4915de42226c6bd4f469a9778 |
| SHA1 | 4e191edaf69d05c5ea5ab6fe528405f579cf5f94 |
| SHA256 | 15c8bc23ba9d6b2b16b17d2cb175b947c86710157a9afc9023cada046aa4749c |
| SHA512 | 2820a50e9a31a88e598812e975b08930724fe3e626f8669956ca32fe19af6762fe0fbe1e371da34936ad7a37a259437070d546c1246a68c1cd34b39bbef71d90 |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 52a71b80940ec44fd56d18d96186b9a7 |
| SHA1 | 018438b92f1c011d50e1dd4880b50f08353e648a |
| SHA256 | 5e47d09973b46fcb05ade92223b1f0b028814d0b902aafe6c880ee4c6a31dd35 |
| SHA512 | f98c810074b738681c0a32daf88988a17a00441ba3095c4c9fccdbf25c8aaa922ef0011edae47ea749d62b018e0ed1a83a3e6271734e88cff3f767c663093e39 |
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | afa4b5293faaade81fdcfb074a0f68f8 |
| SHA1 | f92b8bb183029f98ea497513e4e625354f44a20e |
| SHA256 | ad54b9c45e35baf130eb1f5f5ffa49681ee47426e0df07c664e78f9105e452ee |
| SHA512 | 9c80fe269b6379d425c24a5ff123f8f594d41ad993d91005430aa4ee6f77bd834a9886bae40023441607ffbbf1fcb0e32aef1b39afd1789a003f2f46139e95c5 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 09798643b32adac9fa941aa5d67c3130 |
| SHA1 | 5150a5ff6ebe5f621a968b0b200b385f4b39e675 |
| SHA256 | b0f465eae77a72032993908c846cd0df140cf8ca4868e48db8d03fced1fbcbea |
| SHA512 | 427a3606fe59dd352b82e035310021767faf91f9c993eb686362b89f75746347d31588362b6a79bc344a3b0fb640c7b39775bf66a34627bba918a5ebf61334ec |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 53ab9ae11ce5123215e977250cabed8e |
| SHA1 | 3872fed78506f89f68076f186b9618b21e88f623 |
| SHA256 | 1b198d179fe5e7730b2c83754d0da6647c44a8b46ed3bf7840a99d15b7003790 |
| SHA512 | d4ebb48d0ce89c6262d79b027149af786a02411fa9a37c4515d8f95608457abba0a5035bcbc99912dd9a45f0129e5c7c6b00a608315c12a02a8b33a9438ebb47 |
memory/1032-115-0x000000013F660000-0x000000014009D000-memory.dmp
memory/2408-128-0x000000013FBB0000-0x00000001405ED000-memory.dmp
memory/1588-135-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2772-136-0x0000000000A30000-0x0000000000F13000-memory.dmp
memory/1528-139-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2764-140-0x0000000001280000-0x00000000012D4000-memory.dmp
memory/2488-138-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2764-137-0x0000000074200000-0x00000000748EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | d8337d7ca38eddace5472f7a274b3943 |
| SHA1 | 273fc254a6051aaf13d74b6f426fd9f1a58dee19 |
| SHA256 | 3ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202 |
| SHA512 | c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589 |
memory/2388-154-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/2388-157-0x0000000000CF0000-0x00000000010F8000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/1588-178-0x0000000002220000-0x0000000004220000-memory.dmp
memory/2772-180-0x0000000000A30000-0x0000000000F13000-memory.dmp
memory/568-179-0x00000000001D0000-0x000000000022A000-memory.dmp
memory/2028-184-0x0000000000400000-0x0000000000452000-memory.dmp
memory/884-191-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2028-196-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2028-201-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2028-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/884-193-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2028-190-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2028-189-0x0000000000400000-0x0000000000452000-memory.dmp
memory/884-188-0x0000000000400000-0x0000000000454000-memory.dmp
memory/884-187-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2028-186-0x0000000000400000-0x0000000000452000-memory.dmp
memory/884-206-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2028-204-0x0000000000400000-0x0000000000452000-memory.dmp
memory/884-203-0x0000000000400000-0x0000000000454000-memory.dmp
memory/884-209-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1528-211-0x0000000002840000-0x0000000004840000-memory.dmp
memory/1528-210-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2388-212-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/2764-213-0x0000000004E80000-0x0000000004EC0000-memory.dmp
memory/2488-215-0x0000000004900000-0x0000000004940000-memory.dmp
memory/2388-214-0x00000000048B0000-0x0000000004D93000-memory.dmp
memory/2488-216-0x0000000004780000-0x000000000487C000-memory.dmp
memory/2488-217-0x0000000004D20000-0x0000000004E1C000-memory.dmp
memory/2488-218-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-219-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-221-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-223-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-225-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-227-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-229-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-240-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-242-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-245-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-247-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-249-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-251-0x0000000004D20000-0x0000000004E17000-memory.dmp
memory/2488-253-0x0000000004D20000-0x0000000004E17000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 774510bcff294f80e47a210a19483749 |
| SHA1 | 0de009eca6fe604d132b052a424479b76ca72448 |
| SHA256 | 207e61d940900c1a17cc112b66072482aa0f11d4933f0387bf9d9b8f6487f955 |
| SHA512 | 076c64b82bf55e174f2283829292f5a21c072f57fa107900f9f013f82e94c833264e4cfe5a83d81830162d054b35c21f67778dcf25f7fadd6168d70b0b511741 |
\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | c66d64e2e166a7f78fe25ffaf1b5ba80 |
| SHA1 | ac7fbaaf171af92e46129ba59af6b15992ae692b |
| SHA256 | 2808ad7368cdd818932673d3837979942de9faee39d6ad29cc7fcf2d9a7c63f5 |
| SHA512 | 738212d7b2963030e39b71e3fcde8a584fc14e2e0d324291d3ac2aaa55616a3634f9d1858e80e251307e2124f552537432968d0886c43f4f702fc25f85ebbba2 |
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | d177caf6762f5eb7e63e33d19c854089 |
| SHA1 | f25cf817e3272302c2b319cedf075cb69e8c1670 |
| SHA256 | 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0 |
| SHA512 | 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25 |
memory/2488-260-0x0000000004D20000-0x0000000004E17000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 9f6ec1a0c98e630b9c74c6b8f89d293c |
| SHA1 | 8b55978a3a72bbfce49d0b1d1db7d1019202ed43 |
| SHA256 | 24ca60d031def82962a832edb5ca9311cb6c2ff5bdece015c4c0d6c06c7458a5 |
| SHA512 | 52590caecf3c1eaf24fee663ac8fb57b204d873fc9aac6625e148498c319fb41c80bb9bff9d0676a5da4b75bb457ff4b9fb9da5ecd9c05b30bb864cb2041fe70 |
memory/2556-279-0x00000000020F0000-0x0000000002132000-memory.dmp
memory/2556-285-0x00000000046A0000-0x00000000046DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 49c62cb71eb18dbea83583f18d16a428 |
| SHA1 | 733cce0c5cdb1e5160e8e616efddbb3da4d5b6b8 |
| SHA256 | efdda448b6a59a726f734e59ab03dc9421212cfe2e0e644d505363916c0a66c8 |
| SHA512 | 61c044bb2c10c58fb5bc91efe5fe1801197a262d7c153fb8484234679f0f663782f47916b39a0b6f1cd6dd3a077c82904f21478d24944fe62e48a2e374992ec5 |
memory/2528-302-0x000000013F260000-0x000000013FC9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 1897853bae0a4adaf356405c4786a24d |
| SHA1 | 614a1654a58abf8730231edc0af5788376bf4982 |
| SHA256 | 74449aef9a54cd1a1f64f9997821a39448a8d7e76bbf5b1c419c2465630148fe |
| SHA512 | b1be06610aa877e365784e6d0ade46ee186f1bc8ed7084cad3b3c595d0544b6f2ccb430d284e56278d3524508726226cfd3558f148ddd44f07d8beaf69fd7725 |
memory/1644-308-0x0000000001060000-0x00000000010CC000-memory.dmp
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 4253fc822a39e7baadb7977cde00e99a |
| SHA1 | 6b25efef13e2feae5951ac55be55d28f3de878b2 |
| SHA256 | 596ebcbbd3c111b34001048c763fdcc621161721930c6f24d95cd4aa94d3a8e7 |
| SHA512 | ac60c2b01b1bef3857028b7e6885ed6eaf626a408cdff06b9e036b599a8454ee0fbd7e2a618ab2210ecd7fd659e3018d66917654a807fdf3ff2af835b62db433 |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | a1cfa7fe3389a266004f4063615f0d86 |
| SHA1 | 05e5f41bdb8798a28034e8e7f437b2356fdd75dd |
| SHA256 | 75c73a861896b3c1c750b15bcb749db041d6fc933a73a782dc0adeef102bc2e6 |
| SHA512 | 6e7f126ef93a32c1c31a94c4b3744f9919d55780aabdf6f6d0ca799924252aa0ebc0670609f90bcf9cb11b61297cc903ac01baba153e4e92a47f7929c5dcd034 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 6100cf1c34acb287caa6a7cdc7ec51a5 |
| SHA1 | 0207792e053162a0dda39bb784f8df76f92c7943 |
| SHA256 | dcb4c821180e7de31a5fef0abc84b85c629e362c5d1951782c5801406e7acad7 |
| SHA512 | 990551e46e4201e51c12e03287dd8600a74f088943eed063622f9191a27808e9d091362991739df6e4f1eb82d22f8783ed9caf0b8792e487655ad7dd0d9fd334 |
memory/2452-337-0x000000013F940000-0x000000014037D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | edaed7c4a2c7f9f06fbac4102911a111 |
| SHA1 | 2d4f0be406397f8fc363b7716114fa29e03a8bfd |
| SHA256 | 683d6cfbb11ee35b6b72b833b7213fafdc5b74f05501dc42437770f0de39c8b7 |
| SHA512 | 725ae40d14c37797fd06caa2b0cf39e6cf2a98e2a9be51000d96b821437eebe6fb868a2e8f4ff8a718dbd967023b839f75cfcf79e1660f6e90cf2d4b224f5df5 |
\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | a5d383274867d14856ddd2f616521d5d |
| SHA1 | f85e45b7d4b7e7c9a6cb2df1ebb1e1c490afa3ce |
| SHA256 | b2900c482cbf6aebd7eaafb78f4dd4c167d1189bfd23b6e87fc0167cd8292401 |
| SHA512 | e3a2fca4c8a154a044702fb5ff3cc756990f3d32d1ca380f38bfca4660416e8be729756c9f5b08384a0b4fa210209083c265096f67f04adeb6ae04e298de677a |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | c2283f7b55869abcfdba70de41756506 |
| SHA1 | 00efeb5d1bfec5ab35e98441c12780f14a7ca3ee |
| SHA256 | 102f907ba6816b80945a698780240467a3a7fc70ae1770780c458a9498e48e8c |
| SHA512 | e8b5bd1c138c542e733310cee21220240732791e2ba56988b17dc1d76c4d5ccb302703b20ae2d975ee1eff9b6a50c8c27a46461c6dc13a3e3856f42bb9df10f4 |
memory/2616-356-0x0000000001310000-0x0000000001930000-memory.dmp
memory/1128-370-0x0000000002230000-0x0000000002272000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 7617b7406cf7f977f64370a54b17168e |
| SHA1 | 0477f60822e1f0a99a6563434d9f4c876e721477 |
| SHA256 | c576ed1a9c4380bc9abb37eb97537bf40b500088846c3adc9113a1feb9cc6ed6 |
| SHA512 | 27d4320c2fa37a219247f9bccce45f514b56263007bc490c65140bc25d02c6da2eeeee7f52cec5c32dee0344c289870e94dde5879ab3a13e23b938d47ca0e85b |
C:\Users\Admin\AppData\Local\Temp\Cab61C.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar1117.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | caeb1c6bf76e0000703798f331a2a998 |
| SHA1 | fe437ae23837d630bfb1bc1ecaef2bd99d42b877 |
| SHA256 | 321fab9b148ff3270e658b919c05e2a3c04c400a46654f5d752722a317f7855a |
| SHA512 | 93bdbaa70046fbafe7f3665b46c3943017074216d033ebf1c4b9255ec65d61a13e4101ab1bb3dda30be2b0a9cbe3a0349a9f9694a26faf5769c1b93a01c09df2 |
memory/2616-433-0x00000000059F0000-0x0000000005C28000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6665dbd1218ca856c9166145833be9f0 |
| SHA1 | 076f3afbe96fa6f66506ab662ad5d89e183d9b8b |
| SHA256 | 98be2d1f08363465061d744ffdfbde9f9350100d7a54c2bab6616415e873b1c9 |
| SHA512 | 8da7dd8711353e2b2a257a7b74a1b0188ee26280b71f22af421886aaba22e79f1887756b8461097a5d76b6d5c974f03d739c123e339b2e43266cfe494ab36037 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3bddbb952e9744bf4f8bd364229e54ec |
| SHA1 | 8dbefbf6627d07c0e50285421fa16c5704a910ec |
| SHA256 | db6de8112725ce1acb506391d2b0c66df4ae58e7e3e9a98ecd6f7a9db0ca4826 |
| SHA512 | f4fa012dcb8d00d674daf5050d47452f946b0aca7c38be308f99deddb99dd51c037076169cd00c378ac994eddd9ce047039697680065604812f5fae05882524c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3aeeb270171693a57a36e2f64bc0deb9 |
| SHA1 | 8c84f717aa32c95beba15788ab23dce24e0cc149 |
| SHA256 | e2aed436dfaa978bc4e79d48eaa6e9893529373cf933a31675f2176f14c0defe |
| SHA512 | c58e51342bdf086fe5474cc7b304ae24791f754b01bfc32d88e8a4951d0594a5455cd11c18627d9faa6edf12b717a036017eee875fd3b05bc66650e7be20bad4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c90bac33a439b88116e1e281aed7af9 |
| SHA1 | d035049dd522f24140e77757699054cd7e361d4a |
| SHA256 | c8c6e50bf2029d9a8bd3f27432bd282351b807fe7e0a6c673cb5f3ac37d49cb0 |
| SHA512 | fa3ea47d7ad4e32398863d224ba51eb36e320f815892ff7ac73325afc2c17dd2c10283db47a73709615baba793b13caf053489d24ff7f561448c1de528260fec |
memory/2616-568-0x0000000006C30000-0x0000000006DC2000-memory.dmp
memory/2616-573-0x0000000000520000-0x0000000000530000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/2556-600-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/596-610-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1644-611-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2616-615-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2616-616-0x0000000004DF9000-0x0000000004DFD000-memory.dmp
memory/2616-617-0x00000000070A0000-0x00000000070D9000-memory.dmp
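The Files sections above list the same path more than once with different hashes (store.exe under 1000552001 is written four times, each a distinct payload) and, further down in behavioral2, one entry whose hashes are those of a zero-byte file. The helper below is an added example, not part of this report or the sandbox's own tooling; the entries are copied from the report and the function names are my own. It groups the dropped files by path, counts distinct payloads per path, and recognises empty-file entries by computing the empty-input digests rather than typing them in.

```python
"""Consistency checks over a sandbox report's dropped-file hash tables.

Added example; not part of the original report or the sandbox's tooling.
Entries are copied from the report's Files sections, helper names are mine.
"""
import hashlib
from collections import defaultdict

# Constructed from the report's Files sections: (path, md5, sha256).
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe",
     "edaed7c4a2c7f9f06fbac4102911a111",
     "683d6cfbb11ee35b6b72b833b7213fafdc5b74f05501dc42437770f0de39c8b7"),
    (r"\Users\Admin\AppData\Local\Temp\1000552001\store.exe",
     "a5d383274867d14856ddd2f616521d5d",
     "b2900c482cbf6aebd7eaafb78f4dd4c167d1189bfd23b6e87fc0167cd8292401"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe",
     "c2283f7b55869abcfdba70de41756506",
     "102f907ba6816b80945a698780240467a3a7fc70ae1770780c458a9498e48e8c"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe",
     "7617b7406cf7f977f64370a54b17168e",
     "c576ed1a9c4380bc9abb37eb97537bf40b500088846c3adc9113a1feb9cc6ed6"),
    (r"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
     "6878df738defcf088ba56b4d214ca1bd",
     "fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b"),
    (r"\??\c:\users\admin\appdata\local\temp\F59E91F8",
     "85adfc825e1e654524565fa313b7ddbd",
     "980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089"),
    (r"\??\c:\users\admin\appdata\local\temp\F59E91F8",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Digests of zero bytes of input, computed so nothing is typed from memory.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def normalize_path(path):
    """Fold the NT \\??\\ prefix, a missing drive letter and case so one file groups once."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\Users\\"):      # report sometimes omits the drive letter
        path = "C:" + path
    return path.lower()


def is_empty_file(md5, sha256):
    return md5.lower() == EMPTY_MD5 or sha256.lower() == EMPTY_SHA256


def variants_per_path(entries):
    """Map each normalized path to the sorted set of distinct non-empty SHA256s."""
    seen = defaultdict(set)
    for path, md5, sha256 in entries:
        if not is_empty_file(md5, sha256):     # a zero-byte write is not a payload
            seen[normalize_path(path)].add(sha256.lower())
    return {p: sorted(h) for p, h in seen.items()}


def rotating_paths(entries, threshold=2):
    """Paths that received at least `threshold` distinct payloads during the run."""
    return sorted(p for p, hs in variants_per_path(entries).items() if len(hs) >= threshold)


def empty_file_entries(entries):
    """(path, sha256) of entries whose hashes are those of an empty file."""
    return [(p, s) for p, m, s in entries if is_empty_file(m, s)]


def copies_of(entries, sha256):
    """Normalized paths whose content equals the given SHA256 (e.g. the submitted sample)."""
    return sorted(normalize_path(p) for p, _m, s in entries if s.lower() == sha256.lower())


if __name__ == "__main__":
    for path, hashes in variants_per_path(DROPPED).items():
        print(len(hashes), path)
    print("empty:", empty_file_entries(DROPPED))
```

Passing the submitted file's SHA256 to copies_of shows which dropped path is the sample itself rather than a second-stage download; in this report the explorhe.exe copy under d887ceb89d carries that hash, so the loader copied itself before scheduling it. Empty-file entries are worth separating out because they inflate "files dropped" counts without contributing an indicator.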
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 02:23
Reported
2024-01-23 02:25
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
154s
Command Line
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\amer.exe
"C:\Users\Admin\AppData\Local\Temp\amer.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
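The Processes and Network sections above carry the two facts an analyst acts on first: persistence (schtasks re-launching explorhe.exe from %TEMP% every minute, and rundll32 loading clip64.dll from AppData\Roaming with an exported Main) and the C2 contact (direct TCP to 185.215.113.68:80, with the sandbox's own reverse lookup of that address appearing as 68.113.215.185.in-addr.arpa). The script below is an added example, not part of this report or the sandbox; the command lines and network rows are copied from the page, while the thresholds, the "user-writable" rule and the helper names are my own. It flags short-interval scheduled tasks whose target sits under a user profile, flags rundll32 modules from the same area, and turns the recorded PTR names back into IPs so they can be matched against the direct connections.

```python
"""Triage helpers over a sandbox report's Processes and Network sections.

Added example; not part of the original report or the sandbox's tooling.
Inputs are copied from the report, flagging rules and names are mine.
"""
import re

# Constructed from the report's Processes section.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\amer.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
]

# Constructed from the report's Network table: (country, destination, domain, proto).
NETWORK = [
    ("RU", "185.215.113.68:80", "185.215.113.68", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.113.215.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
]

# Anything under C:\Users\<name>\AppData\ is writable without elevation (my rule).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
INTERVAL_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in toks]


def parse_schtasks_create(tokens):
    """Name, target and interval from a `schtasks /Create` line; None otherwise."""
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    flags, i = {}, 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(tokens):
            flags[t] = tokens[i + 1]
            i += 2
        else:
            flags[t] = True          # bare switches such as /Create and /F
            i += 1
    if "/create" not in flags:
        return None
    unit = INTERVAL_MINUTES.get(flags.get("/sc", "").lower())
    mult = int(flags.get("/mo", "1"))
    return {"name": flags.get("/tn"), "target": flags.get("/tr"),
            "interval_minutes": unit * mult if unit else None}


def flag_task_persistence(cmdline, max_interval_minutes=5):
    """Task whose binary lives in the user profile and re-runs at most every N minutes."""
    task = parse_schtasks_create(tokenize(cmdline))
    if not task or not task["target"] or task["interval_minutes"] is None:
        return None
    if USER_WRITABLE.match(task["target"]) and task["interval_minutes"] <= max_interval_minutes:
        return task
    return None


def flag_rundll32_user_dll(cmdline):
    """DLL path when rundll32 is handed a module from the user profile."""
    tokens = tokenize(cmdline)
    if len(tokens) < 2 or not tokens[0].lower().endswith("rundll32.exe"):
        return None
    dll = tokens[1].split(",")[0]        # accepts "x.dll,Entry" and "x.dll, Entry"
    return dll if dll.lower().endswith(".dll") and USER_WRITABLE.match(dll) else None


def triage(cmdlines):
    findings = {"scheduled_tasks": [], "rundll32_user_dlls": []}
    for c in cmdlines:
        task = flag_task_persistence(c)
        if task:
            findings["scheduled_tasks"].append(task)
        dll = flag_rundll32_user_dll(c)
        if dll:
            findings["rundll32_user_dlls"].append(dll)
    return findings


def ptr_to_ip(name):
    """'68.113.215.185.in-addr.arpa' -> '185.215.113.68'; None for non-PTR names."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", name, re.I)
    return ".".join(reversed(m.groups())) if m else None


def correlate_reverse_lookups(rows):
    """IPs that were both resolved in reverse and contacted directly over TCP."""
    direct = {dest.rsplit(":", 1)[0] for _c, dest, _d, proto in rows if proto == "tcp"}
    looked_up = set()
    for _c, _d, domain, _p in rows:
        ip = ptr_to_ip(domain)
        if ip:
            looked_up.add(ip)
    return sorted(direct & looked_up)


if __name__ == "__main__":
    print(triage(COMMAND_LINES))
    print(correlate_reverse_lookups(NETWORK))
```

The Process column lists C:\Windows\SysWOW64\rundll32.exe and schtasks.exe even though the command lines name System32: a 32-bit parent launching a System32 path is redirected to SysWOW64 by the file system redirector, so matching on the command line rather than the image path keeps the rule working for both. The other in-addr.arpa names in the table are the sandbox's reverse lookups of addresses it contacted for its own reasons; only the one that reverses to a direct destination is worth carrying as an indicator.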
Files
memory/3652-0-0x0000000000650000-0x0000000000A58000-memory.dmp
memory/3652-1-0x0000000000650000-0x0000000000A58000-memory.dmp
memory/3652-2-0x0000000000650000-0x0000000000A58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 6878df738defcf088ba56b4d214ca1bd |
| SHA1 | 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2 |
| SHA256 | fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b |
| SHA512 | 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78 |
memory/3652-16-0x0000000000650000-0x0000000000A58000-memory.dmp
memory/2060-15-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-17-0x0000000000640000-0x0000000000A48000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
memory/2060-20-0x0000000000640000-0x0000000000A48000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/2060-29-0x0000000000640000-0x0000000000A48000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/2060-41-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/3556-44-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/3556-47-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-48-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-49-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-50-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-51-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-52-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-53-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/4760-55-0x0000000000640000-0x0000000000A48000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4760-59-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-60-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-61-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-62-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-63-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-64-0x0000000000640000-0x0000000000A48000-memory.dmp
memory/2060-65-0x0000000000640000-0x0000000000A48000-memory.dmp