amadey | 3c2e54cf5340c3b1c1a013e1748db7359339eb1280d73f7f3278eab8c40f7b63

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Size

791KB
MD5

ec2c94a21a52027c229a7824d4a1c5ca
SHA1

b17aa25017bf7d0af7ffb946bcace0d51331d351
SHA256

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
SHA512

f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761
SSDEEP

24576:Skt2zwjdnAwQ4x2K3yWds0JkKyV0+mZbmNrUCV+7d9/1:PnnAlpadsLK+mZSgfpF

Score

10^/10

amadey redline risepro xmrig zgrat discovery evasion infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1808-236-0x0000000002030000-0x000000000212E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-250-0x0000000004610000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2216-269-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2216-270-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2216-275-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2216-280-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2216-278-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-306-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-307-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-311-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-314-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-317-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-332-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-330-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-328-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-326-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-324-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1808-321-0x0000000002030000-0x0000000002128000-memory.dmp	family_zgrat_v1
behavioral1/memory/1868-614-0x0000000000250000-0x0000000000350000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2552-72-0x0000000001E90000-0x0000000001ED2000-memory.dmp	family_redline
behavioral1/memory/2552-102-0x0000000004830000-0x0000000004870000-memory.dmp	family_redline
behavioral1/memory/2552-151-0x0000000002120000-0x000000000215E000-memory.dmp	family_redline
behavioral1/memory/2216-269-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2216-270-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2216-275-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2216-280-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2216-278-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2484-292-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-293-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-296-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-295-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-294-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-297-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-299-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-298-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-302-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-316-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2484-319-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 2480 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
7	2480	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

moto.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe

Executes dropped EXE 24 IoCs

Processes:

explorhe.exenum.exerback.exeleg221.exeleg221.exe7z.exeGzxzuhejdab.exe7z.execrypted.exe7z.exeexplorhe.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exexfAk7rC2FeEN35Y8o.exemoto.exeiojmibhyhiws.exeqemu-ga.exeexplorhe.exe

pid	process
2784	explorhe.exe
2580	num.exe
1728	rback.exe
2552	leg221.exe
2140	leg221.exe
1744	7z.exe
1808	Gzxzuhejdab.exe
2372	7z.exe
2156	crypted.exe
2380	7z.exe
1992	explorhe.exe
1984	7z.exe
924	7z.exe
1980	7z.exe
3004	7z.exe
1632	7z.exe
2180	7z.exe
1868	xfAk7rC2FeEN35Y8o.exe
2984	moto.exe
472
2980	iojmibhyhiws.exe
1992	explorhe.exe
2384	qemu-ga.exe
2568	explorhe.exe

Loads dropped DLL 35 IoCs

Processes:

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exeexplorhe.execmd.exe7z.exe7z.exe7z.exeexplorhe.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exerundll32.exeRegAsm.exe

pid	process
1588	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
2784	explorhe.exe
2784	explorhe.exe
2784	explorhe.exe
2784	explorhe.exe
1732	cmd.exe
2784	explorhe.exe
1744	7z.exe
1732	cmd.exe
2372	7z.exe
2784	explorhe.exe
1732	cmd.exe
2380	7z.exe
1732	cmd.exe
1992	explorhe.exe
1732	cmd.exe
1984	7z.exe
1732	cmd.exe
924	7z.exe
1732	cmd.exe
1980	7z.exe
1732	cmd.exe
3004	7z.exe
1732	cmd.exe
1632	7z.exe
1732	cmd.exe
2180	7z.exe
2784	explorhe.exe
2784	explorhe.exe
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe
472
2216	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000564001\\num.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000567001\\rback.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

rback.exeexplorhe.exe

pid	process
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe
1728	rback.exe
2784	explorhe.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

crypted.exeiojmibhyhiws.exexfAk7rC2FeEN35Y8o.exe

description	pid	process	target process
PID 2156 set thread context of 2216	2156	crypted.exe	RegAsm.exe
PID 2980 set thread context of 2492	2980	iojmibhyhiws.exe	conhost.exe
PID 2980 set thread context of 2484	2980	iojmibhyhiws.exe	conhost.exe
PID 1868 set thread context of 1784	1868	xfAk7rC2FeEN35Y8o.exe	RegSvcs.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2808 sc.exe
2732 sc.exe
468 sc.exe
580 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2444 schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

xfAk7rC2FeEN35Y8o.exe

pid process

1868 xfAk7rC2FeEN35Y8o.exe

pid	process
2808	sc.exe
2732	sc.exe
468	sc.exe
580	sc.exe

pid	process
2444	schtasks.exe

pid	process
1868	xfAk7rC2FeEN35Y8o.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

moto.exeiojmibhyhiws.execonhost.exeRegAsm.exeRegSvcs.exe

pid	process
2984	moto.exe
2984	moto.exe
2984	moto.exe
2984	moto.exe
2984	moto.exe
2980	iojmibhyhiws.exe
2980	iojmibhyhiws.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2216	RegAsm.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
1784	RegSvcs.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe
2484	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

472

pid	process
472

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

7z.exe7z.exe7z.exeexplorhe.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeGzxzuhejdab.execonhost.exeRegAsm.exeRegSvcs.exe

description	pid	process
Token: SeRestorePrivilege	1744	7z.exe
Token: 35	1744	7z.exe
Token: SeSecurityPrivilege	1744	7z.exe
Token: SeSecurityPrivilege	1744	7z.exe
Token: SeRestorePrivilege	2372	7z.exe
Token: 35	2372	7z.exe
Token: SeSecurityPrivilege	2372	7z.exe
Token: SeSecurityPrivilege	2372	7z.exe
Token: SeRestorePrivilege	2380	7z.exe
Token: 35	2380	7z.exe
Token: SeSecurityPrivilege	2380	7z.exe
Token: SeSecurityPrivilege	2380	7z.exe
Token: SeRestorePrivilege	1992	explorhe.exe
Token: 35	1992	explorhe.exe
Token: SeSecurityPrivilege	1992	explorhe.exe
Token: SeSecurityPrivilege	1992	explorhe.exe
Token: SeRestorePrivilege	1984	7z.exe
Token: 35	1984	7z.exe
Token: SeSecurityPrivilege	1984	7z.exe
Token: SeSecurityPrivilege	1984	7z.exe
Token: SeRestorePrivilege	924	7z.exe
Token: 35	924	7z.exe
Token: SeSecurityPrivilege	924	7z.exe
Token: SeSecurityPrivilege	924	7z.exe
Token: SeRestorePrivilege	1980	7z.exe
Token: 35	1980	7z.exe
Token: SeSecurityPrivilege	1980	7z.exe
Token: SeSecurityPrivilege	1980	7z.exe
Token: SeRestorePrivilege	3004	7z.exe
Token: 35	3004	7z.exe
Token: SeSecurityPrivilege	3004	7z.exe
Token: SeSecurityPrivilege	3004	7z.exe
Token: SeRestorePrivilege	1632	7z.exe
Token: 35	1632	7z.exe
Token: SeSecurityPrivilege	1632	7z.exe
Token: SeSecurityPrivilege	1632	7z.exe
Token: SeRestorePrivilege	2180	7z.exe
Token: 35	2180	7z.exe
Token: SeSecurityPrivilege	2180	7z.exe
Token: SeSecurityPrivilege	2180	7z.exe
Token: SeDebugPrivilege	1808	Gzxzuhejdab.exe
Token: SeLockMemoryPrivilege	2484	conhost.exe
Token: SeDebugPrivilege	2216	RegAsm.exe
Token: SeDebugPrivilege	1784	RegSvcs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe

pid process

1588 cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exeexplorhe.exerback.exeexplorhe.exeexplorhe.exe

pid process

1588 cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
2784 explorhe.exe
1728 rback.exe
1992 explorhe.exe
2568 explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exeexplorhe.exenum.execmd.exe

description	pid	process	target process
PID 1588 wrote to memory of 2784	1588	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 1588 wrote to memory of 2784	1588	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 1588 wrote to memory of 2784	1588	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 1588 wrote to memory of 2784	1588	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 2784 wrote to memory of 2444	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 2444	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 2444	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 2444	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 2580	2784	explorhe.exe	num.exe
PID 2784 wrote to memory of 2580	2784	explorhe.exe	num.exe
PID 2784 wrote to memory of 2580	2784	explorhe.exe	num.exe
PID 2784 wrote to memory of 2580	2784	explorhe.exe	num.exe
PID 2784 wrote to memory of 1728	2784	explorhe.exe	rback.exe
PID 2784 wrote to memory of 1728	2784	explorhe.exe	rback.exe
PID 2784 wrote to memory of 1728	2784	explorhe.exe	rback.exe
PID 2784 wrote to memory of 1728	2784	explorhe.exe	rback.exe
PID 2784 wrote to memory of 2552	2784	explorhe.exe	leg221.exe
PID 2784 wrote to memory of 2552	2784	explorhe.exe	leg221.exe
PID 2784 wrote to memory of 2552	2784	explorhe.exe	leg221.exe
PID 2784 wrote to memory of 2552	2784	explorhe.exe	leg221.exe
PID 2580 wrote to memory of 1732	2580	num.exe	cmd.exe
PID 2580 wrote to memory of 1732	2580	num.exe	cmd.exe
PID 2580 wrote to memory of 1732	2580	num.exe	cmd.exe
PID 2580 wrote to memory of 1732	2580	num.exe	cmd.exe
PID 2784 wrote to memory of 2140	2784	explorhe.exe	leg221.exe
PID 2784 wrote to memory of 2140	2784	explorhe.exe	leg221.exe
PID 2784 wrote to memory of 2140	2784	explorhe.exe	leg221.exe
PID 2784 wrote to memory of 2140	2784	explorhe.exe	leg221.exe
PID 1732 wrote to memory of 2008	1732	cmd.exe	mode.com
PID 1732 wrote to memory of 2008	1732	cmd.exe	mode.com
PID 1732 wrote to memory of 2008	1732	cmd.exe	mode.com
PID 1732 wrote to memory of 1744	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1744	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1744	1732	cmd.exe	7z.exe
PID 2784 wrote to memory of 1808	2784	explorhe.exe	Gzxzuhejdab.exe
PID 2784 wrote to memory of 1808	2784	explorhe.exe	Gzxzuhejdab.exe
PID 2784 wrote to memory of 1808	2784	explorhe.exe	Gzxzuhejdab.exe
PID 2784 wrote to memory of 1808	2784	explorhe.exe	Gzxzuhejdab.exe
PID 1732 wrote to memory of 2372	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 2372	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 2372	1732	cmd.exe	7z.exe
PID 2784 wrote to memory of 2156	2784	explorhe.exe	crypted.exe
PID 2784 wrote to memory of 2156	2784	explorhe.exe	crypted.exe
PID 2784 wrote to memory of 2156	2784	explorhe.exe	crypted.exe
PID 2784 wrote to memory of 2156	2784	explorhe.exe	crypted.exe
PID 1732 wrote to memory of 2380	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 2380	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 2380	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1992	1732	cmd.exe	explorhe.exe
PID 1732 wrote to memory of 1992	1732	cmd.exe	explorhe.exe
PID 1732 wrote to memory of 1992	1732	cmd.exe	explorhe.exe
PID 1732 wrote to memory of 1984	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1984	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1984	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 924	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 924	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 924	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1980	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1980	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1980	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 3004	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 3004	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 3004	1732	cmd.exe	7z.exe
PID 1732 wrote to memory of 1632	1732	cmd.exe	7z.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

868 attrib.exe

pid	process
868	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2444

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
"C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p4632370330209207692137030328 -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\attrib.exe
attrib +H "xfAk7rC2FeEN35Y8o.exe"
5⤵
- Views/modifies file attributes
PID:868

C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe
"xfAk7rC2FeEN35Y8o.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe"
3⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe"
3⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
"C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:2808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"
4⤵
PID:2548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1704

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:468

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2480

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2492

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\taskeng.exe
taskeng.exe {26E75C87-5A32-40B2-A05C-DB3831445712} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
Filesize
2.6MB

MD5
b65204b855a9031d3a1e8480899ed0ce

SHA1
bae418328b0bd303dc712a1861771451da0df0dc

SHA256
39dd749c32c81af709f676a0bcb808191244439090f6404aabb445d16723a2e2

SHA512
43c5309c42bacf69df58880b9dafdf2652fe3d66acad779c95bce29272de696d94cdb5bd3437ab192db99cf44eedf3da4b3e7483db15cdcbe22ea3d721210a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
Filesize
1.7MB

MD5
cb0c32dbd9299ced29a49721c9665815

SHA1
0c90839639eed636b94f8f2ca43dee0f495e6218

SHA256
7d87e7dbcb78412a71770d9b6361611af4062ef29ece3878c9ed921fbe5672da

SHA512
a90c2bf577c6c5f1161863025dc8fb48fe253a5cb4a071a425f009599495fea17a2cbb1017317e162fc3ef99c090ed6e63dda2071e802def364654d4cd59df12

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
Filesize
1.2MB

MD5
d5af5fe1f4a7f598abfefdba5f2c755d

SHA1
fbf50fd43a5ac059b35f239e1ad7c710289800cb

SHA256
d4027a5e8436b4887830bc890345cb061a0b6d38962f76f68990424345a8b840

SHA512
db3dea30f75728a0010f31d72981342a2b851d2b6f41718b8bd9351e6153ff3fdb03509bde8ee5fed52c12f3522790562a6508e7140a50486218ef01bf5626d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
Filesize
793KB

MD5
dc41db2f1a79d6a6fe0d35c842b39adc

SHA1
59b155df668de78669f45a741dc1581f835d674d

SHA256
fcc65263f1b2ce58bf23b3c1da6ac08b8b10ff1824d100a4852f01a9832013a3

SHA512
361a79323e6cb03a01ae2d641cd7952425bf41ede79de770c2e79312c67f8338a72c3d979da86feaa3a224661623533a222891d547e61fbe237e395f5fdd84ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
Filesize
1.0MB

MD5
2fadc3984b71f0fd08c832adeedf2b52

SHA1
cc1fc06a55af72364fb0a1266d3f5936577162f9

SHA256
34f47e63788cdb398c48ad06f3878ec9bce9fd0e261306b2c81b3796925f9240

SHA512
63e8127e2d44cd98cd6225eb8d1f348f5e3e7d7f86900e2f949329f6d35a943147aa1fb72061a8868cfcd9e53fde536dc870b3a9c9248b6aab067774b1654685

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
Filesize
576KB

MD5
219bbf6cbe4a20ce93e50137a47c9be3

SHA1
25d68c1f11d5624bcc94e5bf9d382fad55d3058f

SHA256
47d7c430478b2cc240f9077f22051146c30412868ada9289c819c9ec16c612ae

SHA512
17df2bd3a6d83f91690ec806056b34a9860216c259a16c7e7cfcc1a8f7ce823e5e58474b4ae38b876fb0f5ec8f338f819e69276fb63b635b757e26351127ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe
Filesize
192KB

MD5
f4ec0a6240099958d490c053e0a1b6d4

SHA1
b00d1d9ec4991c6156d508504276f7fb6428096a

SHA256
99b156a2926cc2dd2be7df741563a66aef1af075f835cb2b42835eba792f2f70

SHA512
60193ad4993cb45a8f859336d38c1af29e9528cd65350c804e856846fcb74276f3e44f470ada4ebe353eeba8f6c6e644c3d500ad695f6951a25516c190189bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
ec2c94a21a52027c229a7824d4a1c5ca

SHA1
b17aa25017bf7d0af7ffb946bcace0d51331d351

SHA256
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e

SHA512
f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
Filesize
2.2MB

MD5
49de8961e3d7dcbc6a0bc6d5800c17dd

SHA1
7b5b96d1217b8a6fc1587a8920ea587d86a804c3

SHA256
bf26a770ef4fdd475d4789eb9e9572c6b3dba2d81159f4e2e15bdd4bc11b3b95

SHA512
bbee597d3940403a51ad4defdd9e8b56cb575d44d7513a630ad82def0a401a4eeade58d93e7d2819d7e6c0d55a430916ab0a9cf9bb6f69d0b510a84ddab2b118

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize
97KB

MD5
22a25a629e495aed50731591b05c997a

SHA1
cb93590710e0b2b142fe252f775015237dad10da

SHA256
16a82ffd653bacaa05e181ec61b0900077955187288908e75c332d3fb54a368d

SHA512
64d71421cf124e3b4c66020e8ab7a6760625ec40cbb2e960e87d5ad5683cdd09f37bd26353dd98a5a5068ae712c0b6a05a5deff08dea1d4a4cb7da837c6376d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize
97KB

MD5
24ca7dbb6f0cc43aa650807593091ff2

SHA1
db0e37151a82120c3519f3b587b8ad452e96fc75

SHA256
216f5cd816b0bbc83a27d4d9198994a85eca951e571983e82e3d9fa51a1aac8f

SHA512
2b13d8e66979ede339338f786db9d8788ac4aac3d383ed2e491c51418022c6342484d659cdc4fd55f3b03141286cfc245187a978ef5fdf9c9d015dbd1dea9d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
Filesize
98KB

MD5
eb8ae67add0315dd587f99d81e0f53f7

SHA1
8d2e1afc03e3549775065f541417778eea6c3e6e

SHA256
95379f57e916b94e093e3bef9f4a7d92869951b6c369c5801fedd48a72b5efde

SHA512
4485773f12fcb34a1fed8e9b764c98e629239e51d99623deba17c237e59d1ad23ad2d755cd0917cb6789b0c52471c9b21f8c0ff2898c8e74ea0b577930d2079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
Filesize
98KB

MD5
781e90fd2d92487c572cb80b35067285

SHA1
0b436e2afdd1cc954ddc86b22500540624d0e598

SHA256
037ecc54896d74db57489337f7ffff292ad7f8e650833689efc763293e0ae6f1

SHA512
13f47e023297520eb0a0f3aff657158d91c92cb770ed706ad73b95e087bec22e0475e28f427af853c2786b9b2fa8cb7f2fa06ccde847f3f3e32d93d7fe10685a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
Filesize
98KB

MD5
29d5a47c9a1eccdbd25c49cd540f742f

SHA1
81332aed09c142f8ee235c0303c9cae2466a96f3

SHA256
bd48f756c7c1d7883b2ae5934260ce04b08e488108ca75953a8e8fe9ee89770c

SHA512
051039bc5e23fdc0273c7f6e78655c285de84f2b64358af857d5a25d9df01515fedd5ec0f91c7e8d9a8faf00c9a2412d3b0c322a4110ce335fae4abd6fecd089

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
Filesize
98KB

MD5
fe835c127049c665c997e7bf7b5b85f5

SHA1
fe1b418c2b5eca8f800db39a3740b276c95a41ea

SHA256
620d0bb3e2f0f8ac7e96623f89842433a4bea299f9d8c8481fba868ba15f8930

SHA512
284244c3887ce3f10d387c56e59969f763de33517f36c2393e4bee56fb91306f3e0c5b2e162f37c07b490e6a354e57edd71b31317509191eaa4879140c08a680

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
Filesize
98KB

MD5
11f1ca0c43391dc92905d9f728428e68

SHA1
2287377b147573503e20abd97330a681eca88b9d

SHA256
704255efb181a254b7ee6da512ea67db6243881c8dfddd520337d1a3aa4ee9b5

SHA512
14ef19ebb5eb017edeb203f263c4f64f9f58adb5715ce11dab258ff09b51bcdf072cc9678ca110fcc0cf4e43f9c64726d0b719b95408b2c321c1bb5baf8cc62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
Filesize
98KB

MD5
aaa97cae61f10770ab65892fb10b827d

SHA1
0f5f5b27b4603a2a9a6d778263ca402d22fc964f

SHA256
96767258e636d6cd1334d3ca67a1d9f483a090a78d9bafbd3a7bc8837ec998c3

SHA512
dde8270e6699050ce428bfb442d95089b97ad2c351efe9d5d9898a4cd0ded3f5e88f22572a6aecb72a0250b4f3f76ddf933f9853f5761d5676719c886d15d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
Filesize
1.1MB

MD5
40235b44032f0152340cf8abf962b5cc

SHA1
a47551c300cb4491e9dc82734466d243e8eee584

SHA256
3a424ab07ae35d2f8ecee2b7117b477b092c429d49323eba29ba0afe15a1ad22

SHA512
82fdf657ba3c6be68d266218c15c58b2fb758d82241e86459f0a30e6c2bb4728a62f2c14a1a52df79c118cf2c9e6e19690e5f8a408acf5cf9a4455cd7145eaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\xfAk7rC2FeEN35Y8o.exe
Filesize
246KB

MD5
54ce50e8d50599046a20a47555dfb5eb

SHA1
96a891edc54ba1f6d66fbdde47c884e535c83ebe

SHA256
3662c80499b08fe24e982ab558897cfca2cd5e7198b1519bc4490a8551b486ac

SHA512
e787782b960dd3d36972616c42be13e66ad15c3ae6c3e3c8c8f04c5667529568a8c7ecceca8a2971fc71b039aea63cb6ebfb49c3263d82a9fb2f654ccb133892

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
1.7MB

MD5
5adb0fa82d102152c869f831bdf2ad89

SHA1
bba32248250524ba6ef6dd499462ddc02e2bc720

SHA256
2055429dc5a7506e14e3fc328a278c61992147ed12a368243f1a5e5535f7a327

SHA512
e20d652ff39c95ca34c8ad6378e15b24853f23ad34c1e610eead1bee39f0aaef1187abc120e9b3a96e16b58ec38d929d71e220e17ad968f8c8f7a5f328cb9681

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
514B

MD5
4b3a5b96f9eedd8626a8c12976765b56

SHA1
85307e380d233c8229f9e0de16ed82821221a0be

SHA256
1651b6ed815b2128c2362ad38a7cfcdafc6c5f8705572626c872ad788c41f6ef

SHA512
b274c74ebf059fa203408a120a2c6f54f769d93d34d916aad9b4f712455b3ffe396e325744d2488a090dafb1c4621f83428719c8fe20d93b10904953dcdc8790

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
5cac70fbe2fc9869397bf1989e592841

SHA1
cc522bec3c1772269465799d35268630248e801b

SHA256
17e571023337ad513deb4d436c17573b6ab3c9ebf2a3e30425c3f5fa9a638806

SHA512
f56d8d7a996401404b850b6503960ea17d68fe56acbc06de8fa9c39b20dd7f01d24837283f459655ac4efb3da10a8864623cbb041ca9ad81bc9afd1ecf9b5fb9

Download Submit
\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
Filesize
1.1MB

MD5
73102c5b3abea202c716dc000639501f

SHA1
9f25b23dc8c3132f707490b747bdc110aa0a1bf4

SHA256
47ead837fbf7d50b81ee8cde52fc82fe07134b3a522e1ca5fe80f0c9ff55df30

SHA512
90e999b71ae0aa7ac6cf7488ace95d571ec57360cfdd8d889c467945f908272204e276c167ff4621f14e3d22d3366d482d3cb962f1d3a7261a822e77b2a59163

Download Submit
\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
Filesize
768KB

MD5
5eca966dd56f0189904b8240878cba81

SHA1
770520d011c21409b93a77bf45fc858ccaaaa8af

SHA256
b09dd6fd6cb440cd5263f442082effb1089961d2c1ff86dd5cc5e47e78aa350e

SHA512
99cdf082fe098418a33eeba18799b6ccf22e08de99cab546f0add72d941fec7363c0a8d073283369c7cbd66d67ebdb0803215d19944aa30db576d467a65c2953

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.2MB

MD5
931afc729d4dc9c815f25a6e71605882

SHA1
cb03ffc5bdfad24ea2f85bc72302b8b518b8c841

SHA256
e6610aee9c7eccfd728c524ef30047f1fff02f5023e80a6f7f0dc41a9642dbff

SHA512
7071d8d9ed5c8a63ac4cbbc16ee53417b4e2c8fb5007f901e5d538f43859d343816758d22e96a9ef3d3e22318206068cdca1a213be77da8d382bde0d851622ad

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.4MB

MD5
e27ed9139b5deae4b799ef17880eb82f

SHA1
210f8087ce88aeb5eb0cdd8a7992adbd3cb35e1e

SHA256
b293901df19277cd5908ea67aa9503839631ae19f312eaf378296f0642f18ead

SHA512
4fa7c75230a7f5a8b760534a28cc74f7beff2fc302c9ac70e6de9544e4d892e09387351ace4d523c4f0e18c2bdff5fffc0f15bf680cad88dc54a65b3a978167e

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
64KB

MD5
2ac9bea08704210b2537fcbd3f244496

SHA1
8ee3e4f4b2a582c97b80a3f5a0e2344c43d6bfa3

SHA256
c3c3ac7c56ca6e9387dbf41b1a3e3708ece828b6260a30f8a5d67d4ae27763fd

SHA512
7db3f1988b0384046a837c9df0917be5810b1596477643eaa2fa40fd2e21a52756a1d58616b8445d1c08aada48bf5ba972bfa3f6dba392f448f9678bab441682

Download Submit
memory/1588-13-0x0000000004520000-0x0000000004928000-memory.dmp

Filesize
4.0MB

Download
memory/1588-3-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1588-14-0x0000000000260000-0x0000000000668000-memory.dmp

Filesize
4.0MB

Download
memory/1588-1-0x0000000000260000-0x0000000000668000-memory.dmp

Filesize
4.0MB

Download
memory/1588-0-0x0000000000260000-0x0000000000668000-memory.dmp

Filesize
4.0MB

Download
memory/1728-234-0x0000000001120000-0x0000000001603000-memory.dmp

Filesize
4.9MB

Download
memory/1728-310-0x0000000001120000-0x0000000001603000-memory.dmp

Filesize
4.9MB

Download
memory/1728-223-0x0000000001120000-0x0000000001603000-memory.dmp

Filesize
4.9MB

Download
memory/1728-305-0x0000000001120000-0x0000000001603000-memory.dmp

Filesize
4.9MB

Download
memory/1728-49-0x0000000001120000-0x0000000001603000-memory.dmp

Filesize
4.9MB

Download
memory/1784-621-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-627-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-624-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1784-623-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-328-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-330-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-324-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-573-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1808-477-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-163-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1808-321-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-314-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-332-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-326-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-317-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-131-0x0000000000990000-0x0000000000A9A000-memory.dmp

Filesize
1.0MB

Download
memory/1808-306-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-311-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-134-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-307-0x0000000002030000-0x0000000002128000-memory.dmp

Filesize
992KB

Download
memory/1808-236-0x0000000002030000-0x000000000212E000-memory.dmp

Filesize
1016KB

Download
memory/1868-614-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1992-318-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/1992-626-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2140-254-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-308-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2140-164-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2140-103-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2140-313-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2140-101-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-574-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2156-161-0x0000000001300000-0x000000000136C000-memory.dmp

Filesize
432KB

Download
memory/2156-235-0x0000000002770000-0x0000000004770000-memory.dmp

Filesize
32.0MB

Download
memory/2156-157-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2156-286-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2156-174-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/2216-272-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-280-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2216-278-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2216-275-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2216-269-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2216-270-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2216-268-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2216-267-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2384-582-0x00000000013D0000-0x00000000013D8000-memory.dmp

Filesize
32KB

Download
memory/2384-600-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-295-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-303-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2484-319-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-293-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-296-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-291-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-294-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-297-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-299-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-298-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-302-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-292-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-639-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2484-316-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2484-577-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2492-284-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2492-285-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2492-283-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2492-282-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2492-287-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2492-290-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2552-253-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-98-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-72-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/2552-86-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-102-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-273-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-104-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-575-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-165-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/2552-151-0x0000000002120000-0x000000000215E000-memory.dmp

Filesize
248KB

Download
memory/2552-233-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-637-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2784-304-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2784-48-0x0000000004730000-0x0000000004C13000-memory.dmp

Filesize
4.9MB

Download
memory/2784-252-0x0000000004610000-0x000000000504D000-memory.dmp

Filesize
10.2MB

Download
memory/2784-125-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2784-620-0x0000000004610000-0x000000000504D000-memory.dmp

Filesize
10.2MB

Download
memory/2784-12-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2784-251-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2784-250-0x0000000004610000-0x000000000504D000-memory.dmp

Filesize
10.2MB

Download
memory/2784-133-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2784-622-0x0000000004610000-0x000000000504D000-memory.dmp

Filesize
10.2MB

Download
memory/2784-215-0x0000000004730000-0x0000000004C13000-memory.dmp

Filesize
4.9MB

Download
memory/2784-15-0x00000000001D0000-0x00000000005D8000-memory.dmp

Filesize
4.0MB

Download
memory/2980-281-0x000000013FF70000-0x00000001409AD000-memory.dmp

Filesize
10.2MB

Download
memory/2980-301-0x000000013FF70000-0x00000001409AD000-memory.dmp

Filesize
10.2MB

Download
memory/2984-266-0x000000013FCD0000-0x000000014070D000-memory.dmp

Filesize
10.2MB

Download
memory/2984-255-0x000000013FCD0000-0x000000014070D000-memory.dmp

Filesize
10.2MB

Download