Malware Analysis Report

2025-06-16 02:13

Sample ID: 240126-gy7c9affg2
Target: 5c1e965d21ddfb6972824827a6ad3ed5
SHA256: 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
Tags: amadey djvu redline risepro smokeloader xmrig zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) pub1 backdoor discovery evasion infostealer miner persistence ransomware rat stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
Threat Level: Known bad

The file 5c1e965d21ddfb6972824827a6ad3ed5 was found to be: Known bad.

Malicious Activity Summary

Tags: amadey djvu redline risepro smokeloader xmrig zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) pub1 backdoor discovery evasion infostealer miner persistence ransomware rat stealer trojan

  RedLine payload
  SmokeLoader
  xmrig
  Detect ZGRat V1
  Amadey
  ZGRat
  RisePro
  RedLine
  Djvu Ransomware
  XMRig Miner payload
  Blocklisted process makes network request
  Downloads MZ/PE file
  Creates new service(s)
  Stops running service(s)
  Modifies file permissions
  Loads dropped DLL
  .NET Reactor protector
  Executes dropped EXE
  Checks computer location settings
  Looks up external IP address via web service
  Legitimate hosting services abused for malware hosting/C2
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Launches sc.exe
  Program crash
  Unsigned PE
  Enumerates physical storage devices
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Suspicious use of FindShellTrayWindow
  Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-26 06:13

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-26 06:13
Reported: 2024-01-26 06:16
Platform: win7-20231129-en
Max time kernel: 0s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

Signatures

Amadey
  trojan amadey

Detect ZGRat V1

Djvu Ransomware
  ransomware djvu

RedLine
  infostealer redline

RedLine payload

RisePro
  stealer risepro

SmokeLoader
  trojan backdoor smokeloader

ZGRat
  rat zgrat

xmrig
  miner xmrig

XMRig Miner payload
  miner

Creates new service(s)
  persistence

Downloads MZ/PE file

Stops running service(s)
  evasion

.NET Reactor protector

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Loads dropped DLL
  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Modifies file permissions
  discovery
  Process: C:\Windows\SysWOW64\icacls.exe

Legitimate hosting services abused for malware hosting/C2
  Indicator: pastebin.com
  Indicator: pastebin.com
  Indicator: pastebin.com

Looks up external IP address via web service
  Indicator: api.2ip.ua
  Indicator: api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger
  Process: C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
  Process: C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Enumerates physical storage devices

Program crash
  Process: C:\Windows\SysWOW64\WerFault.exe
  Target: C:\Users\Admin\AppData\Local\Temp\nso5F9F.tmp

Creates scheduled task(s)
  persistence
  Process: C:\Windows\SysWOW64\schtasks.exe
  Process: C:\Windows\SysWOW64\schtasks.exe

Suspicious use of FindShellTrayWindow
  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of SetWindowsHookEx
  Process: C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
  Process: C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Processes

Each entry lists the process image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
  "C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\system32\taskeng.exe
  taskeng.exe {8A8EB882-E5C4-47BC-9D5B-E3160E19C6AC} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
  "C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
  "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
  C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
  "C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"

C:\Windows\system32\conhost.exe
  conhost.exe

C:\Windows\system32\choice.exe
  choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
  "C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
  "C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
  "C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
  "C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
  "C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
  "C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
  "C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
  "C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"

C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\rty25.exe
  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\chcp.com
  chcp 1251

C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\nso5F9F.tmp
  C:\Users\Admin\AppData\Local\Temp\nso5F9F.tmp

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 88

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
  "C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\E34D.exe
  C:\Users\Admin\AppData\Local\Temp\E34D.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\explorer.exe
  explorer.exe

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\2B94.exe
  C:\Users\Admin\AppData\Local\Temp\2B94.exe

C:\Users\Admin\AppData\Local\Temp\2B94.exe
  C:\Users\Admin\AppData\Local\Temp\2B94.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\explorer.exe
  explorer.exe

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\4aafdf41-350e-4edb-a90b-bf13c6a64bc0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2B94.exe
  "C:\Users\Admin\AppData\Local\Temp\2B94.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2B94.exe
  "C:\Users\Admin\AppData\Local\Temp\2B94.exe" --Admin IsNotAutoStart IsNotTask

Network

Country  Destination             Domain                   Proto
RU       185.215.113.68:80       185.215.113.68           tcp
FI       109.107.182.3:80        109.107.182.3            tcp
DE       185.172.128.19:80       -                        tcp
DE       141.95.211.148:46011    -                        tcp
DE       95.179.241.203:80       -                        tcp
NL       94.156.67.230:13781     -                        tcp
DE       185.172.128.90:80       -                        tcp
AT       5.42.64.33:80           -                        tcp
US       8.8.8.8:53              i.alie3ksgaa.com         udp
RU       185.215.113.68:80       185.215.113.68           tcp
HK       154.92.15.189:443       i.alie3ksgaa.com         tcp
RU       158.160.118.17:80       trad-einmyus.com         tcp
DE       20.79.30.95:33223       -                        tcp
NL       80.79.4.61:18236        -                        tcp
DE       144.76.1.85:25894       -                        tcp
NL       195.20.16.103:20440     -                        tcp
RU       158.160.118.17:80       -                        tcp
GB       173.222.13.40:80        -                        tcp
US       8.8.8.8:53              brusuax.com              udp
MX       189.232.10.46:80        brusuax.com              tcp
US       8.8.8.8:53              api.2ip.ua               udp
US       8.8.8.8:53              app.alie3ksgaa.com       udp
HK       154.92.15.189:80        app.alie3ksgaa.com       tcp
US       104.21.65.24:443        api.2ip.ua               tcp
US       8.8.8.8:53              pki.goog                 udp
US       216.239.32.29:80        pki.goog                 tcp
US       8.8.8.8:53              zeph-eu2.nanopool.org    udp
US       8.8.8.8:53              pastebin.com             udp
US       172.67.34.170:443       pastebin.com             tcp
FR       163.172.171.111:10943   zeph-eu2.nanopool.org    tcp
US       172.67.34.170:443       pastebin.com             tcp
FR       163.172.171.111:10943   zeph-eu2.nanopool.org    tcp
DE       146.0.41.68:80          -                        tcp
US       104.21.65.24:443        api.2ip.ua               tcp
US       8.8.8.8:53              racingcycle.net          udp
PT       194.38.133.167:443      racingcycle.net          tcp
PT       194.38.133.167:443      racingcycle.net          tcp
MX       189.232.10.46:80        brusuax.com              tcp
US       8.8.8.8:53              habrafa.com              udp
PE       190.12.87.61:80         habrafa.com              tcp
GB       96.17.179.184:80        -                        tcp
GB       92.123.241.137:80       -                        tcp

(A "-" in the Domain column means the report recorded no domain for that connection.)

Files

memory/2948-1-0x0000000000EA0000-0x00000000012A8000-memory.dmp

memory/2948-2-0x0000000000EA0000-0x00000000012A8000-memory.dmp

memory/2948-4-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2044-16-0x0000000000800000-0x0000000000C08000-memory.dmp

memory/2948-15-0x0000000005450000-0x0000000005858000-memory.dmp

memory/2948-13-0x0000000000EA0000-0x00000000012A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 95f8e0b5a5b337b3f01c16c987aeb5ab
SHA1 2921561d966eada57d39d55778df4901d03a743b
SHA256 0bfdef954815e84d283f8c9058222dbd8db176b27d6d44180bf4c4aa40a0b0cd
SHA512 da52cdfff3952edcb4aab831c3e6e303e4a8e065f8f7f822cb3a70625e0bd88159631e1acf8f1182e0940412269b68bf0958b36c07ec5a47a2322727b657a796

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

memory/2044-17-0x0000000000800000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 f683dc9fd61ace6d808b0eb31c6e066f
SHA1 7a373eb1a782bff878d69b89a6c384284fc6a203
SHA256 ba5c1b195e2eaeab39d93da89cfa51894c4d243a95ff16edc7fdb6cdf2b867e0
SHA512 dbf9f33398dc08a4201f6fa6db3dd0343cc5b0679c83960297f90d5bc03760351b8540b77649a0829868f1a6426eea67fe466e9eec465451301008ba4cdb6baa

memory/2044-14-0x0000000000800000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 f6172da8e484c2a5c924dc17d4efb5cc
SHA1 325774cc774c8f21334fd355856bafd79da2e718
SHA256 55784bac22bab49e4be203c6b7b7db9003de8a94ea7821e8f2c4c0a6629708d5
SHA512 22f521fd1c6104bc92379ef96bfa0bae48c5cd3f0ad960b8326cdb5e38e66ac9438e86b2d22e9669769cc9db812bb945d4b69f08036c2a7d25711ed631f23eec

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 5c1e965d21ddfb6972824827a6ad3ed5
SHA1 3267ccd4de8c23ab99433235d5529937409162e7
SHA256 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
SHA512 2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

MD5 b342f28820cbc6bea5246167741f9532
SHA1 8d7ae000aa9e9ca91d7e1dc158bcfb113b9074a0
SHA256 d34a415a65adc49ced6db78443a15d448183a8e86edc5c4c5c7eeddea9487183
SHA512 3ac2e19fbe8a5d116bdac6362376ba4af8a2228982d5112c7d7cf68f0cb1bad5b868c1d2c4175a32293e92a2ff8ef8904c541febc8ddda19f7bb6326cf4ea7d5

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 c49b8f782a724c1807c5ef4a274fddd0
SHA1 9c0243b8efd33bef478c87a3af310ea98fc73bff
SHA256 38cb16276dcce227b18d6691ca5cd150a788c57463329daf417e1a6e1691a669
SHA512 1cd7e06c8078df8617ace86798624cdfc2129043fb483c7b9415be30cb66bae06f48642f27aeb3c51efb0a14f9d5a475614a22a7d29e488b5af2e23ee0fbd9d3

memory/2696-32-0x0000000000800000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

MD5 16937afb0337320aaae3c02aadd8e950
SHA1 7a2fd1dfe49f76494d00d2beb8ed1e18f1b25c15
SHA256 96a6200c559b5ca41ff79e5556d63cd35c39105ca0308f43ff0d943ed6f1ae09
SHA512 399c42ed1ce3aa7b577142ddad2c140947be1e6aacc0448cb4aa460fbbcb7a6cb4c1b6a919d96fa2c883a878af8e1234289d5839f92e666ebd4a83afd3a18f51

\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

MD5 26fd8b6948f054cc5441dd29327b7212
SHA1 43628f2999382b6cda7df20cf6288a14e3ae84f5
SHA256 e7d6b65d0195b65610ff18ebbb531a16d9f323944b6f2ff3a581e9d9bcfe80b4
SHA512 4f3d49bc08bac406d9e6d6a0f59cc8bdc035aaf28504042686b17c61e736e3c80a8f87b1a51aaf049407cf8c8ca0332678f73910391d01cb1b3287b79d4cac58

memory/2696-34-0x0000000000800000-0x0000000000C08000-memory.dmp

memory/2468-43-0x0000000001320000-0x0000000001803000-memory.dmp

memory/2696-42-0x0000000000800000-0x0000000000C08000-memory.dmp

memory/2044-39-0x0000000005600000-0x0000000005AE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 6ae1b087159aa458c81205556cde2563
SHA1 0576b33d8a14710eb84e34e14af3047dc9bcef4a
SHA256 670004a6bd7fab2c2e091252993ec7b70e43384679e231ecec7af3e2805d31eb
SHA512 75c655fc9bb840ba5591afee09649f7ffc17555b8bad42320a8fa820f95e5a385429ced19fbe058a471e6375cb80675201c779a80dc1a94a47dd80201959b6b9

\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 273406e453f2a6ac154d185f509752dd
SHA1 f629aebb5cf3d074f01d94c6e1e4cacd28a0f238
SHA256 172c2acd7149e655efd70ace8392afb320e0f7d443d50e63071d6b6b2f6a4f92
SHA512 57018e675a38e9248f853bab094854c856c79028b3946d23f4c82d75edde927812789dc41534e3a000aa009bfdd150e5d31deb5f777c4829268573854ecd53dd

memory/2044-62-0x00000000057D0000-0x000000000620D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 d8b1955a4f574f2ac7c0c1168d504416
SHA1 d4f1643b78295615684408aa58f3275e14e97c6d
SHA256 70f87390d132957ab9db310c784c540c243c0838b717db38768ea1513cb11464
SHA512 c98731d963e7c0c7c4bbf48eb479e822e5a816e49baad8051bdd3ba2bd4a05e43d77b4b395a2cc8fbd9c6df06a62abb3b8f180f44fa365bd58bdfb9b07224591

memory/2044-63-0x00000000057D0000-0x000000000620D000-memory.dmp

memory/1204-64-0x000000013FDD0000-0x000000014080D000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 3d693864d785e55d530864de86af0a3e
SHA1 95ac30289a4251344fd12beb69ddcab9811adbac
SHA256 33b3a98502e167b473398f8dac5feeb1a4222afb1da6c284f2a2c2a980406a5b
SHA512 9c3186b7c6d88962ff4c8467135c752fc9ad43a2d0ff9c97f0d0dbea81d8651ec482e33ceaadc1c22c39b078cee1b91c0533ab54bc8c2ef7a768f76ab074fac4

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 2bed6239d71dae194aa9391344be9d5b
SHA1 c0d1c4c22a72bef8e7cb4c166e50c6a12caf555f
SHA256 9e7914f585941760f22cd4d1c5032359ea73710702bfea9a9d9be82605dcf17b
SHA512 49fefeab9d3ddd4aea8b38f0206162de2611bd5c0885562df6903862c0d488eef5ea6417d81d0dd3c7f120187dec3971cbffa2a82eb2554a6afcc7a0d0f20520

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 c742f38955184ca29791ecc5e6689f21
SHA1 4932089566a091bc840762f3fd6551ae6bd54c5b
SHA256 4d6d132e93e3250b0ca946e4495ea00c2bb0b58e84fdd18c88540aed31dbfabf
SHA512 dedbb7d10ad6274c18b1a32f6d5db7a40f31cf9a457a4c4cf318d2231af66ed2747c080af228015b168c090fae53366ad4e5a161aa78e108dd95609d5eac99ab

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 e29d98237bf2fe611f50f37e29078d8e
SHA1 d975263409ad243d0ac0da792998401cd25339d8
SHA256 9b29d99f4c842be50735ff2ebdb2559c6bdeb3dbf2365df1a4bfe5b3b8abfc23
SHA512 e7dbf4e54c8d277306d067daa145dd3de3ba489ada7e865cf609451f1a477bb8f0be2f8ca2b128cef37815dc65596a72fdff66c0cf65b7f03673db619ce402b3

memory/2412-80-0x0000000000880000-0x00000000008EC000-memory.dmp

memory/2412-81-0x0000000073E60000-0x000000007454E000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 91705f1c8327f3f9343e35452958439e
SHA1 5be68c4854bf75114becaf30be0c7dffc0a9085c
SHA256 54da3772429dec1b64d60074515dd3a76ba52f9111d25ef1c2a2bc9792c4370c
SHA512 76aa2194396237d6ee7f5e7e6c9f67ce0c4dc9c226d409be1d219ddf474017ed68dc21bd3402e39d462a1eaea5949e9a1442acefa073f9a57e7d4b601026e71a

memory/2412-83-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/2412-86-0x0000000002150000-0x0000000004150000-memory.dmp

memory/1204-89-0x000000013FDD0000-0x000000014080D000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 6a2cb8fb50d4caa2a8f68ee61ac18c6d
SHA1 2bb2ae0f85fbff241d299af1072f91a0d017eaaa
SHA256 d7da2d6e8740cbc6edea4beda00f953956d903f9eff26d0d5cb1b5b5e0c75c9a
SHA512 979bcf1d75a41497f361e336deb34b25ce67648d6074c4c30e83ef3504c74aef294e961e02b8e19cabb4a6878c6539c063b4aeb61619bc826f2c8a9fa40c24db

memory/596-93-0x000000013F700000-0x000000014013D000-memory.dmp

memory/1520-94-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1520-95-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1520-96-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1520-97-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1520-98-0x0000000140000000-0x000000014000D000-memory.dmp

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 ac6b2208f5a2e3643ba8fca77bb4f9f5
SHA1 177d39eda11facf6ce6fd060f0e17ad7fabec7d9
SHA256 8c37086e18b9128082b04cf3a5f1594f166f78fd18d37fc06c03212b0ee6ce72
SHA512 5321f5ad82c3a30baf6f047585ff09bff021de74a3a13188b4e9331c9d94f296b9be235dc9b40dbaf35d95dd8b411b6b91ce3e508dc3f574457df42914746d23

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 cb22f6b0bd0869051e577036437027e0
SHA1 dfdc3b9f9026b3b235e25e002cf1864ee55e70de
SHA256 2bd8764ef6197a1da78c424a2f0993cab34b626f70f2c32bf919c6f704d9e64c
SHA512 90986afdc87e69994588d7437489ac7f35eeacb0332dd19a5f61f8488c6672579bd10789f312ccc89bc0a797a49a676fcc6610fabad87fdad91c089cc7c858b3

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

MD5 5d5e088fb615aa67cbc798f9f0d3134e
SHA1 7b864b0737dc9ccfba06819214f8d2eaa443f212
SHA256 b6f6b8c516cbff100b12aab468b80fbac4ce5fca69632b578f174982292e18e6
SHA512 b46bdaa1fc289753f4e544c218a721fcea965b209a559ced10355856398cc86fdee67f4a582e8a060dc9edffcec03ab6bc34a64437f6d6cb25f9be7a20da99cf

memory/1520-110-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1040-113-0x0000000140000000-0x0000000140840000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 850c473964a6d5606dfa79e43c121c87
SHA1 70af6755d79f429cfb447880343a2e9b9824ec20
SHA256 aefd77ef9b77493528f47a4802df355e4aa8b04f0759de4612e08b02cafe502a
SHA512 c44ccffcfce2ac53656c9e869d2952845462a3c2ebf8474e28830ce2d4f822415caba40790fe5361f1e1ccb1355ec2a6bf7dcdc41fecc847a4596238460005ba

memory/1040-115-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-111-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-116-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-122-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-123-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-124-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-125-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-121-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-127-0x0000000140000000-0x0000000140840000-memory.dmp

memory/596-129-0x000000013F700000-0x000000014013D000-memory.dmp

memory/1040-128-0x00000000003C0000-0x00000000003E0000-memory.dmp

memory/1040-130-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-131-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-132-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-133-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1040-134-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-136-0x0000000073E60000-0x000000007454E000-memory.dmp

memory/2224-137-0x00000000003F0000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

MD5 38dca2fda81e972e6bac7c02ac40846e
SHA1 00b699053ca9cb013096ce7352ca10b72cd8da88
SHA256 1d5292e9db8ade7632bdce7489a13817a8d854c74b7c7913050dcb972d51561e
SHA512 29b1e196017bef7a803dda5d4f9a7293d58ee4c7bb1c9a251711b0cf602493ac31fd1690674bc4e804dc33b0fb281c2e007ebe1b142d705f9a834a0c65fe3f16

\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

MD5 2c470494b6dc68b2346e42542d80a0fd
SHA1 87ce1483571bf04d67be4c8cb12fb7dfef4ba299
SHA256 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9
SHA512 c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 2fae5c90e44ebcfb84666976086dc2de
SHA1 6cf530774d263f13ad26d2a251ab07ece6688f12
SHA256 6cc6baba224c9cbde3f2014aa142babebd0ce207fa04c4feaf0b9fbf54973062
SHA512 0ea68b31c504ab28c6ceab984be076a523b9d72c561ba0ad04c83a8a08575aa5b8e77212eb8a8729c18e667ff0734ad9ce8d14a05afe338d79a29ff5b0d2ef2b

memory/2800-150-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 e4cb958deb709a3ef366a297c83b838f
SHA1 05a30080c44284cf0a17ceca428764e3dea071f1
SHA256 f176915684d4cd648d90b1274cf65e6eef84e8f0e21e27fcc3c933965b624002

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 06:13

Reported

2024-01-26 06:16

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

Signatures

Amadey

trojan amadey

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files
