Analysis Overview
SHA256
cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
Threat Level: Known bad
The file 8dce9705c0c4c3f6175d0ac758a7aaad was found to be: Known bad.
Malicious Activity Summary
xmrig
Detect ZGRat V1
Amadey
RisePro
RedLine
RedLine payload
ZGRat
SmokeLoader
XMRig Miner payload
Stops running service(s)
Creates new service(s)
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
.NET Reactor protector
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 07:05
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 07:05
Reported
2024-01-26 07:08
Platform
win7-20231215-en
Max time kernel
18s
Max time network
153s
Command Line
Signatures
Amadey
Detect ZGRat V1
RedLine
RedLine payload
RisePro
SmokeLoader
ZGRat
xmrig
XMRig Miner payload
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1404 set thread context of 2324 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nstBF1D.tmp |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe
"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\taskeng.exe
taskeng.exe {4F0B185F-A7FC-46EB-BE3E-519C11DB5019} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 264
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Users\Admin\AppData\Local\Temp\nstBF1D.tmp
C:\Users\Admin\AppData\Local\Temp\nstBF1D.tmp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 88
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\5D7B.exe
C:\Users\Admin\AppData\Local\Temp\5D7B.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
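The command lines above are the most useful part of the report for a detection engineer: a scheduled task that re-launches the Amadey copy every minute, a service whose binary lives under ProgramData, the event log service stopped, Windows Update, BITS and the update medic stopped, KB890830 (the Malicious Software Removal Tool) uninstalled, a Defender exclusion for every .exe under the user profile and ProgramData, a DLL loaded from AppData through rundll32, and a delayed self-delete. The Python below is an added example for this page, not code from the sandbox and not its signature logic: it runs hand-written regex rules over the argument-bearing command lines copied from the Processes section and groups the sc.exe calls by service name so that the delete/create/start sequence for FLWCUERA is visible as one lifecycle. The rule labels and patterns are the author's own assumptions about what each line implements.

```python
"""Heuristic triage of the command lines in this report's Processes section.

Added example for this page, not code from the sandbox or the malware. The
command lines are copied verbatim from the report; the rule labels and regular
expressions are the author's own assumptions about what each line implements."""
import re

# Copied from the Processes section (only the invocations that carry arguments).
REPORT_COMMAND_LINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'C:\Windows\system32\sc.exe delete "FLWCUERA"',
    r'C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"',
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"',
    r'C:\Windows\system32\sc.exe start "FLWCUERA"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\sc.exe stop UsoSvc',
    r'C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart',
    r'C:\Windows\system32\sc.exe stop WaaSMedicSvc',
    r'C:\Windows\system32\sc.exe stop wuauserv',
    r'C:\Windows\system32\sc.exe stop bits',
]

# (technique label, pattern). Labels are the author's, not the sandbox's signature names.
RULES = [
    ("scheduled task re-launching a Temp binary every minute",
     re.compile(r'schtasks(?:\.exe)?\b.*?/create\b.*?/sc\s+minute\b.*?/mo\s+1\b', re.I)),
    ("service created with its binary under ProgramData or AppData",
     re.compile(r'\bsc(?:\.exe)?\s+create\b.*?binpath=\s*"?[^"]*\\(?:ProgramData|AppData)(?=\\)', re.I)),
    ("event log service stopped",
     re.compile(r'\bsc(?:\.exe)?\s+stop\s+eventlog\b', re.I)),
    ("Windows Update / BITS service stopped",
     re.compile(r'\bsc(?:\.exe)?\s+stop\s+(?:wuauserv|bits|UsoSvc|WaaSMedicSvc)\b', re.I)),
    ("Defender exclusion added with Add-MpPreference",
     re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)', re.I)),
    ("Malicious Software Removal Tool removed (wusa /uninstall KB890830)",
     re.compile(r'\bwusa\b.*?/uninstall\b.*?/kb:890830\b', re.I)),
    ("self-delete through a delayed cmd /c choice ... & Del",
     re.compile(r'\bcmd(?:\.exe)?\s+/c\b.*?\bchoice\b.*?/t\s+\d+.*?&\s*del\b', re.I)),
    ("rundll32 loading a DLL from a user-writable directory",
     re.compile(r'rundll32(?:\.exe)?"?\s+.*?\\(?:AppData|ProgramData|Temp)\\.*?\.dll\s*,', re.I)),
]


def classify(command_lines):
    """Return (technique, command line) pairs, one per rule that fires on a line."""
    return [(label, cmd) for cmd in command_lines for label, pat in RULES if pat.search(cmd)]


# sc.exe <verb> <service name>; the name may be quoted.
SC_VERB = re.compile(r'\bsc(?:\.exe)?\s+(delete|create|start|stop)\s+"?([^"\s]+)', re.I)


def service_lifecycle(command_lines):
    """Map each service name touched through sc.exe to the verbs applied to it, in order."""
    lifecycle = {}
    for cmd in command_lines:
        m = SC_VERB.search(cmd)
        if m:
            lifecycle.setdefault(m.group(2), []).append(m.group(1).lower())
    return lifecycle


if __name__ == "__main__":
    for label, cmd in classify(REPORT_COMMAND_LINES):
        print(f"[{label}]\n    {cmd}")
    for service, verbs in service_lifecycle(REPORT_COMMAND_LINES).items():
        print(f"{service}: {' -> '.join(verbs)}")
```

Run stand-alone it prints one line per rule hit and the per-service verb sequence; the same rules translate directly into process-creation (Sysmon Event ID 1 / 4688) detections, where the service-name correlation is what separates a one-off `sc stop` from the install sequence seen here.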
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| NL | 195.20.16.103:20440 | | tcp |
| NL | 94.156.67.230:13781 | | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| DE | 20.79.30.95:33223 | | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
Files
memory/1540-1-0x0000000000BF0000-0x0000000000FF8000-memory.dmp
memory/1540-0-0x0000000000BF0000-0x0000000000FF8000-memory.dmp
memory/1540-2-0x0000000000BF0000-0x0000000000FF8000-memory.dmp
memory/1540-4-0x0000000000310000-0x0000000000311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 8dce9705c0c4c3f6175d0ac758a7aaad |
| SHA1 | 6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b |
| SHA256 | cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea |
| SHA512 | f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731 |
memory/1540-12-0x0000000000BF0000-0x0000000000FF8000-memory.dmp
memory/1540-15-0x0000000004E50000-0x0000000005258000-memory.dmp
memory/2204-14-0x0000000000CE0000-0x00000000010E8000-memory.dmp
memory/2204-16-0x0000000000CE0000-0x00000000010E8000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 86dcf064474fd20f25006f96ab661f01 |
| SHA1 | 69375b55e39c2bab40cc6da7896762a56d631d91 |
| SHA256 | d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc |
| SHA512 | 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963 |
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
| MD5 | 00d8cb98d324168a33056cb564adec37 |
| SHA1 | ad9b8b7ab175cf0175baa930fc8cfb5f66f70b65 |
| SHA256 | 9ff998e527c7f5af3ebf6c1f846f059ed40685467b5cc8df098240547ea46a35 |
| SHA512 | c5d7e3e9843a01fd3aa9fa54562ea898fc83e8245ea852edcf0a286301b61092db1d8cfb8053d24b987dbd1d36726ad3573cef7ff1fe6ae4e90f2f12747412d6 |
memory/816-35-0x0000000000BF0000-0x00000000010D3000-memory.dmp
memory/2204-34-0x00000000048A0000-0x0000000004D83000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 2eafb4926d78feb0b61d5b995d0fe6ee |
| SHA1 | f6e75678f1dafcb18408452ea948b9ad51b5d83e |
| SHA256 | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30 |
| SHA512 | 1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e |
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
memory/2204-68-0x0000000004750000-0x000000000518D000-memory.dmp
memory/2204-70-0x0000000004750000-0x000000000518D000-memory.dmp
memory/3004-71-0x000000013F7D0000-0x000000014020D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
| MD5 | 2c470494b6dc68b2346e42542d80a0fd |
| SHA1 | 87ce1483571bf04d67be4c8cb12fb7dfef4ba299 |
| SHA256 | 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9 |
| SHA512 | c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5 |
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | a615f2eee64c5d7449a8792cc782b6d6 |
| SHA1 | cf1dff4fbbf172c6870c30fc3784bdbd53d49a69 |
| SHA256 | 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389 |
| SHA512 | 9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c |
memory/632-88-0x0000000001000000-0x0000000001052000-memory.dmp
memory/1808-87-0x00000000011B0000-0x000000000121C000-memory.dmp
memory/1808-98-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2204-99-0x0000000000CE0000-0x00000000010E8000-memory.dmp
memory/632-101-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/3004-109-0x000000013F7D0000-0x000000014020D000-memory.dmp
memory/1056-110-0x0000000004DB0000-0x0000000004F5C000-memory.dmp
memory/1056-113-0x0000000004D70000-0x0000000004DB0000-memory.dmp
memory/2204-114-0x0000000000CE0000-0x00000000010E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/2204-124-0x00000000048A0000-0x0000000004D83000-memory.dmp
memory/1056-125-0x0000000004D70000-0x0000000004DB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | e359b20dbb49efd52e025be35c4d0887 |
| SHA1 | 6c0361d641a2c429c065033f9a3702df9cca6462 |
| SHA256 | 8a51c90caa1ad9ec87005a0d5c0d0fd0e72d7e52ffb92c5838911a19a58cb60b |
| SHA512 | 61a40e03ff12a2453bb2cbb293f10d98c077528d5a0817308d9e3c28d0ab9064e396c898b5307a4330d72c8d3dc2c6f8ec0bf68aa45503987e184cee6c4b22f0 |
memory/1056-115-0x0000000004D70000-0x0000000004DB0000-memory.dmp
memory/632-147-0x00000000003F0000-0x0000000000430000-memory.dmp
memory/1808-151-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 2149cad9389c08a45b531eb27cae403a |
| SHA1 | 0046f2f476ca9b662862369930324c15ac407bc0 |
| SHA256 | 6b598f21152dada10b081937a88b3c66b58fe7f0176dce0452a7b886cf01761e |
| SHA512 | 8f1aabe670465257c91682495717b357229843ea9bec6cde3ece161d1b543f4a102bcc50bdcc364e37c94ab41bcbafb52622e4091f6e7d9c782358f1a23df751 |
memory/2748-169-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2064-174-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-185-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-184-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-183-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-182-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-181-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-179-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-176-0x0000000140000000-0x0000000140840000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | d177caf6762f5eb7e63e33d19c854089 |
| SHA1 | f25cf817e3272302c2b319cedf075cb69e8c1670 |
| SHA256 | 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0 |
| SHA512 | 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25 |
memory/2064-175-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
memory/1808-170-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2748-168-0x0000000000BD0000-0x0000000000C26000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 91ecc5efbd1ee04efa062057b4622e55 |
| SHA1 | 308891e1e4c5f8157c2df383a78b957f7e9584f9 |
| SHA256 | 0045b4da46cb505353101665c067e8b68bf0d39699a0bccc0d18a7359541aa49 |
| SHA512 | 5bb508c3021b2cbe3ba8bed558774f05ca6ab1cbec882c94ca65fd4891794b20c0abb740eb45123213b4eeee0b6235d4a1970fe99f9d799158f0741b355ea214 |
memory/2204-166-0x0000000004750000-0x000000000518D000-memory.dmp
memory/2324-165-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1404-164-0x000000013FCC0000-0x00000001406FD000-memory.dmp
memory/2324-162-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2324-161-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2324-160-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2324-159-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2324-158-0x0000000140000000-0x000000014000D000-memory.dmp
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 399b8281fae0797459ec280e0706487b |
| SHA1 | c3a1122a812a9227d861e4c1592dacd6373cef76 |
| SHA256 | e95a063d6b5c9d301718ce167f3551a4bedbae0103d8c48f2e3d9f7b8d1828ed |
| SHA512 | d7169a763434fe15d0a9f4dcfe124c3873bd03d0bdc6640db3af9dbc69a01b93db59a5f48de2b6fcf8004f6cd336292ed83276aca13bb1fb6cc138b67dce742d |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 1897853bae0a4adaf356405c4786a24d |
| SHA1 | 614a1654a58abf8730231edc0af5788376bf4982 |
| SHA256 | 74449aef9a54cd1a1f64f9997821a39448a8d7e76bbf5b1c419c2465630148fe |
| SHA512 | b1be06610aa877e365784e6d0ade46ee186f1bc8ed7084cad3b3c595d0544b6f2ccb430d284e56278d3524508726226cfd3558f148ddd44f07d8beaf69fd7725 |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | a89435afcb443eb8f4f0555016f56854 |
| SHA1 | 837cb919d71c419baaa0c1fedf9f6102686dcc6c |
| SHA256 | d60a44b02e834e0a59eb637d770c39b1dcc8b2c8936e94d3b981886791863450 |
| SHA512 | ad0631dde2173788290173b160c52daee635de1881e755b09c0e315766b393473d2f83d371970d272ec47dcb3893de752474521ca3b5d7f81446f89e7e0458a6 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | d289077948b563c16bae38983af67841 |
| SHA1 | 655c1a8a86d5917ba470284dfdbf6304c2467806 |
| SHA256 | a4dd3ad1fa5aaf2510506fe4a3e3aaaf2103f6a445d711a21c52017fd34c6dd8 |
| SHA512 | 69048b9282ea0b251169a9f268df6910ff8dd7f6685d2b6846dd6342a4d0eb8231b305fd7a245d559fe276e2d756982413fa50fc6b2ebb0a5bce32549606bf26 |
memory/816-137-0x0000000000BF0000-0x00000000010D3000-memory.dmp
memory/1056-136-0x0000000004BC0000-0x0000000004D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 0f6b510284c72a95538597e04c158a70 |
| SHA1 | 06efb99318b29d3e6ba344c2d0adb7d1f31cbfd0 |
| SHA256 | 7985397e575f58289e2de2ca2cc0202794fa69c1d57b9b7ab60da1ba99b4cd2f |
| SHA512 | 58d22b02306e3bf715060bb7d4d1201730cda3aca926df48a304fdc822f3e39b4d296c7a2f7671cd6c9c8e5b9d1f0069e244f298dc73d6afc9822363bd1c9d5b |
memory/2204-112-0x0000000000CE0000-0x00000000010E8000-memory.dmp
memory/2956-200-0x000000013FCC0000-0x00000001406FD000-memory.dmp
memory/2204-199-0x0000000000CE0000-0x00000000010E8000-memory.dmp
memory/1540-111-0x0000000004E50000-0x0000000005258000-memory.dmp
memory/1056-106-0x0000000073CB0000-0x000000007439E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | 010c80cee5537031e96e47bf32f8a22f |
| SHA1 | 0da0a3b45380a47516c6f72cdfde9bff7c347435 |
| SHA256 | 1e2417a68516d2ee011ef3a9239e515b4f8b94e309a7eb681a20eca37e60c41a |
| SHA512 | 57b8de161331f948d7d79082696205d4708435c04affba4e1ec81d6427fa7e4d2e0156200eccb0a07652f00f8511b82b34c110bf29181cbc64cba3b3994a3221 |
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | dee63473a06ba61e8c176166609f3dbc |
| SHA1 | 40d399b25974e5d969a1f97604b35e93e19b82d3 |
| SHA256 | 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b |
| SHA512 | 416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c |
\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | b375aa0ecb891d8b398e5a31965cd6a2 |
| SHA1 | 57f7967e86528b7728ade0ae54a247278e8d7c9f |
| SHA256 | 49578c2ac1ec496d8cb8d6df1062cde958b6564aef3222bc0681d4095fe99959 |
| SHA512 | b8bde0773726d458f91627e1d21a8f1dda589c4f77684c3280149bbcf6348eef2d3886400e9e8ccbbc63e4af2f906bd10e89a660025aa7d7bfd64b1042af90d1 |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | f7a149f04452a0a5eecdf05d17886ca2 |
| SHA1 | 30740e9af4ef9807ace08cfd2f8e4e5e7675cd9e |
| SHA256 | 847c77654735a426ddcb7d9f5ac95f2b8aa28e693c7424992617ee7ba7431e3c |
| SHA512 | c755071cdc83651131a45a04912ce685e438a1fb91503af28ecad7f5fa61a02945ea29c9de143163b974dbe4b79118ea3c81826f3893bdf8046baa2304563134 |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | cd3fda8ccf2d2f7e2020c8bc07773001 |
| SHA1 | 5ca95de49f10f9f58d15758477b07ac5a105e049 |
| SHA256 | 8a654990cddf943e8fa08cbab83bd33fd8fe4c492c6359704e69ba3507f1e025 |
| SHA512 | cac38ab2a5cfc3704d166e568ed3f763f10addb664d4e5cd37c0d5c0b0ecac793b7bf85dd789eea523245dc010569da9b36555d14eb3751d67b5ee610b957a9d |
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | b2e4173c9ccb8b719864f5602c9c988b |
| SHA1 | ea4b215f218155ffccfdcfd2b600b2f65031b2c0 |
| SHA256 | 8a2a7e292db0beed9fab3a27e21b363e70c8fd35c6177c0c1fc15da9d23302b8 |
| SHA512 | 9c2ed589b6d0fae5466b6359753ebf2f4aa2049b80cf14330149b883d6ca0d7f8e1bd685473de77dae4f6aee350bc89bf587e00f2e120400fe7fddacef0e1560 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/2552-249-0x000000013FCC0000-0x00000001406FD000-memory.dmp
memory/816-220-0x0000000000BF0000-0x00000000010D3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | 8b5cf3d102548da37888f34d3d468e27 |
| SHA1 | 823aa91b6e4ecf3bb68a2154a122e6a9ffc7bf89 |
| SHA256 | 3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2 |
| SHA512 | da525ea8b851739940fcce41fae69b4fa7942c21e2ac7fca79fd468e247c5ce0e8fc105a9288290ff79c064a5d200e7214f67ea070114da1fb335b152a5ac10b |
memory/2064-209-0x0000000000A40000-0x0000000000A60000-memory.dmp
C:\Windows\TEMP\zamrbllfjgdb.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/2064-206-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1404-205-0x000000013FCC0000-0x00000001406FD000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 97b3eae03fe3b429490dc22d1a3589e2 |
| SHA1 | 9bb73226c2956fe8f5bae95d4a22dbf472d4a326 |
| SHA256 | 2d2caef00efadbd7eef6931367adc2b4bdefd9efe9b26aadcf6d0f97244aa0cd |
| SHA512 | 845541a5c52d996853f183a83404f192231e07890c27ee234d7529f318798bc87cb7f616369054157c0dd6709a06d73ad4000860df576552728e731ffc9b908b |
memory/2284-281-0x00000000004B0000-0x0000000000537000-memory.dmp
memory/2204-280-0x0000000000CE0000-0x00000000010E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
| MD5 | 5a6358bb95f251ab50b99305958a4c98 |
| SHA1 | c7efa3847114e6fa410c5b2d3056c052a69cda01 |
| SHA256 | 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5 |
| SHA512 | 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0 |
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/816-291-0x0000000000BF0000-0x00000000010D3000-memory.dmp
memory/2064-293-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-297-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2064-298-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2692-294-0x000000013FCC0000-0x00000001406FD000-memory.dmp
memory/2972-302-0x0000000001FB0000-0x0000000001FF2000-memory.dmp
memory/2064-303-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2692-308-0x000000013FCC0000-0x00000001406FD000-memory.dmp
memory/2712-307-0x0000000000B60000-0x00000000014A8000-memory.dmp
memory/2064-305-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | b2f3f214e959043b7a6b623b82c95946 |
| SHA1 | 4924ee55c541809f9ba20fd508f2dd98168ffdc7 |
| SHA256 | 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29 |
| SHA512 | c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67 |
memory/1056-316-0x0000000004BC0000-0x0000000004D65000-memory.dmp
memory/1056-315-0x0000000004BC0000-0x0000000004D65000-memory.dmp
memory/2972-327-0x0000000002050000-0x000000000208E000-memory.dmp
memory/700-326-0x00000000002B0000-0x0000000000304000-memory.dmp
memory/2748-328-0x0000000002270000-0x0000000004270000-memory.dmp
memory/2204-329-0x0000000000CE0000-0x00000000010E8000-memory.dmp
memory/816-330-0x0000000000BF0000-0x00000000010D3000-memory.dmp
memory/2972-332-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2204-333-0x0000000000CE0000-0x00000000010E8000-memory.dmp
memory/2712-334-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2972-335-0x0000000004870000-0x00000000048B0000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 6e23201d2e4560010928ada16d5e4ae9 |
| SHA1 | 3d684081fd4da729269098f485ea9d3e13664d8e |
| SHA256 | 2e3d25b6b55a04346fcc1fa8f587dd08f27f2cf8878ad354a695e50c74956efc |
| SHA512 | 1ae277806c5817d59fee22caa28dd8b555027f43a7297360db856d1b1609526b1cb40181c53e5f4cfa8ea188299186a0af81be1ff1e79ee350530a9a97ad01f2 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 775ab0e37965f25f213dc47873fc151e |
| SHA1 | 57204aa304bf3e7f2fab7bf0aec702926f397122 |
| SHA256 | 9c2a38d0b27fb73cd2c4fbfbb220c218b8e4a0752909a32223813f896d65a408 |
| SHA512 | 36da2216f0a6d51f71360436aaa789b34898a99647f1631df1b3122bf77c4708d670bcaa5b82b6c04483f3ecbfcf0acce195cff07fa9e7cdd03a60ad8ec256b5 |
memory/1480-344-0x0000000001210000-0x0000000001292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | f5d8c385f7598e43554e31c11c29b597 |
| SHA1 | abe93bae29ebf0c77ba53558ad07cd6bc6dbe893 |
| SHA256 | 870e45b71bb66fcf216346510442b19c7e1a0670855110a84fd0aaa68609b544 |
| SHA512 | dee082b9f90d8e12f5dbbefa440988f6286498001bfc525bddebfa7cef06d538fb88cb5617459a14d26e1a44840b71cc35a65ce18b90a489dd31cb65087b7a69 |
memory/1808-348-0x0000000002620000-0x0000000004620000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsz7560.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 95bf71504e0b7d40a0b230128eda2910 |
| SHA1 | d544e844f5bdbe1ddc3df0bdc5dd47fbc89c0aca |
| SHA256 | f5bc93a03932e8dae0bf721685ac6bcc7052662ed709013617806cb6294fc373 |
| SHA512 | c008a5ef865a50dfe40e8a8c7c64200265a8ed41987651b0e0915294f4d43019ad8aaf53c49881596dc0088a589f45e223ced97c12de6dab36b7284620f3babd |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 4fe7bef521345515a1a3e94fa4a25c3a |
| SHA1 | 081fe1bedaabd9586b4c3af635814de71d41467d |
| SHA256 | c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4 |
| SHA512 | 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec |
memory/816-365-0x0000000000BF0000-0x00000000010D3000-memory.dmp
memory/2040-377-0x0000000000400000-0x0000000000454000-memory.dmp
memory/908-383-0x0000000000400000-0x000000000043D000-memory.dmp
memory/908-381-0x0000000000220000-0x000000000022B000-memory.dmp
memory/908-380-0x0000000000620000-0x000000000062E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 01cc1f458f6014f2300c782edee6f8cb |
| SHA1 | b5a935e6b0e6b5ea28dea1341f119100599b4b59 |
| SHA256 | 708c06eba82137de8afddee894d192ca27de1036c7de0d038c734ab219efb073 |
| SHA512 | 9a4b904a9c9f65241f2a36bcdbfae1de6736cb8bcf0cf2ea8ce420d23e6be38c04844d3f04383045fefcffffd48256e4ab2e73af1f163dcee667781ff6af4976 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 936009401446e096589f1458397273f3 |
| SHA1 | b0c7467f4a7f01b9b3e2cc985b473f98c35e1286 |
| SHA256 | cd78877485baa8b8ee3b6a69337fe1a1115824d0d145694a4ff3b64abe854810 |
| SHA512 | f44be5fc228dcf99718cf10d6ea0c6df6a815b5344143ffef804211e5d6efa75a411f3ccb6943adb6f80c37a6a9071a482945d1c935b9ec3879021a5c255d609 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\syncUpd[1].exe
| MD5 | 444c5adbaacbe3b46582adbaab8848e9 |
| SHA1 | 27a7eb3f93b9f210eccbf4660c280248f154a5bb |
| SHA256 | adcfbb7fe5cd4792e4c182b580e4437c8c491416e921597e852859eb29e2e0a2 |
| SHA512 | f393042f85b2df6a4fb8ae928ee2a9099cd4c9f6a58f03c8ae45001625f140ebd9b0ec96e0c9141d6506187cae3cea63504f1b4c3f41c8d9c461d63ad5bfe05f |
memory/2712-414-0x0000000073CB0000-0x000000007439E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5D7B.exe
| MD5 | f6304a26d04bb93807ce226ae4d2b0e4 |
| SHA1 | b61fa453a54b088d8bd138e004364435e00678d1 |
| SHA256 | 2e22574ce65eb936693a3f0161b38470b054d7dcea5fa1df46357dc37debefd7 |
| SHA512 | 6b4f1d1f8c6899ab6d948155f7de30d0138af5c486e1bcccd2cc49fb9de23059977fd5b76aef8214964434478e6eebf4d683963644dd975eeba6b556e4a2c41b |
memory/2440-429-0x0000000000400000-0x0000000002B17000-memory.dmp
memory/2160-431-0x00000000021F0000-0x00000000021F8000-memory.dmp
memory/2160-430-0x000000001B180000-0x000000001B462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8AA5.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar9755.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2160-468-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
memory/2160-470-0x000000000282B000-0x0000000002892000-memory.dmp
memory/2160-469-0x0000000002824000-0x0000000002827000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 07:05
Reported
2024-01-26 07:08
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
143s
Command Line
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe
"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
Files
memory/4704-0-0x00000000000C0000-0x00000000004C8000-memory.dmp
memory/4704-1-0x00000000000C0000-0x00000000004C8000-memory.dmp
memory/4704-2-0x00000000000C0000-0x00000000004C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 8dce9705c0c4c3f6175d0ac758a7aaad |
| SHA1 | 6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b |
| SHA256 | cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea |
| SHA512 | f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731 |
memory/4704-13-0x00000000000C0000-0x00000000004C8000-memory.dmp
memory/2012-16-0x0000000000110000-0x0000000000518000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 86dcf064474fd20f25006f96ab661f01 |
| SHA1 | 69375b55e39c2bab40cc6da7896762a56d631d91 |
| SHA256 | d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc |
| SHA512 | 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963 |
memory/2012-17-0x0000000000110000-0x0000000000518000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/2012-28-0x0000000000110000-0x0000000000518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | d12d91d9af1b27448f2df925d6efa70e |
| SHA1 | 2ed2738bde707066ab051692184d3e35e4fad1fc |
| SHA256 | 3e8dfa01a765a1540648b88461f792b34bd9b8dc4b13d5b66da84cf7ef3dbf67 |
| SHA512 | b3b0827bdc7040ef880a5d0504f024a956d796b8169ca854880d2db38fdc413731f4b1152f3a6b493bef34d14f807706da66809d45240e4e392b70f81ea33255 |
memory/2012-31-0x0000000000110000-0x0000000000518000-memory.dmp
memory/4376-32-0x0000000000110000-0x0000000000518000-memory.dmp
memory/4376-35-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-36-0x0000000000110000-0x0000000000518000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/2012-48-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-49-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-50-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-51-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-52-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-53-0x0000000000110000-0x0000000000518000-memory.dmp
memory/4416-58-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-59-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-60-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-61-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-62-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-63-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-64-0x0000000000110000-0x0000000000518000-memory.dmp
memory/948-69-0x0000000000110000-0x0000000000518000-memory.dmp
memory/2012-70-0x0000000000110000-0x0000000000518000-memory.dmp