Malware Analysis Report

2025-01-22 10:25

Sample ID 240126-hwtj2shgak
Target 8dce9705c0c4c3f6175d0ac758a7aaad
SHA256 cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
Tags: amadey redline risepro smokeloader xmrig zgrat 2024 @pixelscloud livetraffic pub1 backdoor evasion infostealer miner persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
Threat Level: Known bad

The file 8dce9705c0c4c3f6175d0ac758a7aaad was found to be: Known bad.

Malicious Activity Summary

xmrig

Detect ZGRat V1

Amadey

RisePro

RedLine

RedLine payload

ZGRat

SmokeLoader

XMRig Miner payload

Stops running service(s)

Creates new service(s)

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

.NET Reactor protector

Loads dropped DLL

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-01-26 07:05

Signatures

Unsigned PE

1 hit, no indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 07:05

Reported

2024-01-26 07:08

Platform

win7-20231215-en

Max time kernel

18s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

3 hits, no indicator details recorded.

RedLine

infostealer redline

RedLine payload

8 hits, no indicator details recorded.

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
14 hits, no indicator details recorded.

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

4 hits, no indicator details recorded.

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1404 set thread context of 2324 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1540 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2204 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
PID 2204 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 2204 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 2204 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 2204 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 2068 wrote to memory of 576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe
PID 2204 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 1404 wrote to memory of 2324 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe
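The WriteProcessMemory rows are the only parent/child record this report gives for the dropped executables, and the sandbox emits one row per write, so each pair appears several times. The script below is an added worked example, not part of the sandbox output: it collapses the rows into unique parent/child edges and prints the resulting process tree. The input rows are copied from the table above, with one deliberate duplicate of the first row kept so the de-duplication is exercised; the function names are the editor's. PIDs that never appear as a child (1404, 1540, 2068) come out as roots because no WriteProcessMemory from their creator was recorded, which for iojmibhyhiws.exe (PID 1404) is consistent with the `sc start "FLWCUERA"` launch through the Service Control Manager shown under Processes.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above,
# one per unique parent/child pair, plus one deliberate duplicate of the
# first row so the de-duplication below is exercised.
WPM_ROWS = r"""
PID 1540 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1540 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2204 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
PID 2204 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 2204 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 2204 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 2204 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 2068 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2204 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 1404 wrote to memory of 2324 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples."""
    edges = set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Return (pid -> image path, pid -> child pids, root pids with no recorded parent)."""
    images, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in sorted(edges):
        images[ppid], images[cpid] = pimg, cimg
        children[ppid].append(cpid)
    is_child = {cpid for _, cpid, _, _ in edges}
    roots = sorted(pid for pid in images if pid not in is_child)
    return images, dict(children), roots


def render(images, children, roots):
    """Indented text tree, one 'pid  basename' line per process."""
    lines = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid}  {name}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_tree(parse_edges(WPM_ROWS))))
```

The tree makes the staging visible at a glance: the submitted file (1540) starts its own copy explorhe.exe (2204), which alone spawns the scheduled task and every downloaded payload, while the miner service binary (1404) only touches conhost.exe.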

Processes

C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe

"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\taskeng.exe

taskeng.exe {4F0B185F-A7FC-46EB-BE3E-519C11DB5019} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 264

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Users\Admin\AppData\Local\Temp\nstBF1D.tmp

C:\Users\Admin\AppData\Local\Temp\nstBF1D.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 88

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\5D7B.exe

C:\Users\Admin\AppData\Local\Temp\5D7B.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits
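Read together, the command lines above are the chain a detection engineer would want rules for: schtasks re-launching explorhe.exe every minute, sc.exe creating and starting the FLWCUERA service whose binary is iojmibhyhiws.exe, sc.exe stopping eventlog and the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits), wusa removing KB890830 (the Malicious Software Removal Tool), PowerShell adding Defender exclusions for the whole user profile and ProgramData, a cmd /c choice ... & Del delayed self-delete of moto.exe, rundll32 loading clip64.dll from a Roaming subfolder, and RegAsm.exe launched with no arguments, a common host for .NET process injection. The Python below is an added example, not part of the report or of any vendor's rule set: it encodes those patterns as regular expressions and runs them over command lines copied from the Processes list. The rule names and regexes are the editor's and are deliberately narrow to what this sample shows.

```python
import re

# Rule set for the command lines in this report. Added example: the rule
# names and patterns are the editor's, deliberately narrow to what this
# sample shows; tune and test before deploying as production content.
RULES = [
    ("schtasks_minute_persistence",
     re.compile(r"schtasks(\.exe)?\"?\s+/Create\b.*\s/SC\s+MINUTE\b", re.I)),
    ("sc_create_service",
     re.compile(r"\bsc(\.exe)?\s+create\s+\"?\S+\"?\s+binpath=", re.I)),
    ("sc_delete_service",
     re.compile(r"\bsc(\.exe)?\s+delete\b", re.I)),
    ("sc_stop_logging_or_update_service",
     re.compile(r"\bsc(\.exe)?\s+stop\s+\"?(eventlog|UsoSvc|WaaSMedicSvc|wuauserv|bits)\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("msrt_update_removed",  # KB890830 is the Malicious Software Removal Tool
     re.compile(r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)),
    ("delayed_self_delete",
     re.compile(r"\bchoice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\b", re.I)),
    ("rundll32_dll_from_user_profile",
     re.compile(r"rundll32(\.exe)?\"?\s+C:\\Users\\[^\\]+\\AppData\\", re.I)),
    ("regasm_no_arguments",  # bare RegAsm.exe is a common .NET injection host
     re.compile(r"RegAsm\.exe\"?\s*$", re.I)),
]

# Command lines copied from the Processes list above.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'C:\Windows\system32\sc.exe delete "FLWCUERA"',
    r'C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"',
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"',
    r'C:\Windows\system32\sc.exe start "FLWCUERA"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"choice /C Y /N /D Y /T 3",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\sc.exe stop UsoSvc",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\sc.exe stop WaaSMedicSvc",
    r"C:\Windows\system32\sc.exe stop wuauserv",
    r"C:\Windows\system32\sc.exe stop bits",
    r"conhost.exe",
]


def classify(cmdline):
    """Names of every rule that matches one command line (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Map rule name -> matching command lines; rules that never fire are omitted."""
    hits = {}
    for cmd in cmdlines:
        for name in classify(cmd):
            hits.setdefault(name, []).append(cmd)
    return hits


if __name__ == "__main__":
    for name, lines in scan(CMDLINES).items():
        print(f"{name} ({len(lines)})")
        for line in lines:
            print("   ", line)
```

Each rule fires on at least one line of this report; the benign-looking lines (the bare choice, sc start, conhost.exe) stay silent, which is the minimum check to run before turning any of these into production content.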

Network

Country | Destination | Domain | Proto
RU | 185.215.113.68:80 | 185.215.113.68 | tcp
FI | 109.107.182.3:80 | 109.107.182.3 | tcp
DE | 185.172.128.19:80 | 185.172.128.19 | tcp
US | 8.8.8.8:53 | pool.hashvault.pro | udp
NL | 195.20.16.103:20440 | - | tcp
NL | 94.156.67.230:13781 | - | tcp
RU | 185.215.113.68:80 | 185.215.113.68 | tcp
NL | 80.79.4.61:18236 | - | tcp
DE | 20.79.30.95:33223 | - | tcp
DE | 185.172.128.90:80 | 185.172.128.90 | tcp
AT | 5.42.64.33:80 | 5.42.64.33 | tcp
US | 8.8.8.8:53 | trad-einmyus.com | udp
RU | 158.160.118.17:80 | trad-einmyus.com | tcp
US | 8.8.8.8:53 | i.alie3ksgaa.com | udp
HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp
US | 8.8.8.8:53 | galandskiyher5.com | udp
RU | 158.160.118.17:80 | galandskiyher5.com | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
GB | 96.17.179.184:80 | apps.identrust.com | tcp
US | 8.8.8.8:53 | brusuax.com | udp
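The network table mixes DNS lookups (to 8.8.8.8) with the TCP connections that followed and repeats rows for repeated connections. The script below is an added example, not part of the report: it parses the rows copied from the table, splits them into queried names and unique TCP endpoints, flags non-web ports, maps each IP to the names that resolved to it (158.160.118.17 serves both trad-einmyus.com and galandskiyher5.com), lists names that were resolved but never connected to (pool.hashvault.pro, a Monero mining pool, and brusuax.com), and matches the endpoint set against a few constructed firewall log lines with hypothetical 10.0.0.0/8 clients. apps.identrust.com is the IdenTrust CA host Windows fetches certificate chains from and is probably benign noise; confirm that before carving it out of an IOC set. Function names and the log format are the editor's assumptions.

```python
from collections import defaultdict

# Rows copied from the Network table above (domain column blank on some rows).
NETWORK_TABLE = """\
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
NL 195.20.16.103:20440 tcp
NL 94.156.67.230:13781 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
NL 80.79.4.61:18236 tcp
DE 20.79.30.95:33223 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 brusuax.com udp
"""

# Constructed firewall log lines (hypothetical 10.0.0.0/8 clients; 203.0.113.9 is
# a documentation address standing in for benign traffic).
SAMPLE_LOG = [
    "2024-01-26T07:06:12 10.0.0.5 -> 195.20.16.103:20440",
    "2024-01-26T07:06:13 10.0.0.5 -> 203.0.113.9:443",
    "2024-01-26T07:06:20 10.0.0.7 -> 158.160.118.17:80",
]


def parse_rows(text):
    """(country, ip, port, domain-or-None, proto) per table row."""
    rows = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 3:
            continue
        ip, port = t[1].rsplit(":", 1)
        rows.append((t[0], ip, int(port), t[2] if len(t) == 4 else None, t[-1]))
    return rows


def summarize(rows, resolver="8.8.8.8", web_ports=(80, 443)):
    """Split lookups from connections and derive the IOC sets an analyst wants."""
    s = {"dns_queries": set(), "tcp_endpoints": set(),
         "nonstandard_ports": set(), "ip_to_domains": defaultdict(set)}
    for _, ip, port, domain, proto in rows:
        if proto == "udp" and ip == resolver and port == 53 and domain:
            s["dns_queries"].add(domain)          # a lookup, not a connection
        elif proto == "tcp":
            s["tcp_endpoints"].add((ip, port))
            if port not in web_ports:
                s["nonstandard_ports"].add((ip, port))
            if domain and domain != ip:           # sandbox tied the flow to a name
                s["ip_to_domains"][ip].add(domain)
    contacted = {d for names in s["ip_to_domains"].values() for d in names}
    s["dns_only"] = s["dns_queries"] - contacted  # resolved but never connected to
    s["ip_to_domains"] = dict(s["ip_to_domains"])
    return s


def match_connections(summary, log_lines):
    """Log lines whose trailing 'ip:port' is one of the report's TCP endpoints."""
    hits = []
    for line in log_lines:
        ip, port = line.rsplit(" ", 1)[-1].rsplit(":", 1)
        if (ip, int(port)) in summary["tcp_endpoints"]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_TABLE))
    print("DNS only:", sorted(s["dns_only"]))
    print("non-web ports:", sorted(s["nonstandard_ports"]))
    print("shared IPs:", {ip: sorted(d) for ip, d in s["ip_to_domains"].items() if len(d) > 1})
    print("log hits:", match_connections(s, SAMPLE_LOG))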

Files

memory/1540-1-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1540-0-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1540-2-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1540-4-0x0000000000310000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 8dce9705c0c4c3f6175d0ac758a7aaad
SHA1 6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b
SHA256 cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
SHA512 f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731

memory/1540-12-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1540-15-0x0000000004E50000-0x0000000005258000-memory.dmp

memory/2204-14-0x0000000000CE0000-0x00000000010E8000-memory.dmp

memory/2204-16-0x0000000000CE0000-0x00000000010E8000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

MD5 00d8cb98d324168a33056cb564adec37
SHA1 ad9b8b7ab175cf0175baa930fc8cfb5f66f70b65
SHA256 9ff998e527c7f5af3ebf6c1f846f059ed40685467b5cc8df098240547ea46a35
SHA512 c5d7e3e9843a01fd3aa9fa54562ea898fc83e8245ea852edcf0a286301b61092db1d8cfb8053d24b987dbd1d36726ad3573cef7ff1fe6ae4e90f2f12747412d6

memory/816-35-0x0000000000BF0000-0x00000000010D3000-memory.dmp

memory/2204-34-0x00000000048A0000-0x0000000004D83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 2eafb4926d78feb0b61d5b995d0fe6ee
SHA1 f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512 1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

memory/2204-68-0x0000000004750000-0x000000000518D000-memory.dmp

memory/2204-70-0x0000000004750000-0x000000000518D000-memory.dmp

memory/3004-71-0x000000013F7D0000-0x000000014020D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

MD5 2c470494b6dc68b2346e42542d80a0fd
SHA1 87ce1483571bf04d67be4c8cb12fb7dfef4ba299
SHA256 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9
SHA512 c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 a615f2eee64c5d7449a8792cc782b6d6
SHA1 cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512 9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c

memory/632-88-0x0000000001000000-0x0000000001052000-memory.dmp

memory/1808-87-0x00000000011B0000-0x000000000121C000-memory.dmp

memory/1808-98-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2204-99-0x0000000000CE0000-0x00000000010E8000-memory.dmp

memory/632-101-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/3004-109-0x000000013F7D0000-0x000000014020D000-memory.dmp

memory/1056-110-0x0000000004DB0000-0x0000000004F5C000-memory.dmp

memory/1056-113-0x0000000004D70000-0x0000000004DB0000-memory.dmp

memory/2204-114-0x0000000000CE0000-0x00000000010E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2204-124-0x00000000048A0000-0x0000000004D83000-memory.dmp

memory/1056-125-0x0000000004D70000-0x0000000004DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

MD5 e359b20dbb49efd52e025be35c4d0887
SHA1 6c0361d641a2c429c065033f9a3702df9cca6462
SHA256 8a51c90caa1ad9ec87005a0d5c0d0fd0e72d7e52ffb92c5838911a19a58cb60b
SHA512 61a40e03ff12a2453bb2cbb293f10d98c077528d5a0817308d9e3c28d0ab9064e396c898b5307a4330d72c8d3dc2c6f8ec0bf68aa45503987e184cee6c4b22f0

memory/1056-115-0x0000000004D70000-0x0000000004DB0000-memory.dmp

memory/632-147-0x00000000003F0000-0x0000000000430000-memory.dmp

memory/1808-151-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 2149cad9389c08a45b531eb27cae403a
SHA1 0046f2f476ca9b662862369930324c15ac407bc0
SHA256 6b598f21152dada10b081937a88b3c66b58fe7f0176dce0452a7b886cf01761e
SHA512 8f1aabe670465257c91682495717b357229843ea9bec6cde3ece161d1b543f4a102bcc50bdcc364e37c94ab41bcbafb52622e4091f6e7d9c782358f1a23df751

memory/2748-169-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2064-174-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-185-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-184-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-183-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-182-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-181-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-179-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-176-0x0000000140000000-0x0000000140840000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

memory/2064-175-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

memory/1808-170-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2748-168-0x0000000000BD0000-0x0000000000C26000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 91ecc5efbd1ee04efa062057b4622e55
SHA1 308891e1e4c5f8157c2df383a78b957f7e9584f9
SHA256 0045b4da46cb505353101665c067e8b68bf0d39699a0bccc0d18a7359541aa49
SHA512 5bb508c3021b2cbe3ba8bed558774f05ca6ab1cbec882c94ca65fd4891794b20c0abb740eb45123213b4eeee0b6235d4a1970fe99f9d799158f0741b355ea214

memory/2204-166-0x0000000004750000-0x000000000518D000-memory.dmp

memory/2324-165-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1404-164-0x000000013FCC0000-0x00000001406FD000-memory.dmp

memory/2324-162-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2324-161-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2324-160-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2324-159-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2324-158-0x0000000140000000-0x000000014000D000-memory.dmp

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 399b8281fae0797459ec280e0706487b
SHA1 c3a1122a812a9227d861e4c1592dacd6373cef76
SHA256 e95a063d6b5c9d301718ce167f3551a4bedbae0103d8c48f2e3d9f7b8d1828ed
SHA512 d7169a763434fe15d0a9f4dcfe124c3873bd03d0bdc6640db3af9dbc69a01b93db59a5f48de2b6fcf8004f6cd336292ed83276aca13bb1fb6cc138b67dce742d

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 1897853bae0a4adaf356405c4786a24d
SHA1 614a1654a58abf8730231edc0af5788376bf4982
SHA256 74449aef9a54cd1a1f64f9997821a39448a8d7e76bbf5b1c419c2465630148fe
SHA512 b1be06610aa877e365784e6d0ade46ee186f1bc8ed7084cad3b3c595d0544b6f2ccb430d284e56278d3524508726226cfd3558f148ddd44f07d8beaf69fd7725

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 a89435afcb443eb8f4f0555016f56854
SHA1 837cb919d71c419baaa0c1fedf9f6102686dcc6c
SHA256 d60a44b02e834e0a59eb637d770c39b1dcc8b2c8936e94d3b981886791863450
SHA512 ad0631dde2173788290173b160c52daee635de1881e755b09c0e315766b393473d2f83d371970d272ec47dcb3893de752474521ca3b5d7f81446f89e7e0458a6

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 d289077948b563c16bae38983af67841
SHA1 655c1a8a86d5917ba470284dfdbf6304c2467806
SHA256 a4dd3ad1fa5aaf2510506fe4a3e3aaaf2103f6a445d711a21c52017fd34c6dd8
SHA512 69048b9282ea0b251169a9f268df6910ff8dd7f6685d2b6846dd6342a4d0eb8231b305fd7a245d559fe276e2d756982413fa50fc6b2ebb0a5bce32549606bf26

memory/816-137-0x0000000000BF0000-0x00000000010D3000-memory.dmp

memory/1056-136-0x0000000004BC0000-0x0000000004D6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 0f6b510284c72a95538597e04c158a70
SHA1 06efb99318b29d3e6ba344c2d0adb7d1f31cbfd0
SHA256 7985397e575f58289e2de2ca2cc0202794fa69c1d57b9b7ab60da1ba99b4cd2f
SHA512 58d22b02306e3bf715060bb7d4d1201730cda3aca926df48a304fdc822f3e39b4d296c7a2f7671cd6c9c8e5b9d1f0069e244f298dc73d6afc9822363bd1c9d5b

memory/2204-112-0x0000000000CE0000-0x00000000010E8000-memory.dmp

memory/2956-200-0x000000013FCC0000-0x00000001406FD000-memory.dmp

memory/2204-199-0x0000000000CE0000-0x00000000010E8000-memory.dmp

memory/1540-111-0x0000000004E50000-0x0000000005258000-memory.dmp

memory/1056-106-0x0000000073CB0000-0x000000007439E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 010c80cee5537031e96e47bf32f8a22f
SHA1 0da0a3b45380a47516c6f72cdfde9bff7c347435
SHA256 1e2417a68516d2ee011ef3a9239e515b4f8b94e309a7eb681a20eca37e60c41a
SHA512 57b8de161331f948d7d79082696205d4708435c04affba4e1ec81d6427fa7e4d2e0156200eccb0a07652f00f8511b82b34c110bf29181cbc64cba3b3994a3221

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 dee63473a06ba61e8c176166609f3dbc
SHA1 40d399b25974e5d969a1f97604b35e93e19b82d3
SHA256 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
SHA512 416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c

\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 b375aa0ecb891d8b398e5a31965cd6a2
SHA1 57f7967e86528b7728ade0ae54a247278e8d7c9f
SHA256 49578c2ac1ec496d8cb8d6df1062cde958b6564aef3222bc0681d4095fe99959
SHA512 b8bde0773726d458f91627e1d21a8f1dda589c4f77684c3280149bbcf6348eef2d3886400e9e8ccbbc63e4af2f906bd10e89a660025aa7d7bfd64b1042af90d1

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 f7a149f04452a0a5eecdf05d17886ca2
SHA1 30740e9af4ef9807ace08cfd2f8e4e5e7675cd9e
SHA256 847c77654735a426ddcb7d9f5ac95f2b8aa28e693c7424992617ee7ba7431e3c
SHA512 c755071cdc83651131a45a04912ce685e438a1fb91503af28ecad7f5fa61a02945ea29c9de143163b974dbe4b79118ea3c81826f3893bdf8046baa2304563134

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 cd3fda8ccf2d2f7e2020c8bc07773001
SHA1 5ca95de49f10f9f58d15758477b07ac5a105e049
SHA256 8a654990cddf943e8fa08cbab83bd33fd8fe4c492c6359704e69ba3507f1e025
SHA512 cac38ab2a5cfc3704d166e568ed3f763f10addb664d4e5cd37c0d5c0b0ecac793b7bf85dd789eea523245dc010569da9b36555d14eb3751d67b5ee610b957a9d

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 b2e4173c9ccb8b719864f5602c9c988b
SHA1 ea4b215f218155ffccfdcfd2b600b2f65031b2c0
SHA256 8a2a7e292db0beed9fab3a27e21b363e70c8fd35c6177c0c1fc15da9d23302b8
SHA512 9c2ed589b6d0fae5466b6359753ebf2f4aa2049b80cf14330149b883d6ca0d7f8e1bd685473de77dae4f6aee350bc89bf587e00f2e120400fe7fddacef0e1560

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2552-249-0x000000013FCC0000-0x00000001406FD000-memory.dmp

memory/816-220-0x0000000000BF0000-0x00000000010D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe

MD5 8b5cf3d102548da37888f34d3d468e27
SHA1 823aa91b6e4ecf3bb68a2154a122e6a9ffc7bf89
SHA256 3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2
SHA512 da525ea8b851739940fcce41fae69b4fa7942c21e2ac7fca79fd468e247c5ce0e8fc105a9288290ff79c064a5d200e7214f67ea070114da1fb335b152a5ac10b

memory/2064-209-0x0000000000A40000-0x0000000000A60000-memory.dmp

C:\Windows\TEMP\zamrbllfjgdb.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

memory/2064-206-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1404-205-0x000000013FCC0000-0x00000001406FD000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 97b3eae03fe3b429490dc22d1a3589e2
SHA1 9bb73226c2956fe8f5bae95d4a22dbf472d4a326
SHA256 2d2caef00efadbd7eef6931367adc2b4bdefd9efe9b26aadcf6d0f97244aa0cd
SHA512 845541a5c52d996853f183a83404f192231e07890c27ee234d7529f318798bc87cb7f616369054157c0dd6709a06d73ad4000860df576552728e731ffc9b908b

memory/2284-281-0x00000000004B0000-0x0000000000537000-memory.dmp

memory/2204-280-0x0000000000CE0000-0x00000000010E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe

MD5 5a6358bb95f251ab50b99305958a4c98
SHA1 c7efa3847114e6fa410c5b2d3056c052a69cda01
SHA256 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5
SHA512 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/816-291-0x0000000000BF0000-0x00000000010D3000-memory.dmp

memory/2064-293-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-297-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2064-298-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2692-294-0x000000013FCC0000-0x00000001406FD000-memory.dmp

memory/2972-302-0x0000000001FB0000-0x0000000001FF2000-memory.dmp

memory/2064-303-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2692-308-0x000000013FCC0000-0x00000001406FD000-memory.dmp

memory/2712-307-0x0000000000B60000-0x00000000014A8000-memory.dmp

memory/2064-305-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 b2f3f214e959043b7a6b623b82c95946
SHA1 4924ee55c541809f9ba20fd508f2dd98168ffdc7
SHA256 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29
SHA512 c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67

memory/1056-316-0x0000000004BC0000-0x0000000004D65000-memory.dmp

memory/1056-315-0x0000000004BC0000-0x0000000004D65000-memory.dmp

memory/2972-327-0x0000000002050000-0x000000000208E000-memory.dmp

memory/700-326-0x00000000002B0000-0x0000000000304000-memory.dmp

memory/2748-328-0x0000000002270000-0x0000000004270000-memory.dmp

memory/2204-329-0x0000000000CE0000-0x00000000010E8000-memory.dmp

memory/816-330-0x0000000000BF0000-0x00000000010D3000-memory.dmp

memory/2972-332-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2204-333-0x0000000000CE0000-0x00000000010E8000-memory.dmp

memory/2712-334-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2972-335-0x0000000004870000-0x00000000048B0000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 6e23201d2e4560010928ada16d5e4ae9
SHA1 3d684081fd4da729269098f485ea9d3e13664d8e
SHA256 2e3d25b6b55a04346fcc1fa8f587dd08f27f2cf8878ad354a695e50c74956efc
SHA512 1ae277806c5817d59fee22caa28dd8b555027f43a7297360db856d1b1609526b1cb40181c53e5f4cfa8ea188299186a0af81be1ff1e79ee350530a9a97ad01f2

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 775ab0e37965f25f213dc47873fc151e
SHA1 57204aa304bf3e7f2fab7bf0aec702926f397122
SHA256 9c2a38d0b27fb73cd2c4fbfbb220c218b8e4a0752909a32223813f896d65a408
SHA512 36da2216f0a6d51f71360436aaa789b34898a99647f1631df1b3122bf77c4708d670bcaa5b82b6c04483f3ecbfcf0acce195cff07fa9e7cdd03a60ad8ec256b5

memory/1480-344-0x0000000001210000-0x0000000001292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 f5d8c385f7598e43554e31c11c29b597
SHA1 abe93bae29ebf0c77ba53558ad07cd6bc6dbe893
SHA256 870e45b71bb66fcf216346510442b19c7e1a0670855110a84fd0aaa68609b544
SHA512 dee082b9f90d8e12f5dbbefa440988f6286498001bfc525bddebfa7cef06d538fb88cb5617459a14d26e1a44840b71cc35a65ce18b90a489dd31cb65087b7a69

memory/1808-348-0x0000000002620000-0x0000000004620000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsz7560.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 95bf71504e0b7d40a0b230128eda2910
SHA1 d544e844f5bdbe1ddc3df0bdc5dd47fbc89c0aca
SHA256 f5bc93a03932e8dae0bf721685ac6bcc7052662ed709013617806cb6294fc373
SHA512 c008a5ef865a50dfe40e8a8c7c64200265a8ed41987651b0e0915294f4d43019ad8aaf53c49881596dc0088a589f45e223ced97c12de6dab36b7284620f3babd

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 4fe7bef521345515a1a3e94fa4a25c3a
SHA1 081fe1bedaabd9586b4c3af635814de71d41467d
SHA256 c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA512 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

memory/816-365-0x0000000000BF0000-0x00000000010D3000-memory.dmp

memory/2040-377-0x0000000000400000-0x0000000000454000-memory.dmp

memory/908-383-0x0000000000400000-0x000000000043D000-memory.dmp

memory/908-381-0x0000000000220000-0x000000000022B000-memory.dmp

memory/908-380-0x0000000000620000-0x000000000062E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 01cc1f458f6014f2300c782edee6f8cb
SHA1 b5a935e6b0e6b5ea28dea1341f119100599b4b59
SHA256 708c06eba82137de8afddee894d192ca27de1036c7de0d038c734ab219efb073
SHA512 9a4b904a9c9f65241f2a36bcdbfae1de6736cb8bcf0cf2ea8ce420d23e6be38c04844d3f04383045fefcffffd48256e4ab2e73af1f163dcee667781ff6af4976

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 936009401446e096589f1458397273f3
SHA1 b0c7467f4a7f01b9b3e2cc985b473f98c35e1286
SHA256 cd78877485baa8b8ee3b6a69337fe1a1115824d0d145694a4ff3b64abe854810
SHA512 f44be5fc228dcf99718cf10d6ea0c6df6a815b5344143ffef804211e5d6efa75a411f3ccb6943adb6f80c37a6a9071a482945d1c935b9ec3879021a5c255d609

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\syncUpd[1].exe

MD5 444c5adbaacbe3b46582adbaab8848e9
SHA1 27a7eb3f93b9f210eccbf4660c280248f154a5bb
SHA256 adcfbb7fe5cd4792e4c182b580e4437c8c491416e921597e852859eb29e2e0a2
SHA512 f393042f85b2df6a4fb8ae928ee2a9099cd4c9f6a58f03c8ae45001625f140ebd9b0ec96e0c9141d6506187cae3cea63504f1b4c3f41c8d9c461d63ad5bfe05f

memory/2712-414-0x0000000073CB0000-0x000000007439E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D7B.exe

MD5 f6304a26d04bb93807ce226ae4d2b0e4
SHA1 b61fa453a54b088d8bd138e004364435e00678d1
SHA256 2e22574ce65eb936693a3f0161b38470b054d7dcea5fa1df46357dc37debefd7
SHA512 6b4f1d1f8c6899ab6d948155f7de30d0138af5c486e1bcccd2cc49fb9de23059977fd5b76aef8214964434478e6eebf4d683963644dd975eeba6b556e4a2c41b

memory/2440-429-0x0000000000400000-0x0000000002B17000-memory.dmp

memory/2160-431-0x00000000021F0000-0x00000000021F8000-memory.dmp

memory/2160-430-0x000000001B180000-0x000000001B462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8AA5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar9755.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2160-468-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

memory/2160-470-0x000000000282B000-0x0000000002892000-memory.dmp

memory/2160-469-0x0000000002824000-0x0000000002827000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 07:05

Reported

2024-01-26 07:08

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"

Signatures

Amadey

trojan amadey

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe

"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
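
The process list above shows the Amadey persistence chain in one screen: the sample copies itself to Temp\d887ceb89d\explorhe.exe, registers a schtasks entry that re-launches that copy every minute, and uses rundll32 to load a dropped clip64.dll through its Main export. The Python below is an added example, not part of this report and not any sandbox's own rule set; it turns those two command-line shapes into detection logic run over process-creation events. The event tuples are constructed from the command lines printed above plus two benign control rows, and the ATT&CK technique IDs are attached by the example itself.

```python
import re

# Constructed sample: process-creation events (image path, command line) copied
# from the Processes section above, plus two benign control rows that must not fire.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe '
     r'/TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (r"C:\Windows\System32\schtasks.exe",   # benign control row (constructed)
     r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
    (r"C:\Windows\System32\rundll32.exe",   # benign control row (constructed)
     r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

# Directories a standard user can write to; anything launched from here by a
# scheduler or a LOLBin deserves a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
UNIT_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def parse_schtasks(tokens):
    """Return the /Create switches as {name: value-or-True}, or None if not a /Create call."""
    if not any(t.lower() == "/create" for t in tokens[1:]):
        return None
    params, i = {}, 1
    while i < len(tokens):
        t = tokens[i]
        if t.startswith("/"):
            key = t[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                params[key] = tokens[i + 1]      # switch with a value, e.g. /SC MINUTE
                i += 2
                continue
            params[key] = True                   # bare switch, e.g. /F
        i += 1
    return params


def schedule_interval(params):
    """Seconds between runs for /SC MINUTE|HOURLY|DAILY with optional /MO, else None."""
    unit = str(params.get("sc", "")).lower()
    if unit not in UNIT_SECONDS:
        return None
    try:
        modifier = int(params.get("mo", 1))
    except (TypeError, ValueError):
        modifier = 1
    return UNIT_SECONDS[unit] * modifier


def rundll32_target(tokens):
    """Return (dll_path, export) from a rundll32 command line; handles 'x.dll,Export' and 'x.dll, Export'."""
    for i, t in enumerate(tokens[1:], start=1):
        if ".dll" not in t.lower():
            continue
        dll, _, export = t.partition(",")
        if not export and i + 1 < len(tokens):
            export = tokens[i + 1]
        return dll, export.strip()
    return None


def flag_events(events, max_interval=300):
    """Return [(attack_id, detail)] for the two patterns seen in this report."""
    findings = []
    for _image, cmdline in events:
        tokens = split_cmdline(cmdline)
        exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
        if exe == "schtasks.exe":
            params = parse_schtasks(tokens)
            if not params:
                continue
            target, interval = params.get("tr", ""), schedule_interval(params)
            if USER_WRITABLE.search(str(target)) and interval is not None and interval <= max_interval:
                findings.append(("T1053.005", f"schtasks every {interval}s runs {target}"))
        elif exe == "rundll32.exe":
            hit = rundll32_target(tokens)
            if hit and USER_WRITABLE.search(hit[0]):
                findings.append(("T1218.011", f"rundll32 loads {hit[0]} export {hit[1] or '?'}"))
    return findings


if __name__ == "__main__":
    for technique, detail in flag_events(SAMPLE_EVENTS):
        print(technique, detail)
```

The interval threshold is the tunable part: a task that re-runs a Temp binary every minute is the Amadey watchdog shape, while the same /Create verb with /SC DAILY against Program Files is ordinary administration and is left alone.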

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
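
The Network table is mostly PTR (in-addr.arpa) lookups through 8.8.8.8 plus two plaintext TCP connections to 185.215.113.68:80 with no hostname in the Domain column. The Python below is an added example, not something the report or the sandbox provides: it reverses the in-addr.arpa names back to addresses and cross-checks them against the TCP peers, so the one reverse lookup that concerns the C2 address stands out from the rest. The rows are a constructed subset of the table above. Reverse lookups on their own are routine Windows background behaviour and are not indicators; the overlap with an actual connection is what carries weight.

```python
import ipaddress
import re

# Constructed sample: a subset of the behavioral2 Network table above,
# one (country, destination, domain, proto) tuple per row.
NETWORK_ROWS = [
    ("RU", "185.215.113.68:80", "185.215.113.68", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.113.215.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("RU", "185.215.113.68:80", "185.215.113.68", "tcp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
]

PTR_NAME = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", re.IGNORECASE)


def ptr_to_ip(name):
    """'68.113.215.185.in-addr.arpa' -> '185.215.113.68'; None if not a valid PTR name."""
    m = PTR_NAME.fullmatch(name.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:      # e.g. an octet above 255
        return None


def summarise(rows):
    """Split rows into peers (with hit counts) and the set of reverse-resolved IPs."""
    connections, reverse_lookups = {}, set()
    for _country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if domain.lower().rstrip(".").endswith("in-addr.arpa"):
            target = ptr_to_ip(domain)
            if target:
                reverse_lookups.add(target)
            continue
        key = (ip, int(port), proto.lower())
        # by_ip: the Domain column is just the address, i.e. no forward DNS preceded it
        entry = connections.setdefault(key, {"count": 0, "by_ip": domain == ip})
        entry["count"] += 1
    return connections, reverse_lookups


def find_c2_candidates(rows, ports=(80, 443)):
    """Return [(ip, port, [reasons])] for TCP peers that look like loader C2."""
    connections, reverse_lookups = summarise(rows)
    out = []
    for (ip, port, proto), entry in sorted(connections.items()):
        if proto != "tcp" or port not in ports:
            continue
        reasons = []
        if entry["by_ip"]:
            reasons.append("contacted by literal IP, no forward DNS query")
        if ip in reverse_lookups:
            reasons.append("sample also reverse-resolved this address")
        if entry["count"] > 1:
            reasons.append(f"{entry['count']} separate connections (repeat check-in)")
        if reasons:
            out.append((ip, port, reasons))
    return out


if __name__ == "__main__":
    for ip, port, reasons in find_c2_candidates(NETWORK_ROWS):
        print(f"{ip}:{port}", "; ".join(reasons))
```

Run against the full table the same logic yields one candidate, 185.215.113.68:80, on all three counts; the remaining PTR targets fall in address space the sample never connected to and can be dropped from the indicator list.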

Files

memory/4704-0-0x00000000000C0000-0x00000000004C8000-memory.dmp

memory/4704-1-0x00000000000C0000-0x00000000004C8000-memory.dmp

memory/4704-2-0x00000000000C0000-0x00000000004C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 8dce9705c0c4c3f6175d0ac758a7aaad
SHA1 6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b
SHA256 cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
SHA512 f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731
(Same digests as the submitted sample: the loader copied itself to this path, which is the target of the schtasks entry above.)

memory/4704-13-0x00000000000C0000-0x00000000004C8000-memory.dmp

memory/2012-16-0x0000000000110000-0x0000000000518000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

memory/2012-17-0x0000000000110000-0x0000000000518000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2012-28-0x0000000000110000-0x0000000000518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 d12d91d9af1b27448f2df925d6efa70e
SHA1 2ed2738bde707066ab051692184d3e35e4fad1fc
SHA256 3e8dfa01a765a1540648b88461f792b34bd9b8dc4b13d5b66da84cf7ef3dbf67
SHA512 b3b0827bdc7040ef880a5d0504f024a956d796b8169ca854880d2db38fdc413731f4b1152f3a6b493bef34d14f807706da66809d45240e4e392b70f81ea33255
(Same path as the entry above but different digests: the content at this location was rewritten later in the run, so both hashes belong in the indicator set.)

memory/2012-31-0x0000000000110000-0x0000000000518000-memory.dmp

memory/4376-32-0x0000000000110000-0x0000000000518000-memory.dmp

memory/4376-35-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-36-0x0000000000110000-0x0000000000518000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2012-48-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-49-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-50-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-51-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-52-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-53-0x0000000000110000-0x0000000000518000-memory.dmp

memory/4416-58-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-59-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-60-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-61-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-62-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-63-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-64-0x0000000000110000-0x0000000000518000-memory.dmp

memory/948-69-0x0000000000110000-0x0000000000518000-memory.dmp

memory/2012-70-0x0000000000110000-0x0000000000518000-memory.dmp
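
Both Files sections list the same path more than once with different digests, one entry carries the digests of an empty file, and the memory dumps are named by PID and address range. The Python below is an added example, not report tooling: a parser for this report's path-plus-digest layout that flags rewritten paths, zero-byte captures and byte-identical copies of the submitted sample, and sizes the dumped regions per PID. The input is a constructed excerpt of the entries above with the SHA512 lines omitted; the submitted sample's SHA256 is taken from the report header.

```python
import hashlib
import re

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # digest of zero-byte input
SAMPLE_SHA256 = "cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea"

# Constructed excerpt of the two Files sections above, in the report's own
# layout (path, blank line, digest lines; memory dumps as single lines).
FILES_TEXT = r"""
memory/2064-206-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 b2f3f214e959043b7a6b623b82c95946
SHA1 4924ee55c541809f9ba20fd508f2dd98168ffdc7
SHA256 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29

memory/4704-0-0x00000000000C0000-0x00000000004C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 8dce9705c0c4c3f6175d0ac758a7aaad
SHA1 6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b
SHA256 cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 d12d91d9af1b27448f2df925d6efa70e
SHA1 2ed2738bde707066ab051692184d3e35e4fad1fc
SHA256 3e8dfa01a765a1540648b88461f792b34bd9b8dc4b13d5b66da84cf7ef3dbf67
"""

DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_files_section(text):
    """Return (files, dumps): files are {'path', 'MD5', ...} dicts, dumps are per-region dicts."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        m = DIGEST_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line}          # any other non-blank line starts a new file entry
        files.append(current)
    return files, dumps


def triage(files, sample_sha256):
    """Flag zero-byte captures, self-copies of the sample, and paths whose content changed."""
    by_path = {}
    for f in files:
        by_path.setdefault(f["path"], []).append(f.get("SHA256"))
    findings = []
    for path, digests in by_path.items():
        seen = [d for d in digests if d]
        if EMPTY_SHA256 in seen:
            findings.append((path, "captured at zero bytes (digest of empty input)"))
        if sample_sha256 in seen:
            findings.append((path, "byte-identical copy of the submitted sample"))
        if len(set(seen)) > 1:
            findings.append((path, f"same path captured with {len(set(seen))} different contents"))
    return findings


def largest_region_per_pid(dumps):
    """Largest dumped region per PID; a multi-MB region at 0x140000000 (the default 64-bit PE image base) is a whole unpacked image."""
    best = {}
    for d in dumps:
        if d["pid"] not in best or d["size"] > best[d["pid"]]["size"]:
            best[d["pid"]] = d
    return best


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_TEXT)
    for path, note in triage(files, SAMPLE_SHA256):
        print(note, "->", path)
    for pid, region in sorted(largest_region_per_pid(dumps).items()):
        print(f"pid {pid}: {region['size']} bytes at 0x{region['start']:X}")
```

The practical use is indicator hygiene: zero-byte digests and the sample's own hash add nothing to a blocklist, while a path captured twice with different content means both digests need to be kept.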