Analysis Overview
SHA256
58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af
Threat Level: Known bad
The file 335b17fdc989824126298877bed8804d.exe was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine payload
RedLine
Amadey
RisePro
Detect ZGRat V1
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Checks BIOS information in registry
Executes dropped EXE
.NET Reactor protector
Identifies Wine through registry keys
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 05:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 05:18
Reported
2024-02-06 05:21
Platform
win10v2004-20231222-en
Max time kernel
56s
Max time network
151s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plaza.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000052001\\plaza.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3528 set thread context of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4944 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe
"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe"
C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe
"C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
"C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe"
C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
"C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe"
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe"
C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe"
C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe"
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2764 -ip 2764
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 808
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe"
C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3276 -ip 3276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1976
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1080
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| DE | 20.79.30.95:33223 | N/A | tcp |
| US | 8.8.8.8:53 | 95.30.79.20.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| DE | 144.76.1.85:18574 | N/A | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| GB | 173.222.13.40:80 | N/A | tcp |
| NL | 45.15.156.209:40481 | N/A | tcp |
| DE | 185.172.128.127:80 | N/A | tcp |
| HK | 154.92.15.189:443 | N/A | tcp |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| US | 104.21.58.31:443 | N/A | tcp |
| RU | 5.42.65.31:48396 | N/A | tcp |
| DE | 185.225.200.120:15666 | N/A | tcp |
| US | 104.21.80.171:443 | N/A | tcp |
| US | 8.8.8.8:53 | 62.78.21.104.in-addr.arpa | udp |
| US | 172.67.213.168:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 104.21.78.62:443 | N/A | tcp |
| US | 104.21.58.31:443 | N/A | tcp |
| US | 104.21.83.220:443 | N/A | tcp |
| NL | 94.156.67.230:13781 | N/A | tcp |
| HK | 154.92.15.189:80 | N/A | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| DE | 95.179.241.203:80 | N/A | tcp |
| NL | 94.156.67.230:13781 | N/A | tcp |
| RU | 185.215.113.32:80 | N/A | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 185.215.113.32:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| NL | 94.156.67.230:13781 | N/A | tcp |
Files
memory/2680-0-0x0000000000AC0000-0x0000000000F87000-memory.dmp
memory/2680-1-0x0000000077494000-0x0000000077496000-memory.dmp
memory/2680-2-0x0000000000AC0000-0x0000000000F87000-memory.dmp
memory/2680-3-0x0000000004B70000-0x0000000004B71000-memory.dmp
memory/2680-5-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
memory/2680-9-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/2680-8-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/2680-7-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/2680-6-0x0000000004B30000-0x0000000004B31000-memory.dmp
memory/2680-4-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/2680-11-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/2680-10-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
memory/2680-16-0x0000000000AC0000-0x0000000000F87000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | 335b17fdc989824126298877bed8804d |
| SHA1 | 594f601a3cd7add83fa94f97fe90da3bfa678449 |
| SHA256 | 58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af |
| SHA512 | b4fb222110afce49d786d9fd4f32a2f0c0e17229cf4792034ffe6498660b19912fb351230bf8eddbfcd30711780ab9ac0de5a6ae3fe536a43d9dac4184c05776 |
memory/4016-19-0x00000000008C0000-0x0000000000D87000-memory.dmp
memory/4016-26-0x0000000004990000-0x0000000004991000-memory.dmp
memory/4016-25-0x0000000004980000-0x0000000004981000-memory.dmp
memory/4016-24-0x00000000049E0000-0x00000000049E1000-memory.dmp
memory/4016-23-0x00000000049A0000-0x00000000049A1000-memory.dmp
memory/4016-22-0x00000000049C0000-0x00000000049C1000-memory.dmp
memory/4016-21-0x00000000049B0000-0x00000000049B1000-memory.dmp
memory/4016-20-0x00000000008C0000-0x0000000000D87000-memory.dmp
memory/4016-28-0x00000000049F0000-0x00000000049F1000-memory.dmp
memory/4016-27-0x0000000004A00000-0x0000000004A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe
| MD5 | d467222c3bd563cb72fa49302f80b079 |
| SHA1 | 9335e2a36abb8309d8a2075faf78d66b968b2a91 |
| SHA256 | fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e |
| SHA512 | 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7 |
C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe
| MD5 | 6e401ff8d2152ee1f93cdf7a48072207 |
| SHA1 | 5b6945cde50036da4f96c3ad4d8151e4edfa0eb7 |
| SHA256 | f7c9102387ff2be3466578767db90e8208f9edbfbeb048d08b3aa47b042a05a8 |
| SHA512 | 66ae5caabd19090229449dede7840770c6b3bf8a5d875fa75df3621119b3798a0a5b60e19c4bba9cfb8a39172bde6b5a45ec1d8cff865ca8a8f152f335c68b96 |
memory/3528-68-0x0000000000090000-0x00000000000EA000-memory.dmp
memory/3528-69-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/3528-70-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/1220-73-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3528-76-0x0000000002500000-0x0000000004500000-memory.dmp
memory/1220-78-0x0000000005C50000-0x00000000061F4000-memory.dmp
memory/3528-77-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/1220-80-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/1220-79-0x0000000005740000-0x00000000057D2000-memory.dmp
memory/1220-81-0x0000000005930000-0x0000000005940000-memory.dmp
memory/1220-82-0x00000000056E0000-0x00000000056EA000-memory.dmp
memory/1220-83-0x0000000006820000-0x0000000006E38000-memory.dmp
memory/1220-84-0x0000000005AA0000-0x0000000005BAA000-memory.dmp
memory/1220-95-0x00000000059C0000-0x00000000059FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
| MD5 | 321378ee3648d1e83ebd6fc3f0932aa8 |
| SHA1 | 8511ab3788ae431d909b7c17dcd1d251fa29fc41 |
| SHA256 | 7e6eab3216fb6b11590e524c8ea1e127e2866585c987ddac2d6a7cd1e06df333 |
| SHA512 | b73e0b94b903e4be8a61598cf9406286402c8dd2c60e2bbac1cbe9fdf0410ad800a10a7d0ea43421f5e1244cda9b752147cc9d091d565b32252da301dc69e326 |
memory/1220-96-0x0000000005A00000-0x0000000005A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
| MD5 | 7334ed11b189669383b97608c46fc5d3 |
| SHA1 | 3f11d2c6dbcb2a2a884c507339d6f24247559bb9 |
| SHA256 | 08956a3512e4895b49b529a54e14813fd742660a77a56cf10ecf67bd710f0258 |
| SHA512 | b739ccd8e12583a0aaa741ce2692b9cac069089c54e8b0919cb128e8da66292fc59e69c09314d12f5fbd2410ee148263416a58a0f2c1c497f2cdca6390474674 |
memory/4016-104-0x00000000008C0000-0x0000000000D87000-memory.dmp
memory/1628-106-0x0000000000DB0000-0x0000000001290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
| MD5 | c4d9809ee739f4385e596c24e384d837 |
| SHA1 | 93980678b500a0ade78817988fde911c65b45926 |
| SHA256 | 65705b6a36c82ecd8df4ff9b63d3501c5866238fa6e7f95e59de88e9d9d3cf0b |
| SHA512 | 39d4ac5834954641ea219504d617f2668c437c713937a6927271050413bc7820406fb48d402c49e0a237317f9968c59614cfd27ed74bb0c10735378f3707be75 |
memory/1220-85-0x0000000005960000-0x0000000005972000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
| MD5 | 7dacf8fea68957f6750df5da974b16cd |
| SHA1 | 085a5008421946f1185e816f7c7708fc1734782f |
| SHA256 | f8319a765a72e8c911464e4726a541a99566df777e05603efe7d083b032bd54a |
| SHA512 | ca5a6dafec5a26842738908c93e2d26a95f77e0c18aa6475179a146ca1a795ebac9e8cbf3ba94008761ad21ac5b87307e63db23c5d1df1f3533ed0c286660c40 |
C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
| MD5 | a30a7b9811ce1eb02fadb92aaddae9b8 |
| SHA1 | 572ff08da65062bfbb82cff6d746cb8a69cc097f |
| SHA256 | e2afc7b972a995f673bf14bfbcb35bf1ca94bea2fb79d224d1a6d220114fc897 |
| SHA512 | ff2aa3a8bab8862b490c54eb77cec3f9c38604629ba5afa7541f9bbbb737468db9a13e757a453af747a468358583171bd72d12ad1c582426325d489a1f754783 |
C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
| MD5 | 10a331a12ca40f3293dfadfcecb8d071 |
| SHA1 | ada41586d1366cf76c9a652a219a0e0562cc41af |
| SHA256 | b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f |
| SHA512 | 1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399 |
memory/4944-126-0x0000000002510000-0x0000000002564000-memory.dmp
memory/4944-127-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/4944-128-0x0000000004B00000-0x0000000004B10000-memory.dmp
memory/4944-130-0x0000000004A20000-0x0000000004A72000-memory.dmp
memory/4944-132-0x0000000004B00000-0x0000000004B10000-memory.dmp
memory/4944-131-0x0000000004B00000-0x0000000004B10000-memory.dmp
memory/4016-129-0x00000000008C0000-0x0000000000D87000-memory.dmp
memory/4944-133-0x0000000004B00000-0x0000000004B10000-memory.dmp
memory/1972-136-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1972-141-0x0000000004F30000-0x0000000004F40000-memory.dmp
memory/1972-142-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/4944-140-0x00000000025E0000-0x00000000045E0000-memory.dmp
memory/4944-139-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/1972-143-0x0000000005370000-0x00000000053D6000-memory.dmp
memory/1972-144-0x0000000005F00000-0x0000000005F76000-memory.dmp
memory/1972-145-0x0000000006100000-0x000000000611E000-memory.dmp
memory/1972-146-0x0000000007170000-0x00000000071C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe
| MD5 | 25a9211e0afec5534ef2f0f78e330226 |
| SHA1 | ec4d93d74e549af6938932bce2e1f4dda3b726f4 |
| SHA256 | 4a15dde50b9712707660f082a0d14ddcaccb0f3095befe0970589b346cf229e9 |
| SHA512 | c9f7bf7bd4d279b62c8c09b75945895759c5ec09bf847315d02b2dd465c9dfe571339d1a44f51a8492be17484a5af418d998d4e16f5c1a6a07c535f9b2417591 |
memory/1972-163-0x0000000007870000-0x0000000007A32000-memory.dmp
memory/1972-165-0x0000000007F70000-0x000000000849C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe
| MD5 | 9633dc202f4e3b58f5d8cc39b4d698fc |
| SHA1 | 94846022741baccf388f2802219d020ee89d1c99 |
| SHA256 | 636c0b09b68097c46eb583e4776eb91fbf22fa472c58d80186ed3d17de9d6792 |
| SHA512 | 65d45e8b5066ddb67b62ab74ab073e7f93c65154aae324b240e3355fb790df9431f11eeaa970d289d83cd3f3fad7db85cada21664dec2a27da8188f7a3a455d6 |
memory/2764-169-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/2764-168-0x0000000000EE0000-0x0000000001470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe
| MD5 | ba6dd676427954677edfa0cda0e1ac0a |
| SHA1 | 06a9dafe6a0f8e197815fcfdb3d87c2254198860 |
| SHA256 | ed1a4b838b387e605cf451ec9c37e1b27dc62697f76637c70c06462878a5322a |
| SHA512 | 1b48c9cc7b259c08e865f00cd9130ee548500f2006e4260f13d6054ff6c810b6929daa4b0ef88ee67428268aedbb6a9001406260e1116db07154ae3dc5813941 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
| MD5 | 7dac479c38371e851879850f43b311db |
| SHA1 | 764151cb55f44f112c8acc5b6c804efc75bf85b2 |
| SHA256 | aef80018093ac77bb384cb50caaf7063811b832f0b29ffe739aa07548a759a47 |
| SHA512 | 6243cc205a90c7f84a43042e32f1c9c65b2ff3e19b54728dae126d7516c587d5883640edc7f4dc3ff288f83492ee0a4926cb49985a860db9b0a2db6077540870 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
| MD5 | 22b1164b9e4097e1a38a4a6e7bd4715f |
| SHA1 | b298cd55d4cad256ae69b2beade5fdab498409cd |
| SHA256 | b703ff6a4c61c5136da76b5ecfeca31ab2ea22dfe6ba4e106c290d31614f1f44 |
| SHA512 | 58e3cc37a3de6620161ead73d257316058566c2d15aa16ed870d6b24435c48e832684d08b823497e1c432f0bb8becda0b4342df42f5431771f5d2fd831193b70 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
| MD5 | b06321a832b856ba500c6073c390d9a0 |
| SHA1 | d60bef337e227e0356f87ccc4fe7532236b76def |
| SHA256 | 3a6e11ea4ac87827d96f0f56905e0f226bb8d48777880002782f3fb1f9fede3f |
| SHA512 | 223fba674a5a1e804e34cad1ecb37348ac65cf39f238ac21fd02f2ac1c47e1a6ee8d1d0420ae814fa985aaaef96ef8888433c03e0655685ffb9fbdd4cff6e9be |
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 52c2eece63a232539d155c8945706002 |
| SHA1 | 4d6f3ccdd5cc0ee7ac09ed4fdbf419d6fc7a20e8 |
| SHA256 | bcd0e977741f64cce4f4a8d3a8ded7eee82280868dab2737b8d21f524f8eb43d |
| SHA512 | 2d70ea1cff24c1393b667c33899bf6d781403996070b72805d4741c3cc88a47768673f803b66204d9812f28fbabdf99257c043d1a752734f689b00c387539067 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | f1123b5bc78aa171132d0c45e8df0090 |
| SHA1 | d453cab5d2163cd339730e3b5d01faae3421555b |
| SHA256 | 1fd784af3951763fd768d7bcfe6c9c118c24e62984a1117290d8ff2d2762b870 |
| SHA512 | c97cabd92716a7f6e0e6157e2a836f967c43422cd05d9806738d5411d3906060b0551dc3fe0b9fe1462dd8b5218042e2cce0222a554ff8b1b8f13503250a5032 |
memory/4016-202-0x00000000008C0000-0x0000000000D87000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 028de661ecde4c4e91a7ff12ba30903b |
| SHA1 | f41cd40729d9e7e19a4aecd4933cbbe435d5f65c |
| SHA256 | e010db435cd5d02f41cdb3a11a70f4460ae5541ee95736c82d8b1d09e28de2a0 |
| SHA512 | 3b0cd2d2d4b8e56f6d7009090e978e454b403486434bcc1048893a068296a6ddf869b4c200922f77a3dd5593bc6b4d19d327eab7fbb432832d0acd8a74562f32 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 8c20d9745afb54a1b59131314c15d61c |
| SHA1 | 1975f997e2db1e487c1caf570263a6a3ba135958 |
| SHA256 | a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1 |
| SHA512 | 580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7 |
memory/2764-215-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/1220-216-0x0000000072550000-0x0000000072D00000-memory.dmp
memory/4144-219-0x00007FF6E6D80000-0x00007FF6E6E37000-memory.dmp
memory/3528-214-0x0000000002500000-0x0000000004500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | ac8d1590347f64172343248ea678d125 |
| SHA1 | fcfcec676e0f45eac5522283585e64d971ecc112 |
| SHA256 | eaaa85d5e801764d3d30d680013f069134ee0ca8d3183838cfab14f2a6b01bef |
| SHA512 | 2e82c0dedbe048ba3a9f3e41b18084a7a256c713732eb0316fe36f2117a72b988939bd3085ccca0aab2ac169ddfb86ad0fde13ee94efe090c6cf200f5977e4a1 |
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 49e2c31567efcf11469bdb0588ee9586 |
| SHA1 | fdca1e466002df936c5d9465de5f77691e060100 |
| SHA256 | 6bdc65d0e513a1d764a5e04d3bb60ee7677653b22c290dde2eae1ee550e8fcb7 |
| SHA512 | 2265cf23a2fffec0359ec97e961c163702fc9e71db789ef352a56669d64692ed66fad97fdf8474d80b91b7cc929d500db8a5c7b9d9f1b266b91bc7938214c150 |
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | e142c68c6af621cc913ed7bb599f1418 |
| SHA1 | ce7fb5c30441bb72e54d55c6b81616bd76ce9444 |
| SHA256 | 9228710907f7c9d0da0cad9efd2d7fb7872a8ade366326d18af3360fa96c0f64 |
| SHA512 | 54645302732e0938364501ff3fc5fb5560b15f5c885242248adc19ea8f517e794e4f6163e2b4d7acba43d0e8eafba3fccbcda00afc60bddf4af1d9eba92e6474 |
C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe
| MD5 | 195b71ed0f85c147245d9a58bc15af4e |
| SHA1 | f834e12ae410935a88f04450857144b7a6720816 |
| SHA256 | 18719914ff879f533948ea30f4732b6beb7c62cd7cf584eb792bb2f0581ed1ce |
| SHA512 | 4a2f649b82f1616fc58659eaabc3bd3cc0570a8307b711498c44fc8d55cd708e93958eceafd512b71e98ecae385bb1948476219b19e941b0484f6a711570ff3e |
C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe
| MD5 | 94efb79f630143ef52343054fe28de26 |
| SHA1 | b45dd316e25e2fc738ba536b03937f1f49eaaec9 |
| SHA256 | 93fbf7e3f6e826e60aefe6f3d4145983771809f0d89cb0612239d52a824c8970 |
| SHA512 | 103ee72bdff2f774b42170f9162537dc7da0d7c7e7589d2c25d58fec69dc16cbc37b1e665c13870e8b6e0555c449386e91a2f54d272d4639691a2e35a4895a42 |
C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe
| MD5 | 1e06524b510d8d9a22fd5a6075a3c0ae |
| SHA1 | a282a1e2dd97657cc176f08ddd98f3c3113fb7b0 |
| SHA256 | 30167f6bb231eb0c6d796340f530b075d54a7842dcd6b424a1d6424565bf7815 |
| SHA512 | 8d77ac9b1d13f4a5f9f663199655f86780ceaec9a900e3fc67adf2f9a14082a5221319452fcbd0227eed8f9245ce353388e23c9289e4f92a168fd84e7c182900 |
memory/3032-237-0x0000000000490000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 8d535957253190e75a2de9a882144fc9 |
| SHA1 | e4dae0bdbc3b36686447d8338663065228e91828 |
| SHA256 | fd1d156396a211d4ca97d45208d2d1f5fe9b97535549d57e714a3ff57764609b |
| SHA512 | 9032699bd7b90787a34deba6c1eab7e8b3af8e36f926cf7981486a0e8eb2155c8b677baa82fddb377488919a005a77b9d1b7d5a109b2696eeb16d3fea8d022cb |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 0e051fe645ca981fe96bae7c6d9b8854 |
| SHA1 | ced21024390ea2adeb529c9963dcb91ffdca3afa |
| SHA256 | 0d48ef519083d961f7261d943abaa9d6b323f1f72fc75a127a3cdbd30adf30e3 |
| SHA512 | 037a874365cda113041053647c3996eeba382329a4efb30e6410b542ccc2a241811e0746080f5d9e62675a9d1cb924926418d98fb88c7a7d0bda381036821477 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 66309b8ffa5d84a149c88fa84b53f8fc |
| SHA1 | cc10f74822441b87a707536cd60a9c522037118c |
| SHA256 | ac64a959da677ce6f0cef3f07a39f506b7dd75228f6c9e3eeb7c28b0864b9ed6 |
| SHA512 | 1f58258ec7669ea1af03ae655f8613fce2841db6dd7e24f31b71a127236e118e58077e3f25074a23f3b78fb203f5b9edb27a1c01d4ac4dc3d735a5d9dcefbcc4 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 124ff2b0fcf843b9c7ed0bf619198016 |
| SHA1 | 9022947cd8d337a3f48813be420625c775623346 |
| SHA256 | 3c3f366d58a0755317718bf59f6ec913f2efc3e5802a9140cc9ff6ea12552dcf |
| SHA512 | a13997c38d0debdae61f5db16b12fe57dfabc79df57bd05967be15dc50e0aa5ad83ec92da37ccf4fbd9df60af06334a20145e863ddd92246e674b53bee2f7b52 |
C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe
| MD5 | 48abaee021d7d47b243f6b7a2a4b5f32 |
| SHA1 | 5923f243a4313423c62dd4a2e6a61e49efcbf261 |
| SHA256 | 62ce3d68b0c9494b4aa2e1d40c0ba0380b446e2ccf0b61f02f4e753e7411188d |
| SHA512 | 0dd236baa5dc3085d76bf565d6e2141bb2313db71377b6bb1a8401515c1ea8b977b4b9120d3e7a16983d2bb3e15425e2e64865bac7495d74b4fa9864f28ee41b |
C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe
| MD5 | 3e91dbca42aa51904f6444994968967c |
| SHA1 | c26753281dd332b2d732635a0b8a860293cc2577 |
| SHA256 | cb67f74aae06171a3e3b4c66b5e9cc11f0b1c90c3836274277d4a394bbfac8ef |
| SHA512 | 7874cf71b9a5eb6ff2a76f3677f1575b3ef825b6cbb6681a88cd938062e48b83e5b4e7456f1852abc12fb438490cdab7ca48aa728abcde08709b03aa6c99ee21 |
C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe
| MD5 | 619e54a5fd683b5d54e99f866e325f45 |
| SHA1 | dcee8d536a993790521724b2c3f9ec1b22af0274 |
| SHA256 | 7412bfaadd0c62e782607b0e19739252dc02261b32527d0e67a7c883dde46e6f |
| SHA512 | 02efd2e5b20203723ec66ff25471f1a28485d468b832a6706195c7360504aec1e1a3fdce2d203c2bbd7e139e2f6429174ff2b5e188f1952e949dc21649c7a942 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | d5f3d2440a8ef3bc32ef9463ee2c3609 |
| SHA1 | 29608184d847ae2b6a484b795b881799100592cb |
| SHA256 | 372ee45ed4ffd1c7125e5b257bd33f39391e1bd2a6d5d1fe1adb2b19b7c66c03 |
| SHA512 | 65761d5f894648f70d3f4bdcd3071a59f854f8ceb6f71ad3f87159f2bfd808f1430cbcc4052bc51d60c2e2cf432a195bbfd6aaf8661322d7574a0eb530bf54da |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iimzospq.tao.ps1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe
| MD5 | a8dc2c18acd11c470bf75102b6697d1d |
| SHA1 | 7d9b9998210a37c67a8ec80726135ee9b296b41f |
| SHA256 | 77781461632236137e9b8b91af54df0593c663de5208e70cb32d1189e976b96e |
| SHA512 | 64633a7dbb52a8e26782ef35d72feff220134d6ca94fd879865b8a10173ea54e5ddb73ad0bbf5671e3b2c7ed4b6a8549e94ace35a7643e14c35926c40d5907d6 |
C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe
| MD5 | c05a30056c63f326c800ffc8a7b55f1b |
| SHA1 | d8d1ce4095b59fd9fac8f10800f9e4bc550e061e |
| SHA256 | 2a070e782ca43ee2052b269c49e410bbaf2859980017e4027126dc53965a23cc |
| SHA512 | c8cb27666187b23b5faca052fdeda747e68a7e48974b2efb32e857a853c51d2f4b9c0389ae0870cecfcbfed36827f757ce61729d07d5e92614a344436c7a675a |
C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe
| MD5 | 56871aa822d1027a4f61ed7b3d3d58ef |
| SHA1 | 084f36a96fa8c3fd3c378d8bc373e9315e25d7e4 |
| SHA256 | 792ac45d13068663f4588456fc5e51ef27223ad3154340c8854ce42bba702b6d |
| SHA512 | 6e4512358adcd4e495a1e6615270817871b5c88395cc6743f2ab90e0a1d6b0430fbcfd24c3c7f81dec913915d2a1e1d9db9a3ef8a5334b682d3963e298f35204 |
C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe
| MD5 | 7f5bd799f65cae60447c564d1277aab2 |
| SHA1 | 83031910d87591b274926065075dd5f776751d0d |
| SHA256 | a9365f2623bc7e9d168172a4fa803d3b7f110551a145790f1dfbad0faa8c2044 |
| SHA512 | 6567404cafebff89e65c479a8d7c0f0ad1b39c9852cfb48da98130adbde90ebcda1ee6ef91374dbefa3b2071daf3e6e5b279ced9fad2f8a9acb78c65c93efd71 |
memory/3032-349-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe
| MD5 | e776008ee63bf7bd72b4511366ab0740 |
| SHA1 | 6714d8624deb3b63f0ed987d357f326b48d40813 |
| SHA256 | 20c9b91cc4cf441353d254f80a5cccf99fdf00ccde498c52ee6714e0e1ca63b7 |
| SHA512 | 97ae82f82a29fda09b492d66d0bd790d116e20c14bbefb5588d6cde92182b34b2c99f820bae97798256162d739d5d06351dad37b20a8245cc46f7956e9ba603a |
C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe
| MD5 | b55fdea4a335fe71f9d10372e479386c |
| SHA1 | 47f5b644ba34c721240eb45bc512a0b659260678 |
| SHA256 | 9f2366161736f931d7897842eb96ac0f91859a0dc64c67e9fda40e3c8b965cd7 |
| SHA512 | ecca7b85ba19e9278a4036d9df45b69c3b5ed523cd119f4766c414a86ff6568ec94b9956fb32a0170a2fc92414ec99fb5a98a7c62ee9203f71ac6397a25d0cc3 |
C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe
| MD5 | f3512bcbd6fa7d0d5d36607e31bfe676 |
| SHA1 | 286aa4b19fb5f58b99323d1e486828bcd2426abe |
| SHA256 | 4320228afb3dd41aa1f8cc896b7f7f61826bfa5cdb643a4868a041d65fb1dabf |
| SHA512 | d8ce8000588bf193a271aae29651df94385820bb31eb45bd6346dd3130c4f20306f64c952512f6081f4084b5f326a9ae9f833943b3d157368e5bb1beccc999e4 |
C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe
| MD5 | 2eaa46dee893f8abc6742a74e4c689b9 |
| SHA1 | 555010fc22189a68eca445c9515da5fb53bad60b |
| SHA256 | 85c87e292984d41b8d13c00af7548f59febcec0bf8649f940573d4929809b34b |
| SHA512 | 8f0aaa4c22e2b77d3ae1d44d0799740d43242fa2e2677116165b36879ec9e58e744fd73abc1bc18418fbd540e75e96be88b5d112d481709051b1fa45c6603df2 |
memory/2764-411-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2764-418-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1628-423-0x0000000000DB0000-0x0000000001290000-memory.dmp
memory/3276-407-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3548-433-0x0000000002070000-0x0000000002086000-memory.dmp
memory/4916-437-0x0000000000400000-0x000000000044A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe
| MD5 | 53556584a0432a8055c5baccdfc475ed |
| SHA1 | 481ddc1f3b77b8dae7ace52b392dca3c131176ad |
| SHA256 | ba3703d2582cd0ce99697f5d4b979a7c036f6235a6daebab269b2b9fa3296e2c |
| SHA512 | 85faf9c36f90d63da236ccefb4647a2cf0291b34d34d0e4a5de331d1ca4a3b3ab4002d9f211a8ba29989406040aa53791a097186b444314b1e32b2661aeb3acb |
C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe
| MD5 | b04a91f3ba3f62ad7479e8342b78675a |
| SHA1 | bf0fa72d9ccb0c00acb8d2f210494e658fb3019b |
| SHA256 | ac15abc73e8ba9dd7fcb99abd6668c8c40eb6c1bed7a633984edbf58170fd626 |
| SHA512 | 5cdbe3762c3cfa7e2ca92aea689288754e8f563f159e88f21d0f5e52e69c859045f2171a19b038908ddf2cfe743ae8332b5dec5b85f847caf380e3bcd120a47d |
C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe
| MD5 | 48e7314ff16607c038c29b2f88792f17 |
| SHA1 | 409c7fd2b76a81bbd38dc0b0431e83ef69cca8cd |
| SHA256 | 3094baf0571a80f445074f2ef0ee46bfd54a293eac0c008938ffd1692fcc74e3 |
| SHA512 | f384a88d200d5b22d6427eca4ee96f421a0a7679d4fdb611003d832c4f8e0fb308fb7dbe7adb47ae40b72ac7d506f2c22ebd2bbd4ab3dcd4b0d572735d76163f |
memory/4188-521-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-522-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-531-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-528-0x0000000004EE0000-0x0000000005085000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | ba0340636ca757a88316d1e8b508a39b |
| SHA1 | 6d0bb542a11fa47ea34cafd5be5804b40942ab30 |
| SHA256 | 38f347676c3e1adc048e1483b92055992164853fe613f0b2f5ece5f92d54cbc3 |
| SHA512 | 012f8e7eaf89bf2c8e0c764bcd64695d0654d26fd25d31f80f8f9400325c84a7d415862beeb63b5604b80eb2721d389a53bb92c92c34036842ec077cd4e8cf18 |
memory/4188-537-0x0000000004EE0000-0x0000000005085000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1dfbfa155719f83b510b162d53402188 |
| SHA1 | 5b77bb156fff78643da4c559ca920f760075906c |
| SHA256 | b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831 |
| SHA512 | be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad |
memory/4188-539-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-545-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-547-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-549-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-551-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-553-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-543-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-541-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-556-0x0000000004EE0000-0x0000000005085000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe
| MD5 | 702f975e42dd7322d549469bfd8558a0 |
| SHA1 | 2efb64f57e060d86ef3afa1ac1c654c317eed13d |
| SHA256 | 2c8f5fbc6ce1a1a279477fd3656e5652553c0cbf760426a1b3f7cfff92d5dd38 |
| SHA512 | 4921d71de7a0fde4c31a582615d601f3b3b4ffdeb58830c284e7d26480e656ba1dd9f4830444cda17b9521c8e4e9d4622a2d4626d58aef054a9536e0fd9fd8d0 |
C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe
| MD5 | 4ac075b4e0f42d1b80197287a3c11159 |
| SHA1 | 8f1749a2fab4c639e3f4587c2ea797b9c6b46341 |
| SHA256 | 39b994c3911ce9632222970c869a520f2438730a36573bd78cb6500f60297a7d |
| SHA512 | 983914d5296249c8ab5f8a0a388e02eed07818885ff452d7605a0373a62e9197f0cef82cf11e51c11950a148679c1e8f4c405c7292e95793c8ad7ba162b71d70 |
C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe
| MD5 | e1bbcb25d1dffa013b3d89767742ea9b |
| SHA1 | 89510a66b43b05dd1af3343d642fa8df85ce70f6 |
| SHA256 | 0d1cdf2240e4218050a9da1b3a4335d85fdf2877a0817c3cb8d1bb7d871f8adf |
| SHA512 | 93c26b7e4db7822c9b8a1ec2450f57dc73690311f75c179e2b3218bce1b7dd9cce52b5e49f0d300a4fab8c09d40f865e3f85d9532f248403ad3881a134e91d7c |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 7c6158126fcaf750413a7930915b308f |
| SHA1 | caa1e195ea7af6169a0e6ac0709223557998792b |
| SHA256 | 13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3 |
| SHA512 | d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 9e95a5cf92f84137c7da869567510731 |
| SHA1 | 86b70fafa7d322faa4a13575a93db8cedc377bde |
| SHA256 | 9acfdc879dfed14e1b1fd9100366f79123a8f60ecd646c2468ade8994366989d |
| SHA512 | c815ecc3ba48846aedc377edc1de65e29408796f8a88cc3ce5cbd999a0e39f2094043b702185436415717603c7f69554e4198f12cf9d24c50a65d188ea632d7e |
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | eabba160d6f0349204fff9e7e8c88974 |
| SHA1 | 1a8e0c74a02bc3933cc1be03d7ec7a5f071a80b9 |
| SHA256 | 37d483ff69e8e3c85b0da7ffb0d4efd6909606d1364966dd2e6a3d65db669d57 |
| SHA512 | 01cbbdff5a7150cf683b553aaa91506a368407d71fe0fb3c8d38531f93a35529f6f4be43c0cb3fca72954760e5d40813302bfc2217763629c644a95a9c99ce54 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 62eba6b831598a7ff9dedce0d4a1f51d |
| SHA1 | 33fa9a62ef4ba8de50e6027be8f62a7b8a02d6d8 |
| SHA256 | a4ed60f4a4c8f0fc3730754c59244ccf6b2cb4ea34a5247ef52cc3a398f1b9a2 |
| SHA512 | 66ba1d1e72fde92077d11e47e346c6190c6f1341eb59279f7af539f48bf959acd99bef60740a1b0dd9bdffe32c1d21bb7f9574a47a514d830e73928923135f76 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 4fc640a0270d34b3afc80a7bb4565712 |
| SHA1 | cbe48f83373c509e10c04eac6c0b6fbd5ef1bc04 |
| SHA256 | 955a7be4864c5fb97b6300353ba79522c901311803d189ccfe11c0c56f930a1e |
| SHA512 | dd3ba84ad7ffe432217a8a6a84936214cd8cb2519c6d0d29dd38ade0e7dcba8977b70693693e94040b6b8a701fb3b5e3bfbd98f2711c84b7ef37186a2caba3fb |
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 1f126d885ae732f7b6445c81d9d36104 |
| SHA1 | c14b9dd6306f42b506d512e4add00b90c385ddcb |
| SHA256 | dead6db5067388accc6ca2d125d35ee5619d02b6d0f3f3383089e9da2e82c788 |
| SHA512 | 7fa0df914911159854e3a667af82272c827b8a323c23c7153d4e7c4249f87199d4ca350820c71339220123a1a14de92261686f66172cdd57d3afa34f534a22d9 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | f4a77c669f72e61dd8c9af2d128c8e3f |
| SHA1 | 3450770f3ca4cd130f276ec8fe975119c3e708b3 |
| SHA256 | a0c6a13d879d3a1fc84ca398e6ef52c92d3d72f8c835f7a6c4baa7c711ca0475 |
| SHA512 | dd71bca2f137f990eed194b818644967124224c06af0bf3411e3db0fb9b79ba873a08b5c9bd55777030b433c7320a733448e8f59998f6b4554b8b41924f502c0 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 268f3e1c28fd626436290cba30a6283c |
| SHA1 | dbdf7a5d142f6f88d1cd1e7ccaaf48e057c4e96b |
| SHA256 | a5222cf9382663b2a2a7e1f82470e2d6a5b40f099a3fedecee4cc1f9b5282adb |
| SHA512 | c1ff8e12d84508c6821448a7e6efc569647b0846cbda67f8c50a69d6adddcef68c41c7ac834492eb3ab9d30f5875ee117605286fa47b8410dd8559837c1c04c2 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 33b5acd4f14fede1aac9d2b9332084ab |
| SHA1 | 4de647b748d8fe29d31107e33da6bdb714980a7a |
| SHA256 | 6b0f05028b170d5842d3d0248d1d20eff7ed62dd6a96e041bf53f51e27ec5e60 |
| SHA512 | 345a3a77acd2315db34700640d0984420d478435172e8929d6a9f1f18a07d51f966a8bcbcf2d5ce46cfb9bfbda8463e6f9b8782a99cfa8a0f50f99b3b464defa |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 3516d49c99639b4cca5c67648ab03126 |
| SHA1 | b7a24813dc537a42f85b019db93167f250c4a64d |
| SHA256 | 83c26d4103be1bbcbbd27818f3377853b3011af618fd31925e91e4c9857d11e7 |
| SHA512 | e6fd8b53d5174957b223b9c8af21227c02424103367edeb6808d7d6f8018fff18c73e262bcb7ad2cb743f8c71a39e46a82198cc36b153c16645b48befa5a5bc6 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 3aefb1620d40847dacd7ae31e8fd6ec4 |
| SHA1 | 28d21668a4c238641950c930b08dc265cf920023 |
| SHA256 | bb07d0184522f5e5364b92a22f6b23397ec88d82db4defc6696070545ea1dabb |
| SHA512 | 010166ceebb7ae2576c8340bef92ff92cf38f2ed25e9bda37f6ee921960ebdb24039e5876347577c6f043baa2cc67af56a01fabcad2f3eec455221aa57953f4d |
memory/4188-567-0x0000000004EE0000-0x0000000005085000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bec51f2d41da72bfc83d329ba830d280 |
| SHA1 | 49654e3dee030e714f5c96161d0c37bbd4849a20 |
| SHA256 | 46ab2774871c6590d24b6584c69f700993af9038592d5ce5592fd1dd254ce5c6 |
| SHA512 | efee0a326d56daec73ecd1cf8b64c6391d247ac269d28447fceabd9a09bedfeaca4b5c69fea0466949095292db184da4b63fd2560ee60fa4251872029f0a2827 |
C:\ProgramData\mozglue.dll
| MD5 | fc2817c39d4a1114ec93528276ff0af7 |
| SHA1 | 30e033d104bbeee466c95cdd368fed0fea56a79e |
| SHA256 | cbeb585bbedb7572ecea3c00a6b2a81d33fff1eb457a584a9426115a925695af |
| SHA512 | 5a7783459d4ebd0a62b228b577c784f992020135cdd4a9b3abbb92531b089283d8291a0ea1c619f54ab345e39609f34553d72cc8922aee9b1020b71696c4bde1 |
C:\ProgramData\mozglue.dll
| MD5 | 178f19af3729decc183747dbd2a2b8b4 |
| SHA1 | 9289c500809931735a13f7a5277d1ebe608497dd |
| SHA256 | a34639e55fe61a443a34477106f7d4c672f77170557fddb8983159dc1746131f |
| SHA512 | fd2c62a6926173df1a833d445e9da719a8b3d80002909b390e5dcc16ad979f139e91b0784e14b5f49c245548584f1038ec0d2bb44d82d4e79b138519e7a9f635 |
memory/4188-565-0x0000000004EE0000-0x0000000005085000-memory.dmp
memory/4188-563-0x0000000004EE0000-0x0000000005085000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe
| MD5 | 752e5f6b35080d715759cf0686771354 |
| SHA1 | 4277d0e566bfb50588e48a3bbd24be708beef26b |
| SHA256 | 7ea50311d9fabed729f0f42c497590bacfe39c2cac243e5c756cc410196dcdc0 |
| SHA512 | 37cea2edcb884d99bd73f54f13d88459ce37bc9f31a862ccdffee6c3777870a6b12e7c680361f250f97f79fa13de2ed9c97d97a50f468c8c1232dfac601b4cdb |
C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe
| MD5 | fce29935e27035f91cfbd7b82ef39a80 |
| SHA1 | ad36a4df7ea3e2cb4a7304667e3e62c871cc7c4e |
| SHA256 | 7a152177f1050af51678433a19e733fc3528bb277a000a20e382209e52af8b3d |
| SHA512 | ba12a19508f42811bf92ec9a90f4d072f3cb7dcfe59ba9da99a7ba09478ba512cd2427df2dcf2d106240a47a9ffb484b482315cf0d0b6eb1cda23720af7b81c4 |
C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe
| MD5 | 8e492a58439a0902c4fa70762eb4779a |
| SHA1 | 1ff136be2141900a70e3a15ab8e4599597379644 |
| SHA256 | d02f196856b315ee257d5af50ebb50afd6ed78a57747b938c2f138d416ef05ec |
| SHA512 | 6d3ffbf4136572389c954c9ce9ce7ece5d00b884706a1cdb3f7462db637b7276dfd7074da2c4f5b6f4509965a2f06fa1ebb8aa648b3af79acddfcf88151b487c |
C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe
| MD5 | 317c034ba7e8abbf350ba9b9856c4fa8 |
| SHA1 | 4ca6908958b1bf558e666eb8696ba41662df630f |
| SHA256 | 9e4b06bf8b2fb8ccc64707aac243b913d80182caa30569318faa4b0523e17a60 |
| SHA512 | 9d46e85e38eef4c673eec88ddd5dc2b08c662a05f31ad9bc87f30d2c298f3e9e2365393ac0ce96ae8ab796c6b42380a03daed974605a6b26bd57a88875c442ea |
C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe
| MD5 | dc10aeb4f4c642b2a46db51327bc1cfa |
| SHA1 | 63744c40dee691e1b0c62ce36e1a65e9db148729 |
| SHA256 | a6f452ec0b51f19e4d3b38857c3f70235317a41b7d83805df245e225ac38822e |
| SHA512 | 6d677e627d17379843febd0be036be1d589485d43354957d018205584fa206bc0f50a6b3d21212f33955060a3db783d3021d91699b76ff6d8033ca5d581df820 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe
| MD5 | 70dd662911db1c43b9861176d7e5a6a9 |
| SHA1 | f8e81ff3dc4ca3e8d3dd4c5276740b4f4ab91f47 |
| SHA256 | bdcb8ea9190c528524febeb44eb61f28e6f39826be32f394b83b646b51e4986e |
| SHA512 | baa085651ff34fd3376d387948467da566acdd0094bf4bc2c2c70d74abfedea2399ce1d8581d22d3ab6a2625cc95cc8a5afaf4da40c8c00b124b0d8e0772f5fd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d465ffba25bd409e8040c6724ba5952c |
| SHA1 | 3e35a32e97a5bd5c6084d1c901b34a4b7de10c0a |
| SHA256 | bb52655f377114c9826ec935cc61c1bbbdf8473c0778f40fefbf1a7fca93d86b |
| SHA512 | e048e8974382088363bbf19ae0605819ee2a17191f210a352a4186d3874a1a61a9f1f9a5e70dbab03e5aaf5f0ba1c19267e454fe234176306529a3aebd3a4e90 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
| MD5 | eb2d09e6681b6ee7ac0b8bea3dc61868 |
| SHA1 | 54c02a21af9aa9a7cbdc2c586861e5e4c16ca7d0 |
| SHA256 | 3ad7ab6590b96305fc350995b4d4a42067491cb5718cc2f7309fd8c4a5e58968 |
| SHA512 | 7e17fed42a5d07d7268cfd54e0d2c984f28cc40d14943d234e356b7319c424ef342598bc88b55612a7760813f40b113b0a8b41cceb4cbf888e1fae4acefbb216 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
| MD5 | d7087cf8c1b8802574e5652be8e3a501 |
| SHA1 | b42075327a5b22f18f042e90d0d334287e379d4f |
| SHA256 | 51e5d5cf41d65640103e60f93eb3c807d91eaa3482a92e7c5c06356d67e641c5 |
| SHA512 | 37b5aa132e993c9a841b56fccad3588025ce22c3ac9eda686dd08d3732c492c08cc1360ae8c47f7cfca92424592cb6b813709b832d5b15cd0ad4e5e2644de742 |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
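The listing above is only useful once it is machine-readable: which SHA-256 values are worth blocking, which entries are noise, and which memory dumps belong to which process. The script below is an added example (not part of the report or of the sandbox's own tooling) that parses the report's two line shapes, a drive-letter path followed by `| MD5 | ... |` hash rows and `memory/<pid>-<n>-<start>-<end>-memory.dmp` dump names, into records. It then applies two checks a practitioner wants before pushing hashes anywhere: it drops the zero-byte file (the `__PSScriptPolicyTest_*.ps1` entry carries the well-known empty-file digests) and a short, assumed list of paths Windows writes itself during any detonation (CLR usage logs, the CryptnetUrlCache, the PowerShell profile cache). The embedded `SAMPLE` copies path, MD5 and SHA256 rows for a few entries from the listing above so it runs offline; note that the same drop path (`RDX.exe`) appears with two different digests, which the parser keeps as two versions rather than collapsing.

```python
"""Turn the dropped-file / memory-dump listing of a sandbox report into IOC
records.  Added example, not the report's or the sandbox's own code.  SAMPLE
copies path, MD5 and SHA256 rows from the listing above so it runs offline."""
import re
from dataclasses import dataclass

# Digests of a zero-byte file.  __PSScriptPolicyTest_*.ps1 above has exactly
# these, so it carries no signal and must stay off any blocklist.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Files Windows itself writes during a detonation.  Assumption: this list is
# tuned to the report above, not exhaustive.
BENIGN_MARKERS = ("cryptneturlcache", "usagelogs", "startupprofiledata",
                  "__psscriptpolicytest_")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""

    @property
    def is_empty(self) -> bool:
        return self.md5 == EMPTY_MD5 or self.sha256 == EMPTY_SHA256

    @property
    def is_benign_artifact(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in BENIGN_MARKERS)

    @property
    def well_formed(self) -> bool:
        # sha256 present; every digest that is present has the expected length
        return bool(self.sha256) and all(
            not getattr(self, h) or len(getattr(self, h)) == n for h, n in HASH_LEN.items())


@dataclass
class MemoryRegion:
    pid: int
    index: int   # dump sequence number within the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions).  A path line opens a record and the hash rows
    after it belong to that record; a path may recur with different digests
    because the sample rewrote several drop sites more than once."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            setattr(current, m[1].lower(), m[2].lower())
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
    return files, regions


def blocklist(files) -> list:
    """SHA-256 values worth blocking: complete records that are neither the
    empty file nor an OS-generated artifact."""
    return sorted({f.sha256 for f in files
                   if f.well_formed and not f.is_empty and not f.is_benign_artifact})


def versions_by_path(files) -> dict:
    """Map each drop path to the distinct SHA-256 values seen there, in order."""
    out = {}
    for f in files:
        if f.sha256 and f.sha256 not in out.setdefault(f.path, []):
            out[f.path].append(f.sha256)
    return out


SAMPLE = r"""
memory/3528-214-0x0000000002500000-0x0000000004500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe
| MD5 | 195b71ed0f85c147245d9a58bc15af4e |
| SHA256 | 18719914ff879f533948ea30f4732b6beb7c62cd7cf584eb792bb2f0581ed1ce |
C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe
| MD5 | 94efb79f630143ef52343054fe28de26 |
| SHA256 | 93fbf7e3f6e826e60aefe6f3d4145983771809f0d89cb0612239d52a824c8970 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iimzospq.tao.ps1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1dfbfa155719f83b510b162d53402188 |
| SHA256 | b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831 |
memory/4188-521-0x0000000004EE0000-0x0000000005085000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for f in files:
        tag = "empty" if f.is_empty else "os-artifact" if f.is_benign_artifact else "ioc"
        print(f"{tag:11} {f.sha256} {f.path}")
    for r in regions:
        print(f"pid {r.pid} dump {r.index}: {r.size:#x} bytes at {r.start:#x}")
    print("blocklist:", blocklist(files))
```

Feed the whole listing through `parse_listing` and `blocklist` gives a deduplicated set keyed on SHA-256; `versions_by_path` shows which drop sites were overwritten (a loader pulling successive payloads into the same `1000055001\RDX.exe` path), and `MemoryRegion.size` makes it obvious that, for example, the `3528` dump covers a 32 MiB region while the repeated `4188` dumps all describe the same 0x1A5000-byte range.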
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 05:18
Reported
2024-02-06 05:21
Platform
win7-20231129-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
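The behavioral1 rows above are the raw material for a detection: one process in `%TEMP%` opens the VirtualBox ACPI table key, reads both BIOS version strings, probes for a Wine registry key, and then writes a `.job` file into `C:\Windows\Tasks`. The script below is an added example, not the sandbox's rule engine, that replays those rows as process events and matches them against small rules for each behaviour; it goes slightly beyond the report by also covering the FADT and RSDT ACPI tables, which VirtualBox brands with the same `VBOX__` name (the report shows only DSDT). The event list is constructed from the signature rows; the `svchost.exe` line is a made-up benign control, and the verdict thresholds are an assumption (evasion probes alone are common in commercial packers, so the combination of evasion and persistence from one process is what gets escalated).

```python
"""Replay the behavioral1 signature rows as process events and match them
against rules for the anti-VM / anti-sandbox probes and the job-file
persistence they record.  Added example, not the sandbox's own rule engine;
events are constructed from the report (svchost.exe line is a benign control)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    proc: str    # image path of the acting process
    op: str      # key_opened | value_queried | file_created
    target: str  # registry key/value or file path


# (rule name, operations it applies to, pattern on the target).  The ACPI rule
# also covers FADT and RSDT, which VirtualBox brands the same way; the report
# only shows DSDT.
RULES = [
    ("evasion: VirtualBox ACPI table name", {"key_opened", "value_queried"},
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("evasion: BIOS version strings", {"value_queried"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("evasion: Wine registry key", {"key_opened", "value_queried"},
     re.compile(r"\\Software\\Wine$", re.I)),
    ("persistence: job file in C:\\Windows\\Tasks", {"file_created"},
     re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)),
]


def evaluate(events):
    """Map each process to the list of rule names its events triggered."""
    hits = {}
    for ev in events:
        for name, ops, pat in RULES:
            if ev.op in ops and pat.search(ev.target):
                hits.setdefault(ev.proc, []).append(name)
    return hits


def verdict(rule_names) -> str:
    """Assumed thresholds: evasion plus persistence from one process is high;
    two or more distinct evasion probes is medium; anything else is low."""
    kinds = {n.split(":", 1)[0] for n in rule_names}
    if {"evasion", "persistence"} <= kinds:
        return "high"
    if "evasion" in kinds and len(set(rule_names)) >= 2:
        return "medium"
    return "low" if rule_names else "none"


MAL = r"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"
SAMPLE_EVENTS = [
    Event(MAL, "key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(MAL, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(MAL, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(MAL, "key_opened", r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine"),
    Event(MAL, "file_created", r"C:\Windows\Tasks\explorgu.job"),
    # constructed benign control: an ordinary version lookup by a system process
    Event(r"C:\Windows\System32\svchost.exe", "value_queried",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
]

if __name__ == "__main__":
    for proc, names in evaluate(SAMPLE_EVENTS).items():
        print(f"{verdict(names):6} {proc}")
        for n in names:
            print("   ", n)
```

The same rules transfer directly to Sysmon registry events (EventID 12 for key open/create, 13 for value reads) and file-create events (EventID 11) if you map those fields onto `Event`; the point of keeping the verdict separate from the matching is that a single `SystemBiosVersion` read is not worth an alert on its own, while the cluster in this run, ending in a job file dropped from a `%TEMP%` executable, is.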
Processes
C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe
"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"
Network
Files
memory/1972-0-0x0000000000300000-0x00000000007C7000-memory.dmp
memory/1972-1-0x0000000077A40000-0x0000000077A42000-memory.dmp
memory/1972-13-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/1972-12-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
memory/1972-11-0x0000000000B30000-0x0000000000B31000-memory.dmp
memory/1972-10-0x0000000002B30000-0x0000000002B31000-memory.dmp
memory/1972-9-0x0000000002550000-0x0000000002551000-memory.dmp
memory/1972-8-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/1972-7-0x0000000002B40000-0x0000000002B41000-memory.dmp
memory/1972-6-0x0000000002C20000-0x0000000002C21000-memory.dmp
memory/1972-5-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/1972-4-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
memory/1972-3-0x0000000002B90000-0x0000000002B91000-memory.dmp
memory/1972-2-0x0000000000300000-0x00000000007C7000-memory.dmp
memory/1972-16-0x0000000002C80000-0x0000000002C81000-memory.dmp
memory/1972-15-0x0000000002540000-0x0000000002541000-memory.dmp
memory/1972-17-0x0000000000A10000-0x0000000000A11000-memory.dmp
memory/1972-22-0x0000000000300000-0x00000000007C7000-memory.dmp
memory/1972-18-0x0000000002E20000-0x0000000002E21000-memory.dmp