Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-fy9ypshhhl
Target 335b17fdc989824126298877bed8804d.exe
SHA256 58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af
Tags
amadey redline risepro smokeloader zgrat @oleh_ps @oni912 @pixelscloud livetraffic backdoor discovery evasion infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af

Threat Level: Known bad

The file 335b17fdc989824126298877bed8804d.exe was found to be: Known bad.

Malicious Activity Summary

ZGRat

RedLine payload

RedLine

Amadey

RisePro

Detect ZGRat V1

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Checks BIOS information in registry

Executes dropped EXE

.NET Reactor protector

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 05:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 05:18

Reported

2024-02-06 05:21

Platform

win10v2004-20231222-en

Max time kernel

56s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plaza.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000052001\\plaza.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3528 set thread context of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A
File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4016 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe
PID 4016 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe
PID 4016 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe
PID 4016 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe
PID 4016 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe
PID 4016 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3528 wrote to memory of 1220 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4016 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
PID 4016 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
PID 4016 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe
PID 4016 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
PID 4016 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
PID 4016 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe
PID 4944 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4944 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

"C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe"

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

"C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe"

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe"

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2764 -ip 2764

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 808

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1976

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1080

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network


Files

SHA512 2265cf23a2fffec0359ec97e961c163702fc9e71db789ef352a56669d64692ed66fad97fdf8474d80b91b7cc929d500db8a5c7b9d9f1b266b91bc7938214c150

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 e142c68c6af621cc913ed7bb599f1418
SHA1 ce7fb5c30441bb72e54d55c6b81616bd76ce9444
SHA256 9228710907f7c9d0da0cad9efd2d7fb7872a8ade366326d18af3360fa96c0f64
SHA512 54645302732e0938364501ff3fc5fb5560b15f5c885242248adc19ea8f517e794e4f6163e2b4d7acba43d0e8eafba3fccbcda00afc60bddf4af1d9eba92e6474

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

MD5 195b71ed0f85c147245d9a58bc15af4e
SHA1 f834e12ae410935a88f04450857144b7a6720816
SHA256 18719914ff879f533948ea30f4732b6beb7c62cd7cf584eb792bb2f0581ed1ce
SHA512 4a2f649b82f1616fc58659eaabc3bd3cc0570a8307b711498c44fc8d55cd708e93958eceafd512b71e98ecae385bb1948476219b19e941b0484f6a711570ff3e

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

MD5 94efb79f630143ef52343054fe28de26
SHA1 b45dd316e25e2fc738ba536b03937f1f49eaaec9
SHA256 93fbf7e3f6e826e60aefe6f3d4145983771809f0d89cb0612239d52a824c8970
SHA512 103ee72bdff2f774b42170f9162537dc7da0d7c7e7589d2c25d58fec69dc16cbc37b1e665c13870e8b6e0555c449386e91a2f54d272d4639691a2e35a4895a42

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

MD5 1e06524b510d8d9a22fd5a6075a3c0ae
SHA1 a282a1e2dd97657cc176f08ddd98f3c3113fb7b0
SHA256 30167f6bb231eb0c6d796340f530b075d54a7842dcd6b424a1d6424565bf7815
SHA512 8d77ac9b1d13f4a5f9f663199655f86780ceaec9a900e3fc67adf2f9a14082a5221319452fcbd0227eed8f9245ce353388e23c9289e4f92a168fd84e7c182900

memory/3032-237-0x0000000000490000-0x0000000000590000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 8d535957253190e75a2de9a882144fc9
SHA1 e4dae0bdbc3b36686447d8338663065228e91828
SHA256 fd1d156396a211d4ca97d45208d2d1f5fe9b97535549d57e714a3ff57764609b
SHA512 9032699bd7b90787a34deba6c1eab7e8b3af8e36f926cf7981486a0e8eb2155c8b677baa82fddb377488919a005a77b9d1b7d5a109b2696eeb16d3fea8d022cb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 0e051fe645ca981fe96bae7c6d9b8854
SHA1 ced21024390ea2adeb529c9963dcb91ffdca3afa
SHA256 0d48ef519083d961f7261d943abaa9d6b323f1f72fc75a127a3cdbd30adf30e3
SHA512 037a874365cda113041053647c3996eeba382329a4efb30e6410b542ccc2a241811e0746080f5d9e62675a9d1cb924926418d98fb88c7a7d0bda381036821477

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 66309b8ffa5d84a149c88fa84b53f8fc
SHA1 cc10f74822441b87a707536cd60a9c522037118c
SHA256 ac64a959da677ce6f0cef3f07a39f506b7dd75228f6c9e3eeb7c28b0864b9ed6
SHA512 1f58258ec7669ea1af03ae655f8613fce2841db6dd7e24f31b71a127236e118e58077e3f25074a23f3b78fb203f5b9edb27a1c01d4ac4dc3d735a5d9dcefbcc4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 124ff2b0fcf843b9c7ed0bf619198016
SHA1 9022947cd8d337a3f48813be420625c775623346
SHA256 3c3f366d58a0755317718bf59f6ec913f2efc3e5802a9140cc9ff6ea12552dcf
SHA512 a13997c38d0debdae61f5db16b12fe57dfabc79df57bd05967be15dc50e0aa5ad83ec92da37ccf4fbd9df60af06334a20145e863ddd92246e674b53bee2f7b52

C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe

MD5 48abaee021d7d47b243f6b7a2a4b5f32
SHA1 5923f243a4313423c62dd4a2e6a61e49efcbf261
SHA256 62ce3d68b0c9494b4aa2e1d40c0ba0380b446e2ccf0b61f02f4e753e7411188d
SHA512 0dd236baa5dc3085d76bf565d6e2141bb2313db71377b6bb1a8401515c1ea8b977b4b9120d3e7a16983d2bb3e15425e2e64865bac7495d74b4fa9864f28ee41b

C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe

MD5 3e91dbca42aa51904f6444994968967c
SHA1 c26753281dd332b2d732635a0b8a860293cc2577
SHA256 cb67f74aae06171a3e3b4c66b5e9cc11f0b1c90c3836274277d4a394bbfac8ef
SHA512 7874cf71b9a5eb6ff2a76f3677f1575b3ef825b6cbb6681a88cd938062e48b83e5b4e7456f1852abc12fb438490cdab7ca48aa728abcde08709b03aa6c99ee21

C:\Users\Admin\AppData\Local\Temp\u2c8.0.exe

MD5 619e54a5fd683b5d54e99f866e325f45
SHA1 dcee8d536a993790521724b2c3f9ec1b22af0274
SHA256 7412bfaadd0c62e782607b0e19739252dc02261b32527d0e67a7c883dde46e6f
SHA512 02efd2e5b20203723ec66ff25471f1a28485d468b832a6706195c7360504aec1e1a3fdce2d203c2bbd7e139e2f6429174ff2b5e188f1952e949dc21649c7a942

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 d5f3d2440a8ef3bc32ef9463ee2c3609
SHA1 29608184d847ae2b6a484b795b881799100592cb
SHA256 372ee45ed4ffd1c7125e5b257bd33f39391e1bd2a6d5d1fe1adb2b19b7c66c03
SHA512 65761d5f894648f70d3f4bdcd3071a59f854f8ceb6f71ad3f87159f2bfd808f1430cbcc4052bc51d60c2e2cf432a195bbfd6aaf8661322d7574a0eb530bf54da

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iimzospq.tao.ps1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

MD5 a8dc2c18acd11c470bf75102b6697d1d
SHA1 7d9b9998210a37c67a8ec80726135ee9b296b41f
SHA256 77781461632236137e9b8b91af54df0593c663de5208e70cb32d1189e976b96e
SHA512 64633a7dbb52a8e26782ef35d72feff220134d6ca94fd879865b8a10173ea54e5ddb73ad0bbf5671e3b2c7ed4b6a8549e94ace35a7643e14c35926c40d5907d6

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

MD5 c05a30056c63f326c800ffc8a7b55f1b
SHA1 d8d1ce4095b59fd9fac8f10800f9e4bc550e061e
SHA256 2a070e782ca43ee2052b269c49e410bbaf2859980017e4027126dc53965a23cc
SHA512 c8cb27666187b23b5faca052fdeda747e68a7e48974b2efb32e857a853c51d2f4b9c0389ae0870cecfcbfed36827f757ce61729d07d5e92614a344436c7a675a

C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe

MD5 56871aa822d1027a4f61ed7b3d3d58ef
SHA1 084f36a96fa8c3fd3c378d8bc373e9315e25d7e4
SHA256 792ac45d13068663f4588456fc5e51ef27223ad3154340c8854ce42bba702b6d
SHA512 6e4512358adcd4e495a1e6615270817871b5c88395cc6743f2ab90e0a1d6b0430fbcfd24c3c7f81dec913915d2a1e1d9db9a3ef8a5334b682d3963e298f35204

C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe

MD5 7f5bd799f65cae60447c564d1277aab2
SHA1 83031910d87591b274926065075dd5f776751d0d
SHA256 a9365f2623bc7e9d168172a4fa803d3b7f110551a145790f1dfbad0faa8c2044
SHA512 6567404cafebff89e65c479a8d7c0f0ad1b39c9852cfb48da98130adbde90ebcda1ee6ef91374dbefa3b2071daf3e6e5b279ced9fad2f8a9acb78c65c93efd71

memory/3032-349-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u2c8.1.exe

MD5 e776008ee63bf7bd72b4511366ab0740
SHA1 6714d8624deb3b63f0ed987d357f326b48d40813
SHA256 20c9b91cc4cf441353d254f80a5cccf99fdf00ccde498c52ee6714e0e1ca63b7
SHA512 97ae82f82a29fda09b492d66d0bd790d116e20c14bbefb5588d6cde92182b34b2c99f820bae97798256162d739d5d06351dad37b20a8245cc46f7956e9ba603a

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

MD5 b55fdea4a335fe71f9d10372e479386c
SHA1 47f5b644ba34c721240eb45bc512a0b659260678
SHA256 9f2366161736f931d7897842eb96ac0f91859a0dc64c67e9fda40e3c8b965cd7
SHA512 ecca7b85ba19e9278a4036d9df45b69c3b5ed523cd119f4766c414a86ff6568ec94b9956fb32a0170a2fc92414ec99fb5a98a7c62ee9203f71ac6397a25d0cc3

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

MD5 f3512bcbd6fa7d0d5d36607e31bfe676
SHA1 286aa4b19fb5f58b99323d1e486828bcd2426abe
SHA256 4320228afb3dd41aa1f8cc896b7f7f61826bfa5cdb643a4868a041d65fb1dabf
SHA512 d8ce8000588bf193a271aae29651df94385820bb31eb45bd6346dd3130c4f20306f64c952512f6081f4084b5f326a9ae9f833943b3d157368e5bb1beccc999e4

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

MD5 2eaa46dee893f8abc6742a74e4c689b9
SHA1 555010fc22189a68eca445c9515da5fb53bad60b
SHA256 85c87e292984d41b8d13c00af7548f59febcec0bf8649f940573d4929809b34b
SHA512 8f0aaa4c22e2b77d3ae1d44d0799740d43242fa2e2677116165b36879ec9e58e744fd73abc1bc18418fbd540e75e96be88b5d112d481709051b1fa45c6603df2

memory/2764-411-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2764-418-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1628-423-0x0000000000DB0000-0x0000000001290000-memory.dmp

memory/3276-407-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3548-433-0x0000000002070000-0x0000000002086000-memory.dmp

memory/4916-437-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

MD5 53556584a0432a8055c5baccdfc475ed
SHA1 481ddc1f3b77b8dae7ace52b392dca3c131176ad
SHA256 ba3703d2582cd0ce99697f5d4b979a7c036f6235a6daebab269b2b9fa3296e2c
SHA512 85faf9c36f90d63da236ccefb4647a2cf0291b34d34d0e4a5de331d1ca4a3b3ab4002d9f211a8ba29989406040aa53791a097186b444314b1e32b2661aeb3acb

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

MD5 b04a91f3ba3f62ad7479e8342b78675a
SHA1 bf0fa72d9ccb0c00acb8d2f210494e658fb3019b
SHA256 ac15abc73e8ba9dd7fcb99abd6668c8c40eb6c1bed7a633984edbf58170fd626
SHA512 5cdbe3762c3cfa7e2ca92aea689288754e8f563f159e88f21d0f5e52e69c859045f2171a19b038908ddf2cfe743ae8332b5dec5b85f847caf380e3bcd120a47d

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

MD5 48e7314ff16607c038c29b2f88792f17
SHA1 409c7fd2b76a81bbd38dc0b0431e83ef69cca8cd
SHA256 3094baf0571a80f445074f2ef0ee46bfd54a293eac0c008938ffd1692fcc74e3
SHA512 f384a88d200d5b22d6427eca4ee96f421a0a7679d4fdb611003d832c4f8e0fb308fb7dbe7adb47ae40b72ac7d506f2c22ebd2bbd4ab3dcd4b0d572735d76163f

memory/4188-521-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-522-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-531-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-528-0x0000000004EE0000-0x0000000005085000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 ba0340636ca757a88316d1e8b508a39b
SHA1 6d0bb542a11fa47ea34cafd5be5804b40942ab30
SHA256 38f347676c3e1adc048e1483b92055992164853fe613f0b2f5ece5f92d54cbc3
SHA512 012f8e7eaf89bf2c8e0c764bcd64695d0654d26fd25d31f80f8f9400325c84a7d415862beeb63b5604b80eb2721d389a53bb92c92c34036842ec077cd4e8cf18

memory/4188-537-0x0000000004EE0000-0x0000000005085000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1dfbfa155719f83b510b162d53402188
SHA1 5b77bb156fff78643da4c559ca920f760075906c
SHA256 b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831
SHA512 be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

memory/4188-539-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-545-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-547-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-549-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-551-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-553-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-543-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-541-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-556-0x0000000004EE0000-0x0000000005085000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

MD5 702f975e42dd7322d549469bfd8558a0
SHA1 2efb64f57e060d86ef3afa1ac1c654c317eed13d
SHA256 2c8f5fbc6ce1a1a279477fd3656e5652553c0cbf760426a1b3f7cfff92d5dd38
SHA512 4921d71de7a0fde4c31a582615d601f3b3b4ffdeb58830c284e7d26480e656ba1dd9f4830444cda17b9521c8e4e9d4622a2d4626d58aef054a9536e0fd9fd8d0

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

MD5 4ac075b4e0f42d1b80197287a3c11159
SHA1 8f1749a2fab4c639e3f4587c2ea797b9c6b46341
SHA256 39b994c3911ce9632222970c869a520f2438730a36573bd78cb6500f60297a7d
SHA512 983914d5296249c8ab5f8a0a388e02eed07818885ff452d7605a0373a62e9197f0cef82cf11e51c11950a148679c1e8f4c405c7292e95793c8ad7ba162b71d70

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

MD5 e1bbcb25d1dffa013b3d89767742ea9b
SHA1 89510a66b43b05dd1af3343d642fa8df85ce70f6
SHA256 0d1cdf2240e4218050a9da1b3a4335d85fdf2877a0817c3cb8d1bb7d871f8adf
SHA512 93c26b7e4db7822c9b8a1ec2450f57dc73690311f75c179e2b3218bce1b7dd9cce52b5e49f0d300a4fab8c09d40f865e3f85d9532f248403ad3881a134e91d7c

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 7c6158126fcaf750413a7930915b308f
SHA1 caa1e195ea7af6169a0e6ac0709223557998792b
SHA256 13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3
SHA512 d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 9e95a5cf92f84137c7da869567510731
SHA1 86b70fafa7d322faa4a13575a93db8cedc377bde
SHA256 9acfdc879dfed14e1b1fd9100366f79123a8f60ecd646c2468ade8994366989d
SHA512 c815ecc3ba48846aedc377edc1de65e29408796f8a88cc3ce5cbd999a0e39f2094043b702185436415717603c7f69554e4198f12cf9d24c50a65d188ea632d7e

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 eabba160d6f0349204fff9e7e8c88974
SHA1 1a8e0c74a02bc3933cc1be03d7ec7a5f071a80b9
SHA256 37d483ff69e8e3c85b0da7ffb0d4efd6909606d1364966dd2e6a3d65db669d57
SHA512 01cbbdff5a7150cf683b553aaa91506a368407d71fe0fb3c8d38531f93a35529f6f4be43c0cb3fca72954760e5d40813302bfc2217763629c644a95a9c99ce54

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 62eba6b831598a7ff9dedce0d4a1f51d
SHA1 33fa9a62ef4ba8de50e6027be8f62a7b8a02d6d8
SHA256 a4ed60f4a4c8f0fc3730754c59244ccf6b2cb4ea34a5247ef52cc3a398f1b9a2
SHA512 66ba1d1e72fde92077d11e47e346c6190c6f1341eb59279f7af539f48bf959acd99bef60740a1b0dd9bdffe32c1d21bb7f9574a47a514d830e73928923135f76

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 4fc640a0270d34b3afc80a7bb4565712
SHA1 cbe48f83373c509e10c04eac6c0b6fbd5ef1bc04
SHA256 955a7be4864c5fb97b6300353ba79522c901311803d189ccfe11c0c56f930a1e
SHA512 dd3ba84ad7ffe432217a8a6a84936214cd8cb2519c6d0d29dd38ade0e7dcba8977b70693693e94040b6b8a701fb3b5e3bfbd98f2711c84b7ef37186a2caba3fb

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 1f126d885ae732f7b6445c81d9d36104
SHA1 c14b9dd6306f42b506d512e4add00b90c385ddcb
SHA256 dead6db5067388accc6ca2d125d35ee5619d02b6d0f3f3383089e9da2e82c788
SHA512 7fa0df914911159854e3a667af82272c827b8a323c23c7153d4e7c4249f87199d4ca350820c71339220123a1a14de92261686f66172cdd57d3afa34f534a22d9

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 f4a77c669f72e61dd8c9af2d128c8e3f
SHA1 3450770f3ca4cd130f276ec8fe975119c3e708b3
SHA256 a0c6a13d879d3a1fc84ca398e6ef52c92d3d72f8c835f7a6c4baa7c711ca0475
SHA512 dd71bca2f137f990eed194b818644967124224c06af0bf3411e3db0fb9b79ba873a08b5c9bd55777030b433c7320a733448e8f59998f6b4554b8b41924f502c0

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 268f3e1c28fd626436290cba30a6283c
SHA1 dbdf7a5d142f6f88d1cd1e7ccaaf48e057c4e96b
SHA256 a5222cf9382663b2a2a7e1f82470e2d6a5b40f099a3fedecee4cc1f9b5282adb
SHA512 c1ff8e12d84508c6821448a7e6efc569647b0846cbda67f8c50a69d6adddcef68c41c7ac834492eb3ab9d30f5875ee117605286fa47b8410dd8559837c1c04c2

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 33b5acd4f14fede1aac9d2b9332084ab
SHA1 4de647b748d8fe29d31107e33da6bdb714980a7a
SHA256 6b0f05028b170d5842d3d0248d1d20eff7ed62dd6a96e041bf53f51e27ec5e60
SHA512 345a3a77acd2315db34700640d0984420d478435172e8929d6a9f1f18a07d51f966a8bcbcf2d5ce46cfb9bfbda8463e6f9b8782a99cfa8a0f50f99b3b464defa

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 3516d49c99639b4cca5c67648ab03126
SHA1 b7a24813dc537a42f85b019db93167f250c4a64d
SHA256 83c26d4103be1bbcbbd27818f3377853b3011af618fd31925e91e4c9857d11e7
SHA512 e6fd8b53d5174957b223b9c8af21227c02424103367edeb6808d7d6f8018fff18c73e262bcb7ad2cb743f8c71a39e46a82198cc36b153c16645b48befa5a5bc6

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 3aefb1620d40847dacd7ae31e8fd6ec4
SHA1 28d21668a4c238641950c930b08dc265cf920023
SHA256 bb07d0184522f5e5364b92a22f6b23397ec88d82db4defc6696070545ea1dabb
SHA512 010166ceebb7ae2576c8340bef92ff92cf38f2ed25e9bda37f6ee921960ebdb24039e5876347577c6f043baa2cc67af56a01fabcad2f3eec455221aa57953f4d

memory/4188-567-0x0000000004EE0000-0x0000000005085000-memory.dmp

C:\ProgramData\nss3.dll

MD5 bec51f2d41da72bfc83d329ba830d280
SHA1 49654e3dee030e714f5c96161d0c37bbd4849a20
SHA256 46ab2774871c6590d24b6584c69f700993af9038592d5ce5592fd1dd254ce5c6
SHA512 efee0a326d56daec73ecd1cf8b64c6391d247ac269d28447fceabd9a09bedfeaca4b5c69fea0466949095292db184da4b63fd2560ee60fa4251872029f0a2827

C:\ProgramData\mozglue.dll

MD5 fc2817c39d4a1114ec93528276ff0af7
SHA1 30e033d104bbeee466c95cdd368fed0fea56a79e
SHA256 cbeb585bbedb7572ecea3c00a6b2a81d33fff1eb457a584a9426115a925695af
SHA512 5a7783459d4ebd0a62b228b577c784f992020135cdd4a9b3abbb92531b089283d8291a0ea1c619f54ab345e39609f34553d72cc8922aee9b1020b71696c4bde1

C:\ProgramData\mozglue.dll

MD5 178f19af3729decc183747dbd2a2b8b4
SHA1 9289c500809931735a13f7a5277d1ebe608497dd
SHA256 a34639e55fe61a443a34477106f7d4c672f77170557fddb8983159dc1746131f
SHA512 fd2c62a6926173df1a833d445e9da719a8b3d80002909b390e5dcc16ad979f139e91b0784e14b5f49c245548584f1038ec0d2bb44d82d4e79b138519e7a9f635

memory/4188-565-0x0000000004EE0000-0x0000000005085000-memory.dmp

memory/4188-563-0x0000000004EE0000-0x0000000005085000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

MD5 752e5f6b35080d715759cf0686771354
SHA1 4277d0e566bfb50588e48a3bbd24be708beef26b
SHA256 7ea50311d9fabed729f0f42c497590bacfe39c2cac243e5c756cc410196dcdc0
SHA512 37cea2edcb884d99bd73f54f13d88459ce37bc9f31a862ccdffee6c3777870a6b12e7c680361f250f97f79fa13de2ed9c97d97a50f468c8c1232dfac601b4cdb

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

MD5 fce29935e27035f91cfbd7b82ef39a80
SHA1 ad36a4df7ea3e2cb4a7304667e3e62c871cc7c4e
SHA256 7a152177f1050af51678433a19e733fc3528bb277a000a20e382209e52af8b3d
SHA512 ba12a19508f42811bf92ec9a90f4d072f3cb7dcfe59ba9da99a7ba09478ba512cd2427df2dcf2d106240a47a9ffb484b482315cf0d0b6eb1cda23720af7b81c4

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

MD5 8e492a58439a0902c4fa70762eb4779a
SHA1 1ff136be2141900a70e3a15ab8e4599597379644
SHA256 d02f196856b315ee257d5af50ebb50afd6ed78a57747b938c2f138d416ef05ec
SHA512 6d3ffbf4136572389c954c9ce9ce7ece5d00b884706a1cdb3f7462db637b7276dfd7074da2c4f5b6f4509965a2f06fa1ebb8aa648b3af79acddfcf88151b487c

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

MD5 317c034ba7e8abbf350ba9b9856c4fa8
SHA1 4ca6908958b1bf558e666eb8696ba41662df630f
SHA256 9e4b06bf8b2fb8ccc64707aac243b913d80182caa30569318faa4b0523e17a60
SHA512 9d46e85e38eef4c673eec88ddd5dc2b08c662a05f31ad9bc87f30d2c298f3e9e2365393ac0ce96ae8ab796c6b42380a03daed974605a6b26bd57a88875c442ea

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

MD5 dc10aeb4f4c642b2a46db51327bc1cfa
SHA1 63744c40dee691e1b0c62ce36e1a65e9db148729
SHA256 a6f452ec0b51f19e4d3b38857c3f70235317a41b7d83805df245e225ac38822e
SHA512 6d677e627d17379843febd0be036be1d589485d43354957d018205584fa206bc0f50a6b3d21212f33955060a3db783d3021d91699b76ff6d8033ca5d581df820

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

MD5 70dd662911db1c43b9861176d7e5a6a9
SHA1 f8e81ff3dc4ca3e8d3dd4c5276740b4f4ab91f47
SHA256 bdcb8ea9190c528524febeb44eb61f28e6f39826be32f394b83b646b51e4986e
SHA512 baa085651ff34fd3376d387948467da566acdd0094bf4bc2c2c70d74abfedea2399ce1d8581d22d3ab6a2625cc95cc8a5afaf4da40c8c00b124b0d8e0772f5fd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d465ffba25bd409e8040c6724ba5952c
SHA1 3e35a32e97a5bd5c6084d1c901b34a4b7de10c0a
SHA256 bb52655f377114c9826ec935cc61c1bbbdf8473c0778f40fefbf1a7fca93d86b
SHA512 e048e8974382088363bbf19ae0605819ee2a17191f210a352a4186d3874a1a61a9f1f9a5e70dbab03e5aaf5f0ba1c19267e454fe234176306529a3aebd3a4e90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 eb2d09e6681b6ee7ac0b8bea3dc61868
SHA1 54c02a21af9aa9a7cbdc2c586861e5e4c16ca7d0
SHA256 3ad7ab6590b96305fc350995b4d4a42067491cb5718cc2f7309fd8c4a5e58968
SHA512 7e17fed42a5d07d7268cfd54e0d2c984f28cc40d14943d234e356b7319c424ef342598bc88b55612a7760813f40b113b0a8b41cceb4cbf888e1fae4acefbb216

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 d7087cf8c1b8802574e5652be8e3a501
SHA1 b42075327a5b22f18f042e90d0d334287e379d4f
SHA256 51e5d5cf41d65640103e60f93eb3c807d91eaa3482a92e7c5c06356d67e641c5
SHA512 37b5aa132e993c9a841b56fccad3588025ce22c3ac9eda686dd08d3732c492c08cc1360ae8c47f7cfca92424592cb6b813709b832d5b15cd0ad4e5e2644de742

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 05:18

Reported

2024-02-06 05:21

Platform

win7-20231129-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Identifies Wine through registry keys

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

Network

N/A

Files

memory/1972-0-0x0000000000300000-0x00000000007C7000-memory.dmp

memory/1972-1-0x0000000077A40000-0x0000000077A42000-memory.dmp

memory/1972-13-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/1972-12-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

memory/1972-11-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/1972-10-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/1972-9-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1972-8-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/1972-7-0x0000000002B40000-0x0000000002B41000-memory.dmp

memory/1972-6-0x0000000002C20000-0x0000000002C21000-memory.dmp

memory/1972-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1972-4-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

memory/1972-3-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/1972-2-0x0000000000300000-0x00000000007C7000-memory.dmp

memory/1972-16-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/1972-15-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1972-17-0x0000000000A10000-0x0000000000A11000-memory.dmp

memory/1972-22-0x0000000000300000-0x00000000007C7000-memory.dmp

memory/1972-18-0x0000000002E20000-0x0000000002E21000-memory.dmp