Malware Analysis Report

2024-11-16 15:52

Sample ID 240208-r8p7tseg5x
Target 1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe
SHA256 1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de
Tags
amadey redline xmrig google evasion infostealer miner persistence phishing trojan upx spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de

Threat Level: Known bad

The file 1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe was found to be: Known bad.

Malicious Activity Summary

amadey redline xmrig google evasion infostealer miner persistence phishing trojan upx spyware stealer

RedLine

xmrig

RedLine payload

Detected google phishing page

Amadey

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Creates new service(s)

Blocklisted process makes network request

Stops running service(s)

Reads local data of messenger clients

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-08 14:52

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; the export carries no per-file details)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 14:52

Reported

2024-02-08 14:54

Platform

win7-20231215-en

Max time kernel

63s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe"

Signatures

Amadey

trojan amadey

Detected google phishing page

phishing google

No indicator is exported for this hit. The only Google content in the run is https://accounts.google.com/, loaded by iexplore.exe after fu.exe launched it (see Processes), so the signature most likely fired on the genuine sign-in page rather than on a dropped phishing kit. Treat the "phishing" tag as weak until the network capture shows a look-alike domain.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 matches; the export carries no indicator details)

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
(9 matches; the export carries no indicator details)

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe N/A

UPX packed file

upx
Description Indicator Process Target
(14 files matched; the export carries no per-file details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\amert.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000958001\\amert.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\fu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000031001\\fu.exe" C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ladas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000032001\\ladas.exe" C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

AutoIT Executable

Description Indicator Process Target
(1 match; the export carries no per-file details)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (4 launches; the one command line captured under Processes is sc.exe delete "ACULXOBT")

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware

All 64 rows under this signature are written by iexplore.exe or IEXPLORE.EXE themselves after fu.exe launched the browser against four sites (see Processes): session-recovery flags, zoom, toolbar and window-placement state, the LowMic and DOMStorage containers. This is ordinary browser housekeeping rather than a setting the malware tampered with; the signature fires because a malicious parent spawned the browser, so the fu.exe to iexplore.exe launch, not these keys, is the indicator worth keeping. Rows are de-duplicated below with their number of occurrences; every key is under \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\.

Description Indicator Process Count
Key created GPU C:\Program Files\Internet Explorer\iexplore.exe 3
Key created LowRegistry C:\Program Files\Internet Explorer\iexplore.exe 4
Key created LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe 2
Key created LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe 3
Key created Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe 3
Key created Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe 3
Key created Toolbar C:\Program Files\Internet Explorer\iexplore.exe 2
Key created Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe 3
Key created Main C:\Program Files\Internet Explorer\iexplore.exe 4
Key created Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
Key created Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe 2
Key created InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe 2
Key created Zoom C:\Program Files\Internet Explorer\iexplore.exe 3
Key created IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe 4
Key created BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe 4
Key created PageSetup C:\Program Files\Internet Explorer\iexplore.exe 1
Key created IntelliForms C:\Program Files\Internet Explorer\iexplore.exe 2
Set value (int) Recovery\AdminActive\{C45CCDF1-C691-11EE-BCDB-CE253106968E} = "0" C:\Program Files\Internet Explorer\iexplore.exe 1
Set value (int) Recovery\AdminActive\{C4854551-C691-11EE-BCDB-CE253106968E} = "0" C:\Program Files\Internet Explorer\iexplore.exe 1
Set value (int) Recovery\AdminActive\{C463F211-C691-11EE-BCDB-CE253106968E} = "0" C:\Program Files\Internet Explorer\iexplore.exe 1
Set value (int) Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe 3
Set value (int) Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe 2
Set value (str) Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe 3
Set value (str) Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe 2
Set value (int) Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe 1
Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe 1

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pair below appears four times in the raw export, the four writes the sandbox logs per process creation; listed once with the count)
PID 2176 wrote to memory of 2820 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2820 wrote to memory of 2584 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2580 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 2820 wrote to memory of 3040 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2032 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3040 wrote to memory of 336 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3040 wrote to memory of 1100 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2396 wrote to memory of 1536 (4 writes) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1536 wrote to memory of 1996 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1996 wrote to memory of 2280 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 2592 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 2592 wrote to memory of 1260 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2592 wrote to memory of 2236 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2592 wrote to memory of 2804 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2592 wrote to memory of 2792 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1260 wrote to memory of 2916 (4 writes) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
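The repeated rows above are the sandbox's four writes per process creation, and the parent/child pairs in them are enough to rebuild the process tree without the separate Processes view. The script below is added here as an example; it is not part of the sandbox export. It parses rows in exactly the format shown, collapses the repeats, prints the tree and lists every PID a given image name ran under, which is how the three explorhe.exe instances become visible. SAMPLE is a subset of the rows above, kept with the four-fold repeats; the only assumptions are the row format and that a write into a freshly created PID means parent and child.

```python
"""Rebuild a process tree from 'PID X wrote to memory of Y' sandbox rows.
Example code added by the editor, not part of the report; SAMPLE is a subset
of the rows in the table above, repeats included."""
import re

# Parent path is matched lazily so the split lands on the ' C:\' that starts the child path.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

SAMPLE = [
    r"PID 2176 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"PID 2176 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"PID 2176 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"PID 2176 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 2820 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe",
    r"PID 2820 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3040 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe",
    r"PID 3040 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe",
    r"PID 3040 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"PID 2396 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"PID 1536 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
    r"PID 1996 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 1996 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe",
    r"PID 2592 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Internet Explorer\iexplore.exe",
    r"PID 1260 wrote to memory of 2916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
]


def parse_rows(rows):
    """De-duplicated (parent_pid, child_pid, parent_image, child_image) in first-seen order."""
    edges = {}
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return [(p, c, pi, ci) for (p, c), (pi, ci) in edges.items()]


def build_tree(edges):
    """Map pid -> image path, pid -> ordered child pids, and the root pids."""
    images, children = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        children.setdefault(ppid, []).append(cpid)
    is_child = {c for kids in children.values() for c in kids}
    roots = [pid for pid in images if pid not in is_child]
    return images, children, roots


def render(rows):
    """Indented 'basename (pid)' lines, one per process, depth-first from each root."""
    images, children, roots = build_tree(parse_rows(rows))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + images[pid].rsplit("\\", 1)[-1] + f" ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def instances(rows, basename):
    """All PIDs that ran the given image name; more than one means re-launches."""
    images, _, _ = build_tree(parse_rows(rows))
    return sorted(pid for pid, img in images.items()
                  if img.lower().endswith("\\" + basename.lower()))


if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
    print("explorhe.exe instances:", instances(SAMPLE, "explorhe.exe"))
```

Two roots come out of the sample, the submitted executable (2176) and taskeng.exe (2396): the second root is the scheduled task firing, so anything under it survived the loader's own kill-and-rename cycle. Paste the full table in place of SAMPLE to get the complete tree for the run.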

Processes

Process tree reconstructed from the WriteProcessMemory parent/child pairs above (PIDs in parentheses, each process followed by its command line). Processes whose parent the exported table does not record are listed afterwards in the order the sandbox reported them.

C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe (2176)
    "C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe"
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe (2820)
      "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
    C:\Windows\SysWOW64\schtasks.exe (2584)
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
    C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe (2580)
        "C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe"
    C:\Windows\SysWOW64\cmd.exe (3040)
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"
      C:\Windows\SysWOW64\taskkill.exe (2032)
          taskkill /f /im "explorhe.exe"
      C:\Windows\SysWOW64\timeout.exe (336)
          timeout 1
      C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe (1100)
          C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\taskeng.exe (2396)
    taskeng.exe {E735C0A0-BB93-40D5-A503-15527D5219D7} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe (1536)
      C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe (1996)
        "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2280)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"
      C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe (2592)
          "C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"
        C:\Program Files\Internet Explorer\iexplore.exe (PIDs 1260, 2236, 2804 and 2792; one frame process per URL, in the order reported)
            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
            "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (content processes; SCODEF names the parent frame PID)
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:340993 /prefetch:2
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:406529 /prefetch:2
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2

Parent not recorded in the exported memory-write table. Apart from the system binaries these all sit in the loader's numbered drop folders under %TEMP%, the same scheme as amert.exe and fu.exe above:

C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe"
C:\Users\Admin\AppData\Local\Temp\1000109001\for.exe
    "C:\Users\Admin\AppData\Local\Temp\1000109001\for.exe"
C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe"
C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000134001\dota.exe
    "C:\Users\Admin\AppData\Local\Temp\1000134001\dota.exe"
C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000136001\File300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000136001\File300un.exe"
C:\Users\Admin\AppData\Local\Temp\1000138001\lumma123142124.exe
    "C:\Users\Admin\AppData\Local\Temp\1000138001\lumma123142124.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe
    "C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000140001\new.exe
    "C:\Users\Admin\AppData\Local\Temp\1000140001\new.exe"
C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe
    "C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe"
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ACULXOBT"

Three things in this tree are worth pulling out:

The cmd.exe chain is the dropped loader's self-replacement step, readable straight from its command line: kill the running explorhe.exe, wait one second, delete it, rename the freshly downloaded file cbfcbf to explorhe.exe and relaunch it. The scheduled task created just before it (every minute, /F to overwrite) keeps the renamed copy running, and the Run keys written by explorhe.exe and explorgu.exe cover reboots.

Both RegAsm.exe instances start with an empty command line, each immediately after one of the stealer executables (lumma123142124.exe, redline1234.exe) in the reported order. A .NET host launched with no arguments is the usual injection target for stealers of this kind, which is consistent with the "RedLine payload" hit carrying no file indicator.

cred64.dll and clip64.dll are run through rundll32 with an explicit Main export from %APPDATA%\006700e5a2ab05. The names match Amadey's documented credential-stealer and clipper plug-ins and are the likely source of the "Reads user/profile data of web browsers" and "Reads local data of messenger clients" hits.

C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000143001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000143001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\1000144001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000144001\mrk1234.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 596
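
The process list above carries the whole infection chain in one place: the cmd.exe /k line that kills, deletes, renames and relaunches the loader binary; PowerShell run with -executionpolicy remotesigned on a script dropped in Temp; rundll32 loading cred64.dll and clip64.dll by the export Main from a Roaming subfolder; RegAsm.exe launched with no arguments immediately after lumma123142124.exe and redline1234.exe, the usual sign of a hollowed host process; and sc.exe creating an auto-start service under ProgramData and stopping eventlog around the time the service binary runs. The following is an added detection example, not part of this report and not code from the sandbox vendor: it runs a handful of regex rules over a copy of those command lines and reports which fired. The rule names, the ten-digit Temp subdirectory pattern and the negative cases are assumptions made for the example.

```python
import re
from collections import defaultdict

# Command lines copied from the behavioral1 process list of this report
# (a subset, plus two benign-looking ones kept as negative cases).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 596',
]

# (rule name, regex, one-line rationale). Names are assumptions for this example.
RULES = [
    ("amadey_self_update_chain",
     r'cmd\.exe.*/k.*taskkill\s+/f\s+/im\b.*&&\s*timeout\b.*&&\s*del\b.*&&\s*ren\b',
     "kill, delete and rename-in-place of the loader binary, then relaunch"),
    ("powershell_script_from_temp",
     r'powershell\.exe.*-File\s+"?[^"]*\\AppData\\Local\\Temp\\',
     "execution-policy override plus a script dropped in the user's Temp"),
    ("exe_from_numeric_temp_dir",
     r'\\AppData\\Local\\Temp\\\d{10}\\[^\\"]+\.exe"?\s*$',
     "ten-digit Temp subdirectory naming used for every downloaded payload in this report"),
    ("rundll32_dll_in_roaming",
     r'rundll32\.exe"?\s+"?[^",]*\\AppData\\Roaming\\[^",]*\.dll\s*,',
     "plugin DLL loaded by export name from a Roaming subfolder"),
    ("regasm_no_args",
     r'^"?[^"]*\\RegAsm\.exe"?\s*$',
     "RegAsm needs an assembly argument; a bare launch is a hollowing host"),
    ("service_binary_in_programdata",
     r'sc\.exe\s+create\s.*binpath=\s*"?C:\\ProgramData\\',
     "auto-start service pointing at a binary under ProgramData"),
    ("eventlog_service_stopped",
     r'sc\.exe\s+stop\s+eventlog\b',
     "Windows Event Log service stopped: log tampering"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), why) for name, rx, why in RULES]


def scan(cmdlines):
    """Map rule name -> list of command lines that triggered it."""
    hits = defaultdict(list)
    for cl in cmdlines:
        for name, rx, _ in COMPILED:
            if rx.search(cl):
                hits[name].append(cl)
    return dict(hits)


def unflagged(cmdlines):
    """Command lines no rule fired on, kept visible so misses can be tuned."""
    return [cl for cl in cmdlines if not any(rx.search(cl) for _, rx, _ in COMPILED)]


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_CMDLINES).items():
        why = next(w for n, _, w in COMPILED if n == name)
        print(f"[{name}] {why}")
        for cl in lines:
            print("   ", cl)
    print("not flagged:", unflagged(SAMPLE_CMDLINES))
```

Each rule keys on a structural trait (a rename-in-place chain, a host binary with no argument, a service path outside Program Files) rather than on the file names, which change between builds; the iexplore.exe and WerFault.exe lines are left unflagged on purpose as negative cases.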

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.linkedin.com udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 static.licdn.com udp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 m.facebook.com udp
GB 163.70.147.35:443 m.facebook.com tcp
GB 163.70.147.35:443 m.facebook.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.35:443 facebook.com tcp
GB 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
GB 163.70.147.35:443 fbcdn.net tcp
GB 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
GB 163.70.147.35:443 fbsbx.com tcp
GB 163.70.147.35:443 fbsbx.com tcp
US 15.204.38.209:80 15.204.38.209 tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 platform.linkedin.com udp
US 152.199.22.144:443 platform.linkedin.com tcp
US 152.199.22.144:443 platform.linkedin.com tcp
US 8.8.8.8:53 crls.pki.goog udp
GB 172.217.16.227:80 crls.pki.goog tcp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 45.15.156.209:40481 - tcp
RU 185.215.113.67:26260 - tcp
NL 45.15.156.209:40481 - tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 45.76.89.70:80 pool.hashvault.pro tcp
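
Most of the Network table is noise produced by the iexplore.exe launches in the process list (youtube, linkedin, facebook, accounts.google.com and their CDNs) plus DNS to 8.8.8.8. The entries that matter are the plain-HTTP connections to bare IPs with no name behind them (185.215.113.x, 109.107.182.3, 193.233.132.167, 15.204.38.209, 185.172.128.19), the two non-standard ports logged with no domain at all (45.15.156.209:40481, 185.215.113.67:26260), and the lookup of pool.hashvault.pro followed by a connection to 45.76.89.70:80, which matches the xmrig tag. The following is an added triage example, not from this report and not the sandbox vendor's code: it parses rows in the table's own "Country Destination Domain Proto" layout, tolerating the rows that have no Domain field, buckets each connection, and extracts a block list. The mining-pool keyword heuristic and the bucket names are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the Network table of this report, in its own layout.
# The two non-standard-port rows show both ways a missing domain can appear:
# three fields only, or a "-" placeholder.
SAMPLE_ROWS = """\
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
RU 185.215.113.32:80 185.215.113.32 tcp
NL 45.15.156.209:40481 tcp
RU 185.215.113.67:26260 - tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumption: a keyword heuristic stands in for a curated mining-pool list.
MINING_POOL_MARKERS = ("pool.", "hashvault")


def parse_row(line):
    """Split one report row into fields; tolerate the domain-less variants."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
        if domain == "-":
            domain = ""
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)  # raises if the destination is not a literal address
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """Bucket a connection by what it tells the analyst."""
    if any(marker in row["domain"] for marker in MINING_POOL_MARKERS):
        return "mining_pool"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns_query"
    if row["domain"] in ("", row["ip"]):
        # No name behind the connection: the address is hard-coded in the malware.
        return "bare_ip_http" if row["port"] == 80 else "bare_ip_nonstandard_port"
    return "resolved_domain"


def triage(text):
    """Map bucket -> sorted, de-duplicated list of ip:port destinations."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        buckets[classify(row)].add(f'{row["ip"]}:{row["port"]}')
    return {k: sorted(v) for k, v in buckets.items()}


def extract_indicators(text):
    """Destinations worth blocking: hard-coded IPs and mining-pool names,
    never the resolver or the sites the sandbox browsed to."""
    iocs = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        bucket = classify(row)
        if bucket.startswith("bare_ip"):
            iocs.add(row["ip"])
        elif bucket == "mining_pool":
            iocs.add(row["domain"])
            if row["proto"] == "tcp":
                iocs.add(row["ip"])
    return sorted(iocs)


if __name__ == "__main__":
    for bucket, dests in triage(SAMPLE_ROWS).items():
        print(bucket, dests)
    print("IOCs:", extract_indicators(SAMPLE_ROWS))
```

The bare-IP test is the one that does the work here: a Domain column equal to the destination address means the connection was made without a DNS lookup, which is how a loader with hard-coded C2 addresses looks in this kind of log, while the browser traffic always carries a resolved name.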

Files

memory/2176-0-0x0000000000150000-0x0000000000558000-memory.dmp

memory/2176-1-0x0000000000150000-0x0000000000558000-memory.dmp

memory/2176-3-0x0000000000B00000-0x0000000000B01000-memory.dmp

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 bf7cf2cfacb88b527e232a5fb2556b9c
SHA1 d8cd7688c28bea013219f5b54eeb3fd34a8c7845
SHA256 1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de
SHA512 53c64fa527dc134699cd03c7c29c4b7f969aa2b54e9da99d993601cb0822ea98546f2a9b2f8d77817190cae6940ca37f6c99386a8c48d5d7de64863b78cca8eb

memory/2176-14-0x0000000004C20000-0x0000000005028000-memory.dmp

memory/2176-13-0x0000000000150000-0x0000000000558000-memory.dmp

memory/2820-12-0x0000000000980000-0x0000000000D88000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 eec049d8f950563d7af89d1dd1cd11a8
SHA1 a3a40bac1de9121d4b84930fb04e13a5290177c9
SHA256 605215fdf90d6e9f24c0bcc9c7344b806ccd91e3b371ba816f0e485ebae00f71
SHA512 5b60a8e196c529b43e864cb3abe5a997954b71bb04e40b230b524e2abd7fd809c1959030dd11f1dc98bff2a1231b1a1382e4f61caee156798305f07e70ed9463

memory/2820-17-0x0000000000980000-0x0000000000D88000-memory.dmp

memory/2820-18-0x0000000000980000-0x0000000000D88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 bb549aea2d5bda85420c444d35caaa9f
SHA1 0eed639585177d70472e9b771001fa335244db2a
SHA256 c4a5f684b01da61022349af3fb86ecc9ae4e62fda54d451be65b304296ccb9ea
SHA512 b8286d25564a318e8a91e55302be00ca17b8dd6ef968db58377bb9591b029bfa226dc8eb1994d1160efdc11c19978c95765298bc7189e0655df89c09f332eb5e

\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 c92e04e1e7240eac5a1ed0a3de986c99
SHA1 0ce25bc98ea168cdce6b62df0fdc5e1b7c84e823
SHA256 0ffbc1619b66a1b3d5f69e0f4e1bde71e73cd0f986395be5b3dea4ad615f726f
SHA512 68535fcb04a0890bb9a620c0079c213576e3bf3b5fb5b18836faa7a0a4edfce9ab551a35cedb47943c8bf2bc1e822dd3f168a4ae0341c9ca362a431975e86253

\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 696418d093ddf153a82a95cea60ea460
SHA1 bf9df4e9861fa977b5fe8223e63e526646469328
SHA256 62579311e85474ad4ced79586fdc6bab1464707bef9e8ebe818e080f654729e5
SHA512 8a61cb7b689bb2298092ecdf83ba7193afd9e9327acb2c8d74678bc8f570160df23eaac0a7cdeb755cf63914e790813f94b31f7c46547fa8fff9f801aa9612b2

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 f4a7397247b7533b76ec53eea75b3a37
SHA1 86bef43400694b67c949123796be01acb49e0757
SHA256 fb90e9adfa0032b4d62f2fb4279ddfb2b9fa4e35e157411deda83b04c96d759e
SHA512 b1e70c0a856cd256951a1632ff57bff6a62d2f942d7464aacfb16689ce1a376bb90934536f994747297136b2653d984856fa0abcb04eb9d63f5f48f3371548a3

memory/2820-37-0x00000000049B0000-0x0000000004E78000-memory.dmp

memory/2820-38-0x00000000049B0000-0x0000000004E78000-memory.dmp

memory/2580-39-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2580-49-0x0000000077960000-0x0000000077962000-memory.dmp

memory/2580-50-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2580-51-0x0000000000700000-0x0000000000702000-memory.dmp

memory/2580-52-0x0000000000720000-0x0000000000721000-memory.dmp

memory/2580-53-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2580-55-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2580-60-0x00000000004D0000-0x00000000004D1000-memory.dmp

memory/2580-59-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2580-58-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2580-61-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/2580-57-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2580-56-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/2580-54-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/2580-62-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2820-63-0x0000000000980000-0x0000000000D88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\cbfcbf

MD5 6bd16b3667e22acc7daee2273b9a79c0
SHA1 047b5b40fca71341a0c0440b08c738d3217a12b7
SHA256 5449a73144042449b18e609d36affb9154804579137c6ecde95a7a224d68d4a2
SHA512 b0d7050d3b9fed6bf9494a7f105f06c80774593891ffe14aedad160a9682c37d898882f55c6d6558c72edba27a59a6629c394420dfe815b36bf475ab65ac4811

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 486326ef33d1ceeb8ba07dabb4fc36e8
SHA1 5b4fb6ecee6c5946214d61732dce61c7a3777ce6
SHA256 c15705d2d5ae3c721d13a5c692a384591d32c3d3e31a3badb26c7efcb0f36669
SHA512 9dbb935eee6eab8ec01cbef4d2e7797871ca2ede35e1a6797cfa009902f64fccc467eabc7c9dc75afcec76dbd1a4c79ac481feda45c37007cafaba117ce7cfe6

memory/3040-68-0x0000000001FA0000-0x0000000002468000-memory.dmp

memory/1100-69-0x0000000000EC0000-0x0000000001388000-memory.dmp

memory/3040-70-0x0000000001FA0000-0x0000000002468000-memory.dmp

memory/1100-71-0x0000000000EC0000-0x0000000001388000-memory.dmp

memory/1100-73-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/1100-74-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/1100-72-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

memory/1100-75-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/1100-76-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1100-77-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/1100-78-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/1100-79-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/1100-80-0x0000000002790000-0x0000000002791000-memory.dmp

memory/1100-81-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/1100-82-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/1100-84-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/1100-85-0x0000000002830000-0x0000000002831000-memory.dmp

memory/1100-86-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1100-87-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/1100-91-0x0000000000EC0000-0x0000000001388000-memory.dmp

memory/1536-93-0x0000000001030000-0x00000000014F8000-memory.dmp

memory/1536-94-0x0000000001030000-0x00000000014F8000-memory.dmp

memory/1536-95-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/1536-96-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/1536-97-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/1536-98-0x0000000000D00000-0x0000000000D01000-memory.dmp

memory/1536-99-0x0000000000430000-0x0000000000431000-memory.dmp

memory/1536-100-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/1536-101-0x0000000000590000-0x0000000000591000-memory.dmp

memory/1536-102-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/1536-103-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/1536-104-0x0000000000450000-0x0000000000451000-memory.dmp

memory/1536-105-0x00000000004B0000-0x00000000004B1000-memory.dmp

C:\Windows\Tasks\explorgu.job

MD5 ce2d195e363179ae284c8282a649a555
SHA1 e35defa7900edf5ebd35b2e2bb494ba2dc78a809
SHA256 a617c7a12f27fa9cfb8a70cdeb5ba72174bc3432b60900a8e67e4981112d0ee4
SHA512 af973f7df72a8c96f7f4d515914bb129c097bceb5e86e9f2e8fb1b620e82818110895fb88868b1090a38d858720190096963da73f3d1f469ea8e101931d5e3e7

memory/1536-108-0x0000000000E60000-0x0000000000E61000-memory.dmp

memory/1536-107-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/1536-113-0x0000000001030000-0x00000000014F8000-memory.dmp

memory/1996-115-0x00000000008D0000-0x0000000000D98000-memory.dmp

memory/1996-116-0x00000000008D0000-0x0000000000D98000-memory.dmp

memory/1996-118-0x0000000000760000-0x0000000000761000-memory.dmp

memory/1996-117-0x0000000000740000-0x0000000000741000-memory.dmp

memory/1996-119-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/1996-122-0x0000000000490000-0x0000000000491000-memory.dmp

memory/1996-123-0x0000000000500000-0x0000000000501000-memory.dmp

memory/1996-121-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1996-120-0x00000000008B0000-0x00000000008B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1

MD5 d769ca0816a72bacb8b3205b4c652b4b
SHA1 4072df351635eb621feb19cc0f47f2953d761c59
SHA256 f4cc3a4606856fd811ecbcdf3fc89fa6418a1b3c8f56ca7ff5717713e8f806a2
SHA512 cf13fd667e71707d63d394391b508f5a1ee5ffa7ac27fe35906e15059e9fccc8ad61e91ce3ffd537e8daa0f6306d130997e9b448a4466407fa0c894917850b64

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 36a030da0f2d35756bd8e4f4721c0c6f
SHA1 f3481e948677adaa1bd0d961c470e7963df1c3c5
SHA256 43ae1b8b0bbfc9bdfbbf7b5c67b1763808d045b9718cb412479deb1a7a812dd8
SHA512 b50b74516e7da90f815454c70a254b469382be680c9c6cd5bd9559082cedd0e15533a965effd3ea29ba932c854771b9ff6b54fa8f1c462874a8ca06f2f029fd2

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4665371-C691-11EE-BCDB-CE253106968E}.dat

MD5 3e6d4d03914953d15c93931ee59927ab
SHA1 000b467033f19f4f49fc3c76305aa0c13ab4eaf9
SHA256 66109483244d6a6da38f7069d1edbb7a9a4449d3602f677291c15d17ac2f8eae
SHA512 ce444e1f18905bd6a7d4f811ae6a4e85463dabdae9cd79ca7afdac6ab018340462b0a095bfe4a1fe79d7cf5b619b55b07765feea23a67185e707ec91800393c2

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C45CCDF1-C691-11EE-BCDB-CE253106968E}.dat

MD5 60898c63a2572b65b2508e1c4e988526
SHA1 422645cfdc7ba76951ccf50e9009a03b674f8a72
SHA256 08d8be18d08b9ccd32d87fc073704e86e285d2b499cf37491eee0b29363864ef
SHA512 713c55b3eca1ca5c0d218db54287a53b91cd4b48f8578e1ad43d157e061032a0d4ca68027c568fe6a3341932d5c5a899232d8fd08ecf0ecc927f65ac29398eec

C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe

MD5 affe557410a0e9641bdf9de3fe6b8c15
SHA1 96fcc44d403384403eaecabc8c563e8224eced8f
SHA256 a48bb7b52b58d98adc570a94428c9ad5bb84e4d64303c59fe97e5f1194537799
SHA512 d78a9a42a0395946cfa618acad93f5d82bb6d4ae0a7dba5290b1762169472b0197847d70e53e940a32cb4dc4956579317b1ca28c2da1f6f04a7e550c2d7566b7

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C45CCDF1-C691-11EE-BCDB-CE253106968E}.dat

MD5 9a8ee08c05b669c5e4af87a6f4b960da
SHA1 e2f79621a105b9a594a2438501cd64dbe1e6fca1
SHA256 7564101c67c720cee4c5ff6ca2f40afa7cf0c0fbc8d1f340fdd0301971d2b905
SHA512 6898041901b52cc3c4f808cd27fade0d0a1815ef8d81cd0faec5961d90455cc1834e3edfaaa2b1397f32614167f13f080480425ee0931c4b260b21264145d525

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4854551-C691-11EE-BCDB-CE253106968E}.dat

MD5 8c7edba750a4d7ede6a6d293220e8d2d
SHA1 430e3fa4bcb5f71721f957993f1e1d68ef81d510
SHA256 6e120f8f8fcf8fefabe60c5067c76649aa35856fa40ca04bcc62c54d6a61bf12
SHA512 bff0da6e37fd3130ad3e4d0a584366f770233b7a931ffdc585f11790fa7fcf9e7e3785f6ea13d5e11435495bc4c2d788b7deeed129ce503b0c7826747148e611

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4da0e054cf3fc7bad188ad2a2649d0c9
SHA1 4f529958199dfd72833abee7e2774989bc4c2fe0
SHA256 db58546c5cb5ec72284a0c0f54dc355ab0ed9083453273a3a6cd5da7c19d66ec
SHA512 e666badd195fb92709be0c5c7c2a4b2672cedf0bc9aa08dd4982f3b59b0ab38e53124d76f366425be7d8f0d590c14d039b4024af93ac5311c0b1601d105c9572

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 73842dbd8033c3f38bbf73f0a3e2ea6d
SHA1 1ed88268cdb9c9f44c8d1e11da667adcebd2434f
SHA256 aa7f39120640bebfe3221538dc935a36ff1ea48a4bac8c280fe5af067f3c4d10
SHA512 1e2ad48a3e1a3d784b43ecb9731c6e7061fffaf52b8018ec577291acb44e5974397891351b0415879525acfff578c38f7a8ef73461fb00da4b6d842ce4abded7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 5fb64943c60f4e2cae4dee3a04ecfda0
SHA1 9b88f1128572f61ed0ed5fc2d11b83bdfd6aa4e6
SHA256 178f9bf88694ff5e79dd05c519ea00cc3ff09c59695d55773b7c07b887bed059
SHA512 c92b906069a1002f2ca13f962159bf7b6db7523c5a7d5ff44a4d87ee7cdf416672af78a81f35886b3c8e2699e148ed0e2fdf5e50bea7cbfc6e6965751ece92d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c1db6632e458109b86c94e7eb071fa2
SHA1 109791193340af8587073b0914d501ed46937188
SHA256 697a4d2d254e2e5252328a8e9ed77e15224a43979dd8809aefe7905c7c84d33e
SHA512 68cd783e8c28c05850eb4b4d7eb56881b752e3bb83788d1f0a9ac5f0f96e9667c0f98c77c9bb86506100de7c280010e1c16ee6815888beb09fcbb383ba4b0ca9

C:\Users\Admin\AppData\Local\Temp\Cab35C2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar35E1.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cad72d59c155aead20ed1b32e38f5fa
SHA1 9ef747b21900961b1798b4ef68c22a4f9c125f66
SHA256 c719808fef976b66483b13af1654b4d328e9389c609b3ab53feb46b9457cd466
SHA512 b181efb88b608c7f756f41a03802605d6617d59f8244006c5b7dff8583172ca428f97e2e30ebb265791611e18012aba60860c62ec86e408e5601cf868fc0e90d

C:\Users\Admin\AppData\Local\Temp\1000109001\for.exe

MD5 8c281571c5fdaf40aa847d90e5a81075
SHA1 041fa6e79e9027350c1f241375687de7f8cba367
SHA256 0182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409
SHA512 b0e481681b02e4cc4f95deff2fa21354f94ad34e6611d97de3a127ae285038164df724f3db27bbf03caa217c3d8dabf77bfdadeaf9af8a1915edacbd35c1c862

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2fc4ac3c1f74c5fde913eeb8be3b5ba
SHA1 117757551054d70c63b1d8b0d0854af0723f2b23
SHA256 cff7747adfe9948930df321c858e4ae001e12c9df321e1cc37c3fac2340d76fd
SHA512 6162e9994d54e750d45acdde974e29dce77aff879dde9997b92b65f702fbf89ea372d1ac4c6655736720f6e6dea57e592dc792d7a4455f497017be30d0d32fc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8def86cca98a13cbb62f14c4002af13d
SHA1 796d0132e797911fbdb11451f0bafbdab1d8ec2f
SHA256 d8e1847cee58584e34d38a808ae4abe94541718bf3fd10674bd03138f7b524a4
SHA512 8260144cdfd91587ab6cda8db2ee85cf7f9db3c9e521a432164fa1c5501ecc1475b5efa21c07785746c742d82d3ec2800bfc159f149eb7a69d5515f2642bdb0d

C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_DDCF8A1BB8132E191B1D87188F0E5FF4

MD5 cad81fad2ab96418942ccf7a83132c26
SHA1 c97d85bfdc74d42801b06f07cb49abe262d2f549
SHA256 343a22ce1c80b7675588c481445158ef298b35eba0c69ad47ef95ef77fbe9969
SHA512 a50c96f39626de958c7216425f52293cdd0af6635044346445d26e1f4e4985aa83c4f31f83e447ec9bc388c254755cfec083e71bfd28c4a04bbd70a82007a717

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_DDCF8A1BB8132E191B1D87188F0E5FF4

MD5 601355e84d09ae5e2f302ac8ce943d27
SHA1 785e4ee1cb461788b2fccf07189ae1a402678742
SHA256 aad4e3c85a783acccfee383050ef4a34e2830fe27d75bfb0bb53724ae7ecd683
SHA512 391d9d32305d6e9995272935aa213a1bb89bf4993061b1298dfb850181bc45a4c4ad32a67976c94ebdb716b5cdfdd6d73b496d4faa12a252ca4e96f5c37b4f0a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\favicon[2].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wz5r4lq\imagestore.dat

MD5 7189ff7929585567c5f54d3068a44eff
SHA1 c2df775e2458d01a99f400ae519086ce7ed2bc25
SHA256 7a3751f738126b8496b850b82594106cf8f55dcffe624633d6da02a49f8c2fd1
SHA512 46707638f29864beaa47d81f5964ac4da8cdab5dd5dfe27fa3a9de2af53733e56e42ae56117d70be2b25b80c16c6cfca3bd49a380dd5ae6cb95d5d223a951130

C:\Users\Admin\AppData\Local\Temp\1000134001\dota.exe

MD5 edba1bd232a5f59e29bc3ee435a73e3d
SHA1 4733d2e159ec9d280616597b4e7e277b27192ac0
SHA256 c57adcf2224d5e191404f79fd94cf1d8824027700005cd59110f6769b1c36363
SHA512 7d3239c9a8490bf805fca65ed300481bb59850f0f6dc0840d55e886a60a7143c71d85c3c4b9ace3be3d5692e1d0631418e94013802c25975631bce8bd22a5ff0

C:\Users\Admin\AppData\Local\Temp\1000136001\File300un.exe

MD5 739030881c5314d72c7af19cc86a46f0
SHA1 b3f747902722a5200397bf41c5c1eabc4bf13068
SHA256 0266692ff90d1166e43a2fcc6d6648b9c5f9c74b8d7d93c03669dac57bec6507
SHA512 faa3f026303ab7753361a5cb562163ea8664de991261560405698832e4c443065efbbd870f2772bfb5b3dc36016ee3b0f3193c4289763496a03d38db4f9164d9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

C:\Users\Admin\AppData\Local\Temp\1000137001\daissss.exe

MD5 10a331a12ca40f3293dfadfcecb8d071
SHA1 ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256 b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA512 1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399

C:\Users\Admin\AppData\Local\Temp\1000138001\lumma123142124.exe

MD5 6159153a88b6eb2fa5d3dbfedc21facf
SHA1 2a010931a79a296b7327bb7cbe7a9e69dee04838
SHA256 480842e5fae90a213c67350e8fc89ba24837ab7b1f9acccc6cde115cba71075d
SHA512 da84813b7f24560cb5df7e085b69cf889f4229b4da2ce276814ecc9cf4c1e350f206537937c407f9406d8f3a87db2c4272484522a80e7ed2fc02f3f677dbe8f0

\Users\Admin\AppData\Local\Temp\1000138001\lumma123142124.exe

MD5 cad41f50c144c92747eee506f5c69a05
SHA1 f08fd5ec92fd22ba613776199182b3b1edb4f7b2
SHA256 1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6
SHA512 64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SP6DRJYJ\gB76kJXPYJV[1].png

MD5 389dfa18be34d8cf767e06fd5cde4ec6
SHA1 47b751cffab47d076816c63ce08d3e84600376ee
SHA256 3c45ce612f41b1e7936e7cf5b235047344fd3146d1630e342f186d1d1e8e00d5
SHA512 c4db18f636ad85e87f93a208fb4b02b528659ba367e51cfa6d7826ac1159f445a85fbca8d12ac67556e8fb5208dae24ae309e783d50feb088ef0e9f47ac19430

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ed979f45cd0be5d7923ec4e17f415e2
SHA1 ba5217764f7f013ebfad6166ba609c31e0b2abd6
SHA256 4de1b32451b9c4ba6f4ec5caf283762d057cef159b939129501610b4c6a5e52f
SHA512 90e9fbf66237451a600aa80469122d423ed900d2d50860627bed9bca041ef99a1f4d5571c87c71be8067f7b0a4477ccae27ffcd53da9bad14a652b9ae199195f

C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe

MD5 31201661705a0c56f6729c6e6d35e606
SHA1 e38f271969466be95da5426aa8623a92788280b6
SHA256 5ae4f2c36e99b04682836acf3a5255e0d1429bb36c1483c73b8e35515c5fde8d
SHA512 f42d7508e1ff2edf28e6f4904ee8797921eadcef063f08db2d21442a5cdb9283cbf1d1223cacb4e0ecfd91daf6893d1bc6a1e85b1a0be0f0678cc6c28869f8a5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wz5r4lq\imagestore.dat

MD5 d5fcb2f1b37fe56d80bb03906756519a
SHA1 fbe94d54f4df4379aa10f3710a2ec8c8cd997a67
SHA256 e53f85c07cf9b10ef8a4f58f45fdbe5343b3635072c26b9e8dff404427b6b441
SHA512 c3c7d796caad3079e32159668419cdef7dd534bd7ea2abaf14a2db91a84ece8997cdd537f44def103d327b25638a591cfbaf5c8659a070682e1d4c46a6e6cbc1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E324WJ9A\3m4lyvbs6efg8pyhv7kupo6dh[1].ico

MD5 3d0e5c05903cec0bc8e3fe0cda552745
SHA1 1b513503c65572f0787a14cc71018bd34f11b661
SHA256 42a498dc5f62d81801f8e753fc9a50af5bc1aabda8ab8b2960dce48211d7c023
SHA512 3d95663ac130116961f53cdca380ffc34e4814c52f801df59629ec999db79661b1d1f8b2e35d90f1a5f68ce22cc07e03f8069bd6e593c7614f7a8b0b0c09fa9e

memory/2732-749-0x0000000000400000-0x0000000000592000-memory.dmp

memory/2824-750-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000140001\new.exe

MD5 dd92c027afedec37fa7c465374fa6c20
SHA1 14ee6246cd0ba776d49b20f62cd710387159d87a
SHA256 45b285d33204dd7762dedd169b2137817e2780acb7f40bc3bd47921e95b3f3bf
SHA512 2615726317156d628c3bcf5bb6e998074519817997704067c4df74e960fdba34c1260113ecf1e40ad4433957b137ac10c259bef6406a52e6191760b9b62fe87a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 550870b5db620082bd7c85c6f9bedff3
SHA1 355bb1f98fbd457f33d3c1f75e86fa46428ce0e7
SHA256 b2799597af1311cca0646bfcb72903e9e445080ff1feec566a750c0d1b3873cc
SHA512 0fc1541d98fcd09a62dedd76face897172fe2e917bc0d8bf7bc0fe8dbf1447692ec7ef9eee8a34e19f0bd780ec7ab17e41da9aecb28469424a150ed2c977d61c

memory/2732-785-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000141001\newfilelunacy.exe

MD5 c1982b0fb28f525d86557b71a6f81591
SHA1 e47df5873305fbcdb21097936711442921cd2c3b
SHA256 3bab5e1befbdc895d9e36e76cb9a40e59de61a34109c36ed26d7dedcd5db3080
SHA512 46dcabbfb57b3665faa76bc6f58b6f252934788acabbf2ba75263d42cac8c013f6feb5992a7043123842a609bdd1b3084f2f0c8b192c2b219b87274d29f8c432

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d41d10dff5d22eb4bdb77d1c838359ff
SHA1 d30a5b70f11fbc153cde618c01fcfa7033b035a1
SHA256 efdec8a5872c07d37677577eb511768d3a0ff0677765636e2bbf8456c6d21b0e
SHA512 8e35f6a59bf0f922be25b1345761215a4a1018a4a3f92e94e1e0839745f7ade0c94d02a8c3a88b2fd68d83e371ab26b181b34fd888de46d70c591bf2a339fd1d

C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe

MD5 f733785f9d088490b784d4dc5584ebfb
SHA1 6c073d4208fee7cc88a235a3759b586889b91adf
SHA256 e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59
SHA512 43589b18333b0edcd6e300577f86de685058df5533bcbfdd3e30497aa76176008125fbd28deecaca5e6132c42cc5c0a583c34497f40dbe4ea577333eaebab899

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 531590c64158e03ffd3239b1ed7a98ee
SHA1 7f2e7c6336ab0a395585b609f5ad8188c47d1e58
SHA256 cdd2501775d6c842defe96eae23a0ebf7f94eae82569e2cb2ce5ce13c167e335
SHA512 4508d0d832ef4a755bee4fa5f0c1b4eb387b1c14b769fcec090f770dcb19484992c831ab4c2f10125d86d5f44b7dade0e5df8ee579c747a33fc2b66820c9084a

memory/2732-873-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc17c6f95b5c5f96d7570df609d558a5
SHA1 aeabb797fd899ad521bb5c62baa5cf930a576490
SHA256 0bf21023146453418a86137af83746375994f467f8f0ced4e862739c30ec8ae7
SHA512 3f36b24806b175b4a30bdd1a17a7fb27e34afebd6f23f60321c194277366813e7797bf2dec00575002f75a5cc7787e8f64c1282bf7f4cdf4acb93b9df89b2f30

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\GGDF5YOT\accounts.google[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

memory/2820-923-0x0000000001070000-0x0000000001538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000143001\dayroc.exe

MD5 839ac1c1d2abd7dd2178e9e364a282ec
SHA1 e641cc6d982f11ccf20f19f873c1a4e0e5db7038
SHA256 f23c969449dc17a4b7c0e2e261768f496baa26625baf5f1fb97a306aa7a3d760
SHA512 986cb4c55ae8370e718ea3fbde74179f2e88d91fd7d3bc5ac250dcfa767afe2aec4a756eeab25c8772c79d8033ecd4c083d3f792ca2648d11e728914cb798b60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c6eca5860909d527605fd4d9392020a
SHA1 e64e0f6f19c925351d6dcfb9ad0c350b2cc8f7d7
SHA256 cbf9c2af934818395aaf60e25c686f27370fca62858694d3cabfbc59193e2613
SHA512 357f7fe13f5afe70a2162faa6887d54a1be618817cf4cb05a0968cd111361702980042b952fd6569b7b171c03ef304e0079775951827684d42610329ecdc3307

C:\Users\Admin\AppData\Local\Temp\1000144001\mrk1234.exe

MD5 bf2a3e48b0ea897e1cb01f8e2d37a995
SHA1 4e7cd01f8126099d550e126ff1c44b9f60f79b70
SHA256 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3
SHA512 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47eac2d2ce5263ed1f254e8062978b03
SHA1 ef9f42a1f0c3b4a8c06d85e75b035040b276f95f
SHA256 f1691de11f86c5af05130a484182efbfc2703da99578b2c5be90c33369088e7e
SHA512 94595cf4c8fb445005c6654d6db73ccabbc575a68ca7db7a2408aacaad6fee1bacb96bf5e1aa1f7e3cf9cf42f35288ef7c85bf275f6dc660e9589dce1d6a4d35

C:\Users\Admin\AppData\Local\Temp\1000145001\Goldprime.exe

MD5 7e9e39a623a04307eb499ff6617b9746
SHA1 8d96a7b6464765f32a86e9103955ec74b9b87da9
SHA256 88cb62dfdf42ef1b6c083b8c25df0a383476a274ae1e1f0043585d4bdfd1217a
SHA512 bae1719b17d910ae001e0e81f9b5af535d844243ff9974da4794e73e73db115f46cc6d9053cedd4dab1b04416ec444774490cbab9b5dac8310aad43fde7c32a1

memory/4060-1133-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4060-1134-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2732-1135-0x0000000000400000-0x0000000000592000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-08 14:52

Reported 2024-02-08 14:54

Platform win10v2004-20231215-en

Max time kernel 148s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amert.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000958001\\amert.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1472 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4884 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4884 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4884 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4884 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 4884 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 4884 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 4884 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1236 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1236 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1236 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1236 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1236 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1236 wrote to memory of 3364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1236 wrote to memory of 3364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1236 wrote to memory of 3364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 3364 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 3364 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 3364 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 2256 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4704 wrote to memory of 4832 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 4704 wrote to memory of 4832 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 4832 wrote to memory of 3900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 4832 wrote to memory of 3900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 4832 wrote to memory of 5012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4832 wrote to memory of 5012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2256 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe

"C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "explorhe.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\683043812824_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
RU | 185.215.113.68:80 | 185.215.113.68 | tcp
FI | 109.107.182.3:80 | 109.107.182.3 | tcp
US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.182.107.109.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp

Files

memory/1472-0-0x0000000000950000-0x0000000000D58000-memory.dmp

memory/1472-1-0x0000000000950000-0x0000000000D58000-memory.dmp

memory/1472-2-0x0000000000950000-0x0000000000D58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 bf7cf2cfacb88b527e232a5fb2556b9c
SHA1 d8cd7688c28bea013219f5b54eeb3fd34a8c7845
SHA256 1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de
SHA512 53c64fa527dc134699cd03c7c29c4b7f969aa2b54e9da99d993601cb0822ea98546f2a9b2f8d77817190cae6940ca37f6c99386a8c48d5d7de64863b78cca8eb

memory/4884-14-0x0000000000F40000-0x0000000001348000-memory.dmp

memory/4884-15-0x0000000000F40000-0x0000000001348000-memory.dmp

memory/1472-16-0x0000000000950000-0x0000000000D58000-memory.dmp

memory/4884-17-0x0000000000F40000-0x0000000001348000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 eec049d8f950563d7af89d1dd1cd11a8
SHA1 a3a40bac1de9121d4b84930fb04e13a5290177c9
SHA256 605215fdf90d6e9f24c0bcc9c7344b806ccd91e3b371ba816f0e485ebae00f71
SHA512 5b60a8e196c529b43e864cb3abe5a997954b71bb04e40b230b524e2abd7fd809c1959030dd11f1dc98bff2a1231b1a1382e4f61caee156798305f07e70ed9463

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 bb549aea2d5bda85420c444d35caaa9f
SHA1 0eed639585177d70472e9b771001fa335244db2a
SHA256 c4a5f684b01da61022349af3fb86ecc9ae4e62fda54d451be65b304296ccb9ea
SHA512 b8286d25564a318e8a91e55302be00ca17b8dd6ef968db58377bb9591b029bfa226dc8eb1994d1160efdc11c19978c95765298bc7189e0655df89c09f332eb5e

C:\Windows\Tasks\explorgu.job

MD5 eb56f4c906829c8de1f5ec5c35c71739
SHA1 f51290b811d70c52e3d164fb55442a4a746b8c98
SHA256 66f5c7c6e266be07dd5df23736014778038bf4aadf9ee2ad15a5c82b25f4f335
SHA512 8d5bb60b7172bf8c090763c877f7e2a8e86e1f1101c1028355e5294e55bf394526d1274e636155f349ea82fc84c4b71ef7a15c4b6adfe0304eb52632fe59b3de

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dwavl35.pvp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
