Analysis Overview
SHA256
1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de
Threat Level: Known bad
The file 1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
xmrig
RedLine payload
Detected google phishing page
Amadey
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Creates new service(s)
Blocklisted process makes network request
Stops running service(s)
Reads local data of messenger clients
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Adds Run key to start application
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-08 14:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-08 14:52
Reported
2024-02-08 14:54
Platform
win7-20231215-en
Max time kernel
63s
Max time network
150s
Command Line
Signatures
Amadey
Detected google phishing page
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\amert.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000958001\\amert.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\fu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000031001\\fu.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ladas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000032001\\ladas.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000144001\mrk1234.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C45CCDF1-C691-11EE-BCDB-CE253106968E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C4854551-C691-11EE-BCDB-CE253106968E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C463F211-C691-11EE-BCDB-CE253106968E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe
"C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "explorhe.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {E735C0A0-BB93-40D5-A503-15527D5219D7} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"
C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
"C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:340993 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:406529 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe
"C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe"
C:\Users\Admin\AppData\Local\Temp\1000109001\for.exe
"C:\Users\Admin\AppData\Local\Temp\1000109001\for.exe"
C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000134001\dota.exe
"C:\Users\Admin\AppData\Local\Temp\1000134001\dota.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000136001\File300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000136001\File300un.exe"
C:\Users\Admin\AppData\Local\Temp\1000138001\lumma123142124.exe
"C:\Users\Admin\AppData\Local\Temp\1000138001\lumma123142124.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000140001\new.exe
"C:\Users\Admin\AppData\Local\Temp\1000140001\new.exe"
C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000139001\redline1234.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\RDX.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000143001\dayroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000143001\dayroc.exe"
C:\Users\Admin\AppData\Local\Temp\1000144001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000144001\mrk1234.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 596
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.linkedin.com | udp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| US | 13.107.42.14:443 | www.linkedin.com | tcp |
| US | 13.107.42.14:443 | www.linkedin.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | static.licdn.com | udp |
| FR | 152.199.21.118:443 | static.licdn.com | tcp |
| FR | 152.199.21.118:443 | static.licdn.com | tcp |
| FR | 152.199.21.118:443 | static.licdn.com | tcp |
| FR | 152.199.21.118:443 | static.licdn.com | tcp |
| FR | 152.199.21.118:443 | static.licdn.com | tcp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| FR | 152.199.21.118:443 | static.licdn.com | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | m.facebook.com | udp |
| GB | 163.70.147.35:443 | m.facebook.com | tcp |
| GB | 163.70.147.35:443 | m.facebook.com | tcp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | facebook.com | udp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.35:443 | facebook.com | tcp |
| GB | 163.70.147.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| GB | 163.70.147.35:443 | fbcdn.net | tcp |
| GB | 163.70.147.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| GB | 163.70.147.35:443 | fbsbx.com | tcp |
| GB | 163.70.147.35:443 | fbsbx.com | tcp |
| US | 15.204.38.209:80 | 15.204.38.209 | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| GB | 163.70.147.23:443 | scontent.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | platform.linkedin.com | udp |
| US | 152.199.22.144:443 | platform.linkedin.com | tcp |
| US | 152.199.22.144:443 | platform.linkedin.com | tcp |
| US | 8.8.8.8:53 | crls.pki.goog | udp |
| GB | 172.217.16.227:80 | crls.pki.goog | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| NL | 45.15.156.209:40481 | tcp | |
| RU | 185.215.113.67:26260 | tcp | |
| NL | 45.15.156.209:40481 | tcp | |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-08 14:52
Reported
2024-02-08 14:54
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amert.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000958001\\amert.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe
"C:\Users\Admin\AppData\Local\Temp\1afc28ea1bc0fea812e0dc6fb291cf8d872d9bd94cf6b11cdac7c950ffa1c4de.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "explorhe.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\683043812824_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
\??\c:\users\admin\appdata\local\temp\F59E91F8
C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
C:\Windows\Tasks\explorgu.job
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dwavl35.pvp.ps1
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll