Malware Analysis Report

2025-08-11 01:12

Sample ID 240324-xyr7bsab9y
Target 34468074c946943518ab33be24c01ef9.bin.exe
SHA256 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
Tags
amadey redline logsdiller cloud (telegram: @logsdillabot) discovery infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99

Threat Level: Known bad

The file 34468074c946943518ab33be24c01ef9.bin.exe was found to be: Known bad.

Malicious Activity Summary

amadey redline logsdiller cloud (telegram: @logsdillabot) discovery infostealer spyware stealer trojan

RedLine

RedLine payload

Amadey

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 19:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 19:16

Reported

2024-03-24 19:18

Platform

win7-20240221-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\1000071002\nativecrypt6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00380037004100430035004600380031002d0030003800390033002d0034003800340030002d0039004600320044002d003100440035004300330037004400420043003700340046007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\1000071002\nativecrypt6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (same Blob value as the entry above) C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 2556 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 2556 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 2556 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 2556 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 2556 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 2556 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 2556 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1440 wrote to memory of 1560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1440 wrote to memory of 1560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1440 wrote to memory of 1560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1560 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1560 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1560 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1560 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe

"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\1000071002\nativecrypt6.exe

"C:\Users\Admin\1000071002\nativecrypt6.exe"

C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe

"C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\658372521424_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
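The WriteProcessMemory rows and the Processes list above describe one chain: the sample drops a copy of itself as %TEMP%\154561dcbf\Dctooux.exe (the first Files entry for that path carries the sample's own hashes), the copy launches the two nativecrypt6.exe payloads and then rundll32.exe with the plug-ins cred64.dll and clip64.dll from AppData\Roaming, and the cred64.dll host in turn runs netsh wlan show profiles and a PowerShell Compress-Archive into %TEMP%. The Python 3 script that follows is an added example, not part of the sandbox report: it rebuilds that parent/child tree from the report's own rows (the repeated rows collapse to one edge each) and runs three parent/child plus command-line rules over it that a detection engineer would lift from this chain. The report prints command lines without PIDs, so pairing them with PIDs in the report's print order is an assumption of this example, as are the rule names and messages.

```python
"""Rebuild the behavioral1 process tree from the report's WriteProcessMemory rows and flag the rundll32 chain."""
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows copied from the report (the report repeats rows; build_tree dedupes)
WPM_ROWS = r"""
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2556 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 2556 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 2556 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1560 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1560 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
"""

# Command lines from the Processes section. The report prints them without PIDs; pairing them with the PIDs
# above in print order is an assumption of this example.
CMDLINES = {
    2972: r'"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"',
    2556: r'"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"',
    2844: r'"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"',
    2444: r'"C:\Users\Admin\1000071002\nativecrypt6.exe"',
    2796: r'"C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe"',
    1440: r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main',
    1560: r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main',
    1688: "netsh wlan show profiles",
    2116: r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
          r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\658372521424_Desktop.zip' -CompressionLevel Optimal",
    956: r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main',
}

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def build_tree(rows):
    """Return ({pid: image_path}, {parent_pid: [child_pids]}); repeated rows for one edge collapse to one."""
    image, children, seen = {}, defaultdict(list), set()
    for m in ROW.finditer(rows):
        parent, child = int(m[1]), int(m[2])
        image.setdefault(parent, m[3])
        image.setdefault(child, m[4])
        if (parent, child) not in seen:
            seen.add((parent, child))
            children[parent].append(child)
    return image, children

def roots(image, children):
    """PIDs that never appear as a child: the top of each tree."""
    all_children = {c for kids in children.values() for c in kids}
    return [pid for pid in image if pid not in all_children]

def render(pid, image, children, depth=0):
    """Indented one-line-per-process view, like a Procmon/Sysmon process tree."""
    lines = ["  " * depth + "%s (%d)" % (basename(image[pid]), pid)]
    for child in children.get(pid, []):
        lines += render(child, image, children, depth + 1)
    return lines

def hunt(image, children, cmdlines):
    """Parent/child + command-line rules lifted from this chain. Returns [(pid, finding)]."""
    findings = []
    for parent, kids in children.items():
        for pid in kids:
            child, cmd = basename(image[pid]).lower(), cmdlines.get(pid, "")
            if child == "rundll32.exe":
                dll = re.match(r'"[^"]*"\s+(\S+?),', cmd)        # rundll32 <dll>,<export>: take the DLL path
                if dll and not dll[1].lower().startswith("c:\\windows\\"):
                    findings.append((pid, "rundll32 loading a DLL from a user-writable path: " + dll[1]))
            if basename(image[parent]).lower() == "rundll32.exe":
                if child == "netsh.exe" and "wlan show profiles" in cmd:
                    findings.append((pid, "rundll32 -> netsh dumping saved Wi-Fi profiles"))
                if child == "powershell.exe" and "compress-archive" in cmd.lower() and "\\appdata\\local\\temp\\" in cmd.lower():
                    findings.append((pid, "rundll32 -> powershell staging an archive in %TEMP% for exfiltration"))
    return findings

if __name__ == "__main__":
    image, children = build_tree(WPM_ROWS)
    for root in roots(image, children):
        print("\n".join(render(root, image, children)))
    for pid, why in hunt(image, children, CMDLINES):
        print("[!] PID %d: %s" % (pid, why))
```

The three rules map directly onto ATT&CK for the report's empty matrix section: rundll32 with a DLL outside the Windows directory is Signed Binary Proxy Execution: Rundll32 (T1218.011), netsh wlan show profiles is Wi-Fi Discovery (T1016.002), and Compress-Archive into %TEMP% is Archive Collected Data: Archive via Utility (T1560.001). The same rules port to Sysmon event ID 1 or EDR process-creation telemetry by swapping the WPM_ROWS parser for the real ParentProcessId/Image/CommandLine fields.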

Network

Country  Destination       Domain             Proto
US       8.8.8.8:53        topgamecheats.dev  udp
BG       93.123.39.96:80   topgamecheats.dev  tcp
BG       93.123.39.96:80   topgamecheats.dev  tcp
BG       93.123.39.96:80   topgamecheats.dev  tcp
RU       5.42.65.68:29093  -                  tcp
RU       5.42.65.68:29093  -                  tcp
BG       93.123.39.96:80   topgamecheats.dev  tcp
BG       93.123.39.96:80   topgamecheats.dev  tcp
BG       93.123.39.96:80   topgamecheats.dev  tcp

One row per connection; "-" marks a direct-to-IP connection with no associated DNS name.

Files

memory/2972-1-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2972-2-0x0000000000B20000-0x0000000000B8F000-memory.dmp

memory/2972-3-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/2972-5-0x0000000002490000-0x0000000002491000-memory.dmp

\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 34468074c946943518ab33be24c01ef9
SHA1 742cf7ff13dcab6a99b372dc99f362f45be3d69c
SHA256 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
SHA512 b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b

memory/2972-17-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/2556-20-0x0000000000C70000-0x0000000000D70000-memory.dmp

memory/2972-19-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2556-21-0x0000000000400000-0x0000000000B17000-memory.dmp

\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 5cab432821c94450adf1b2314cd42092
SHA1 84cd4da52c31664244d87601624415cb8642d088
SHA256 bd584435de36eb1f093953e99307736e7793772296f026d06b00627cb0323095
SHA512 172d11aab49f8185c91f06dc704da84331aede0bcad388b9d34f1fe9b0e04bcf8a044c88d9c27e9ac335f2743ee22958be477bb3ed34e02a6d32fb27c32f5450

C:\Users\Admin\1000071002\nativecrypt6.exe

MD5 ef4b0d33ed0eb8ec64c7073ea8409cad
SHA1 b3c1b0b7e282a26bcc4ddb84cfac0437e3cff209
SHA256 37c593afa2791249363f27cb2818fe560338c9abdfb2b270b26a88696a87c3e9
SHA512 21076c222c0ee27ad88b682639bc82d8be50a0d369a5eec7a66023b0a8ced6cc9348b5b6cc7794c22269adc9b9faa38503276ba4b2d7e922beb1ce0e575a6228

C:\Users\Admin\AppData\Local\Temp\658372521424

MD5 cc0e6473b2d9f62575bf6c26bf67acf6
SHA1 9a97c7cb4ccc16e78defea8398546f2d4bd40ec1
SHA256 6adb22b6c7c1af88b6246ade10ad7d351f809a8db3a42ec68d8046e3fb02c4be
SHA512 5db5194bd60edfa903db04a8f928fa100ccce299a5025e6bb71f4053b60d47af0a3216b4e8a5a948f4ffc26b51ecbaf0cd7687e2e4cffe77f97a6fc639805b92

memory/2444-52-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

memory/2444-61-0x0000000000220000-0x000000000027F000-memory.dmp

memory/2444-62-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/2796-72-0x0000000000C60000-0x0000000000D60000-memory.dmp

memory/2796-73-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/2796-74-0x0000000004EE0000-0x0000000004F38000-memory.dmp

memory/2796-75-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/2444-77-0x0000000004FD0000-0x0000000005026000-memory.dmp

memory/2444-78-0x0000000002810000-0x0000000002850000-memory.dmp

memory/2444-76-0x0000000002810000-0x0000000002850000-memory.dmp

memory/2796-79-0x0000000004FC0000-0x0000000005000000-memory.dmp

memory/2444-80-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/2444-81-0x0000000002810000-0x0000000002850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6C5A.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1658372521-4246568289-2509113762-1000\76b53b3ec448f7ccdda2063b15d2bfc3_f4bfc772-1e14-4cb7-967a-2360098b659f

MD5 bbc8da7d36df3f91c460984c2abe8419
SHA1 9a247c3d293022fde4f3abc8b56259275c4ef97c
SHA256 0399ccf5e780949a63400736a46cce7d1879903d0f45c6b7d194c960ba4dddc2
SHA512 facbe33baa35fccf8072fe207a4d5eda2a64c4ed067c8eecb23e49cb003747be4c3772cb4ae2dfb87f91aa711b9a8371a2e0d76dc40830e275098172318d7cb4

memory/2556-107-0x0000000000400000-0x0000000000B17000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4876ee75ce2712147c41ff1277cd2d30
SHA1 3733dc92318f0c6b92cb201e49151686281acda6
SHA256 bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 6ba3d481e8a0c753967f3e002044b050
SHA1 3630d082e516fac7273d5e5c2a09c972ad3fcac5
SHA256 d62a26be85ee3bb0b7d4504f4367f505180adee48ddaf8cb72e301263114adfe
SHA512 33e7defd57654fa57a2e04ecfba0222a28103794dc1236272e0eaf493d92f130132e90a20244e2ed7c2704a34aaab681bc931671816a6c03a2bd8fd405a4a61c

memory/2796-123-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/2556-128-0x0000000000C70000-0x0000000000D70000-memory.dmp

memory/2556-129-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/2444-134-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

memory/2116-135-0x000000001B390000-0x000000001B672000-memory.dmp

memory/2116-136-0x0000000002650000-0x0000000002658000-memory.dmp

memory/2116-137-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2116-138-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2116-139-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2116-140-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2116-141-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2116-142-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2796-144-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/2796-146-0x0000000000C60000-0x0000000000D60000-memory.dmp

memory/2796-147-0x0000000004FC0000-0x0000000005000000-memory.dmp

memory/2444-148-0x0000000002810000-0x0000000002850000-memory.dmp

memory/2796-149-0x0000000004FC0000-0x0000000005000000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

MD5 ca684dc5ebed4381701a39f1cc3a0fb2
SHA1 8c4a375aa583bd1c705597a7f45fd18934276770
SHA256 b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA512 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

memory/2444-164-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/2444-165-0x0000000002810000-0x0000000002850000-memory.dmp

memory/2556-168-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/2444-169-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/2444-170-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/2444-171-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

memory/2796-175-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/2796-176-0x0000000000C60000-0x0000000000D60000-memory.dmp

memory/2796-177-0x0000000073310000-0x00000000739FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 19:16

Reported

2024-03-24 19:18

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (same Blob value as in behavioral1 above) C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\1000071002\nativecrypt6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (same Blob value as in behavioral1 above) C:\Users\Admin\1000071002\nativecrypt6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\1000071002\nativecrypt6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3576 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3576 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1768 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1768 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1768 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1768 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 1768 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 1768 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\1000071002\nativecrypt6.exe
PID 1768 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 1768 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 1768 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
PID 1768 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 1768 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 1768 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4552 wrote to memory of 4548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4552 wrote to memory of 4548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4548 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4548 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4548 wrote to memory of 1100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 4548 wrote to memory of 1100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1768 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 1768 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 1768 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe

"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1240

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1016

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1688

C:\Users\Admin\1000071002\nativecrypt6.exe

"C:\Users\Admin\1000071002\nativecrypt6.exe"

C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe

"C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1688

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1412

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1744

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2004 -ip 2004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1028

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 96.39.123.93.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 5.42.65.68:29093 tcp
RU 5.42.65.68:29093 tcp
US 8.8.8.8:53 68.65.42.5.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

memory/3576-1-0x0000000000DF0000-0x0000000000EF0000-memory.dmp

memory/3576-2-0x0000000002890000-0x00000000028FF000-memory.dmp

memory/3576-3-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/3576-5-0x0000000000400000-0x0000000000B17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 34468074c946943518ab33be24c01ef9
SHA1 742cf7ff13dcab6a99b372dc99f362f45be3d69c
SHA256 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
SHA512 b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b

memory/1768-17-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

memory/3576-18-0x0000000000DF0000-0x0000000000EF0000-memory.dmp

memory/1768-19-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/3576-20-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/3576-21-0x0000000002890000-0x00000000028FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\808065738166

MD5 4a31957fcc6a12c7f3712f94c819972a
SHA1 cf6d343b57f93351c28ee8fa52b66cc93576e40a
SHA256 4744156cf8d830a386449b871e48a577e6fe3673526f2663ab34030124f374b4
SHA512 a0453268d32a9038337ea30d62c51ef421910c0e1b6c6697a3c61c2bbad1e252680538d14b7abb991200499480d87c0b98fc76a9de61f516c18a99ab67e13ac9

C:\Users\Admin\1000071002\nativecrypt6.exe

MD5 ef4b0d33ed0eb8ec64c7073ea8409cad
SHA1 b3c1b0b7e282a26bcc4ddb84cfac0437e3cff209
SHA256 37c593afa2791249363f27cb2818fe560338c9abdfb2b270b26a88696a87c3e9
SHA512 21076c222c0ee27ad88b682639bc82d8be50a0d369a5eec7a66023b0a8ced6cc9348b5b6cc7794c22269adc9b9faa38503276ba4b2d7e922beb1ce0e575a6228

memory/1768-41-0x0000000000400000-0x0000000000B17000-memory.dmp

C:\Users\Admin\1000071002\nativecrypt6.exe

MD5 d6ec14d4006c215ddf5f25e757b6a0d2
SHA1 d18387a6a2ab4513708d2460c2f889af2181d959
SHA256 52eb5cc828a0a8e6df0578bdec79ae42cb44409b6386caad0f3a1c59025374b4
SHA512 30a9305d1530c0b38b570339b4db2dacc1760de0eb05ed6b09706479a71c4292e19825fbe5123ed0267a4bb3c45ef3dc4ab9fe8abe129f033e220f0e4de32b9e

C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe

MD5 1ba155e110194b1bd5c3a0fafb22efb1
SHA1 f0ca22993de08e42aca63d2ba61fb508887d9063
SHA256 a33b4d15c3704e9ae986a88192cc569290d9e7533c790ba7736840c8a5d93782
SHA512 583c34880322b943e484a50cc76269888ef2a9207cf8252cf1df5ab7f4fedaf277e668819a32585a482975f01304ce5aea0a0fe370fa5e626b2d20a7e51f0ee5

C:\Users\Admin\1000071002\nativecrypt6.exe

MD5 d861509fb4c8a898ec17fe11f46f891b
SHA1 ca985d8833e78683a3252d7374eed1f985fa6668
SHA256 8ecb93da4817ca5e198151ef894492d76c984ee6f4cc024bdcb9b45f7338ce83
SHA512 10d5accc5d404e39f0cf7590bc970b6e8771c16e2afd49721bc0103c6e724b28b65c0f5f32b79fabe674592e8d0412124ba08cc1a097b31c7f72d01879d359ba

C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe

MD5 ed56868f8ebed80e3b21042f95dc7e8a
SHA1 246a89723f0a891a38e13f50c54fddbd58202cb9
SHA256 9da26dd076198e05ce2927db85cd3072b6a174c2b07ab85efcd7e3f766982753
SHA512 008ac4ccc314b2f5e12a468a65a9e119750ba08122af0e797f84d6d2813bc69894a0b489e7732b0ff07bb869916c1856f7127a696a9287e5d07aa16e4ae8c242

memory/4136-66-0x0000000000D40000-0x0000000000E40000-memory.dmp

memory/4136-67-0x0000000000CA0000-0x0000000000CFF000-memory.dmp

memory/996-68-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

memory/4136-69-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/996-70-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/4136-71-0x0000000072B60000-0x0000000073310000-memory.dmp

memory/996-72-0x0000000072B60000-0x0000000073310000-memory.dmp

memory/4136-74-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/4136-75-0x0000000002D50000-0x0000000002DA8000-memory.dmp

memory/996-73-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/1768-76-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

memory/996-77-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/4136-79-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/996-78-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/1768-81-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/996-80-0x00000000052B0000-0x0000000005854000-memory.dmp

memory/996-82-0x0000000005860000-0x00000000058B6000-memory.dmp

memory/996-83-0x00000000058C0000-0x0000000005952000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 d7c1ce5b7af6d9aa0d802381fe9a0662
SHA1 95b8176ad64ae9f0e3a59cb8305e9c36b397c8dc
SHA256 757253bcca7fd7b8af775e895354ec005722e335fd9cd43ace4e7ec59a34fec7
SHA512 de80de49a76f72d93d71573310d23d95cd7130c679e1afcac08f7acb3f71e1d3aee2d203beb0593a2ab5d33c1a8bf7b7163e8d9956857a6fec9dddbefc4f29e1

memory/996-92-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/4136-93-0x00000000053B0000-0x00000000053C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 5ece0da4e5b348dace429b4c35f688e5
SHA1 7c2e0fb80cb99100353139081b1e564e22d82bb0
SHA256 5261ffc545d7047d36768251d0edcb67502c06e3214dbb225ba2bf815525b598
SHA512 55f38e6aacfb6bbadfd558dc91a3ac490ea3372488842b227bc9f838524a63b3f574c6524a1b210f83063c0552a1568c2ec68bb155e7fe21cbce0137697c9b97

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 264996a9e67e97b9d84517aaffe7db7f
SHA1 8167c6752d065b3ec57118fc2705b38e4d61fe06
SHA256 babee9cf7cd304c182da1e854602469d577abe5da37ea2e0b9f29dc90f31b7b3
SHA512 7a87ffd7ad36f35c566f682413281ff73613de6a88596f066c1ff4ea3523b6c02c896b5f1ee99078f68d5d3265882368799db0930a9fa07e09b1bbc580067244

memory/996-97-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 389b16e8c79f728ae26d054305e9e9fe
SHA1 5a849b5a890368b64de0c8617919489413c9ef1b
SHA256 b11c0973de4a1292a5ea8dfebf749c20ccbb09b76ae05dfc11597b16363ed66f
SHA512 9266e0e85f993d21ad3cfa6e14fd88d6190d2890edbdd87b0937933daa71e0288378c476a4e597bf68f49e3cfa0995683ffa4fd195aadd26fc4645434be54fe6

C:\Users\Admin\AppData\Local\Temp\Tmp5FAF.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/996-131-0x0000000005FF0000-0x0000000006066000-memory.dmp

memory/1100-132-0x0000022BFBEF0000-0x0000022BFBF12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f55scjh.z4n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1100-142-0x00007FFA03E70000-0x00007FFA04931000-memory.dmp

memory/4136-144-0x0000000000D40000-0x0000000000E40000-memory.dmp

memory/1100-143-0x0000022BFBF30000-0x0000022BFBF40000-memory.dmp

memory/996-145-0x00000000069E0000-0x00000000069FE000-memory.dmp

memory/996-148-0x0000000006A00000-0x0000000007018000-memory.dmp

memory/996-149-0x00000000070A0000-0x00000000071AA000-memory.dmp

memory/4136-150-0x00000000071E0000-0x00000000071F2000-memory.dmp

memory/996-151-0x0000000007200000-0x000000000723C000-memory.dmp

memory/4136-152-0x0000000007260000-0x00000000072AC000-memory.dmp

memory/1100-153-0x0000022BFC410000-0x0000022BFC422000-memory.dmp

memory/1100-154-0x0000022BFBF20000-0x0000022BFBF2A000-memory.dmp

memory/1100-160-0x00007FFA03E70000-0x00007FFA04931000-memory.dmp

memory/1768-161-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/996-162-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

memory/4136-163-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/4136-166-0x0000000072B60000-0x0000000073310000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

MD5 ca684dc5ebed4381701a39f1cc3a0fb2
SHA1 8c4a375aa583bd1c705597a7f45fd18934276770
SHA256 b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA512 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

memory/4136-177-0x00000000073B0000-0x0000000007416000-memory.dmp

memory/4136-178-0x00000000076D0000-0x0000000007720000-memory.dmp

memory/996-179-0x0000000072B60000-0x0000000073310000-memory.dmp

memory/4136-180-0x0000000007A60000-0x0000000007C22000-memory.dmp

memory/4136-181-0x0000000007C40000-0x000000000816C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353

MD5 0158fe9cead91d1b027b795984737614
SHA1 b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512 c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

memory/4136-185-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/996-187-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/1768-186-0x0000000000400000-0x0000000000B17000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nativecrypt6.exe.log

MD5 e34b053c93dcb4160094249280888117
SHA1 bd7cd93042c200c5fb012bccf3cd9f72d7e79cef
SHA256 2bc71ddd63acfb9d101892e29033c75b4023727e1cadc489ecb2421c1960eaa8
SHA512 f8753ec3f9f413e1fac84caa1905509a978dfc63211dcd0a889a4283840ae2e6e9101e1f7ee7d582acc5e0ae722fdab8f6047aa02cee28869a094b4f494897f2

memory/4136-190-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/996-191-0x0000000000400000-0x0000000000B19000-memory.dmp

memory/996-192-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/1856-196-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

memory/4136-195-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/1856-197-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/1856-198-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/2004-219-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

memory/2004-220-0x0000000000400000-0x0000000000B17000-memory.dmp

memory/2004-221-0x0000000000400000-0x0000000000B17000-memory.dmp