Malware Analysis Report

2025-08-11 01:12

Sample ID 240325-a39kvabc79
Target SecuriteInfo.com.Win32.TrojanX-gen.1033.1898
SHA256 773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78
Tags
amadey evasion persistence spyware stealer trojan risepro
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78

Threat Level: Known bad

The file SecuriteInfo.com.Win32.TrojanX-gen.1033.1898 was found to be: Known bad.

Malicious Activity Summary

amadey evasion persistence spyware stealer trojan risepro

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Reads local data of messenger clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Reads WinSCP keys stored on the system

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 00:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 00:45

Reported

2024-03-25 00:48

Platform

win7-20240221-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5d6c42a3d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\d5d6c42a3d.exe" C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2332 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2332 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2332 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2976 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe
PID 2976 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe
PID 2976 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe
PID 2976 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe
PID 2976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2976 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 2976 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 2976 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 2976 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2380 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2380 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2380 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3040 wrote to memory of 1900 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3040 wrote to memory of 1900 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3040 wrote to memory of 1900 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3040 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe

"C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\780967622241_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
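The signature tables above (and the identical ones in behavioral2) list the registry reads, the Run key, the .job files and the rundll32 / netsh / powershell command lines as isolated facts. The following Python is an added example, not part of the sandbox report, that turns those indicators into rules and runs them over constructed, simplified Sysmon-style event dicts (the field names, the event list, the rule weights and the chain threshold are all assumptions for this example; the indicator strings are the ones the report shows). Two constructed benign events are included to show why a BIOS-version read on its own is not worth an alert:

```python
"""Added example: rule-based triage of the behaviours this report records,
run over constructed, simplified Sysmon-style events (dicts, not Sysmon XML).
Indicator values are taken from the behavioral1/behavioral2 tables."""
import re
from collections import defaultdict


def _reg(e):
    return e.get("target", "").lower()


# (rule name, tactic, weight, predicate). Weights are an assumption for this
# example: BIOS-version reads are low signal on their own because installers
# and inventory agents issue the same query.
RULES = [
    ("vbox_acpi_dsdt", "evasion", 3,
     lambda e: e["type"] in ("reg_open", "reg_query")
     and r"\hardware\acpi\dsdt\vbox__" in _reg(e)),
    ("wine_registry_key", "evasion", 2,
     lambda e: e["type"] == "reg_open" and _reg(e).endswith(r"\software\wine")),
    ("bios_version_query", "evasion", 1,
     lambda e: e["type"] == "reg_query"
     and re.search(r"\\description\\system\\(system|video)biosversion$", _reg(e))),
    ("run_key_to_temp", "persistence", 3,
     lambda e: e["type"] == "reg_set"
     and "\\software\\microsoft\\windows\\currentversion\\run\\" in _reg(e)
     and "\\appdata\\local\\temp\\" in e.get("value", "").lower()),
    ("job_file_in_windows_tasks", "persistence", 3,
     lambda e: e["type"] == "file_create"
     and re.match(r"c:\\windows\\tasks\\[^\\]+\.job$", e["target"].lower())
     and not e["image"].lower().startswith("c:\\windows\\")),
    ("rundll32_roaming_dll_main", "execution", 3,
     lambda e: e["type"] == "proc_create"
     and e["image"].lower().endswith("rundll32.exe")
     and re.search(r"\\appdata\\roaming\\[^ ]+\.dll,\s*main", e.get("cmdline", ""), re.I)),
    ("netsh_wlan_profiles_from_rundll32", "collection", 2,
     lambda e: e["type"] == "proc_create"
     and re.search(r"netsh\s+wlan\s+show\s+profiles", e.get("cmdline", ""), re.I)
     and e.get("parent_image", "").lower().endswith("rundll32.exe")),
    ("powershell_zip_of_temp_files", "collection", 2,
     lambda e: e["type"] == "proc_create"
     and e["image"].lower().endswith("powershell.exe")
     and re.search(r"compress-archive.+_desktop\.zip", e.get("cmdline", ""), re.I)),
]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe"
EXPLORHA = r"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
SID = r"\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000"

# Constructed events; the indicator strings are the ones the report lists.
EVENTS = [
    {"type": "reg_open", "pid": 2332, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "pid": 2976, "image": EXPLORHA,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_open", "pid": 1584, "image": r"C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe",
     "target": SID + r"\Software\Wine"},
    {"type": "reg_set", "pid": 2976, "image": EXPLORHA,
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\d5d6c42a3d.exe",
     "value": r"C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe"},
    {"type": "file_create", "pid": 2332, "image": SAMPLE, "target": r"C:\Windows\Tasks\explorha.job"},
    {"type": "proc_create", "pid": 2380, "image": RUNDLL, "parent_image": EXPLORHA,
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'},
    {"type": "proc_create", "pid": 1900, "image": r"C:\Windows\system32\netsh.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe", "cmdline": "netsh wlan show profiles"},
    {"type": "proc_create", "pid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
                r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\780967622241_Desktop.zip' -CompressionLevel Optimal"},
    # Two constructed benign events: an installer reading the BIOS version and a
    # system service writing a job file. Neither should reach a chain verdict.
    {"type": "reg_query", "pid": 4000, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "file_create", "pid": 4001, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Tasks\backup.job"},
]


def evaluate(events):
    """Match every event against every rule; return (rule, tactic, pid, weight) tuples."""
    return [(name, tactic, ev["pid"], weight)
            for ev in events for name, tactic, weight, pred in RULES if pred(ev)]


def verdict(hits, threshold=8):
    """Sum weights per tactic. Flag a loader-style chain only when evasion,
    persistence and collection all appear and the total clears the threshold;
    a single low-weight hit (the msiexec BIOS read) never does."""
    by_tactic = defaultdict(int)
    for _, tactic, _, weight in hits:
        by_tactic[tactic] += weight
    total = sum(by_tactic.values())
    chain = all(t in by_tactic for t in ("evasion", "persistence", "collection"))
    return {"score": total, "tactics": dict(by_tactic), "loader_chain": chain and total >= threshold}


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for rule, tactic, pid, weight in hits:
        print(f"{tactic:<12} {rule:<36} pid={pid} +{weight}")
    print(verdict(hits))
```

One caveat before porting these rules to production telemetry: the registry open/query rows in this report come from the sandbox's kernel-level monitoring. Sysmon records registry value sets (event ID 13) and file creates (ID 11) but not registry reads, so in a Sysmon-only environment the VirtualBox, Wine and BIOS rules never fire; the Run key, the .job file in C:\Windows\Tasks, and the rundll32 / netsh / powershell process-creation rules (ID 1) are what you would actually see.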

Network

Country Destination Domain Proto
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp

Files

memory/2332-0-0x0000000000E60000-0x0000000001333000-memory.dmp

memory/2332-1-0x0000000077C60000-0x0000000077C62000-memory.dmp

memory/2332-2-0x0000000000E60000-0x0000000001333000-memory.dmp

memory/2332-4-0x0000000002780000-0x0000000002781000-memory.dmp

memory/2332-3-0x0000000002760000-0x0000000002761000-memory.dmp

memory/2332-12-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/2332-13-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2332-11-0x0000000002740000-0x0000000002741000-memory.dmp

memory/2332-10-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/2332-9-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2332-8-0x0000000002750000-0x0000000002751000-memory.dmp

memory/2332-7-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/2332-6-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/2332-5-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/2332-14-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/2332-15-0x0000000002910000-0x0000000002911000-memory.dmp

memory/2332-17-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/2332-18-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 8b176c80a6ff69b7beb12254dfaac8ee
SHA1 a51457eb62364526addd00b610cb1e16c7d3918d
SHA256 773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78
SHA512 2eca1765e9d9ab3859fbcfa444125a396d420e194295ecd6f293e6b9d989de85e7b9fbeffe33590274c85ecdcb6939e81c2856c863a57f668df5b01ca0d66c0e

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 f4f4534b387144e4e535634729a4cb93
SHA1 83b7a8a6f61a1aa5224c54db79082814998547e1
SHA256 8c47fdd8a8fd19bd73beb7cdb0b2324866e9dc41c29d97cfecdc89a2f540c869
SHA512 8b7b37cfc38627b3d0e3856a1f6a6594c79add34de3d788a10566b2406d13ecf8f252f43a50af9f648e4ecd0305b8ba062beea582d41e3033b7f0cb5b5c885db

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 7f11e900dce6e5ba6a4952fe54684c16
SHA1 36270e43451fcc544609a1b7256c4111815c929f
SHA256 718d3a5b1705048fedaf33cdd4357ced71e2f59b49615a0b70e9d7a194a18ab9
SHA512 af245228f3a01c3c6b68839354efae2cdb1343f29bbeaa67cbeb52ab9bf653c29041cbedb9eada14b38fe7f0d2795c37a9d0db05198b17192bd03708dd98832e

memory/2332-27-0x0000000006B30000-0x0000000007003000-memory.dmp

memory/2332-28-0x0000000000E60000-0x0000000001333000-memory.dmp

memory/2976-29-0x0000000000300000-0x00000000007D3000-memory.dmp

memory/2976-30-0x0000000000300000-0x00000000007D3000-memory.dmp

memory/2976-31-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/2976-32-0x0000000001030000-0x0000000001031000-memory.dmp

memory/2976-33-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/2976-34-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2976-35-0x0000000000C20000-0x0000000000C21000-memory.dmp

memory/2976-36-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/2976-37-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2976-39-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2976-42-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/2976-41-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2976-40-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2976-38-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2976-44-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/2976-45-0x0000000002620000-0x0000000002621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000022001\d5d6c42a3d.exe

MD5 c1ecc346ea298dadb57e357be3e06493
SHA1 3663a3324c56af3a76884c9c89a0d30dc18101ac
SHA256 b628895795757ca7da0306acb9ded2fd780fb1ea4be3c8e70c1e480d670114e9
SHA512 a7f8e0829fa881cc25af1f6d6054fbfb35198692d55d98feb45638273e28ca0a52b699ba3c5e140e92111ea5b2e19ced792193d085011d290040d14570ad8776

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

memory/2100-101-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/2100-102-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/2100-103-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

memory/2100-104-0x0000000002B74000-0x0000000002B77000-memory.dmp

memory/2100-105-0x0000000002B7B000-0x0000000002BE2000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 00:45

Reported

2024-03-25 00:48

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ba40b6dcb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\5ba40b6dcb.exe" C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2204 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2204 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 960 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe
PID 960 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe
PID 960 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe
PID 960 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4636 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4636 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2312 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2312 wrote to memory of 2320 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2312 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 960 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 960 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 960 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 960 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 960 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 960 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 960 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 4148 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
PID 4148 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
PID 4148 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
PID 3396 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe C:\Windows\SysWOW64\schtasks.exe
PID 3396 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe C:\Windows\SysWOW64\schtasks.exe
PID 3396 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe C:\Windows\SysWOW64\schtasks.exe
PID 4148 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4148 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4148 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4420 wrote to memory of 5092 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4420 wrote to memory of 5092 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5092 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 5092 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 5092 wrote to memory of 1196 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 1196 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4148 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4148 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe

Processes

Process Command line

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe"

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe
netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
"C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe
netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
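The command lines above carry the behaviour the signatures summarise: rundll32 loading cred64.dll/clip64.dll from a user-writable AppData\Roaming directory via an exported Main, schtasks re-running a Temp binary every minute, netsh enumerating Wi-Fi profiles, PowerShell's Compress-Archive packing a Temp staging directory, and payloads executed straight from %TEMP%. The following is an added example, not part of this report or of the sandbox that produced it: a small Python scanner that re-applies those patterns to command lines. The sample input is transcribed from the Processes list; the rule names are this example's own.

```python
import re

# Constructed sample input: command lines transcribed from the "Processes"
# section of this report (copied by hand, not captured by this script).
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    "netsh wlan show profiles",
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F',
]

# rundll32 <dll>,<export>: flagged when the DLL lives under a user-writable AppData path
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+(?P<dll>\S+\.dll)\s*,\s*(?P<export>\w+)', re.I)
# schtasks /Create with a per-minute trigger; the task action (/TR) is checked separately
SCHTASKS = re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/sc\s+minute\b', re.I)
TASK_RUN = re.compile(r'/tr\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
# Wi-Fi profile enumeration (the usual first step before dumping a profile with key=clear)
NETSH_WLAN = re.compile(r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+profiles?\b', re.I)
# Compress-Archive whose source is a staging directory under Temp
COMPRESS = re.compile(r"compress-archive\b.*?-path\s+'?(?P<src>[^' ]+)", re.I)
# A bare command line that is nothing but an executable under %LOCALAPPDATA%\Temp
TEMP_EXE = re.compile(r'^"?[a-z]:\\users\\[^"]*?\\appdata\\local\\temp\\[^"]*?\.exe"?\s*$', re.I)


def scan(cmdline: str) -> list[str]:
    """Return the names of the rules this command line triggers (possibly empty)."""
    hits = []
    m = RUNDLL.search(cmdline)
    if m and "\\appdata\\" in m["dll"].lower():
        hits.append("rundll32_appdata_dll")
    if SCHTASKS.search(cmdline):
        tr = TASK_RUN.search(cmdline)
        target = (tr["q"] or tr["u"]) if tr else ""
        if "\\appdata\\local\\temp\\" in target.lower():
            hits.append("schtasks_minute_temp")
    if NETSH_WLAN.search(cmdline):
        hits.append("wlan_profile_enum")
    m = COMPRESS.search(cmdline)
    if m and "\\temp\\" in m["src"].lower():
        hits.append("archive_staging")
    if TEMP_EXE.match(cmdline):
        hits.append("exe_from_temp")
    return hits


def summarize(cmdlines) -> dict[str, int]:
    """Count how many command lines trigger each rule."""
    counts: dict[str, int] = {}
    for line in cmdlines:
        for rule in scan(line):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for line in COMMAND_LINES:
        print(scan(line) or ["-"], line[:80])
    print(summarize(COMMAND_LINES))
```

The rules key on the parts of each line that are hard for the malware to vary without losing function (the AppData DLL path handed to rundll32, the /SC MINUTE trigger pointing back into Temp, the Compress-Archive source under Temp), rather than on the random directory names, which change per build.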

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 20.231.121.79:80 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
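The in-addr.arpa names in this table are reverse (PTR) lookups, and decoding them shows that several refer to the same hosts the sample reached over plain HTTP (56.132.233.193.in-addr.arpa is 193.233.132.56 reversed), so they corroborate the direct-IP destinations rather than add new ones; the traffic that matters goes to bare IPs on port 80 with no forward DNS resolution at all. The following added example, not part of this report or of the sandbox, parses rows in this table's layout, decodes PTR names back to addresses, and lists the direct-IP HTTP destinations together with whether a matching reverse lookup was observed. The rows are a transcribed subset of the table above (including the one with an empty Domain column); the field names are this example's own.

```python
import ipaddress

# Constructed sample input: a subset of this report's Network table, transcribed
# in the same "Country Destination Domain Proto" layout (Domain may be blank).
NETWORK_ROWS = [
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "RU 193.233.132.56:80 193.233.132.56 tcp",
    "RU 193.233.132.167:80 193.233.132.167 tcp",
    "US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp",
    "US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp",
    "US 20.231.121.79:80 tcp",
    "RU 193.233.132.56:80 193.233.132.56 tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "DE 185.172.128.19:80 185.172.128.19 tcp",
    "US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp",
]


def parse_row(line: str) -> dict:
    """Split one whitespace-separated row; a 3-field row has an empty Domain column."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def ptr_to_ip(name: str):
    """Decode a.b.c.d.in-addr.arpa to d.c.b.a; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(row: dict) -> str:
    """Label a row: reverse lookup, forward lookup, direct-IP connection, or resolved TCP."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "reverse_dns" if ptr_to_ip(row["domain"]) else "dns_query"
    # A blank Domain, or a Domain that is just the IP again, means no name was resolved.
    if row["domain"] in ("", row["ip"]):
        return "direct_ip_http" if row["port"] == 80 else "direct_ip"
    return "resolved_tcp"


def correlate(lines) -> dict:
    """Direct-IP destinations keyed by address, with connection count and PTR evidence."""
    rows = [parse_row(line) for line in lines]
    ptr_targets = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "reverse_dns"}
    out: dict = {}
    for r in rows:
        if classify(r).startswith("direct_ip"):
            entry = out.setdefault(r["ip"], {
                "country": r["country"], "port": r["port"],
                "connections": 0, "ptr_lookup_seen": r["ip"] in ptr_targets,
            })
            entry["connections"] += 1
    return out


if __name__ == "__main__":
    for ip, info in correlate(NETWORK_ROWS).items():
        print(ip, info)
```

On this sample the bing.net rows are the only connections with a forward-resolved name, and they are sandbox background traffic; everything on port 80 is direct-to-IP, which is the shape to hunt for in proxy logs (HTTP with an IP literal in the Host header and no preceding A-record query).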

Files

memory/2204-0-0x00000000001C0000-0x0000000000693000-memory.dmp

memory/2204-1-0x0000000076FC4000-0x0000000076FC6000-memory.dmp

memory/2204-2-0x00000000001C0000-0x0000000000693000-memory.dmp

memory/2204-3-0x0000000005430000-0x0000000005431000-memory.dmp

memory/2204-4-0x0000000005440000-0x0000000005441000-memory.dmp

memory/2204-5-0x0000000005420000-0x0000000005421000-memory.dmp

memory/2204-6-0x0000000005460000-0x0000000005461000-memory.dmp

memory/2204-7-0x0000000005400000-0x0000000005401000-memory.dmp

memory/2204-8-0x0000000005410000-0x0000000005411000-memory.dmp

memory/2204-9-0x0000000005480000-0x0000000005481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 8b176c80a6ff69b7beb12254dfaac8ee
SHA1 a51457eb62364526addd00b610cb1e16c7d3918d
SHA256 773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78
SHA512 2eca1765e9d9ab3859fbcfa444125a396d420e194295ecd6f293e6b9d989de85e7b9fbeffe33590274c85ecdcb6939e81c2856c863a57f668df5b01ca0d66c0e

memory/960-21-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2204-22-0x00000000001C0000-0x0000000000693000-memory.dmp

memory/960-23-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/960-24-0x0000000005110000-0x0000000005111000-memory.dmp

memory/960-25-0x0000000005120000-0x0000000005121000-memory.dmp

memory/960-27-0x0000000005140000-0x0000000005141000-memory.dmp

memory/960-26-0x0000000005100000-0x0000000005101000-memory.dmp

memory/960-28-0x00000000050E0000-0x00000000050E1000-memory.dmp

memory/960-29-0x00000000050F0000-0x00000000050F1000-memory.dmp

memory/960-30-0x0000000005160000-0x0000000005161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000022001\5ba40b6dcb.exe

MD5 c1ecc346ea298dadb57e357be3e06493
SHA1 3663a3324c56af3a76884c9c89a0d30dc18101ac
SHA256 b628895795757ca7da0306acb9ded2fd780fb1ea4be3c8e70c1e480d670114e9
SHA512 a7f8e0829fa881cc25af1f6d6054fbfb35198692d55d98feb45638273e28ca0a52b699ba3c5e140e92111ea5b2e19ced792193d085011d290040d14570ad8776

memory/2756-49-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-50-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-51-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-52-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/960-53-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-54-0x00000000007B0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 7e5c4d30a95f4f2ed06e6101005b2adb
SHA1 c081906a44094c812c63fa568ff180b98afa05f4
SHA256 64a68bac7cd2cbee1d09f565664825e0ec1af21a7d9ed43f0accfb426f254704
SHA512 38fa8bdadf6e6a488b2dd37e78e91e302b3f7629b9de3274e0ab53435dd483d3f347a96262a92a66e9aa5bb04e7f05b77b4f4f1ea8a8c89c4c4b1790ba6b7f2a

memory/2160-67-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2160-68-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2160-69-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/2160-70-0x00000000050E0000-0x00000000050E1000-memory.dmp

memory/2160-71-0x00000000050C0000-0x00000000050C1000-memory.dmp

memory/2160-73-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/2160-74-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/2160-72-0x0000000005110000-0x0000000005111000-memory.dmp

memory/2756-75-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/3040-76-0x0000021CF45E0000-0x0000021CF4602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sirq0hoa.jcs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3040-87-0x00007FFA62180000-0x00007FFA62C41000-memory.dmp

memory/2160-86-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/3040-89-0x0000021CF4610000-0x0000021CF4620000-memory.dmp

memory/3040-88-0x0000021CF4610000-0x0000021CF4620000-memory.dmp

memory/3040-90-0x0000021CF4B10000-0x0000021CF4B22000-memory.dmp

memory/3040-91-0x0000021CF4630000-0x0000021CF463A000-memory.dmp

memory/3040-97-0x00007FFA62180000-0x00007FFA62C41000-memory.dmp

memory/960-98-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-99-0x00000000007B0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

memory/960-131-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-132-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/2756-133-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-134-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-135-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-136-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/960-137-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-138-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-139-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-140-0x00000000007B0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 973e60e0b8b318465d2e619c3b58c7d6
SHA1 39f664c9bc6cf7af5802062ef864a6eb16495d68
SHA256 bb023eba25631fd57547541e5dbec8c590352585bbf331aa05a5d1cf7f6bc878
SHA512 9950abdf9d3b370bea8cbf2be6a306d7525b7f385c448f5a18b95f49df4176a4450a27ca133f97e74ac576c13d35ddab02dd46fee0d0aa758348bb3d5ef479ce

memory/4292-147-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/4292-148-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/4292-150-0x0000000004A30000-0x0000000004A31000-memory.dmp

memory/4292-151-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/4292-149-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/4292-152-0x0000000004A00000-0x0000000004A01000-memory.dmp

memory/4292-153-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/4292-154-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/4292-156-0x0000000000720000-0x0000000000BF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/960-173-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-174-0x00000000007B0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 a885fad25bdb2120d92e5ff0efa79e2c
SHA1 fa8d463cdf1eda689cff7d27192a098094b8643a
SHA256 bfe87b2f8c8478ee8b47c4032d093e1c50440aeedcbc2d7d68dcdd2d1d2e6d0c
SHA512 0e70c89381895712f8818e50c3e66e93f1c1523e96c3dd40cc48fb555e790a76948f943cdcc9d14d63b21ff2362fc5c2139e1b3f8def6afea490d9e85ba2a970

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fe3aab3ae544a134b68e881b82b70169
SHA1 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256 bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

memory/960-188-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-189-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/1196-190-0x00007FFA60D30000-0x00007FFA617F1000-memory.dmp

memory/1196-191-0x000001D3BC560000-0x000001D3BC570000-memory.dmp

memory/1196-192-0x000001D3BC560000-0x000001D3BC570000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33ecfa931c560b746fb5199a4e050f0b
SHA1 2b44e8bc798714119717b8e34238cd1bbbd08266
SHA256 deb7bd6e8b0451bafa3eccbd5c43b4d3f610621a51747f1a6867c96761e57ba7
SHA512 8fc031c3f362adb88b731bc440769e3e3bbe6e9eb9fce3a22fe9743b0d09440422e995fcb8bf9b8710aca4ff1f9a451f8490482447120f8b2fdfb2a62dcfed60

memory/1196-207-0x00007FFA60D30000-0x00007FFA617F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

memory/960-219-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-220-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/2756-222-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-221-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/960-223-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-224-0x00000000007B0000-0x0000000000B59000-memory.dmp

memory/960-225-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/2756-226-0x00000000007B0000-0x0000000000B59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 6c502ae35fae646dd41cbd0647700d51
SHA1 6b47be3535dfca70fb51225bab58ae9c0a64ab53
SHA256 fb0a5ab180eaf6e82ed398b00262cbe0849e2173621085cf74b87a1c7229ec2a
SHA512 f7ef6c5f685685ae5e61bebffd31497910e0b98b0486eb60d65bdc0f7de20f50b9ab5670ae538955571561f3fddb9aff865527bedff1c1e6d186b0e9a650e8a7

memory/4512-228-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/4512-229-0x0000000000720000-0x0000000000BF3000-memory.dmp

memory/4512-230-0x0000000004C20000-0x0000000004C21000-memory.dmp

memory/4512-232-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/4512-233-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/4512-231-0x0000000004C30000-0x0000000004C31000-memory.dmp

memory/4512-234-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

memory/4512-235-0x0000000004C00000-0x0000000004C01000-memory.dmp

memory/4512-236-0x0000000004C50000-0x0000000004C51000-memory.dmp

memory/4512-238-0x0000000000720000-0x0000000000BF3000-memory.dmp