amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
33s
max time network
301s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey asyncrat redline zgrat @oleh_psp cloudytteam default evasion infostealer rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

glpngorolvfhxvlr

Attributes

delay
1
install
true
install_file
client.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/LwwcrLg4

aes.plain

Extracted

Family

redline

Botnet

CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 39 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\afile.exe	family_zgrat_v1
behavioral1/memory/2296-81-0x00000000010D0000-0x000000000128C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-156-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-158-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-161-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-174-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-176-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe	family_zgrat_v1
behavioral1/memory/1852-223-0x0000000000270000-0x00000000002D6000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-467-0x0000000005180000-0x0000000005630000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-478-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-489-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-493-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-495-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-497-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-506-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-508-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-510-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-512-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-514-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-516-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-519-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-521-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-523-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-535-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-537-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-539-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-541-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-552-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-554-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-556-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-559-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-561-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-568-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
behavioral1/memory/560-570-0x0000000005180000-0x000000000562B000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
behavioral1/memory/2900-734-0x0000000000F10000-0x0000000001414000-memory.dmp	family_zgrat_v1
\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\goldprimeldlldf.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe	family_redline
\Users\Admin\AppData\Roaming\configurationValue\newss.exe	family_redline
behavioral1/memory/1852-223-0x0000000000270000-0x00000000002D6000-memory.dmp	family_redline
behavioral1/memory/360-224-0x0000000001380000-0x00000000013D0000-memory.dmp	family_redline
\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\virus.exe	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

amert.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2492-694-0x00000000045A0000-0x0000000004606000-memory.dmp	net_reactor
behavioral1/memory/2492-717-0x0000000004740000-0x00000000047A4000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amert.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe

Executes dropped EXE 7 IoCs

Processes:

Ledger-Live.exeafile.exevirus.exetraffic.exenewss.exeTJeAjWEEeH.exeamert.exe

pid process

1856 Ledger-Live.exe
2296 afile.exe
2164 virus.exe
1852 traffic.exe
360 newss.exe
1148 TJeAjWEEeH.exe
2576 amert.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

amert.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine amert.exe
Loads dropped DLL 8 IoCs

Processes:

FUCKER.exeRegAsm.exe

pid process

2008 FUCKER.exe
2008 FUCKER.exe
2008 FUCKER.exe
2420 RegAsm.exe
2420 RegAsm.exe
2008 FUCKER.exe
2008 FUCKER.exe
2008 FUCKER.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

39 raw.githubusercontent.com
16 bitbucket.org
17 bitbucket.org
38 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

amert.exe

pid process

2576 amert.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

afile.exe

description pid process target process

PID 2296 set thread context of 2420 2296 afile.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

amert.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job amert.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1676 2492 WerFault.exe dsdasda.exe
2232 1660 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1776 schtasks.exe

pid	process
1856	Ledger-Live.exe
2296	afile.exe
2164	virus.exe
1852	traffic.exe
360	newss.exe
1148	TJeAjWEEeH.exe
2576	amert.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	amert.exe

pid	process
2008	FUCKER.exe
2008	FUCKER.exe
2008	FUCKER.exe
2420	RegAsm.exe
2420	RegAsm.exe
2008	FUCKER.exe
2008	FUCKER.exe
2008	FUCKER.exe

flow	ioc
39	raw.githubusercontent.com
16	bitbucket.org
17	bitbucket.org
38	raw.githubusercontent.com

pid	process
2576	amert.exe

description	pid	process	target process
PID 2296 set thread context of 2420	2296	afile.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	amert.exe

pid	pid_target	process	target process
1676	2492	WerFault.exe	dsdasda.exe
2232	1660	WerFault.exe	RegAsm.exe

pid	process
1776	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FUCKER.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FUCKER.exe

Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2180 PING.EXE
1480 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeamert.exe

pid process

1836 powershell.exe
2576 amert.exe

pid	process
2180	PING.EXE
1480	PING.EXE

pid	process
1836	powershell.exe
2576	amert.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

FUCKER.exevirus.exetraffic.exeTJeAjWEEeH.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2008	FUCKER.exe
Token: SeDebugPrivilege	2164	virus.exe
Token: SeDebugPrivilege	1852	traffic.exe
Token: SeIncreaseQuotaPrivilege	2164	virus.exe
Token: SeSecurityPrivilege	2164	virus.exe
Token: SeTakeOwnershipPrivilege	2164	virus.exe
Token: SeLoadDriverPrivilege	2164	virus.exe
Token: SeSystemProfilePrivilege	2164	virus.exe
Token: SeSystemtimePrivilege	2164	virus.exe
Token: SeProfSingleProcessPrivilege	2164	virus.exe
Token: SeIncBasePriorityPrivilege	2164	virus.exe
Token: SeCreatePagefilePrivilege	2164	virus.exe
Token: SeBackupPrivilege	2164	virus.exe
Token: SeRestorePrivilege	2164	virus.exe
Token: SeShutdownPrivilege	2164	virus.exe
Token: SeDebugPrivilege	2164	virus.exe
Token: SeSystemEnvironmentPrivilege	2164	virus.exe
Token: SeRemoteShutdownPrivilege	2164	virus.exe
Token: SeUndockPrivilege	2164	virus.exe
Token: SeManageVolumePrivilege	2164	virus.exe
Token: 33	2164	virus.exe
Token: 34	2164	virus.exe
Token: 35	2164	virus.exe
Token: SeIncreaseQuotaPrivilege	2164	virus.exe
Token: SeSecurityPrivilege	2164	virus.exe
Token: SeTakeOwnershipPrivilege	2164	virus.exe
Token: SeLoadDriverPrivilege	2164	virus.exe
Token: SeSystemProfilePrivilege	2164	virus.exe
Token: SeSystemtimePrivilege	2164	virus.exe
Token: SeProfSingleProcessPrivilege	2164	virus.exe
Token: SeIncBasePriorityPrivilege	2164	virus.exe
Token: SeCreatePagefilePrivilege	2164	virus.exe
Token: SeBackupPrivilege	2164	virus.exe
Token: SeRestorePrivilege	2164	virus.exe
Token: SeShutdownPrivilege	2164	virus.exe
Token: SeDebugPrivilege	2164	virus.exe
Token: SeSystemEnvironmentPrivilege	2164	virus.exe
Token: SeRemoteShutdownPrivilege	2164	virus.exe
Token: SeUndockPrivilege	2164	virus.exe
Token: SeManageVolumePrivilege	2164	virus.exe
Token: 33	2164	virus.exe
Token: 34	2164	virus.exe
Token: 35	2164	virus.exe
Token: SeDebugPrivilege	1148	TJeAjWEEeH.exe
Token: SeDebugPrivilege	1836	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

FUCKER.exeLedger-Live.execmd.exeafile.exeRegAsm.exeTJeAjWEEeH.exe

description	pid	process	target process
PID 2008 wrote to memory of 1856	2008	FUCKER.exe	Ledger-Live.exe
PID 2008 wrote to memory of 1856	2008	FUCKER.exe	Ledger-Live.exe
PID 2008 wrote to memory of 1856	2008	FUCKER.exe	Ledger-Live.exe
PID 2008 wrote to memory of 1856	2008	FUCKER.exe	Ledger-Live.exe
PID 1856 wrote to memory of 772	1856	Ledger-Live.exe	cmd.exe
PID 1856 wrote to memory of 772	1856	Ledger-Live.exe	cmd.exe
PID 1856 wrote to memory of 772	1856	Ledger-Live.exe	cmd.exe
PID 1856 wrote to memory of 772	1856	Ledger-Live.exe	cmd.exe
PID 772 wrote to memory of 1480	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 1480	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 1480	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 1480	772	cmd.exe	PING.EXE
PID 2008 wrote to memory of 2296	2008	FUCKER.exe	afile.exe
PID 2008 wrote to memory of 2296	2008	FUCKER.exe	afile.exe
PID 2008 wrote to memory of 2296	2008	FUCKER.exe	afile.exe
PID 2008 wrote to memory of 2296	2008	FUCKER.exe	afile.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2008 wrote to memory of 2164	2008	FUCKER.exe	virus.exe
PID 2008 wrote to memory of 2164	2008	FUCKER.exe	virus.exe
PID 2008 wrote to memory of 2164	2008	FUCKER.exe	virus.exe
PID 2008 wrote to memory of 2164	2008	FUCKER.exe	virus.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2296 wrote to memory of 2420	2296	afile.exe	RegAsm.exe
PID 2420 wrote to memory of 360	2420	RegAsm.exe	newss.exe
PID 2420 wrote to memory of 360	2420	RegAsm.exe	newss.exe
PID 2420 wrote to memory of 360	2420	RegAsm.exe	newss.exe
PID 2420 wrote to memory of 360	2420	RegAsm.exe	newss.exe
PID 2420 wrote to memory of 1852	2420	RegAsm.exe	traffic.exe
PID 2420 wrote to memory of 1852	2420	RegAsm.exe	traffic.exe
PID 2420 wrote to memory of 1852	2420	RegAsm.exe	traffic.exe
PID 2420 wrote to memory of 1852	2420	RegAsm.exe	traffic.exe
PID 2008 wrote to memory of 1148	2008	FUCKER.exe	TJeAjWEEeH.exe
PID 2008 wrote to memory of 1148	2008	FUCKER.exe	TJeAjWEEeH.exe
PID 2008 wrote to memory of 1148	2008	FUCKER.exe	TJeAjWEEeH.exe
PID 2008 wrote to memory of 1148	2008	FUCKER.exe	TJeAjWEEeH.exe
PID 1148 wrote to memory of 1836	1148	TJeAjWEEeH.exe	powershell.exe
PID 1148 wrote to memory of 1836	1148	TJeAjWEEeH.exe	powershell.exe
PID 1148 wrote to memory of 1836	1148	TJeAjWEEeH.exe	powershell.exe
PID 2008 wrote to memory of 2576	2008	FUCKER.exe	amert.exe
PID 2008 wrote to memory of 2576	2008	FUCKER.exe	amert.exe
PID 2008 wrote to memory of 2576	2008	FUCKER.exe	amert.exe
PID 2008 wrote to memory of 2576	2008	FUCKER.exe	amert.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:1480

C:\Users\Admin\AppData\Local\Temp\Files\afile.exe
"C:\Users\Admin\AppData\Local\Temp\Files\afile.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Roaming\configurationValue\newss.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\newss.exe"
4⤵
- Executes dropped EXE
PID:360

C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Local\Temp\Files\virus.exe
"C:\Users\Admin\AppData\Local\Temp\Files\virus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
"C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"
2⤵
PID:1788

C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
3⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe"
2⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 612
3⤵
- Program crash
PID:1676

C:\Users\Admin\AppData\Local\Temp\Files\H667H.exe
"C:\Users\Admin\AppData\Local\Temp\Files\H667H.exe"
2⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\Files\MStore.exe
"C:\Users\Admin\AppData\Local\Temp\Files\MStore.exe"
2⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Add-MpPreference -ExclusionExtension .exe
3⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension .exe
4⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
2⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
3⤵
PID:2508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 252
4⤵
- Program crash
PID:2232

C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe"
2⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2280

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:2164

C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe"
4⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\Files\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\goldprimeldlldf.exe"
2⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
"C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"
2⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
"C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
2⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
"cmd" /c net use
3⤵
PID:2060

C:\Windows\SysWOW64\net.exe
net use
4⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe"
2⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
3⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:2180

C:\Users\Admin\AppData\Local\Temp\Files\lummahelp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lummahelp.exe"
2⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
2⤵
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\CNSWA.exe
Filesize
28.6MB

MD5
0b44d8e08785bd0464a34056857529cd

SHA1
9be80e26ba89dcea95df0d057924ed1eb14c144a

SHA256
47428a9f62a9a3efbe0bc9e5a3a1a7f957be06fca63879ebaa41cc0d3e9719bd

SHA512
681fd7f4beeb745fdcd5b5098e3d5099367b917b0c1482f5a0fadc0c8b0b664286ac6b62e9a4e2e0058343dafe830ff9b87798c288c9149dfcb09433579be4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2a5dfb95f9aa26b6f3a178d6369443fa

SHA1
66e62dc31d0d6f50270e727b1a0edcf28b33b21c

SHA256
4a85710897dc89f40f76248e74f71de4338de7081fcf9dda8b5e618b6076c9ce

SHA512
7cfbd00027960224760824364bb9273e4b69d8f44111bb9e208fca5341339b983f406c9375f3eeec8453e17e5d6b214128ff0c50b3e9cc710dda152cf66fef5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8c6a5d27096d1dd76a6c9f71cc815685

SHA1
6ec5e56545b1b2848ac9b0053b5c4354a7c21440

SHA256
82fc8dd86ea619f148f2155807166886a08bb354e6dab8f8b47e0dea6b933019

SHA512
1f5c327944825c75b5a2925294921fb383c650eaf2d60d35c6ddd71bd3853b49b758fe4988213305dea82af15f97e7c2eb394913182848521596d2abd9ee25f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d7d1c739e64acfaeb3a3fb1cf8a46f80

SHA1
c2816a0656fd70ce010e4037c3428819d5ff7132

SHA256
5a41085a93d997c9653cc03ff71b4cb6a1b836043d0602c44dda0dcd71ccea95

SHA512
995cf7a6dbf36449a0eb097e74bb582ad24284dc799418ddd5cb4fc4d6ef6b4b598bb735621760c62e57ee05dcd47c52858582e44f689ad768124f8656e0643c

Download Submit
C:\Users\Admin\AppData\Local\PhantomSoft\Support\UltraVNC.ini
Filesize
810B

MD5
fb8e93c5600db119f13c371d895db56b

SHA1
2dce9851d3013f2ba7c7af063c0a8da0e414f9f8

SHA256
8a412eee8611509fdb269e7440022b9dc4a053b94a8d406dd77c3bf4990ceb76

SHA512
ea1d2213765ec2d0e997bcb05c18a4c8bdd93cc60c16f1c615dacb7f7954c9f9348927daa723328b149d312ac0f922988379a41514fabd6ae31ec0ff949dc3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
Filesize
892KB

MD5
d65f5542509366672c1224cc31adfbf0

SHA1
b23844901a5cec793cece737f3357f8c8793d542

SHA256
85c5a9b53be051fef06d1082abb950a731ffb452e68cc9aafa907251e2d6bd72

SHA512
c4c333f4d084a3625162ff356b70f092cdbafff806af7d2b3c0ce596769b85ee546e341bf7e917609083f7785976dcce63b7bedd2cea63200fa4807721f19f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
Filesize
1.8MB

MD5
c6184d3d100524aadf7eb8fd1dcb8ec3

SHA1
3e56e59a5695da8cec3372ab72ba553a821d3f32

SHA256
8b38543e68dd7639af2a273a4a15a9a5db11af1e200a33b468474d06c3696fa4

SHA512
5aa0098c4541bfbaf584e2a1ae77296c205d30e0cb8b5ae9d0b31241a6725f8585af8df8d22169b9c0309e23e532659382b52653bde911febf717d09db7bd5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
464KB

MD5
4c4b53e5e75c14252ea3b8bf17a88f4b

SHA1
08c04b83d2c288346d77ec7bc824be8d7e34e40f

SHA256
799b9238ec23d902f6a9172e6df87f41faff3f639747f5f70478065a35a37598

SHA512
d6738721bcb0ec556a91effaf35c2795257dd0bbe6b038beb2d7843a2f490d66e75cc323dd154216350deee05b47aab6740efe12b869bac6bd299b9a2da699a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
Filesize
484KB

MD5
5e88980bb982663f2d687fd72bacd880

SHA1
04ea23d8cc91ee71b13476b4b60eee4fe478e01c

SHA256
c61c9ed0fdbcc1a5be82feb4895fe1a553659738137d8ed319c9f63ad301e423

SHA512
06b744b1a238c76b90a1182315838ee22e240cbd33d7ba9fabca344abca6e52e20fdfcd965febc18d82d05ad478aff7a4720715d7ed124ead75d9b91afc8301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\goldprimeldlldf.exe
Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4486.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6A38.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b9cf3b97639ddffbfdb62ce5631acaad

SHA1
0fa0aa99b9fd487575b52d502de91a9f6a6199b8

SHA256
e3caa279464ad3927fb1b505516f4cb426f921d49df9d512504f01a42a42868a

SHA512
394bad34c6c0e962d26e560edac63ae53ff56aefdc7b2429989c9ccab786222be90367aa35b0df64c22a11302b51cc94f63731caa06360cf7a74d621a02a7c35

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe
Filesize
381KB

MD5
2a962db2ec75a501e29468478cc4daf0

SHA1
6dba32665df9fa8b9d5899c527823ae9cfc0f042

SHA256
ffbde810025367bc18747442761de7523d93510b6f7ca5cac195f4cc294ff6a5

SHA512
2c90024880601f8994d89cb40fee0d20c2dc7d15f9cd178a0fab65a59f4c5583d47f740d9fa421f70b1e853b811aa6034cd7b450a6b96b59c94fae3d82182e0a

Download Submit
\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
Filesize
1.7MB

MD5
e0f5ea2b200ca1c5463e532d7cd18420

SHA1
4e192c88d50eae5cb809bd709dc41b091496c4ee

SHA256
122d26126466db404f2d5f1a6ed0e347fed81983cfa9a87039a95dc205770283

SHA512
4caae87208997c2b24315f529c683b01433d0ac2dbda5993f8db32727ce800efc14840660c2ae3898400d2f99d61266512e728f7cbe7360fceacd8b7d99c2fb4

Download Submit
\Users\Admin\AppData\Local\Temp\Files\H667H.exe
Filesize
32KB

MD5
f58195836da0faaea41f70fda27444cc

SHA1
0689aa29d20bab97bb08e48f75bb5c242a142866

SHA256
578ec40eb54828a3ebe1d6c51ef39c50a83dd0f0013435b7d9ca4a7fbd11451c

SHA512
120d426c1aa627ddceae7999dcf77d147f36fc6a47a8563033af6a858fc5dcb4d9938fdad5c9a41f7ec350941a9bf50b8309551694a3adc160bb045e0b959d42

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\MStore.exe
Filesize
12KB

MD5
282c1ebb16ad0edc41389d1e73a74607

SHA1
fbcdda121484ea6125827ed4e7b1b00f6a88835d

SHA256
7712424f2dec2d08630237c737e5f81789d2e92edc31111c72eaa0388b6df1dc

SHA512
94be4f173c5c63947a6e7902a86c8851ee84a06d1ddec104af91592178adafc3180f652791badc3e0c1139bbc7c9f64b9e47ccd0adadd16159a40ab6c188b292

Download Submit
\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
Filesize
533KB

MD5
eeabe641c001ce15e10f3ee3717b475a

SHA1
10fdda016fc47390017089367882281c6d38769f

SHA256
bb5ef9f70483ed7c79e37eca9dd136a514a346943edfe2803e27d1f6b262f05a

SHA512
1b0b9a398cf5a5e7c5ab0035796d07db720a8babcaf93fc92d1119ada5785c9de4d5df6a0ed10a29198cb4cd7c57da50ef4dc4c4fba5c77f72bf9fdcb73ac55a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\afile.exe
Filesize
1.7MB

MD5
48ec43bc47556095321ebc57a883efcd

SHA1
dafc012caabb4d0bd737ab141bfbc1853fa8553c

SHA256
51f914de76eac9e6bce5b2d3efb1d00a240097e71f3f042303b16917702f64ed

SHA512
74b7406457694ecfd1d59f077203e5efae9d189be26e95f3a31e7659112b59c00c652523291b17aa8c8c01aef7234929d5e7f6095a9c26c2c3e3c8724a0996b6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe
Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\virus.exe
Filesize
74KB

MD5
d7963dc144158429102bda49bc79e89b

SHA1
2d17331b35c800bbc22c2d33e55159a7a49fa5da

SHA256
f5c19d29589d4ac662c87f4aac467d9ca07396d51321d4c589c2dc285a88cd75

SHA512
c187154feb54ea2b2c8daddd370abf32ed53310633d9b4db8c873fbbb1605fa0c21d98afa50a2ef0b497ccfe1b537997d4a4dfecfd16d800b551836bd70f4055

Download Submit
\Users\Admin\AppData\Roaming\configurationValue\newss.exe
Filesize
297KB

MD5
bf16dc9b561369711e87666a91220711

SHA1
07823b283171caa390e8d10f3b72398dd3d9fc83

SHA256
5cb25bf182c14df7ae7dd13b0aa221ed0abe491cb82da6726595c34ce5e59a4d

SHA512
44dbbfdab99f57652a9a881958d020c0f06d88952a26d7ede45e8522f2d53c2c756c4aec0146daff60723c5265165e3d2f77fcf735362dd358b807d90beab9ab

Download Submit
\Users\Admin\AppData\Roaming\configurationValue\propro.exe
Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
memory/360-735-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/360-227-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/360-224-0x0000000001380000-0x00000000013D0000-memory.dmp

Filesize
320KB

Download
memory/360-228-0x00000000012C0000-0x0000000001300000-memory.dmp

Filesize
256KB

Download
memory/560-537-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-521-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-489-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-478-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-467-0x0000000005180000-0x0000000005630000-memory.dmp

Filesize
4.7MB

Download
memory/560-570-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-493-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-456-0x0000000001240000-0x000000000179A000-memory.dmp

Filesize
5.4MB

Download
memory/560-539-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-541-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-552-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-568-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-457-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/560-495-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-497-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-506-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-508-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-510-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-512-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-514-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-516-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-519-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-535-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-523-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-561-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-559-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-556-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/560-554-0x0000000005180000-0x000000000562B000-memory.dmp

Filesize
4.7MB

Download
memory/1148-386-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/1148-385-0x0000000001020000-0x0000000001104000-memory.dmp

Filesize
912KB

Download
memory/1148-384-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1704-751-0x0000000000C90000-0x0000000000D0A000-memory.dmp

Filesize
488KB

Download
memory/1788-438-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1836-405-0x0000000002CB4000-0x0000000002CB7000-memory.dmp

Filesize
12KB

Download
memory/1836-409-0x0000000002CBB000-0x0000000002D22000-memory.dmp

Filesize
412KB

Download
memory/1836-407-0x000007FEECB20000-0x000007FEED4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1836-408-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1836-396-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1836-397-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/1836-406-0x000007FEECB20000-0x000007FEED4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1852-230-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-223-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/1856-71-0x00000000047C0000-0x0000000004800000-memory.dmp

Filesize
256KB

Download
memory/1856-69-0x0000000001030000-0x0000000001050000-memory.dmp

Filesize
128KB

Download
memory/1856-70-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/1856-73-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-0-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2008-2-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2008-383-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2008-411-0x0000000007930000-0x0000000007DEF000-memory.dmp

Filesize
4.7MB

Download
memory/2008-1-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-412-0x0000000007930000-0x0000000007DEF000-memory.dmp

Filesize
4.7MB

Download
memory/2008-229-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-225-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-389-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-226-0x000000001A710000-0x000000001A790000-memory.dmp

Filesize
512KB

Download
memory/2164-188-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

Filesize
96KB

Download
memory/2296-82-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2296-81-0x00000000010D0000-0x000000000128C000-memory.dmp

Filesize
1.7MB

Download
memory/2296-113-0x0000000004F70000-0x0000000004FB0000-memory.dmp

Filesize
256KB

Download
memory/2296-147-0x0000000002690000-0x0000000004690000-memory.dmp

Filesize
32.0MB

Download
memory/2296-164-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-156-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2420-158-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2420-159-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-161-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2420-150-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2420-174-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2420-176-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2420-146-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2492-717-0x0000000004740000-0x00000000047A4000-memory.dmp

Filesize
400KB

Download
memory/2492-694-0x00000000045A0000-0x0000000004606000-memory.dmp

Filesize
408KB

Download
memory/2512-759-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2576-423-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2576-447-0x0000000001120000-0x00000000015DF000-memory.dmp

Filesize
4.7MB

Download
memory/2576-414-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/2576-416-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2576-415-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2576-417-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2576-418-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2576-419-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2576-420-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2576-421-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2576-422-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2576-413-0x0000000001120000-0x00000000015DF000-memory.dmp

Filesize
4.7MB

Download
memory/2576-443-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2576-424-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2576-425-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2576-426-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2576-427-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2576-428-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2576-439-0x0000000001120000-0x00000000015DF000-memory.dmp

Filesize
4.7MB

Download
memory/2576-440-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2576-441-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2900-734-0x0000000000F10000-0x0000000001414000-memory.dmp

Filesize
5.0MB

Download