Malware Analysis Report

2024-09-11 08:41

Sample ID 240427-gk1zbadb8z
Target ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a
SHA256 ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a
Tags
amadey lumma redline sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery evasion infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a

Threat Level: Known bad

The file ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a was found to be: Known bad.

Malicious Activity Summary

amadey lumma redline sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery evasion infostealer persistence rat spyware stealer trojan

Amadey

Detect Xworm Payload

SectopRAT

ZGRat

RedLine payload

Lumma Stealer

Stealc

RedLine

Xworm

Detect ZGRat V1

SectopRAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Stops running service(s)

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Checks BIOS information in registry

Identifies Wine through registry keys

Reads local data of messenger clients

Reads WinSCP keys stored on the system

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Creates scheduled task(s)

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-27 05:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 05:52

Reported

2024-04-27 05:55

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe"

Signatures

Amadey

trojan amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Xworm

trojan rat xworm

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameServerClientC.exe N/A
N/A N/A C:\Windows\Temp\384272.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameServerClient.exe N/A
N/A N/A C:\Windows\Temp\173047.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 1456 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 1456 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1456 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\system32\DllHost.exe
PID 1456 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\system32\DllHost.exe
PID 1456 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\system32\DllHost.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1456 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 1456 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 1456 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3836 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2140 wrote to memory of 2904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 2140 wrote to memory of 2904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 1456 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 1456 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 1456 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 2140 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 2140 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 2140 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 3168 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Program Files (x86)\GameServerClient\GameService.exe
PID 3168 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Program Files (x86)\GameServerClient\GameService.exe
PID 3168 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Program Files (x86)\GameServerClient\GameService.exe
PID 1456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 1456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 1456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 1456 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 1456 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 1456 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 1456 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 4940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1928 wrote to memory of 4940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 396 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe

"C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2368 -ip 2368

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5116 -ip 5116

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3836 -ip 3836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 356

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClient confirm

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3520 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClientC confirm

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\Temp\384272.exe

"C:\Windows\Temp\384272.exe" --coin BTC -m ADDRESSES -t 0 --range 30e32f00400000000:30e32f00600000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\Temp\173047.exe

"C:\Windows\Temp\173047.exe" --list-devices

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
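
The process list above shows the run's persistence and defence-evasion chain in raw form: two schtasks entries that re-launch binaries from AppData every minute, Defender exclusions for mstc.exe and explorer.exe, a service torn down and re-registered through GameService.exe, a delayed self-delete of RegAsm.exe, and netsh plus Compress-Archive used for collection. The following script, added here as an example and not part of the sandbox report, applies a small rule set to those command lines so the same chain can be spotted in process-creation telemetry. The command lines are copied from the list above; the rules, tactic labels and scoring are this example's own assumptions, not the sandbox's signature logic.

```python
"""Added triage example for the process list above (not part of the sandbox
report). Scores each recorded command line against a small rule set covering
the persistence, defence-evasion, discovery and collection patterns seen in
this run. The rules and tactic labels are this example's own assumptions."""
import re
from collections import Counter

# Constructed sample: command lines copied from the process list above, plus a
# WerFault crash-reporter line that should match nothing.
SAMPLE = r"""
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 356
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
netsh wlan show profiles
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
Sc delete GameServerClient
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
"""
SAMPLE_CMDLINES = SAMPLE.strip().splitlines()


def _rx(pattern):
    return re.compile(pattern, re.I)


# Directories an unprivileged user can write to; a task, service or DLL
# rooted there is the suspicious part, not the tool itself.
WRITABLE_DIR    = _rx(r'\\(?:appdata|temp|users\\public|programdata)\\')
SCHTASKS_CREATE = _rx(r'schtasks(?:\.exe)?"?\s+/create\b')
EVERY_MINUTE    = _rx(r'/sc\s+minute\b')
MP_EXCLUSION    = _rx(r'add-mppreference\s+-exclusion(?:path|process|extension)\b')
EXEC_BYPASS     = _rx(r'-executionpolicy\s+bypass\b')
RUNDLL32_DLL    = _rx(r'rundll32(?:\.exe)?"?\s+\S+\.dll\b')
WLAN_PROFILES   = _rx(r'netsh\s+wlan\s+show\s+profiles?\b')
ARCHIVE_TO_ZIP  = _rx(r"compress-archive\b.*-destinationpath\s+'?[^' ]*\.zip")
SC_DELETE       = _rx(r'\bsc(?:\.exe)?\s+delete\s+\S+')
SERVICE_INSTALL = _rx(r'\binstall\s+\w+\s+"[^"]+\.exe"')   # GameService.exe syntax seen above
DELAYED_DELETE  = _rx(r'\bchoice\b.*/t\s+\d+.*&\s*del\b')

# (finding, tactic, predicate). Predicates return a truthy value on a hit.
RULES = [
    ("scheduled task re-runs a binary from a user-writable path every minute", "persistence",
     lambda c: SCHTASKS_CREATE.search(c) and EVERY_MINUTE.search(c) and WRITABLE_DIR.search(c)),
    ("service removed with sc.exe ahead of re-registration", "persistence", SC_DELETE.search),
    ('service registered through a bundled helper (install <name> "<exe>")', "persistence",
     SERVICE_INSTALL.search),
    ("Defender exclusion added with Add-MpPreference", "defense-evasion", MP_EXCLUSION.search),
    ("PowerShell started with -ExecutionPolicy Bypass", "defense-evasion", EXEC_BYPASS.search),
    ("delayed self-deletion (choice /T n & del)", "defense-evasion", DELAYED_DELETE.search),
    ("rundll32 loads a DLL from a user-writable path", "execution",
     lambda c: RUNDLL32_DLL.search(c) and WRITABLE_DIR.search(c)),
    ("saved Wi-Fi profiles enumerated with netsh", "discovery", WLAN_PROFILES.search),
    ("user files staged into a zip with Compress-Archive", "collection", ARCHIVE_TO_ZIP.search),
]


def triage(cmdlines):
    """Return [(cmdline, [(finding, tactic), ...])] for lines with at least one hit."""
    out = []
    for cmd in cmdlines:
        hits = [(finding, tactic) for finding, tactic, pred in RULES if pred(cmd)]
        if hits:
            out.append((cmd, hits))
    return out


def tactic_counts(cmdlines):
    """Hits per tactic; a spread across several tactics from one process tree
    is the stronger signal, since every tool here is also used legitimately."""
    return Counter(tactic for _, hits in triage(cmdlines) for _, tactic in hits)


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES):
        print(cmd[:72])
        for finding, tactic in hits:
            print(f"    [{tactic}] {finding}")
    print(dict(tactic_counts(SAMPLE_CMDLINES)))
```

Run as-is it prints the hits for the embedded sample; on real telemetry feed it the CommandLine field from Sysmon event 1 or Security event 4688. No single rule is decisive (schtasks, rundll32 and sc.exe are all legitimate), which is why the tactic spread, not the individual match, is what the summary reports.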

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 104.21.67.211:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 172.67.199.191:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 172.67.183.226:443 enthusiasimtitleow.shop tcp
US 8.8.8.8:53 211.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 32.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 191.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 dismissalcylinderhostw.shop udp
US 104.21.22.160:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 226.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 160.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
US 172.67.211.165:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 communicationgenerwo.shop udp
US 172.67.166.251:443 communicationgenerwo.shop tcp
US 8.8.8.8:53 pillowbrocccolipe.shop udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 172.67.144.218:443 pillowbrocccolipe.shop tcp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
US 8.8.8.8:53 165.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 251.166.67.172.in-addr.arpa udp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 218.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 77.221.151.47:80 77.221.151.47 tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 106.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 23.157.67.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 47.151.221.77.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 file-drop.cc udp
FR 52.143.157.84:80 52.143.157.84 tcp
US 104.21.95.172:443 file-drop.cc tcp
US 8.8.8.8:53 84.157.143.52.in-addr.arpa udp
US 8.8.8.8:53 172.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 185.215.113.67:26260 tcp
DE 185.172.128.33:8970 tcp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
RU 5.42.65.67:48396 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp
US 8.8.8.8:53 108.254.92.91.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
NL 91.92.254.108:1111 saveclinetsforme68465454711991.publicvm.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/2584-0-0x0000000000FF0000-0x00000000014A5000-memory.dmp

memory/2584-1-0x0000000077A44000-0x0000000077A46000-memory.dmp

memory/2584-2-0x0000000000FF0000-0x00000000014A5000-memory.dmp

memory/2584-9-0x00000000053F0000-0x00000000053F1000-memory.dmp

memory/2584-8-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/2584-7-0x00000000053B0000-0x00000000053B1000-memory.dmp

memory/2584-6-0x0000000005390000-0x0000000005391000-memory.dmp

memory/2584-5-0x0000000005400000-0x0000000005401000-memory.dmp

memory/2584-4-0x00000000053D0000-0x00000000053D1000-memory.dmp

memory/2584-3-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/2584-11-0x0000000005410000-0x0000000005411000-memory.dmp

memory/2584-10-0x0000000005420000-0x0000000005421000-memory.dmp

memory/2584-16-0x0000000000FF0000-0x00000000014A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 aaf8b392cdb0fa0d2795df5129d1f3af
SHA1 3747955dd538f58007faee84877e596b16def200
SHA256 ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a
SHA512 877c7ec64b369376fecea7dfc068b8d6bef8d26bb040b2d6dd1dc4b2526f3f3d77d5c7d158cc454998edc398da6142b3ef95187380c0d1f11c40b7bd4173951a

memory/1456-19-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-26-0x0000000004B30000-0x0000000004B31000-memory.dmp

memory/1456-25-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/1456-24-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/1456-23-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/1456-22-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/1456-21-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/1456-20-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-27-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/2368-47-0x0000000073650000-0x0000000073E00000-memory.dmp

memory/2368-48-0x00000000005F0000-0x0000000000642000-memory.dmp

memory/3916-51-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3916-54-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2368-55-0x0000000002AA0000-0x0000000004AA0000-memory.dmp

memory/3916-56-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/2140-73-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/2336-92-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2336-93-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/1424-129-0x00000000009F0000-0x0000000000A42000-memory.dmp

memory/1424-131-0x0000000005820000-0x0000000005DC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

memory/1424-141-0x0000000005310000-0x00000000053A2000-memory.dmp

memory/2904-142-0x00000000004A0000-0x0000000000560000-memory.dmp

memory/2368-151-0x0000000073650000-0x0000000073E00000-memory.dmp

memory/1796-154-0x0000000000AF0000-0x0000000000B42000-memory.dmp

memory/1456-155-0x00000000009C0000-0x0000000000E75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

memory/1796-167-0x0000000005430000-0x000000000543A000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/396-186-0x00000000001C0000-0x00000000001EE000-memory.dmp

memory/3052-193-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

MD5 6184676075afacb9103ae8cbf542c1ed
SHA1 bc757642ad2fcfd6d1da79c0754323cdc823a937
SHA256 a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b
SHA512 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa

memory/3052-191-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp583D.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353

MD5 6ff86c74b079acf4540c2317e92a2458
SHA1 49c658514be683abaa83e64fdb3fb94402b21e29
SHA256 11eae464bf3cd531ef1f195823ee0b0bc5978a95d3d425284a9778b24fc11f87
SHA512 1573f3098ab2321b2736d5e8107828104d5511c9ef83d913d38def9287f77c63fdf32a4c46c9cd8441f93196bb11ade8b0b7368adae9dd5a8f6e10bcc3f71590

memory/1424-247-0x0000000005F50000-0x0000000005FC6000-memory.dmp

memory/1796-258-0x0000000006950000-0x000000000696E000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 52e3f38557bc84b7845f1e9914b60276
SHA1 7f4d6ec636e5549e9b5e2b77c5efaa3d18dee03f
SHA256 974c64e7af9e27200b7c273e789c7061d22ac283f7b14ee94afe289651a182e0
SHA512 8e92f4e0f001413684cad06b72b10c6de8f9582e5f954ec536d303d8cd1d61dc4a7a3be34bc6b09e85ec1a03002b0a70efdc95b4aa7d99dec93975986ced931b

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 f8655ead162a0f200c9ed1cb0aa3491d
SHA1 cbe931d6a03a9f8b6d643e0764409882b84c5c49
SHA256 4d544c4b8dfab46950eff46aae27e50a020bb11fd1959a87dc008a3ab3d9fc31
SHA512 e89aca62ada806e154551a31f54fded42bc792d05444ffd64e0a7dbfd8bc185375b346847638a55e48352a7eb94a0b896648ff5958ab9c897030bdfcae050ffa

memory/1796-269-0x00000000070D0000-0x00000000076E8000-memory.dmp

memory/1796-283-0x0000000006C20000-0x0000000006D2A000-memory.dmp

memory/1796-288-0x0000000006B60000-0x0000000006B72000-memory.dmp

memory/3052-271-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1424-289-0x0000000006AC0000-0x0000000006AFC000-memory.dmp

memory/1424-299-0x0000000006C30000-0x0000000006C7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe

MD5 17eefbaaa30123fa3091add80026aed4
SHA1 8e43d736ea03bd33de5434bda5e20aae121cd218
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512 e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

C:\Program Files (x86)\GameServerClient\installg.bat

MD5 b6b57c523f3733580d973f0f79d5c609
SHA1 2cc30cfd66817274c84f71d46f60d9e578b7bf95
SHA256 d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570
SHA512 d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

memory/3976-321-0x0000000000B90000-0x0000000000BA2000-memory.dmp

C:\Program Files (x86)\GameServerClient\GameService.exe

MD5 d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1 e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA512 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

memory/4596-330-0x0000017868EE0000-0x0000017868F02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x1nypn1n.x3z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1456-335-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/2904-337-0x000000001F030000-0x000000001F13A000-memory.dmp

memory/2904-339-0x000000001EF60000-0x000000001EF9C000-memory.dmp

memory/2904-338-0x000000001C020000-0x000000001C032000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

memory/2904-366-0x000000001F640000-0x000000001F6B6000-memory.dmp

memory/1424-371-0x0000000006D70000-0x0000000006DD6000-memory.dmp

memory/2904-370-0x000000001C000000-0x000000001C01E000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2904-405-0x0000000020490000-0x00000000209B8000-memory.dmp

memory/2904-404-0x000000001FD90000-0x000000001FF52000-memory.dmp

memory/1796-406-0x0000000008840000-0x0000000008890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9585.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp979C.tmp

MD5 d444c807029c83b8a892ac0c4971f955
SHA1 fa58ce7588513519dc8fed939b26b05dc25e53b5
SHA256 8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259
SHA512 b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e

C:\Users\Admin\AppData\Local\Temp\tmp97DC.tmp

MD5 0005f10e2ed36e4e3e483444c3f25a32
SHA1 d16e43320a33481e9c76cefac056c9d5fa6b9d9a
SHA256 d9d2adb947709508fbef90007044a807bc61cdc776fbb2ab84b88618fa8f6ff3
SHA512 608a4ac79adedc3f2a8bff5b079f70df0df702ba8fda8d0ef5cb0d708fa53ce67d0ef19b463e773fbd60f7f4056e6d7c82d21c22974fbc3fd24cd51e2c8189d0

C:\Program Files (x86)\GameServerClient\installc.bat

MD5 a3d3d85bc0b7945908dd1a5eaf6e6266
SHA1 8979e79895226f2d05f8af1e10b99e8496348131
SHA256 3aad1c9feb23c9383ee7e5c8cb966afd262142b2e0124b8e9cda010ea53f24c6
SHA512 9184b09bdc10fb3ec981624f286ab4228917f8b1f5cbec7ee875d468c38461395d970d860e3ff99cb184e8839ed6c3ca85a9eaffdd24f15c74b311623c48f618

memory/1456-459-0x00000000009C0000-0x0000000000E75000-memory.dmp

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

MD5 9c3cfd2a7e37af3ed81598469fcbe08a
SHA1 059bb3b9bb547feedc2bf07c89c9a604aaf04f3d
SHA256 6991a5928be7bfbb9a18f20bf00121371b4127f8295e5673303bfe044da8f715
SHA512 1b48d43d665cbe8588f984a588439d16aac12fc3a9c70cfbf223350221db0e60dedb1ad3b4b83d5b2e7352c3ee402884390647da3189af8e26c307eb5c679edf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1796-466-0x0000000008890000-0x0000000008A52000-memory.dmp

memory/1796-485-0x0000000008F90000-0x00000000094BC000-memory.dmp

C:\Windows\Temp\384272.exe

MD5 bfe6b13011bbba05c28109cf6730f8a1
SHA1 28da37544341c3587c11c1f1f294505516434d40
SHA256 93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd
SHA512 d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 1aa4c8a8b942fc6bcb48eb0074a8115a
SHA1 9fd64716658829032a272d64fba6b5b0fcc2faff
SHA256 bde42a06c4b56700c437c20f3c8559ebbecb8470eb13f67ea0654e69c62441e4
SHA512 d14ff2c99de25c3cf0398892a1a5c34cf97a2a301c6d8391b14925f9d6105c3d0e25e4e19788db336d75a36b7274e6761beeebbda66ec0ada40f060e2d25afa3

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 dea6f5b96c6ecd85a677936934aedbfd
SHA1 ed4d7f47960d3eae9c1201269c19384ea10c1a3f
SHA256 0915272922d9505cff9083da0bf8381af8b1b198a6c4a6411cf66fc31bcb2ed3
SHA512 34ad4a8d955b093486d65a25e5c1b8d7c2513d846d827c0ebf8e4580ffe9397c474ad300f61949086be30158de5326be0fb2a57408f1bba8e4b1b6eccc88195d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Windows\Temp\curjob.bin

MD5 f5cb96700dc9398a5992a51e49e34268
SHA1 7b288f8710efbd687eecdf0a3d4132fe8a4da1a6
SHA256 7c072b1879949609ee2d08e6e53d38ed193a9e7f02b2617bc40fb3296c56806e
SHA512 b01b74e6dd9feb9c31f695c407de8aab04f82e877190feebd963bf833cc1791f20201e4ffbf9433b7a2a416b5533cdf3afc893bf69501e100b399ef7f63c7e20

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

MD5 bf4360d76b38ed71a8ec2391f1985a5f
SHA1 57d28dc8fd4ac052d0ae32ca22143e7b57733003
SHA256 4ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf
SHA512 7b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd

C:\Windows\Temp\173047.exe

MD5 5c9e996ee95437c15b8d312932e72529
SHA1 eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA256 0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512 935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

memory/4596-512-0x0000017868ED0000-0x0000017868EDA000-memory.dmp

memory/4596-511-0x0000017869070000-0x0000017869082000-memory.dmp

C:\Windows\Temp\cudart64_101.dll

MD5 1d7955354884a9058e89bb8ea34415c9
SHA1 62c046984afd51877ecadad1eca209fda74c8cb1
SHA256 111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA512 7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

MD5 e6529123a8aa7b91e1b975db5b7a6702
SHA1 d3e61433b4e92b1be62df16eb832fe500f9c2b01
SHA256 4ea738aa13683e30a40ece53737a3370dcbf875894fbb1b7a367f375c46ea8d4
SHA512 a5eca909aea204bc6069349bea9edb389135d2d97acebcaf57bdf7d8e55e7d84bc046720e0a425a1f8060936ebb2b13dfb902abd5638a2485ff5e3cc461e2453

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be67063c62a242565760a02a642a9f02
SHA1 d1043a892b44d6676f71b568f578fff947266a19
SHA256 56f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48
SHA512 90d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638

memory/1456-542-0x00000000009C0000-0x0000000000E75000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3e8199b4634731cf0a0c26c1f14f588
SHA1 7f8fae27eb80055a436a6b5457978f32673d9ad4
SHA256 ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a
SHA512 806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

memory/1456-562-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-566-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/3976-568-0x000000001C810000-0x000000001C82E000-memory.dmp

memory/3976-569-0x000000001D9A0000-0x000000001DCF0000-memory.dmp

memory/1456-570-0x00000000009C0000-0x0000000000E75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp511A.tmp

MD5 4c2e2189b87f507edc2e72d7d55583a0
SHA1 1f06e340f76d41ea0d1e8560acd380a901b2a5bd
SHA256 99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca
SHA512 8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

C:\Users\Admin\AppData\Local\Temp\tmp5203.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/1456-732-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-733-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-734-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-735-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-736-0x00000000009C0000-0x0000000000E75000-memory.dmp

memory/1456-737-0x00000000009C0000-0x0000000000E75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 05:52

Reported

2024-04-27 05:55

Platform

win11-20240426-en

Max time kernel

143s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe

"C:\Users\Admin\AppData\Local\Temp\ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\062789476783_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

Network

Country Destination Domain Proto
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.167:80 193.233.132.167 tcp

Files

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 aaf8b392cdb0fa0d2795df5129d1f3af
SHA1 3747955dd538f58007faee84877e596b16def200
SHA256 ea8b0aa11e49738dc4d76aa702471dea1da1665705e975635e63fd1ce933681a
SHA512 877c7ec64b369376fecea7dfc068b8d6bef8d26bb040b2d6dd1dc4b2526f3f3d77d5c7d158cc454998edc398da6142b3ef95187380c0d1f11c40b7bd4173951a

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqiabegt.e1z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
