028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Size

2.0MB
MD5

2c3bd477eefc6e52974a4fe8659660da
SHA1

4d77b1ca10a254109e71443ca72a320efb6bd13d
SHA256

028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e
SHA512

b4e1e44570f27dad612849e2cba04ff8fae75e6987a1c7a99efc2a34740671ebe8434fc0b8668ff6de2470302940a6ed01cf0066f1367f803123bc7213ca66df
SSDEEP

49152:RSnWm37PrFEAPTHnhg1j2DeED3WePTHnhg1j2DeED3gCQ5:RyWm37zT9oK/9oKBQ5

Score

8^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe

Executes dropped EXE 10 IoCs

pid	Process
1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
2776	AmigoDistrib.exe
2600	AmigoDistrib.exe
1036	mailruhomesearch.exe
3044	AmigoDistrib.exe
2240	setup.exe
2152	setup.exe
1012	amigo.exe
600	amigo.exe
2516	updater.exe

Loads dropped DLL 22 IoCs

pid	Process
2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
2776	AmigoDistrib.exe
2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
2600	AmigoDistrib.exe
3044	AmigoDistrib.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
1012	amigo.exe
600	amigo.exe
1012	amigo.exe
2600	AmigoDistrib.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MailRuUpdater = "C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\MailRuUpdater.exe"	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\mailruhomesearch = "\"C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Sputnik\\ptls\\mailruhomesearch.exe\" --pr_deferred"	mailruhomesearch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\amigo = "C:\\Users\\Admin\\AppData\\Local\\Amigo\\Application\\amigo.exe --no-startup-window"	setup.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mailruhomesearch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Mail.Ru\MailRuUpdater\us\336327ca85	MailRuUpdater.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmigoDistrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amigo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailRuUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmigoDistrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailRuUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmigoDistrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amigo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mailruhomesearch.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0ebe6d3b634db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000007d0de159d89cbd86c6b0d05fd46b78139277b98ce7a9786ddbf1371d012cfb16000000000e8000000002000020000000fd99d7a54bcbb9382233b2dfd3d81ec4fab4a273b5b6084feb49c2dab13e3e3290000000480cc267d3cf3d07d4f4f639e6991093c5f98a2f806bfd08eca908008d6d5ee276d05f4188406420169d7f15f34a9d1d4949e1eb72a2f694c4832a83e00535598403e08cd3f9e3694e48fd19f3c344bb6a8b839fa772e9553ef6bdbffe7c8c1e6d0dbc89cd7b384dc4e5fe7fca4295b59854cc0324f73b32b32dab6fd63be721d83311e0d991d4fddd444ef44c97f70d4000000040639f9475a0c8a1dbb03fe40f6b91e2e84265b5365a2659a9e9b93675c47abed373cb8cd5909b8bafc866716261d9e7558f285c606b367d1e9e384af72b5afa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000005e1db1af9418bacac3c966324d3927f76f61fca616bc33d94b9ce212a44bd08e000000000e8000000002000020000000f964dfde397c3a3117f624a6444f8c391bf158565cdad222084ae35b1d53cf9520000000bf9d794fe4b323f8bcee1694a623e1da229dfb96eeb256c3639e395f397989774000000070324a016538dd13d83da36c214cd8ff12bd32eb673055b3817700338587903008fe9d69388e4488fbd2f3db358c6e2909f4dbe2ebb49190f602b7051eaac89f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEBCF401-A0A9-11EF-B36A-E62D5E492327} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	MailRuUpdater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437545613"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MailRuUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "MailRuUpdater.exe"	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	MailRuUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MailRuUpdater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.html\ = "AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA"	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.xht\ = "AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA"	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Amigo\\Application\\amigo.exe\" -- \"%1\""	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.htm	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.shtml\ = "AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA"	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell\open	amigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\ = "Amigo HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Amigo\\Application\\amigo.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell\open\ddeexec	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\shell\open\ddeexec	amigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Amigo\\Application\\amigo.exe\" -- \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.xhtml\ = "AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA"	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell\open\ddeexec\	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell\ = "open"	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\shell\open\command	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\shell\ = "open"	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https\shell\ = "open"	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https\shell\open\ddeexec\	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\shell\open\ddeexec\	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https\URL Protocol	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.html	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Amigo\\Application\\amigo.exe,0"	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\shell	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https\shell\open	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.shtml	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.xhtml	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Amigo\\Application\\amigo.exe,0"	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\http\shell\open	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\DefaultIcon	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https\shell	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.xht	amigo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\URL Protocol	amigo.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\https\shell\open\command	amigo.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AmigoHTML.INIYRXFX7DJ74VDKHNUNV544PA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ftp\shell\open\command	amigo.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
1036	mailruhomesearch.exe
2240	setup.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2156	MailRuUpdater.exe
2156	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2156	MailRuUpdater.exe
2156	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe
2444	MailRuUpdater.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSecurityPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeTakeOwnershipPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeLoadDriverPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSystemProfilePrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSystemtimePrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeProfSingleProcessPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeIncBasePriorityPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeCreatePagefilePrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeBackupPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeRestorePrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeShutdownPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeDebugPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSystemEnvironmentPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeChangeNotifyPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeRemoteShutdownPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeUndockPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeManageVolumePrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeImpersonatePrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeCreateGlobalPrivilege	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 33	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 34	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 35	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeIncreaseQuotaPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSecurityPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeTakeOwnershipPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeLoadDriverPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSystemProfilePrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSystemtimePrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeProfSingleProcessPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeIncBasePriorityPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeCreatePagefilePrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeBackupPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeRestorePrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeShutdownPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeDebugPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeSystemEnvironmentPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeChangeNotifyPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeRemoteShutdownPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeUndockPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeManageVolumePrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeImpersonatePrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: SeCreateGlobalPrivilege	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 33	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 34	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 35	1620	_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
Token: 33	3044	AmigoDistrib.exe
Token: SeIncBasePriorityPrivilege	3044	AmigoDistrib.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2128	iexplore.exe
2128	iexplore.exe
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1620	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	31
PID 2532 wrote to memory of 1620	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	31
PID 2532 wrote to memory of 1620	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	31
PID 2532 wrote to memory of 1620	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	31
PID 2532 wrote to memory of 2776	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	33
PID 2532 wrote to memory of 2776	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	33
PID 2532 wrote to memory of 2776	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	33
PID 2532 wrote to memory of 2776	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	33
PID 2776 wrote to memory of 2600	2776	AmigoDistrib.exe	34
PID 2776 wrote to memory of 2600	2776	AmigoDistrib.exe	34
PID 2776 wrote to memory of 2600	2776	AmigoDistrib.exe	34
PID 2776 wrote to memory of 2600	2776	AmigoDistrib.exe	34
PID 2532 wrote to memory of 1036	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	35
PID 2532 wrote to memory of 1036	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	35
PID 2532 wrote to memory of 1036	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	35
PID 2532 wrote to memory of 1036	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	35
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 2600 wrote to memory of 3044	2600	AmigoDistrib.exe	37
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 3044 wrote to memory of 2240	3044	AmigoDistrib.exe	38
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2240 wrote to memory of 2152	2240	setup.exe	39
PID 2532 wrote to memory of 2128	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	41
PID 2532 wrote to memory of 2128	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	41
PID 2532 wrote to memory of 2128	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	41
PID 2532 wrote to memory of 2128	2532	028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe	41
PID 2128 wrote to memory of 1668	2128	iexplore.exe	42
PID 2128 wrote to memory of 1668	2128	iexplore.exe	42
PID 2128 wrote to memory of 1668	2128	iexplore.exe	42
PID 2128 wrote to memory of 1668	2128	iexplore.exe	42
PID 2240 wrote to memory of 1012	2240	setup.exe	43
PID 2240 wrote to memory of 1012	2240	setup.exe	43
PID 2240 wrote to memory of 1012	2240	setup.exe	43
PID 2240 wrote to memory of 1012	2240	setup.exe	43
PID 1012 wrote to memory of 600	1012	amigo.exe	44
PID 1012 wrote to memory of 600	1012	amigo.exe	44
PID 1012 wrote to memory of 600	1012	amigo.exe	44
PID 1012 wrote to memory of 600	1012	amigo.exe	44
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46
PID 2600 wrote to memory of 2516	2600	AmigoDistrib.exe	46

C:\Users\Admin\AppData\Local\Temp\028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
"C:\Users\Admin\AppData\Local\Temp\028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\Installer\_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe
  "C:\Users\Admin\AppData\Roaming\Installer\_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe" 655762
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\AppData\Roaming\Installer\AmigoDistrib.exe
  "C:\Users\Admin\AppData\Roaming\Installer\AmigoDistrib.exe" --silent --rfr=ticno2 --ua_rfr=CHANNEL_ticno2 --make_default=1 /partner_new_url=&ovr=$__OVR
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\loader_ldir_2776_25372\AmigoDistrib.exe
    C:\Users\Admin\AppData\Local\Temp\loader_ldir_2776_25372\AmigoDistrib.exe --silent --rfr=ticno2 --ua_rfr=CHANNEL_ticno2 /partner_new_url=&ovr=$__OVR --cp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1731383735\AmigoDistrib.exe
      "C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1731383735\AmigoDistrib.exe" --silent --rfr=ticno2 --ua_rfr=CHANNEL_ticno2 --partner_new_url=&ovr=$__OVR --ext_params=masterid={6B784311-E43A-490D-904F-5D6573299C0E}&tcvsts=-2 --ils=12
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\CR_FF1FE.tmp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CR_FF1FE.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_FF1FE.tmp\CHROME.PACKED.7Z" --silent --rfr=ticno2 --ua_rfr=CHANNEL_ticno2 --partner_new_url=&ovr=$__OVR --ext_params=masterid={6B784311-E43A-490D-904F-5D6573299C0E}&tcvsts=-2 --ils=12
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\CR_FF1FE.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\CR_FF1FE.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Amigo\User Data\Crashpad" --url=https://webrowser.amigo.mail.ru/amcr --annotation=ProductName=Amigo --annotation=Version=61.0.3163.114 --annotation=bid={213F6F67-DDDE-494D-A1DA-2C3A4DB66FD7} --annotation=plat=Win32 --initial-client-data=0x118,0x11c,0x120,0x10c,0x124,0x106dde0,0x106ddf0,0x106de00
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Amigo\Application\amigo.exe
        
        "C:\Users\Admin\AppData\Local\Amigo\Application\amigo.exe" --make-default-browser
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Amigo\Application\amigo.exe
        
        C:\Users\Admin\AppData\Local\Amigo\Application\amigo.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Amigo\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Amigo\User Data" --url=https://webrowser.amigo.mail.ru/amcr --annotation=ProductName=Amigo --annotation=Version=61.0.3163.114 --annotation=bid={213F6F67-DDDE-494D-A1DA-2C3A4DB66FD7} --annotation=plat=Win32 --initial-client-data=0x8c,0x90,0x94,0x88,0x98,0x70c772bc,0x70c772cc,0x70c772dc
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:600
  - - C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1731383735\updater.exe
      "C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1731383735\updater.exe" --install
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      PID:2516
    - - C:\Users\Admin\AppData\Local\Mail.Ru\MailRuUpdater.exe
        
        "C:\Users\Admin\AppData\Local\Mail.Ru\MailRuUpdater.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
- C:\Users\Admin\AppData\Roaming\Installer\mailruhomesearch.exe
  "C:\Users\Admin\AppData\Roaming\Installer\mailruhomesearch.exe" /silent /rfr=ticno2 /partner_new_url=
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://special.kaspersky-labs.com/AIF0KEZ7VLBUR6KBTBYC/kav14.0.0.4651abRU_5173.exe
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1668

C:\Program Files (x86)\Mail.Ru\MailRuUpdater\MailRuUpdater.exe
"C:\Program Files (x86)\Mail.Ru\MailRuUpdater\MailRuUpdater.exe" --s
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mail.Ru\Id

Filesize
38B

MD5
dc93eb00a1341afb35339bea3e1c70d9

SHA1
61d455592c0f362fd8d8ac751be0ca99075faed3

SHA256
951da8f11f2bd6c2cd89188e7d345aa6622607aba87c0890dc3678fcf2ec37b6

SHA512
d041caf2f2b01cfb4ea1c2a6032712622d3954fe220a3dfa5a2f66416c1bce282a4385b35534895ea7b79ac0057c9e7f4e589be037c9d2bcf85b74dfbbe1bd31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e0dd145852da9ebbe97a2776369b320c

SHA1
3e187150a090dd1839c07fc629d6bf8b910dbefa

SHA256
f1d7092a3eb0a1cf788c63e28fb9566ae1da8652e00887f4c0c07f323bab0a30

SHA512
583075d92bc14ac29a3f562f73ed1ec998d042d62d77817dc5123ddee40ffc09e00f466bc9b105ca3b53e3110e4dc7799fd43d76d9fee7c39ca1daacee794c49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41caecfa51633b7f773cc8f64b0aa2a9

SHA1
377d337e879c8a67f05a1efb3bbb814a1a08c321

SHA256
440871f4e90877f8a80684da79c2755ca060e9704dc5cabb11dc84ace9d23ac3

SHA512
5c4f5ccbcafaa9d307c9deb432015d0053a772859c41d5b0733493e6dc74c09284433f414bab7aa914f999d5d7d754b4ec9aafd4e739472fb459de8f128bec4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8422ed25fd52edbcf3b721a430727836

SHA1
a1a2a14861a9f9ba7e27364040bf66d79f57711d

SHA256
595a172b6f7bb555584b0e38d2dfc76aa8dc454f1124361fbb02fa2c6ca9b9ba

SHA512
2d14a11a1a9338a7bf4bf92807b9764a0e0db853894e4a0d8c2c20a08c47b10593505197393177532d45eeed7117dc9f24864b89eed6b1c6bc084b7ae1bb3df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5bfeedc1ddcb926417503cd3df68e2c

SHA1
4685e7bb5d02771a55c85c6b8b1c8534c607bf62

SHA256
92f7789e1f6bf545619a0ebbb9a5cd61c8ac5c40ce5fdf3d9a0ee8a4d9a7aa5f

SHA512
927022caeed2a620feb55bd82eeccb42e1dee4457ab8a8ec6baaee0e17a4dff46d77a1fe134ffe4406801ced24e726ee06bf09dc6b146740216f9cafe9f06ec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bf3a8b11a0b36b465900bf5182c13e8

SHA1
3bfa9095f4799b2cac19f81162185ed8e7ca809e

SHA256
118df8ec31b0387687040166036d08136189c6eb851e6c8fd5480ee854ba9320

SHA512
9c38d193a1086ce361bb5fa260578a607bdde88f3616de70a40be7e05a9aed44c2287a39d5f8ccf1f0bcc0aed5128070a94581dd3383fc291ce20ab33ee78fd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d8337f24e9f82992fede4a334decfcb

SHA1
70e04f43415e2f23988f2c0f9b9142c8046106dd

SHA256
c2fad84b24866101f3a1ae1fa13fba07b00b245156b63eef7c994aa8478c8e7e

SHA512
ab5a1d8b5f99d46673d7f8daddad3cbe58f4d0f7c65ab25a8300cde7ed952a712f1c84dbd5ce82ad522e029f8ee7ea918a3227117a91bce3f80869e34bffc01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf11318f870784c1780463af4d589743

SHA1
50981a46c14d878a7cfd1c39681f246bf4377ef5

SHA256
829425eb6279b8be3e91d6b68bea119fc46bfde289377f6aa04fefcc63dd7c34

SHA512
c45044617a124e3c7f6c2d4b7356008ca2e1e140ce9722ab979eae35550bab2f6e1491ff54f9910e57af47068cfc7c6f47aa5a670e88e1966d5dba73b50128cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df08337bd81b6391b9dd0ae7eb87bb87

SHA1
6869c8bfe994d12863a3456c787f60886a85ab19

SHA256
a07fe38f24e1992ea11af105f36b35701bcabddd19e53460a5fed624eeb53827

SHA512
b6560b6ba3f24ca96c944ea59e1552f956d3655708bd8cdd2d38b2229b7be0227243840d26da2329c3cf3dddc198c9c781873a6c4ed42baa87ac5b5827b36aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
059b041b817c1cf0205d0d3c1056f0c0

SHA1
7694bc5a08341b4487789f1002137fd1cd8287af

SHA256
4b44e30b23b7f9c8ef1363d12a552bbff87164e84fa76caa8f0c544407084169

SHA512
179704a494999b414353952f3b376da7a27c95f4b2e73938991164e3f450dd76910aef087650946513f5225b238f8a71d53a6e222812df85848c4131699ebf1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4681dc98e40c7510c33a26411a6fe07c

SHA1
ad1a82765e33079906262c260d2ceba0e329cea8

SHA256
12782f15ed4dd5010f5b3ea6a4c2561c4a4a63ed388d4a58c0a26869b680ce43

SHA512
e225ffec4e463df6b4f413ede8d936ab62691f8f5433f119dc6af0d2326104271418d58f8b25e29144b1f60246a21b12d4a1411a83260638dcebc69253339e99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33c85193354c9fb8d6829aa9c83b2c05

SHA1
fecd50fdac00fbd77494320491d1893533a26700

SHA256
c28d74f2450f5e74668ad975e7e56e232edc7f4a79660f239255266d5ba1de9b

SHA512
bf3e23bbd1b641e0acd5a80b085766649e851de786b6653d21b8431dd06852a932aab2d811722076221edcd3fc680b4ea9ce836317f0fd651d7aef34ead4681a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bca4bae0258242d670fecfddb067732

SHA1
f6c68edcfd6107e90f48591f468f1b0c47a2885a

SHA256
cc7f2b40dec8b856354023e901fc4361d65cf4a34126f3c9ec5d4a8282139196

SHA512
5b934f42880bfebd500bd9d5cb902a83854fa368741445e2203e443a0530f98d249570b5bc2c5f1fc66b703b923df9419bbea93a627a7ae6f719b2d4117c5703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c20b2cae7cdfec9a4011267f6eef85c

SHA1
e4ebafa2e22b00a64da9b285b4444a4d53feadc5

SHA256
2584d9e5a345f0330eceb59c6216864eb5f0bef3a7bb0b975acc7cf09fa6b701

SHA512
79ed13ad92a493c7b9e29ad04d7395e9dd9236e1c26a3f8941733538918e590b32d9d76bca9c3101f0a97e954de29fb5df923140773df5376df2ecf3f12f01c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e07ae99c73d39e868963434ae58c34a

SHA1
63d522ede19b55aa7ff13696d6e998151c07ad66

SHA256
cd22910109eb9585e4fbaab7d9627a5c40389c573ebde764752abd3064fe8975

SHA512
aecc00e0e0d61ef3f32af07d1d699e71a808c9ba1e3cf7b7de25fecdc8c26b22bba4ab1c4039edb1ca84c1645c933aeb6fed6410090e5934c76452c28698ca7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13c015c700bcd1b9680e9b9053ba78af

SHA1
4dd29db0bfa6b7915554c6b0ed9387349f714827

SHA256
6f62c1acc2c2d42c10afc293630d4cc8802242df475401c59b8c334a811b42c3

SHA512
e976b92af41c03d81e1a5e8fea7c95e7229385cddcfcd501dcf6d2336333d8ba244068060dc1725c5f2f732037e3f0fad00f2e9e5fea12c432801a915d6e74e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc5a1c2e3e68d4e2083a61a46a0fa2f5

SHA1
d3d5c67a13677a15082fc3b493ea2e267854aa19

SHA256
1199b361f86c32f1ccc899a3da5e1236c6547ef43792f3b4b6da97004578b5af

SHA512
3733daff12c7ec29f89010498addd0d7106dd5bd0aa848a10b5843e8f963b2d65732493e707b23fa93644b2fe181d9f45e418d843b7ab63c6600102aeb593bd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52f56dd09c0a1ce3ecd8874a098c24f8

SHA1
bf4453aa7d02adcf761dfe4c6f01713478f2847e

SHA256
6c258b5c8439c5714c51e5972771b56b1805fd4130b992b8ed8bfc0bc6355dc7

SHA512
d99d6ab230dd9d53824b3571193308230cf5feaf15ea038477eb79ca7da2b001d03a64ab2ee496eb8f3c245b7b414ff0e6f1bdbe00d903c82601974f8876b957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49c45bb414acf3439d6a13dbb930d549

SHA1
e0f8a0597eab36e39b3712df0944f49b6533ff3b

SHA256
93fce55a07ca659f3312e764e4ac62ab04d8e7754379ab8042806b1e9ffcee59

SHA512
52949967f7bbb74fd22091547abda73d7153c4b33e804a2e074904d08edca352e402a4e98a26c980a864157266678bcb27aef3878cf36baa6957f50c76fd5778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cb71859b78efcdd564f928dd1b5bf98

SHA1
c9a390382c37b98b9731f4c23b839d7e0ec6ecb3

SHA256
71b7c7b9eabacd4ca151b5a8fd966845a6b2c3f673146dee7a07d8621da17c4a

SHA512
13715ffc6b7fe7e54fb6f5293e4adef9068ef681e6be3d2e220c3d9cb44429a5ec967b8727f910031fc55845a7e818f549aa0efb2dea73f453bbd94ccc984cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a17c2eccf55ea8fc9fc7f004a8f0cd75

SHA1
ce9271ddde193e98e9fe658c5b2a55a71471a208

SHA256
f25a06b84e4812bc316cf5a476f4c4580300539a95ebdb163c06cfde1497334f

SHA512
7ca2b8b3431a9971408eb3e00c4e9c295cfb5c4c9fa3550af89ef7a61125dd0a4b9213f792ac9ac83e285eb9f89c4a8096f1b055e8a3ae09663d823be9cda1ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0988555462f84a0b91c62de3ee3ad54c

SHA1
c566a398c62ad0ce6101aec91c97791ef91d26f9

SHA256
410694d8607f15e0076404c125e59a30a9557e62a4e36e08fde6ac100de325e1

SHA512
0385da1e36acf2be7732b1b666fa7269ffd3f49f2d48c3eae14bef5ae7d4a4a19d9a692fe7ec921967dfffc5af94104f4b70dad9529d3f93c9f1025743c30b19

Download Submit
C:\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\chrome_100_percent.pak

Filesize
871KB

MD5
ff7101265818efa6fd4ae027451c0ee3

SHA1
a3b0da1b1204ac26ace3e5e73da2db97382f2e38

SHA256
a29b7bd0886ea4a6e3878fc19cc7a87114c7c7751311c4364bc68dbe3444b00d

SHA512
cb6396565523edd5012158d7933e9d2027d8196ef79834b9a87ba9fec879d8fc21059017e0ec77c394946e411555b42fe667d5117636ab94a0087ffe4e00984e

Download Submit
C:\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\chrome_200_percent.pak

Filesize
1.3MB

MD5
5f5fd99b05bb4ac9ca5b2341a855a172

SHA1
89e4a19d2ad2874b915f106ef37d6dcc17df47e0

SHA256
4d887b517caabf1ee374615b12678a58f550e92262fe60484d762f1a4eb26352

SHA512
501fc5d9db905f70c83a8ab30c9d0297f78892b2f49470549304a67120bb44ff8f89ac1b8273ea2f02fb13e005a572b4a63881c0fb3b1f4fe4bec712f9dea26f

Download Submit
C:\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\icudtl.dat

Filesize
9.7MB

MD5
d1fb52ed611b2fb214482d877921bfef

SHA1
b0a3c6c9ab60e2eb2bd68c10de5490978fed8321

SHA256
f4b7a46a026455785937c2aef596f92a02136129f7615200f7efc983ac2fadb2

SHA512
fba3b692088ba0bfcca1623d0e1490eeab7a097b99e9d0395d3744067b059b663228c4afa4604f54d14671d529a3c4aefd3b558fa2662e5849ddad9d80095efc

Download Submit
C:\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\locales\en-US.pak

Filesize
192KB

MD5
8b0578668b81df522febeaf199f45f74

SHA1
9ef7117f23777e64bb1376b60194e3ce173f4805

SHA256
55398a662764c9dcfb3ce86aa12360344168ce387c8a933c983a9f0d146ba808

SHA512
acf515df030eacf75389a2f41776493b11f6ff2541512c6535c638d7b31a3eb123f38edcd00ccb02bbc786ff401b76ab82358aec711639994538a6622fdc384a

Download Submit
C:\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\resources.pak

Filesize
17.0MB

MD5
2408bfe356195f7f7c4bbb87e3d86a0e

SHA1
8b4f43939b6b895544fe7ed80370ef1fd1be31b6

SHA256
e77aab9b3bc66f31df47ffa951dc41ae8ac3e08bbe878ef73525186b7669a2fd

SHA512
ee9112ea71f8b74ea9a254f9d1f71a33930dbb5994f2fb365a45a53af9f224251a0afa2e53b5f7ff83c94c0d4982187ce668ecc9fe1954cda36651731758f0bd

Download Submit
C:\Users\Admin\AppData\Local\Amigo\Application\amigo.exe

Filesize
1.1MB

MD5
12f74a11190a321695764da85c0b177a

SHA1
fbde96e731468a5309f2446b3f6d82d2522b2394

SHA256
b591dc2642c069cbaaeebeec23ae476aaefbbc178b47f255f6eaadf10d59f9f1

SHA512
a9ef056acbb6d5b4fe7bcacbdbf226900873ab6ad8cdb1539c7b3afd39ae19b1bedfeb87dfb5dcfc9abcd5029a4dc443f33602b59599619423090b21a9d2d77a

Download Submit
C:\Users\Admin\AppData\Local\Amigo\User Data\Crashpad\settings.dat

Filesize
40B

MD5
68bba0cd85774a8fcddfbe9fb950156b

SHA1
3d1e805316f4c7449de0a2b0d2dc86ace9ff6e58

SHA256
ca2e77d8ed507a7d3bf3cab34a66d2128ce692d33d5d2ecdce7a9483e2185dca

SHA512
821ccc7d9a7c4b0c0df65b9c933af9416aa439bc6ecaffe9feec81c5659c6790f48015e51bab513582dac11086e2e9ee4950c93005abfb033f8cdd6eb79eb926

Download Submit
C:\Users\Admin\AppData\Local\Amigo\User Data\Local State

Filesize
1KB

MD5
3d799078fba5c1cb80577b48178f6855

SHA1
e62153fd54aebb4c548324cb306b3dcedaee5ad9

SHA256
c23711f064756ca3c4ee71eb076fbaca7d26644d5dfa9418a206e08f15e824e3

SHA512
0432367662420407b38b5c284714ad3c19544b1336800be247306902bef5eb72d38a9e3646280f6ca45a8404625df5f1c336104cd19664036fb97cee24c6c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5ACE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5AD1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1731383735\updater.exe

Filesize
3.1MB

MD5
fdb8415567c0748a3bd4ffb9ac783cb7

SHA1
dbc51b3b102a1fd0fffa2dd5d2809c6e385d6a82

SHA256
92025c595d1a8e503aed2725ef9e64ef4ea919307c2694ffd564993ee4b64d43

SHA512
4335ed11f768209edff90f4611b7ea9ec3ca40daa39eea98cd6cf62bf4a51e1d94d2aa3b3d42b51abb834d2954aaccf84006c6d2af3065b8f35f3b505f3674c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SJ0FBHNO.txt

Filesize
104B

MD5
682568d468c2137753b09b113baa461c

SHA1
64a67da9a2e16cc8b66ffce6ed4c6b937d82b362

SHA256
e027400ba6db8b1c551eace6694f063ef15f665bd87d5a847f47bdbc9eccf199

SHA512
2319ff93d89bcbeeb3311f17c3b3847269e99d7e053028edf844bf03432f322baa58b09b8065612bad2d08d81be723a4fcb3128e02af33dd5441e77c85a0fc9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amigo.lnk

Filesize
2KB

MD5
d3f41926baef28d942fa947204a0087a

SHA1
40a6fa518cf9f1d667b369b6c2dcfb648debf9d1

SHA256
6653d1da408286b6acce999cead4cef6725bb4ee702a50d5a2ade2700bed5e3b

SHA512
e04e613a9b4c0f0aa7b0a0df17863b7f7e3ec2384c3cc5d87e228f2536f698b337bfed71bd98d97f01e383fca10e0d88165a535a9d75efb52e499873b3db2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ВКонтакте.lnk

Filesize
2KB

MD5
fbd0e4a11435578010d558a36f152bdd

SHA1
83c229e8103bc9fc95652429946a4c51dab333d3

SHA256
97737b2074461637a2389118532d785f2234771aaba29bb14b178f0f388a93ec

SHA512
407f9264e7ca96f0e700383dfdfe254c68361d0a16c6316660c17c46c4776c373d9879516cd350e467286385c4a9c0d46cfd60668b57c8cb72ebe96c7ffa7c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Одноклассники.lnk

Filesize
2KB

MD5
924752af6552370a9d588c4ec4abfba2

SHA1
3843b9f1b563170cebe404a40aa56aa3c7a5802a

SHA256
90cf01b5abcb730125b4a2a2d8eaa2eda8a18cc56fac17b6658b6366369b941d

SHA512
16d4d12fa763722ad2699a6830b7360837eb3893a7c6fe0b5850249b1394aad4fc61aea0aa0a55d61a1cad74cb38cc4beaf7e62976657a77ef27fabe2e34ee1e

Download Submit
\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\chrome.dll

Filesize
35.3MB

MD5
8ee2d07283acf5be92ebf81e7622f743

SHA1
cd79b5c1244abb7a4da86ef17a8d4b2429ccc15a

SHA256
7bccad759e4e96af2bbd2ea3578f74103e9f4f3cfefcfa04cbd0dde8f31f2b01

SHA512
dc7fc02974a200798738283af745c95b422970ee849df3754d3b817bc2b233541df05c5de60f2ede678e56c166370d9f59584242e7ee084ff0f7e037e02021dc

Download Submit
\Users\Admin\AppData\Local\Amigo\Application\61.0.3163.114\chrome_elf.dll

Filesize
426KB

MD5
a1bb3486b51eb004949cb8fc026f36e7

SHA1
786d4add44c182e5c2a983ee3ecf8b130a932b22

SHA256
98c67a1effc01984cdfbc89092929d45724e88e75efda69a322a83f7ac46042d

SHA512
090f3483afb127dac1e63e620ccf8465bd1a77fbf023d103c35caa6e9ca400f70d105dffb49a7c39ed38e35f774be75fbfb69c3f033634133dfb87849d6e96c7

Download Submit
\Users\Admin\AppData\Local\Temp\CR_FF1FE.tmp\setup.exe

Filesize
1.3MB

MD5
8947cdcbfb2f5a63052218d9a73768d8

SHA1
8b5b653c6985bdf3c9ef6aaf8b6dd2773c61d99e

SHA256
65532f8a9ac33b6f146c86497710acbe18516c14498919e7b610c21f296c9d6a

SHA512
14c1f5c8cd6f4c7f620a2b8e30da49a462b15abefa3171a828087a8ba035b1af72156a556272c6d3609cc4141ccaa0ed4641cafe5d73a44a2efcb7fb46a210ae

Download Submit
\Users\Admin\AppData\Roaming\Installer\AmigoDistrib.exe

Filesize
554KB

MD5
b2b97b5f2ffe8603788a49b7105baa82

SHA1
98b854520f4fe748a9ae54c8abe710f99da6acbc

SHA256
fe03edbc99e3728745e19e800195fbd795476cd503903eef3714eee5e675f760

SHA512
207608bd5529aaeab90b800beacdea9e2700c7a22117e2866c8809f3018d1f42694c50fe379e6d355db49dc93206f340b998d4b9ae2d30cab95fdebdfe549c56

Download Submit
\Users\Admin\AppData\Roaming\Installer\_028969f62470620aae3bc83f5cde670ccf00932272b5eb1a4d93107301e8823e.exe

Filesize
512KB

MD5
c2681c8a61954ed115834a530db9be33

SHA1
a669efa63b22eaab146b169be21fe9968912e2ab

SHA256
cf5c6ad54a838e8fc6c5965e3cab6414ebbff790e333dcb12d32768134ab6b99

SHA512
0a7512be2be45b4b76edabe465a1dcb84ddf36a5f7aaeef2a5d28204478090ca315622beec7066091c5a182deab850d250a2c1c4e1e59e3a25a249237a7776fd

Download Submit
\Users\Admin\AppData\Roaming\Installer\mailruhomesearch.exe

Filesize
2.0MB

MD5
a29c9f523b47027fb97190b908c18979

SHA1
203ca880efa5e1c883f37ad56a4b0e832b813a15

SHA256
25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed

SHA512
2d5383fd32060064843ff66be6f0477d36bb8eb0d348305700563fbb737ceddc14e0589ec78f922e9baa96e00c1487512f32fe92951229d5277db3701936d8c3

Download Submit
memory/1620-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1620-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1620-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1620-85-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2516-774-0x00000000024E0000-0x00000000025F0000-memory.dmp

Filesize
1.1MB

Download
memory/2532-84-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-10-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2532-786-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-785-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-784-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-783-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-762-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-1332-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-780-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-1-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2532-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2532-1331-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2600-782-0x0000000000F10000-0x0000000000F9E000-memory.dmp

Filesize
568KB

Download