Malware Analysis Report

2025-08-10 19:54

Sample ID 250703-gnev9avnt3
Target 2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_stealc_stop_tofsee_xiaobaminer
SHA256 f3e6518eeedfdca5e234fbb3d26cc68ffc2ffac65749387f85bb6fc78b59157f
Tags: blackmoon banker defense_evasion discovery persistence spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f3e6518eeedfdca5e234fbb3d26cc68ffc2ffac65749387f85bb6fc78b59157f

Threat Level: Known bad

The file 2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_stealc_stop_tofsee_xiaobaminer was found to be: Known bad.

Malicious Activity Summary

blackmoon banker defense_evasion discovery persistence spyware stealer trojan

UAC bypass

Blackmoon, KrBanker

Detect Blackmoon payload

Blackmoon family

Drops file in Drivers directory

Disables RegEdit via registry modification

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:56

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:56

Reported

2025-07-03 05:59

Platform

win11-20250619-en

Max time kernel

103s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe"

Signatures

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UAC bypass

defense_evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Disables RegEdit via registry modification

defense_evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3625340254-1625357543-1797847221-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
N/A | N/A | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Checks whether UAC is enabled

defense_evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File created | C:\autorun.inf | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\autorun.inf | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | D:\autorun.inf | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | D:\autorun.inf | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | F:\autorun.inf | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | F:\autorun.inf | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ieUnatt.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\OposHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\provlaunch.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\Robocopy.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\RunLegacyCPLElevated.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\wevtutil.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\mountvol.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\RpcPing.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\tzutil.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\where.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\winrshost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\format.com | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\tree.com | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\CloudNotifications.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\Dism.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\quickassist.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\RdpSaUacHelper.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\wecutil.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\Com\comrepl.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\attrib.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\dpapimig.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\netsh.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\typeperf.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\BackgroundTransferHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\makecab.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\print.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\tttracer.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\upnpcont.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\user.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\DpiScaling.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\explorer.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\iexpress.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\PATHPING.EXE | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\TsWpfWrp.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\regedit.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\RMActivate_isv.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\SearchFilterHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\Taskmgr.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\comp.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\logagent.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\nslookup.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\PickerHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\relog.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\SearchProtocolHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\ttdinject.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\CertEnrollCtrl.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\cscript.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\powercfg.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\LaunchTM.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\lodctr.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\msdt.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\fltMC.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\hh.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\autochk.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\CheckNetIsolation.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\isoburn.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\reg.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\fsquirt.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\GameBarPresenceWriter.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SysWOW64\gpscript.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\WindowsCamera.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\Windows Mail\wabmig.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\Windows Media Player\wmpconfig.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\XboxStub.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\PeopleApp.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_proxy.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Install\{3153363F-C347-4BF6-B57E-CBE5F36972BA}\MicrosoftEdge_X64_133.0.3065.69.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Cortana.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedgewebview2.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WebviewOffline.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\TerminalAzBridge.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevated_tracing_service.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoia.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files\Windows Media Player\wmplayer.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.22000.1_de-de_09db7b35a423b804\403-17.htm | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\oobe-light-frame-template.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_windows-shield-provider_31bf3856ad364e35_10.0.22000.100_none_a1709384527830fe\f\SecurityHealthService.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.22000.469_none_c24a28fb71aa07c9\r\Robocopy.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-openwith_31bf3856ad364e35_10.0.22000.1_none_c3646c52777cf90a\OpenWith.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_bsdtar_31bf3856ad364e35_10.0.22000.1_none_b6c65439a52aae5e\tar.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.22000.282_none_5faf7b34bce42c4c\r\SearchIndexer.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\hololensWorkAccount.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_554f241185facbd0\403-12.htm | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.22000.1_ja-jp_e19c99655047c329\403.htm | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.22000.318_none_8e5804ec62c5891c\r\cmimageworker.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\errorHandler.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_ef0bb92fa937f7ee\RMActivate_isv.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\oobeprovisioningentry-main.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\f\oobeupdatesettings-main.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_microsoft-windows-runas_31bf3856ad364e35_10.0.22000.434_none_659b5b6317001d2c\runas.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\unifiedEnrollmentFinished.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.22000.282_none_555ad0e288836a51\r\SearchProtocolHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_ja-jp_3c6ad63d6db51185\f\oobe_learn_more_activity_history.htm | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-sysreset_31bf3856ad364e35_10.0.22000.469_none_3765148c03bcc3ce\f\sysreset.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.22000.434_none_95bd8d59818abcd7\r\nltest.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File opened for modification | C:\Windows\Fonts\GlobalUserInterface.CompositeFont | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\troubleshootingdiagnostics-lite-main.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-dpiscaling_31bf3856ad364e35_10.0.22000.1_none_d08b70dc5fb929d4\DpiScaling.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.22000.65_none_cc4646d618bda56e\r\SystemSettingsBroker.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..restartup-baaupdate_31bf3856ad364e35_10.0.22000.1_none_8c926432d7f125a8\baaupdate.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.22000.1_none_d4a473e8ed9480cf\smss.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.22000.376_none_fd0b376d9072c88a\r\rdpclip.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-winver_31bf3856ad364e35_10.0.22000.1_none_0c951be2a141ecff\winver.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.22000.1_none_b71f28405c3abe06\WmsUserAgent.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.22000.1_none_38378aefc68a365f\autochk.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.22000.1_none_0367376385127fe1\FXSSVC.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\r\localAccount.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\oobeeula-main.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.22000.51_none_2158495b1874d95c\r\services.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.22000.282_none_03b4c900a639c980\r\TpmTool.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.22000.1_de-de_09db7b35a423b804\500-18.htm | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\oobe-button-template.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\retailDemoMsa.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.22000.493_none_2b6ddb5beae8ce90\f\hvix64.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.22000.1_none_b7c933829422be28\netiougc.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-client-li..e-licensing-service_31bf3856ad364e35_10.0.22000.1_none_da97f24371c07ce5\ClipDLS.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-light-frame-template.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.22000.120_none_a6b2722d9eed2eed\f\fixmapi.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_28babea403fb06cb\f\CallingShellApp.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-adamsync_31bf3856ad364e35_10.0.22000.282_none_ed4920c9a3fd8bd2\f\adamsync.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_334ea48b976d3bd3\CHXSmartScreen.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.22000.51_none_2158495b1874d95c\f\services.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.22000.71_none_c9fbc04eb075be36\r\securekernel.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.22000.469_none_f7ee9eea6a40784c\UevAppMonitor.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_microsoft-windows-driverquery_31bf3856ad364e35_10.0.22000.1_none_f6bb136dce337547\driverquery.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\debugger.html | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_windowsdeviceportal-core-server_31bf3856ad364e35_10.0.22000.282_none_0536e7ab81ae6453\f\WebManagement.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_10.0.22000.120_none_576e8243334ab082\f\explorer.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\f\audit.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\amd64_netfx-dfsvc_b03f5f7f11d50a3a_10.0.22000.1_none_5f1e3da0bccf23b8\dfsvc.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel-la57_31bf3856ad364e35_10.0.22000.493_none_47936afef938817b_ntkrla57.exe_1a7d350a | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created | C:\Windows\WinSxS\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.22000.1_none_fca20623da1dc57b\resmon.exe | C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe | N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\retailDemoMsaInclusive.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe"

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

Network

Files

memory/3696-0-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

MD5 942a1fa5d58920ac5db17a2aa33054ba
SHA1 2a53dc3140654603d43b78d5f244af1bc8fb7259
SHA256 f3e6518eeedfdca5e234fbb3d26cc68ffc2ffac65749387f85bb6fc78b59157f
SHA512 c15405deebb6376de25ca662ceaedba0f50cb580c6e8552a5d8bf34d040686f0d2d2db4f0c8ba8203700282421e533dbd0724c544adab648a0c3b83fc168ddb0

C:\f2afd64e4c6dbf29d5a061\2010_x86.log.html

MD5 84352d781ee4832a58f083d26e958c74
SHA1 0d03dfb4dedfb3de3ece7e54f36c111d79043c94
SHA256 50620d25e3ab7a131cc463da7a1fcc72fb1d4092972560f23478623f4f5edd85
SHA512 78869867fd3f2c5233de5a67100cbb2773c610b59b125d14f61304d70fc5de2fdba5e61771000e7f182937239915ed0e455e687cb24eec79effadc160314a23a

C:\Users\Admin\AppData\Local\Temp\scoped_dir2288_1659557369\CRX_INSTALL\offscreendocument.html

MD5 17a98e40b9a7e4f37653ae32f090774b
SHA1 1964cf2fd13f441b50911ea9041f20e08fe09291
SHA256 77a027659b58b7879152909df5451c654a5d34bf144fc19738ff12ce164750de
SHA512 d2ee7a769098328dffd741f646d8c6a29aab816960a00a83f0073306f7c7290e0ce6b8abafcb46d909b96e8763d8fb695750e7f4e4d79154b60422ae56a256c4

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:56

Reported

2025-07-03 05:59

Platform

win10v2004-20250502-en

Max time kernel

106s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe"

Signatures

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
N/A N/A C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZhuDongFangYu = "C:\\Windows\\360\\360Safe\\deepscan\\ZhuDongFangYu.exe" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created D:\autorun.inf C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification D:\autorun.inf C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created F:\autorun.inf C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification F:\autorun.inf C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\autorun.inf C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\autorun.inf C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\write.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\regedit.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\Netplwiz.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\PackagedCWALauncher.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\print.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\SettingSyncHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\comp.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\control.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\eventvwr.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\ieUnatt.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\ipconfig.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\net1.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\ReAgentc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\replace.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\charmap.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\ddodiag.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\getmac.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\unlodctr.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\autochk.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\autoconv.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\curl.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\dialer.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\tar.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\BackgroundTransferHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\OneDriveSetup.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\verclsid.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\chcp.com C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\pcaui.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\iexpress.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\notepad.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\PickerHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\subst.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\certutil.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\cipher.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\findstr.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\GameBarPresenceWriter.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\raserver.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\logman.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\printui.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\regsvr32.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\Taskmgr.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\bootcfg.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\rdrleakdiag.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\regini.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\choice.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\label.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\OposHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\Register-CimProvider.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\RMActivate_isv.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\sethc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\tzutil.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\CameraSettingsUIHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\forfiles.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\iscsicpl.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\msinfo32.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\ndadmin.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SysWOW64\RmClient.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\pwahelper.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Installer\setup.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ie_to_edge_stub.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdate.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\WebviewOffline.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\README.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-16.htm C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1266_none_aa0661cc14f9fe9a\r\vmwp.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-unlock_31bf3856ad364e35_10.0.19041.746_none_428efbd28b482d1c\f\bdeunlock.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.1_none_544850fb795d0a4f\UpgradeResultsUI.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_10.0.19041.1_none_3062feae2a702d0a\cliconfg.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrordisabledforregion.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-12.htm C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\tlserror.htm C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_198d8d483aa30ed0\gpresult.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.1_none_dc5648407c9fbfeb\wksprt.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_10.0.19041.1_none_e0dec3877978d84a\mscorsvw.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\pdferrorquitapplicationguard.html C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\DisableAboutFlag.htm C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.153_none_ff44cfa7cb529ce3\f\lpksetup.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.746_none_61e0347e850155a8\UserOOBEBroker.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.746_none_bd9bc99304595128\f\ReAgentc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\wow64_regasm_b03f5f7f11d50a3a_4.0.15805.0_none_9be7d950c1f8addd\RegAsm.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\navcancl.htm C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1_none_f725ad3465e95fe3\klist.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1060d2d22df7c6eb\WWAHost.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_10.0.19041.906_none_388c7870566ba06d\WMSvc.exe C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_942a1fa5d58920ac5db17a2aa33054ba_amadey_darkgate_elex_icedid_rhadamanthys_smoke-loader_st.exe"

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

"C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/4444-0-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

MD5 942a1fa5d58920ac5db17a2aa33054ba
SHA1 2a53dc3140654603d43b78d5f244af1bc8fb7259
SHA256 f3e6518eeedfdca5e234fbb3d26cc68ffc2ffac65749387f85bb6fc78b59157f
SHA512 c15405deebb6376de25ca662ceaedba0f50cb580c6e8552a5d8bf34d040686f0d2d2db4f0c8ba8203700282421e533dbd0724c544adab648a0c3b83fc168ddb0

C:\a806a7f7e634bf7796\2010_x86.log.html

MD5 04a5ed564ac2a16ab1f17ebca0a90da2
SHA1 ba9f23cf39002dcf815d41bd62bc645484ce1df2
SHA256 bfc52d24631a851dc3f32a68fc1620187bf3f4f45bc7b06dd05658c1888c67d6
SHA512 614cd0ff95336f695c17335f4bb54f6d4ffc8c041465b8370f56f5107b27d2fbac9d663787c1f2722a9dde85a01e4484e0675c188eadf2e91b3492547a7ef251