Analysis Overview
SHA256
f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Amadey
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported
2023-05-02 09:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-02 09:57
Reported
2023-05-02 09:59
Platform
win7-20230220-en
Max time kernel
148s
Max time network
152s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3277.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp3277.tmp.bat
| MD5 | 0b35d3d9bb3679bc83c86f58a8d24379 |
| SHA1 | 861add7162e68d03974ef637de673b76aa397f57 |
| SHA256 | f91d5f1c8045285ef0160e4014551ef3b07a2f761d2e7a689770aecd77f93a20 |
| SHA512 | 5cebe2d0addeb79e482be732151e7f719599e95e26d595869c6256a9cd165f3d7112581c344fcdbdc6134d5ad2545bcd7724087221753e0f20fd8b62e595633c |
\Users\Admin\AppData\Roaming\RuntimeBroker.exe
| MD5 | fec1bb333482a2e245660c0e4026f85d |
| SHA1 | a08544a217c47a3d77292f013afa6d84f93f0821 |
| SHA256 | f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e |
| SHA512 | f283cf4815219bf20672f86cfd81aa4eb1813863e168f0f21e44033d86d4df1d8e55e6ee214f293dd6734e33f24d556a8694b7d0b0c239fcc8762cae90016c9f |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-02 09:57
Reported
2023-05-02 09:59
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
152s
Signatures
Amadey
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\elXnPr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\elXnPr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\update.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\elXnPr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Users\Admin\AppData\Local\Temp\elXnPr.exe
"C:\Users\Admin\AppData\Local\Temp\elXnPr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3988 -ip 3988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1852
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B1C.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\update.exe
| MD5 | c80864ec4f40c15a4589d19a1e6cd3ca |
| SHA1 | 60179fed90422c2db1cefa9e05762965fa0e4283 |
| SHA256 | 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc |
| SHA512 | acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1 |
C:\Users\Admin\AppData\Local\Temp\elXnPr.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\tmp9B1C.tmp.bat
| MD5 | 47715aef6a60ec61c594ed8f5088a476 |
| SHA1 | e652c9ae69f0a592d1da5af4494e338d29c8735c |
| SHA256 | 0dbe9c8d6bd5e1960cf27d0be9a22597de9c51de378476978ecbcbba37e3e41b |
| SHA512 | e014685cb3da7f4168aaf887ffa60ebc04326d5a8f377c9d35f603df081e8d96dc67254a9db96d1ac61e6017a472202892a8c4814ae24c340a218fc10940f1be |
C:\Users\Admin\AppData\Local\Temp\013461898371
| MD5 | 747dbe1fe0cd999d44d230c2921556ff |
| SHA1 | b95c5a76303574416b65c0c6ce2d004bda38df42 |
| SHA256 | a56bad536af3c169e44bb72d6a55f41dcea54df0ddb4b2cc916ec37a06f93109 |
| SHA512 | 78f1a8d7fcbf0354cb4b81c627fcc1e6cb4afe28ecd9ccf991f093eadce11b1a2ddbcc53daf478718783789cdee0799669f3c787cca4f89be92af98da1e64d4b |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
| MD5 | fec1bb333482a2e245660c0e4026f85d |
| SHA1 | a08544a217c47a3d77292f013afa6d84f93f0821 |
| SHA256 | f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e |
| SHA512 | f283cf4815219bf20672f86cfd81aa4eb1813863e168f0f21e44033d86d4df1d8e55e6ee214f293dd6734e33f24d556a8694b7d0b0c239fcc8762cae90016c9f |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |