Malware Analysis Report

2025-04-03 09:44

Sample ID 230502-x6ydbaea5x
Target https://nftday.art/Setup2.exe
Tags
amadey systembc persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://nftday.art/Setup2.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc persistence trojan

Amadey

SystemBC

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer Phishing Filter

Uses Volume Shadow Copy service COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-02 19:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-02 19:28

Reported

2023-05-02 19:31

Platform

win10v2004-20230221-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://nftday.art/Setup2.exe

Signatures

Amadey

trojan amadey

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d93b5b04e245d901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{C19E7AE5-4AE4-414D-9B33-C7B497E43DE2}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\RepId C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "608602041" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31030589" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4F4C557B-E930-11ED-8227-7E7F627BF915} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "608602041" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "389827897" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31030589" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 2908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1464 wrote to memory of 2908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1464 wrote to memory of 2908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1464 wrote to memory of 4352 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe
PID 1464 wrote to memory of 4352 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe
PID 1464 wrote to memory of 4352 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe
PID 4352 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe
PID 4352 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe
PID 4352 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe
PID 1352 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1352 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1352 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 4964 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 4964 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 4964 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 4964 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4964 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4964 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://nftday.art/Setup2.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:17410 /prefetch:2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe"

C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe

"C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1864

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nftday.art udp
US 104.21.32.126:443 nftday.art tcp
US 104.21.32.126:443 nftday.art tcp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 126.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 104.208.16.90:443 tcp
US 209.197.3.8:80 tcp
US 104.21.32.126:443 nftday.art tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
US 8.8.8.8:53 tadogem.com udp
US 172.67.183.249:80 tadogem.com tcp
US 172.67.183.249:80 tadogem.com tcp
US 104.21.32.126:443 nftday.art tcp
US 8.8.8.8:53 249.183.67.172.in-addr.arpa udp
US 40.125.122.151:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.248.1.254:80 tcp
FI 65.21.119.52:4277 tcp
US 8.8.8.8:53 52.119.21.65.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\Setup2[1].exe

MD5 c80864ec4f40c15a4589d19a1e6cd3ca
SHA1 60179fed90422c2db1cefa9e05762965fa0e4283
SHA256 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512 acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe.ysm9om6.partial

MD5 c80864ec4f40c15a4589d19a1e6cd3ca
SHA1 60179fed90422c2db1cefa9e05762965fa0e4283
SHA256 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512 acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe

MD5 c80864ec4f40c15a4589d19a1e6cd3ca
SHA1 60179fed90422c2db1cefa9e05762965fa0e4283
SHA256 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512 acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1

memory/4352-156-0x0000000000E00000-0x0000000000E94000-memory.dmp

memory/4352-157-0x00000000052D0000-0x00000000052D1000-memory.dmp

memory/4352-158-0x00000000058B0000-0x00000000058C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 cfbc16e33dcbef6f773f0f79af528f45
SHA1 ecb8d5e8107bc671dd57fb2a137c00bffa419f1f
SHA256 f0937890fb1053069baac97b7992c6d22cb74cae20317fc05d51070d96950ffa
SHA512 59ac2ead1eb84edffb06867850beb1e63f72c5b5415abd2fd4e7c2a1922c368f612d2a0288c00e32d5da47c4a77968ffbe72660a8d1f577f44fb20df9c11a4af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5964dd5756121dce94e6f2bf77c96cdb
SHA1 5f398cb964fcc1cfc34e962a711aef632ee422f5
SHA256 9577aea6e8c1b3e089df70e3c773fa6ea196a61ed637079f8c18b2c91b7eeb90
SHA512 79a44252c59c520f1d4e0dd29a70b461746d51d92f3798b235ccc0544315abd46e7591b820219c3c4b69852b9b5b473ace44edb10ea104f3b74f1d35adc03a52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 826fd61900b81693965e104fdb1950b0
SHA1 abd17d1972f0e60f2a25a6be8eec78c9e2af65ce
SHA256 eb852708c7ac4c8930938d4a6ade9553d4d3adb73c9c51d04cc8385841fd5dac
SHA512 e8b3d60bd29def232dee5562656fe99797b9d05a9a55a7e69fc7729075694486a92d8405074c0c912db1a9a646759c3fa2e76415017e948ec09471f2a6e40195

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 75570d9c2c84f7d7fca0b536420c3b88
SHA1 40bc7120256de7dd93590ca2f9fd0e3476d20f84
SHA256 dc92f5afb10bb77df030d5f31894953c41d59bdbc9d2e3f7b8ab968774a1c6c2
SHA512 78e86bfeea74429625c0731ef9757195d7287974c1bf1e82426dec04539f519326df4e72970e5da8304801f654b5dda5e282b72b703927811c58700022134d4e

C:\Users\Admin\AppData\Local\Temp\805025096232

MD5 1c2317f1d16e05791276c4208f797091
SHA1 418a30fa4ee28f2a77aa1c436e0734383735b763
SHA256 4f432911caed6cbbc90bc95cd38fbcfffda04d8d6f13ec1dfdb0c51bf9be38c6
SHA512 2c63d7943a76ec5bdec6194834ec091b5cefe48dfd2d6a274f2853d759871f5ef39b41960421cf3083d78cc3c71bee0c21934d0a05a91c85c4e96d98cf3aa56d

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

memory/2884-207-0x00000000007C0000-0x0000000000800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

memory/2884-249-0x0000000007910000-0x0000000007EB4000-memory.dmp

memory/2884-250-0x0000000007350000-0x0000000007360000-memory.dmp

memory/2884-251-0x0000000007580000-0x0000000007612000-memory.dmp

memory/2884-252-0x0000000007350000-0x0000000007360000-memory.dmp