Malware Analysis Report

2024-10-23 15:42

Sample ID 230723-qgtv9seb55
Target tmp
SHA256 bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
Tags
themida amadey laplas redline clipper evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

themida amadey laplas redline clipper evasion infostealer persistence spyware stealer trojan

RedLine payload

Laplas Clipper

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

.NET Reactor protector

Themida packer

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

GoLang User-Agent

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 13:14

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 13:14

Reported

2023-07-23 13:17

Platform

win7-20230712-en

Max time kernel

149s

Max time network

161s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2744 set thread context of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 240 set thread context of 2032 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 240 set thread context of 1028 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0b1ade967bdd901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3040 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3040 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3040 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2472 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2808 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2472 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 2472 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 2472 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 2472 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 3064 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3064 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3064 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3064 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2472 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
PID 2472 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
PID 2472 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
PID 2472 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2744 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2148 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2148 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2148 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2472 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe
PID 2472 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe
PID 2472 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe
PID 2472 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A4DD275C-D489-4A56-8D02-ADD7BBCF0AEC} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {42ED49D8-F79F-4E29-9D8A-4D04E35A0F8D} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 second.amadgood.com udp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
SG 165.232.162.31:80 165.232.162.31 tcp
US 167.99.14.220:81 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
NL 168.100.10.236:80 168.100.10.236 tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-23 13:14

Reported

2023-07-23 13:17

Platform

win10v2004-20230703-en

Max time kernel

30s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 388 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 388 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 388 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3268 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3268 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3268 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3268 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3268 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3268 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3396 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3268 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 3268 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 3268 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
PID 3268 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
PID 3268 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
PID 3268 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe
PID 3268 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe
PID 2080 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 2080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe"

C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe"

C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
US 8.8.8.8:53 second.amadgood.com udp
SG 165.232.162.31:80 165.232.162.31 tcp
US 8.8.8.8:53 208.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 31.162.232.165.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 167.99.14.220:81 tcp
US 8.8.8.8:53 220.14.99.167.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp

Files

memory/388-133-0x0000000000C10000-0x0000000001306000-memory.dmp

memory/388-134-0x0000000076B80000-0x0000000076C70000-memory.dmp

memory/388-135-0x0000000076B80000-0x0000000076C70000-memory.dmp

memory/388-136-0x0000000076B80000-0x0000000076C70000-memory.dmp

memory/388-137-0x0000000077674000-0x0000000077676000-memory.dmp

memory/388-138-0x0000000000C10000-0x0000000001306000-memory.dmp

memory/388-139-0x0000000000C10000-0x0000000001306000-memory.dmp

memory/388-140-0x0000000000C10000-0x0000000001306000-memory.dmp

memory/388-141-0x0000000000C10000-0x0000000001306000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 4fcd70f4d036361d2fef09cf03932f7b
SHA1 b8c39838498676d95a267e8f9ee2bb59edb8e76e
SHA256 bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
SHA512 3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 4fcd70f4d036361d2fef09cf03932f7b
SHA1 b8c39838498676d95a267e8f9ee2bb59edb8e76e
SHA256 bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
SHA512 3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

memory/388-151-0x0000000000C10000-0x0000000001306000-memory.dmp

memory/388-153-0x0000000076B80000-0x0000000076C70000-memory.dmp

memory/3268-152-0x0000000000920000-0x0000000001016000-memory.dmp

memory/3268-155-0x0000000076B80000-0x0000000076C70000-memory.dmp

memory/3268-154-0x0000000076B80000-0x0000000076C70000-memory.dmp

memory/3268-156-0x0000000000920000-0x0000000001016000-memory.dmp

memory/3268-157-0x0000000000920000-0x0000000001016000-memory.dmp

memory/3268-158-0x0000000000920000-0x0000000001016000-memory.dmp

memory/3268-159-0x0000000000920000-0x0000000001016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 4fcd70f4d036361d2fef09cf03932f7b
SHA1 b8c39838498676d95a267e8f9ee2bb59edb8e76e
SHA256 bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
SHA512 3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

C:\Users\Admin\AppData\Local\Temp\722984668182

MD5 13afd022074f6b0381a1dfb9e6a3cd92
SHA1 38ac9850d10a3f631aa7238035f004891bc5cc25
SHA256 b7620ad43d277acfc0d91d28723be3595275a395b2ecaa9535893f2da7559038
SHA512 01c1c7f0c417b48eaf54d24d60a0db4b2674221548568bf6c91f58549d49fa784a5026b747812f5d9e1e464c31972b7cba7f244e8ba78e1ed4b6d19b669f7322

memory/3268-173-0x0000000000920000-0x0000000001016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe

MD5 126db18bbcf58a186b422970c57e4dbf
SHA1 97246ee3686052bb9e1142ac789b421b1bb067cc
SHA256 85693616d48b2266134fccd7197503d7da7d317c318016ea0f988c414a10e756
SHA512 59a58b17323329286bfc85d410fb7d269f6df82d05fc603871ac4f3440e4cf36e5e4f3a5f19a410fa7f9b4c23785bf38440396e847bb1d87611c2551a12fbca6

C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe

MD5 4472444218925ed8fd4982f141af1978
SHA1 101ff99cec2f571002915f23290d495671967db3
SHA256 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c
SHA512 b2255bced17a9cf9ab8afb461cea7005d2df77984f3122609d82d9a2f7f5ec3ca23ee8f20f609e60937db134ef721bf90fd759ddbe4df9acbf6216d8d2e15cff

C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe

MD5 78e97779f936b06a8c4c96240b7bc85b
SHA1 c005df8a050723df4127a429b00b9e1ac489c3ff
SHA256 f4edf7a7d5dba93cbf95ed6b266b64579544676b1f09a27fa487d3c95700eadc
SHA512 cda792eeb136f3d9a4136c4d7a38056835a01d1bad31e4d12f5381a3fdb86b24b7b1690c77c10f8244806b6316be07c78d1ffa4886ecf0a133b1d57d319f08d2
