Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-q97b3ahe86
Target 29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4
SHA256 29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4
Tags
amadey healer redline smokeloader virad backdoor dropper evasion infostealer persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4

Threat Level: Known bad

The file 29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline smokeloader virad backdoor dropper evasion infostealer persistence spyware trojan

Modifies Windows Defender Real-time Protection settings

Healer

SmokeLoader

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Amadey

Downloads MZ/PE file

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:58

Reported

2023-09-10 14:01

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9400.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90C3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90C3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9400.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4312 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 512 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 512 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 512 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1092 wrote to memory of 4460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe
PID 1092 wrote to memory of 4460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe
PID 1092 wrote to memory of 4460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe
PID 4460 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe
PID 4460 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe
PID 4460 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe
PID 3348 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe
PID 3348 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe
PID 3348 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe
PID 1472 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe
PID 1472 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe
PID 1472 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe
PID 4792 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe
PID 4792 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe
PID 4792 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe
PID 2704 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4792 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe
PID 4792 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe
PID 4792 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1472 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe
PID 1472 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe
PID 1472 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe
PID 4264 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4264 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4264 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4264 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4264 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4264 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe

"C:\Users\Admin\AppData\Local\Temp\29d6e97e7a04a4902f3e68a7f5b072d7140f2a17048519c32b01d7bce43d24d4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4312 -ip 4312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2704 -ip 2704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1580 -ip 1580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 548

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d4643736.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d4643736.exe

C:\Users\Admin\AppData\Local\Temp\84AC.exe

C:\Users\Admin\AppData\Local\Temp\84AC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Roaming\rdcidfr

C:\Users\Admin\AppData\Roaming\rdcidfr

C:\Users\Admin\AppData\Local\Temp\90C3.exe

C:\Users\Admin\AppData\Local\Temp\90C3.exe

C:\Users\Admin\AppData\Local\Temp\9400.exe

C:\Users\Admin\AppData\Local\Temp\9400.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\90C3.exe

C:\Users\Admin\AppData\Local\Temp\90C3.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3696998.exe

MD5 daea3646643a48fef7ae952e2937ff35
SHA1 0abada8ff43a96509d4baf0a072d9c017a9f8146
SHA256 95ad3cb731bda71287d2b2b0f615b633e2f501acbf32caac4cb0b589ae7b11b3
SHA512 d43e24416b47fb83beefd564e216a89cd641e956cdd6cefc36403f1cf19331195e6350b388997de7615c5a2084b7a3a127d20a4f847d61b984af42e4b1711ac7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4141827.exe

MD5 a9ee267c0332d584e30c018653063e52
SHA1 1ecf27f439e6dc21ef93faf89fde91e542c12eda
SHA256 e8957285c6c488e7ba37a0bd8a499edb136fd43551ef6c92682125e0799504bf
SHA512 d4b14a9d2ed50fed880d4c1723477ea4c0ae5143505f5b704e3145de0a363a1632473fc8b677596601f2a4298112d7bce31f8e26bead6b16621282d983dcf37a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5997831.exe

MD5 935ab63f4f3cbcafee61ec255a2342e6
SHA1 07d3b3a007205a4a1c4b03633dbff70ef02af253
SHA256 6ba1dd7e65bbb526b0ff140b7326cbc6a4f3edd957819501f0cb761e5bd9bbb6
SHA512 c90c62788342e40e8a4302b8412ee921d7dc7cd723366f5ba9a385c808f7ac3684862b7e15ed8889f77bfec5576682d5f201bc89838d47317d951d766ba87298

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398203.exe

MD5 9ec105ca179a987bf4d5ef346aaf1832
SHA1 db687f63946cc1473345962b1794e7dda27cdf46
SHA256 3aca793e8b2f103677a172e829033a9e59ae03ec23d63d02bdb186fa5d6f8381
SHA512 074fe06f01967228b89171a17dbed32d9827955299a87c30300b577ba06353e1458deb44a1e43d288846150f24ccd42673ad342f1639b080df0586e9fbd3e36f

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5167828.exe

MD5 e582869c6e146f10a71b3f6ba484619d
SHA1 7598c5a18f3d7af6871f1d60bf5784aba2a1d403
SHA256 2514954107c29a1307d4076436ab56c64f4c60a37aca0400a540d486f3a77ee0
SHA512 137c21c123316e4048db81fe1dff7c5d0ce1b9206cf1167eadc77f710520d30d043a9fcba56b54f08ca4b113e755ec7913919190d4afa5dc40bbed1739dda516

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9213820.exe

MD5 4eca81c396a531037b541a0a9a769357
SHA1 2a44c67a35395a18106bc134768d9939ae65324b
SHA256 0902c4095d6b4be42503fc248b33d567ab30b2d77a6641ecef03c8c4f695207f
SHA512 7a46f569466505d6eb94b33bec68a4cfc362d6ec9135e56467ba73fc6edaa70527143e0d11a18daf473f2b1b4bcf8a953014ec3b02140a699413e48d8164dd60

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5056995.exe

MD5 d980b37b1d4d80936fc1104a6dbf1b30
SHA1 434390b64261f106e03d26658250bacadc397ccc
SHA256 26597e6cdcb18250d187cfca96241da21ea5d4642c3834dcd856350df3d9b0f5
SHA512 3f3b6c62739f5c4ba3659a6733c40b6b1ca1b9fe8b25760c6067c6ad4b184193015f6fc5a399dc7e0016e6a9e4edc67b0f4f2bee762b37b7cb232b20197b75ca

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d4643736.exe

MD5 cf9c2e94363527167b957887751aa92e
SHA1 8eb4c0bac0748df88354901ea96c808864863273
SHA256 febf49ab7922313472993702f1c12d8749819047b37dea13f6e3c569b4d192b6
SHA512 9bbf6b36f0b36f92cf5b06fdcb4a79a24f1e0d5ba074356046f4c561830e38c9f664d0636cedd5d6d29a0c65cdda435991fb1a85b4f4d507bb9c661fcf7501f4

memory/2480-57-0x0000000000430000-0x0000000000460000-memory.dmp

memory/2480-58-0x0000000074440000-0x0000000074BF0000-memory.dmp

memory/2480-59-0x000000000A7D0000-0x000000000ADE8000-memory.dmp

memory/2480-60-0x000000000A2C0000-0x000000000A3CA000-memory.dmp

memory/2480-62-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/2480-61-0x000000000A1E0000-0x000000000A1F2000-memory.dmp

memory/2480-63-0x000000000A240000-0x000000000A27C000-memory.dmp

memory/1092-64-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2848-65-0x0000000002520000-0x0000000002536000-memory.dmp

memory/2028-69-0x0000000074440000-0x0000000074BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84AC.exe

MD5 1a18fc4db3affaacf43f4022df7a2c32
SHA1 2ef240262c43bdd5f6a9db9f7e6abb1e408366ba
SHA256 b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32
SHA512 be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069

memory/2840-81-0x0000000000D60000-0x0000000000EEE000-memory.dmp

memory/3624-83-0x0000000000230000-0x000000000028A000-memory.dmp

memory/3624-89-0x0000000074440000-0x0000000074BF0000-memory.dmp

memory/3624-90-0x00000000075C0000-0x0000000007B64000-memory.dmp

memory/3624-91-0x00000000070F0000-0x0000000007182000-memory.dmp

memory/3624-92-0x00000000072A0000-0x00000000072B0000-memory.dmp

memory/3624-93-0x0000000007190000-0x000000000719A000-memory.dmp

C:\Users\Admin\AppData\Roaming\rdcidfr

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

memory/3624-96-0x0000000007C90000-0x0000000007CF6000-memory.dmp

memory/3624-97-0x0000000008BC0000-0x0000000008C36000-memory.dmp

memory/3624-99-0x0000000008E10000-0x0000000008FD2000-memory.dmp

memory/3624-100-0x0000000009510000-0x0000000009A3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\90C3.exe

MD5 02c02920de30db7f8852973ec8bdfedd
SHA1 e4eebf1a7db4f7066a8748dc5a06159f62e3502d
SHA256 1545479f31f7b015e2a4865266361821f6ab1870f0a9e067644d19038e2f95fa
SHA512 72e6bfb78de55652ea3e8880d978463d88b0228d83d6c37e382e0a6b6ee40c90de436aa7759268b7dc1f4cb2bf0e957599ae2f7c967140a6b39168a309303ca6

memory/3624-104-0x0000000008D40000-0x0000000008D5E000-memory.dmp

memory/1288-105-0x000001A26D3F0000-0x000001A26DA4E000-memory.dmp

memory/1288-106-0x00007FFF2B6F0000-0x00007FFF2C1B1000-memory.dmp

memory/1288-107-0x000001A26FEC0000-0x000001A26FED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9400.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3624-112-0x0000000002670000-0x00000000026C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/828-129-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\90C3.exe.log

MD5 84a01db52ea5a878520e162c80acfcd3
SHA1 49b7c5c072f6c32e54cc97c1dcbee90de0dd4738
SHA256 25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe
SHA512 0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

memory/828-134-0x00007FFF2B6F0000-0x00007FFF2C1B1000-memory.dmp

memory/828-135-0x000001930DB90000-0x000001930DBA0000-memory.dmp

memory/828-136-0x0000019327CA0000-0x0000019327D81000-memory.dmp
