Analysis Overview
SHA256
08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e
Threat Level: Known bad
The file 08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Healer
RedLine
Detects Healer an antivirus disabler dropper
Amadey
SmokeLoader
RedLine payload
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:18
Reported
2023-09-10 14:20
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F2B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F836.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7F6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7F6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1788 set thread context of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1864 set thread context of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1936 set thread context of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1940 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1068 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\F836.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3296 set thread context of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\7F6.exe | C:\Users\Admin\AppData\Local\Temp\7F6.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7F6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7F6.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2B.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe
"C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1788 -ip 1788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 288
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1864 -ip 1864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 592
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4960 -ip 4960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 200
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 580
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe
C:\Users\Admin\AppData\Local\Temp\F836.exe
C:\Users\Admin\AppData\Local\Temp\F836.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\7F6.exe
C:\Users\Admin\AppData\Local\Temp\7F6.exe
C:\Users\Admin\AppData\Local\Temp\F2B.exe
C:\Users\Admin\AppData\Local\Temp\F2B.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\7F6.exe
C:\Users\Admin\AppData\Local\Temp\7F6.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.231:80 | | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| MD | 176.123.9.85:16482 | | tcp |
| US | 8.8.8.8:53 | 85.9.123.176.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe
| MD5 | 6d12a780de1b979bedf5fc2ff4e99e6d |
| SHA1 | 39e4d247392ee2d8fae08037db4b163853bafd55 |
| SHA256 | 87f51b58804741dc215c7db13d94e4a8c0da56cbee41eb877e0d8749625b618a |
| SHA512 | 8a7eaa2f342e572b788b6dda9eea4d759db634450ecd4af97830cdb489619d1e93c6e3345403586f19a67a6fe7215cae7978195dfe60bc8f0a90176ac582af05 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe
| MD5 | b32d5161306e159aea986cb5879355ac |
| SHA1 | 58f2341215b3ac9807b4b09c9b94bfcdda02a027 |
| SHA256 | e96a1d814523de31eaef065aea38c09684fa076f2c7e632999ecefa98e75bd01 |
| SHA512 | fe8b414902872067162b09cef8a6eeb4804250346752211ed65ab877a876c292d416c03bc8151e4372836d8137fbebdf60eba54d37de3be5a33b1a75c013dfdd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe
| MD5 | 81dd8f6e349d2ce27de8d74b3d899669 |
| SHA1 | e7637c1e71c0a69942bad90fda9fba62235687a4 |
| SHA256 | 50cc8864ff826c0e83fb8680bd7e6037d8e3bc221415e63675734dde0fec5b87 |
| SHA512 | 76994fc42d84f2c72d97ff9e3429429bb2ea542f1741b5f4e56013fee0e9a10a79841981a7bdc5d53f4c6365363a51d25bf3941b6d2274c3cd0ea0745c9f4c65 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe
| MD5 | 72c40564ce2cf28107a76758fc5ee53a |
| SHA1 | 4e1f3b1eb3800b3fbc18acd29e007083073d0dc6 |
| SHA256 | f65021f0a18cdc307128b7c34f9d3cf4d88be5ca13e0c646a56d815827e80d94 |
| SHA512 | 0dd9c7815f1eda8a963eed582af8d02961b139393be28b71a3e12fe3754986bc734b9947f8a35124506e48581823a55df160545afd8307d6ec23f3e0c80e4ffc |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe
| MD5 | 85488af9e0d66ab24ee308148b1f206f |
| SHA1 | a3de388515d1486f55f1216396bc6c23a6e6e32a |
| SHA256 | 413353b1507d3c150c1fe3155d98d7d12d7669980160e0aa0bfe13aa333c4dca |
| SHA512 | 448ef4902d4a878f2093526d801ab17e8242fde4fa952c390b2c3a121211795d4148d8ca0fc4b43d8e18c78e76eb633a983536808b1d1ed312e6694973437243 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe
| MD5 | 4f96b15f7392bd9cde8bfc419b2d5438 |
| SHA1 | be4abda5fb946290cf0978548e049654db0365cc |
| SHA256 | 1b7314942a35a0b74a013d33132115fa97ca3f03bcf84b25e4c559cc73f243e5 |
| SHA512 | 865adb79a6b3ac226ce89741ad98e9c67ab40643556113b145b1ef2fdb4272ac681db7e06b48bf298ce075de7b4b5192b52741261ff98d92316e752eb7b30e77 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe
| MD5 | 821f91e744981c4f57f4511a57e26101 |
| SHA1 | 78158aad04d610410834de2351c1d553ddaa8f70 |
| SHA256 | 5db19b7597ee1f953d130f5af01c13ea269129fd056095f29493622664274a2a |
| SHA512 | d501e3ff9fda454cd18a6a79f68a89754114f93924d0c49669cca86063cfcf59509da179ef755cff5ed38c3324837f01a4a6ac61e92d81014e13948dc5f4563c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe
| MD5 | a632d5d7bbb9ea5ef035e8e4f495d187 |
| SHA1 | b5adf857eb9a0bdf85b1b3319ff713f901336ba7 |
| SHA256 | 0d7c2823f25604b07a38dba00f4ba503a113d925a11d512de6585e76f4c00df9 |
| SHA512 | da7eef05db71c77048286ed7e3a057227bb29100b58db660eeba232bcee91a5c396fba72f09a3f5b4170ad0e459e8c09b25363b7b6b842e8901d6706b4317a5e |
C:\Users\Admin\AppData\Local\Temp\F836.exe
| MD5 | 1a18fc4db3affaacf43f4022df7a2c32 |
| SHA1 | 2ef240262c43bdd5f6a9db9f7e6abb1e408366ba |
| SHA256 | b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32 |
| SHA512 | be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069 |
C:\Users\Admin\AppData\Local\Temp\7F6.exe
| MD5 | 02c02920de30db7f8852973ec8bdfedd |
| SHA1 | e4eebf1a7db4f7066a8748dc5a06159f62e3502d |
| SHA256 | 1545479f31f7b015e2a4865266361821f6ab1870f0a9e067644d19038e2f95fa |
| SHA512 | 72e6bfb78de55652ea3e8880d978463d88b0228d83d6c37e382e0a6b6ee40c90de436aa7759268b7dc1f4cb2bf0e957599ae2f7c967140a6b39168a309303ca6 |
C:\Users\Admin\AppData\Local\Temp\F2B.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7F6.exe.log
| MD5 | 84a01db52ea5a878520e162c80acfcd3 |
| SHA1 | 49b7c5c072f6c32e54cc97c1dcbee90de0dd4738 |
| SHA256 | 25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe |
| SHA512 | 0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e |