Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rl82eshf74
Target 08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e
SHA256 08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e
Tags
amadey healer redline smokeloader virad backdoor dropper evasion infostealer persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e

Threat Level: Known bad

The file 08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Detects Healer an antivirus disabler dropper

Amadey

SmokeLoader

RedLine payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:18

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:18

Reported

2023-09-10 14:20

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F2B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2B.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1788 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1788 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 2332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe
PID 2332 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe
PID 4212 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe
PID 3548 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe
PID 3508 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe
PID 1864 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe
PID 1936 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3548 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe
PID 1940 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4212 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe

"C:\Users\Admin\AppData\Local\Temp\08765526e3ca4394eea13f57e4a72ed5fee260026c5f891f254bf53bf136fb0e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1788 -ip 1788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 288

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1864 -ip 1864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 592

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 200

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe

C:\Users\Admin\AppData\Local\Temp\F836.exe

C:\Users\Admin\AppData\Local\Temp\F836.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\7F6.exe

C:\Users\Admin\AppData\Local\Temp\7F6.exe

C:\Users\Admin\AppData\Local\Temp\F2B.exe

C:\Users\Admin\AppData\Local\Temp\F2B.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\7F6.exe

C:\Users\Admin\AppData\Local\Temp\7F6.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network


Files

memory/4120-0-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4120-1-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4120-2-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4120-3-0x0000000000400000-0x0000000000526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe

MD5 6d12a780de1b979bedf5fc2ff4e99e6d
SHA1 39e4d247392ee2d8fae08037db4b163853bafd55
SHA256 87f51b58804741dc215c7db13d94e4a8c0da56cbee41eb877e0d8749625b618a
SHA512 8a7eaa2f342e572b788b6dda9eea4d759db634450ecd4af97830cdb489619d1e93c6e3345403586f19a67a6fe7215cae7978195dfe60bc8f0a90176ac582af05

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5320496.exe

MD5 6d12a780de1b979bedf5fc2ff4e99e6d
SHA1 39e4d247392ee2d8fae08037db4b163853bafd55
SHA256 87f51b58804741dc215c7db13d94e4a8c0da56cbee41eb877e0d8749625b618a
SHA512 8a7eaa2f342e572b788b6dda9eea4d759db634450ecd4af97830cdb489619d1e93c6e3345403586f19a67a6fe7215cae7978195dfe60bc8f0a90176ac582af05

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe

MD5 b32d5161306e159aea986cb5879355ac
SHA1 58f2341215b3ac9807b4b09c9b94bfcdda02a027
SHA256 e96a1d814523de31eaef065aea38c09684fa076f2c7e632999ecefa98e75bd01
SHA512 fe8b414902872067162b09cef8a6eeb4804250346752211ed65ab877a876c292d416c03bc8151e4372836d8137fbebdf60eba54d37de3be5a33b1a75c013dfdd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4116576.exe

MD5 b32d5161306e159aea986cb5879355ac
SHA1 58f2341215b3ac9807b4b09c9b94bfcdda02a027
SHA256 e96a1d814523de31eaef065aea38c09684fa076f2c7e632999ecefa98e75bd01
SHA512 fe8b414902872067162b09cef8a6eeb4804250346752211ed65ab877a876c292d416c03bc8151e4372836d8137fbebdf60eba54d37de3be5a33b1a75c013dfdd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe

MD5 81dd8f6e349d2ce27de8d74b3d899669
SHA1 e7637c1e71c0a69942bad90fda9fba62235687a4
SHA256 50cc8864ff826c0e83fb8680bd7e6037d8e3bc221415e63675734dde0fec5b87
SHA512 76994fc42d84f2c72d97ff9e3429429bb2ea542f1741b5f4e56013fee0e9a10a79841981a7bdc5d53f4c6365363a51d25bf3941b6d2274c3cd0ea0745c9f4c65

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2029543.exe

MD5 81dd8f6e349d2ce27de8d74b3d899669
SHA1 e7637c1e71c0a69942bad90fda9fba62235687a4
SHA256 50cc8864ff826c0e83fb8680bd7e6037d8e3bc221415e63675734dde0fec5b87
SHA512 76994fc42d84f2c72d97ff9e3429429bb2ea542f1741b5f4e56013fee0e9a10a79841981a7bdc5d53f4c6365363a51d25bf3941b6d2274c3cd0ea0745c9f4c65

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe

MD5 72c40564ce2cf28107a76758fc5ee53a
SHA1 4e1f3b1eb3800b3fbc18acd29e007083073d0dc6
SHA256 f65021f0a18cdc307128b7c34f9d3cf4d88be5ca13e0c646a56d815827e80d94
SHA512 0dd9c7815f1eda8a963eed582af8d02961b139393be28b71a3e12fe3754986bc734b9947f8a35124506e48581823a55df160545afd8307d6ec23f3e0c80e4ffc

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9503706.exe

MD5 72c40564ce2cf28107a76758fc5ee53a
SHA1 4e1f3b1eb3800b3fbc18acd29e007083073d0dc6
SHA256 f65021f0a18cdc307128b7c34f9d3cf4d88be5ca13e0c646a56d815827e80d94
SHA512 0dd9c7815f1eda8a963eed582af8d02961b139393be28b71a3e12fe3754986bc734b9947f8a35124506e48581823a55df160545afd8307d6ec23f3e0c80e4ffc

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe

MD5 85488af9e0d66ab24ee308148b1f206f
SHA1 a3de388515d1486f55f1216396bc6c23a6e6e32a
SHA256 413353b1507d3c150c1fe3155d98d7d12d7669980160e0aa0bfe13aa333c4dca
SHA512 448ef4902d4a878f2093526d801ab17e8242fde4fa952c390b2c3a121211795d4148d8ca0fc4b43d8e18c78e76eb633a983536808b1d1ed312e6694973437243

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4004307.exe

MD5 85488af9e0d66ab24ee308148b1f206f
SHA1 a3de388515d1486f55f1216396bc6c23a6e6e32a
SHA256 413353b1507d3c150c1fe3155d98d7d12d7669980160e0aa0bfe13aa333c4dca
SHA512 448ef4902d4a878f2093526d801ab17e8242fde4fa952c390b2c3a121211795d4148d8ca0fc4b43d8e18c78e76eb633a983536808b1d1ed312e6694973437243

memory/1252-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1252-40-0x0000000073EE0000-0x0000000074690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe

MD5 4f96b15f7392bd9cde8bfc419b2d5438
SHA1 be4abda5fb946290cf0978548e049654db0365cc
SHA256 1b7314942a35a0b74a013d33132115fa97ca3f03bcf84b25e4c559cc73f243e5
SHA512 865adb79a6b3ac226ce89741ad98e9c67ab40643556113b145b1ef2fdb4272ac681db7e06b48bf298ce075de7b4b5192b52741261ff98d92316e752eb7b30e77

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3052616.exe

MD5 4f96b15f7392bd9cde8bfc419b2d5438
SHA1 be4abda5fb946290cf0978548e049654db0365cc
SHA256 1b7314942a35a0b74a013d33132115fa97ca3f03bcf84b25e4c559cc73f243e5
SHA512 865adb79a6b3ac226ce89741ad98e9c67ab40643556113b145b1ef2fdb4272ac681db7e06b48bf298ce075de7b4b5192b52741261ff98d92316e752eb7b30e77

memory/4960-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4960-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4960-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4960-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe

MD5 821f91e744981c4f57f4511a57e26101
SHA1 78158aad04d610410834de2351c1d553ddaa8f70
SHA256 5db19b7597ee1f953d130f5af01c13ea269129fd056095f29493622664274a2a
SHA512 d501e3ff9fda454cd18a6a79f68a89754114f93924d0c49669cca86063cfcf59509da179ef755cff5ed38c3324837f01a4a6ac61e92d81014e13948dc5f4563c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8910804.exe

MD5 821f91e744981c4f57f4511a57e26101
SHA1 78158aad04d610410834de2351c1d553ddaa8f70
SHA256 5db19b7597ee1f953d130f5af01c13ea269129fd056095f29493622664274a2a
SHA512 d501e3ff9fda454cd18a6a79f68a89754114f93924d0c49669cca86063cfcf59509da179ef755cff5ed38c3324837f01a4a6ac61e92d81014e13948dc5f4563c

memory/3992-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3992-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1593750.exe

MD5 a632d5d7bbb9ea5ef035e8e4f495d187
SHA1 b5adf857eb9a0bdf85b1b3319ff713f901336ba7
SHA256 0d7c2823f25604b07a38dba00f4ba503a113d925a11d512de6585e76f4c00df9
SHA512 da7eef05db71c77048286ed7e3a057227bb29100b58db660eeba232bcee91a5c396fba72f09a3f5b4170ad0e459e8c09b25363b7b6b842e8901d6706b4317a5e

memory/3176-57-0x0000000000760000-0x0000000000790000-memory.dmp

memory/3176-58-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/3176-59-0x0000000005820000-0x0000000005E38000-memory.dmp

memory/3176-60-0x0000000005310000-0x000000000541A000-memory.dmp

memory/3176-62-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/3176-61-0x0000000005230000-0x0000000005242000-memory.dmp

memory/3176-63-0x0000000005290000-0x00000000052CC000-memory.dmp

memory/4120-64-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3992-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3184-65-0x0000000003130000-0x0000000003146000-memory.dmp

memory/1252-69-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/1252-71-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/3176-72-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/3176-73-0x0000000004FF0000-0x0000000005000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F836.exe

MD5 1a18fc4db3affaacf43f4022df7a2c32
SHA1 2ef240262c43bdd5f6a9db9f7e6abb1e408366ba
SHA256 b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32
SHA512 be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069

memory/1068-81-0x0000000000280000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F836.exe

MD5 1a18fc4db3affaacf43f4022df7a2c32
SHA1 2ef240262c43bdd5f6a9db9f7e6abb1e408366ba
SHA256 b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32
SHA512 be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069

memory/1068-82-0x0000000000280000-0x000000000040E000-memory.dmp

memory/2632-83-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1068-88-0x0000000000280000-0x000000000040E000-memory.dmp

memory/2632-89-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/2632-90-0x0000000007F80000-0x0000000008524000-memory.dmp

memory/2632-91-0x0000000007AC0000-0x0000000007B52000-memory.dmp

memory/2632-92-0x0000000007C80000-0x0000000007C90000-memory.dmp

memory/2632-93-0x0000000007B80000-0x0000000007B8A000-memory.dmp

memory/2632-94-0x00000000086B0000-0x0000000008716000-memory.dmp

memory/2632-95-0x00000000095F0000-0x0000000009666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F6.exe

MD5 02c02920de30db7f8852973ec8bdfedd
SHA1 e4eebf1a7db4f7066a8748dc5a06159f62e3502d
SHA256 1545479f31f7b015e2a4865266361821f6ab1870f0a9e067644d19038e2f95fa
SHA512 72e6bfb78de55652ea3e8880d978463d88b0228d83d6c37e382e0a6b6ee40c90de436aa7759268b7dc1f4cb2bf0e957599ae2f7c967140a6b39168a309303ca6

memory/3296-100-0x0000027EB43C0000-0x0000027EB4A1E000-memory.dmp

memory/2632-101-0x0000000009570000-0x000000000958E000-memory.dmp

memory/3296-102-0x00007FF9B2BB0000-0x00007FF9B3671000-memory.dmp

memory/3296-103-0x0000027ECEF20000-0x0000027ECEF30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2B.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2632-108-0x000000000A550000-0x000000000A712000-memory.dmp

memory/2632-109-0x000000000AC50000-0x000000000B17C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2632-120-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/2632-121-0x00000000098F0000-0x0000000009940000-memory.dmp

memory/2632-122-0x0000000007C80000-0x0000000007C90000-memory.dmp

memory/2632-124-0x0000000073EE0000-0x0000000074690000-memory.dmp

memory/3296-125-0x00007FF9B2BB0000-0x00007FF9B3671000-memory.dmp

memory/3296-126-0x0000027ECEF20000-0x0000027ECEF30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F6.exe

MD5 02c02920de30db7f8852973ec8bdfedd
SHA1 e4eebf1a7db4f7066a8748dc5a06159f62e3502d
SHA256 1545479f31f7b015e2a4865266361821f6ab1870f0a9e067644d19038e2f95fa
SHA512 72e6bfb78de55652ea3e8880d978463d88b0228d83d6c37e382e0a6b6ee40c90de436aa7759268b7dc1f4cb2bf0e957599ae2f7c967140a6b39168a309303ca6

memory/3768-127-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7F6.exe.log

MD5 84a01db52ea5a878520e162c80acfcd3
SHA1 49b7c5c072f6c32e54cc97c1dcbee90de0dd4738
SHA256 25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe
SHA512 0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

memory/3296-131-0x00007FF9B2BB0000-0x00007FF9B3671000-memory.dmp

memory/3768-132-0x00007FF9B2BB0000-0x00007FF9B3671000-memory.dmp

memory/3768-133-0x000001E939DA0000-0x000001E939DB0000-memory.dmp

memory/3768-134-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-135-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-137-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-139-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-141-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-143-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-145-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-147-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-149-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-151-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-153-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-155-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-157-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-159-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-161-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-163-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-165-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-167-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-169-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-171-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-173-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-175-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-177-0x000001E952660000-0x000001E952741000-memory.dmp

memory/3768-810-0x00007FF9B2BB0000-0x00007FF9B3671000-memory.dmp

memory/3768-1047-0x000001E939DA0000-0x000001E939DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3768-2348-0x00007FF9B2BB0000-0x00007FF9B3671000-memory.dmp