Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-sra71saa9z
Target 1322008e75c620fd60416b4264d42e7e.exe
SHA256 0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2
Tags
amadey healer redline smokeloader virad backdoor discovery dropper evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2

Threat Level: Known bad

The file 1322008e75c620fd60416b4264d42e7e.exe was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine

Amadey

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

SmokeLoader

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:21

Reported

2023-09-10 15:23

Platform

win7-20230831-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe

"C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 15:21

Reported

2023-09-10 15:23

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B979.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9492834.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B66B.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBAD.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B979.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1672 wrote to memory of 4572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9492834.exe
PID 4572 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9492834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe
PID 4536 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe
PID 4968 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe
PID 2100 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6784291.exe
PID 672 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6784291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2100 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9567100.exe
PID 3832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9567100.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3576046.exe
PID 3128 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3576046.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8077178.exe
PID 3156 wrote to memory of 3932 N/A N/A C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 3932 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\A8DD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe

"C:\Users\Admin\AppData\Local\Temp\1322008e75c620fd60416b4264d42e7e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2648 -ip 2648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9492834.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9492834.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6784291.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6784291.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 672 -ip 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9567100.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9567100.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3832 -ip 3832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3576046.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3576046.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3128 -ip 3128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8077178.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8077178.exe

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\B66B.exe

C:\Users\Admin\AppData\Local\Temp\B66B.exe

C:\Users\Admin\AppData\Local\Temp\B979.exe

C:\Users\Admin\AppData\Local\Temp\B979.exe

C:\Users\Admin\AppData\Local\Temp\BBAD.exe

C:\Users\Admin\AppData\Local\Temp\BBAD.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\B66B.exe

C:\Users\Admin\AppData\Local\Temp\B66B.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
MD 176.123.9.85:16482 tcp
US 8.8.8.8:53 85.9.123.176.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 162.33.179.91:80 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 91.179.33.162.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

memory/1672-0-0x0000000000400000-0x0000000000526000-memory.dmp

memory/1672-1-0x0000000000400000-0x0000000000526000-memory.dmp

memory/1672-2-0x0000000000400000-0x0000000000526000-memory.dmp

memory/1672-3-0x0000000000400000-0x0000000000526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9492834.exe

MD5 966ac55df7967fa6382f25dfd04be81f
SHA1 132bed4e2696136643a4acfb9fa3d6a4726ff5d0
SHA256 d24a28f90efbf89bb29249c66878cd31d11daccf40351a94b873a8d7307c8e14
SHA512 823400078687fd635b0a7d0c7ee40191120f932106b534baf7dd16a68a128ff959dfb8d81bd50ea470f1bbfca232dc7e7220a0c890f862b365088058f323ff1b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6161139.exe

MD5 44a474eb1c481db04e9e8a1fac299467
SHA1 f5ae906ed548947af3daf6dc0edfbe5acd440972
SHA256 cb2c68c0c8da90014f48212fd52d52a2cc446b2202d4ffee9ca5e0737a3c3680
SHA512 c523c9a64c73645660c0072776e02d729d6c2d6ab95afddaf83442f945e56bedd64614cbc8de89001f8b6f82fa569bc289a7e42f52df38430c7df7434694a351

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8528947.exe

MD5 0c8030b7eb49d1cc20e7fc3438fc1c63
SHA1 a19702ddcaa7ca840cd10da279d8105ed7673f62
SHA256 8d948e3c839ae9e1fc6885f8f95896d80b395db901b3f21bc52fd881325babe8
SHA512 184f0bedd5f838dc7522a3aa2c28c90f0c700dbd1332f84012223e3d25a6a85092d7704421138c58f88eaac5d23f8b37ff0d97323aeb9c2fd826527e2e5247e9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1506589.exe

MD5 5919314ea60f6bd5e867bc3c797c80c1
SHA1 258a271a884d2029d03ee7a3ab5adfc9ebb6df54
SHA256 d710efe3ce575bb94648efddf4ef7eacea4afcc72653c2bdda2bd2e41a72a9ba
SHA512 4236ae3f83b2b0cdd9438996787ed29cd51c60b5219ee0427a569f4068b46886be5b300a49678379fb0931b1bc619e8f1a37568187e0961f785569fe49b296a2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6784291.exe

MD5 a0ff34267f0cdd3ce245b9672039e803
SHA1 0ef012e48e2c40af071402474513473ee13f38f1
SHA256 e03ee0e81317f06d8edd0f357950a643241eb563a165340a07bfbd3fadb653a8
SHA512 4705e84910457f29d6e416270eba4c754c008aa2d6a0cc1862fed818287d0c9e36f2dd78da895332099e36a956a5c7c4caf86cf3d5e7bf51412e086ef7e64e3f

memory/3464-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3464-40-0x0000000073580000-0x0000000073D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9567100.exe

MD5 8373260084d6b8c37cc0278dedeafbcb
SHA1 bcdf12c51d7f284bba0eff0e50fef77e78292296
SHA256 6b56198f7542abccee6f0261f4a4751346ae9f39550aa86cfd494fe9f4a1aa56
SHA512 0ca37560b2859e17f85fbe2ac38bfe5f3d917ca46cb2cdd49e24ada2de694e58fd27b01d2e015ee412de0e8b99e27d87f9c0abf4055cc8e630b411a80bde4c18

memory/2904-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2904-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2904-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2904-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3576046.exe

MD5 7906abee2e55f114f871c5c37ab601f3
SHA1 673a98d21f92b73aefbc18ca2baefb0a0ecb6ed8
SHA256 455d9e8710d6a4f87b321d0adddf11b14ac35758b5e37aeff35e6ecda5921b1d
SHA512 8ead2d67457bdca91b3cac8cf6aa0ff4028150add0166f5048565e626d08b2b2d9cc15fb6a9b5833d70c815a18829b87711d8a6a31252c6e62cbff663f807500

memory/2196-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2196-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8077178.exe

MD5 25c76599a72dce84a2106b46e54b903d
SHA1 2e8eea09f5b2ff91e567781dd727c67f79addefc
SHA256 1a3f45582b0fe1b5ad02db7fa5dd8d375e7474e3c1e7ac6180b18652162ebe62
SHA512 2c5d059bd50389d9b14269ffd1ea955d4585b637e6837c998e3605e2b668deaef0c3db85d4ba90fc2b59947cf0dcc65436bf6472a424c559effb5cf0108731a6

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

MD5 1a18fc4db3affaacf43f4022df7a2c32
SHA1 2ef240262c43bdd5f6a9db9f7e6abb1e408366ba
SHA256 b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32
SHA512 be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069

C:\Users\Admin\AppData\Local\Temp\B66B.exe

MD5 02c02920de30db7f8852973ec8bdfedd
SHA1 e4eebf1a7db4f7066a8748dc5a06159f62e3502d
SHA256 1545479f31f7b015e2a4865266361821f6ab1870f0a9e067644d19038e2f95fa
SHA512 72e6bfb78de55652ea3e8880d978463d88b0228d83d6c37e382e0a6b6ee40c90de436aa7759268b7dc1f4cb2bf0e957599ae2f7c967140a6b39168a309303ca6

C:\Users\Admin\AppData\Local\Temp\B979.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\BBAD.exe

MD5 8669fe397a7225ede807202f6a9d8390
SHA1 04a806a5c4218cb703cba85d3e636d0c8cbae043
SHA256 1624a759791e49ce8f79dd249d3ac2aede589ffbe53db342e4c99e2fbbc1b90e
SHA512 29cad49434172a910ba7635058ecc02aacf43f648ee98b2c47c561332403a96847b5da817358095f7638295b238de8874bf34fb393670096bbf3caeb388a9c45

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\B66B.exe.log

MD5 84a01db52ea5a878520e162c80acfcd3
SHA1 49b7c5c072f6c32e54cc97c1dcbee90de0dd4738
SHA256 25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe
SHA512 0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e
