Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-nr6xgacb68
Target 3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be
SHA256 3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be
Tags
amadey healer redline smokeloader jordan backdoor dropper infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be

Threat Level: Known bad

The file 3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be was found to be: Known bad.

Malicious Activity Summary

amadey healer redline smokeloader jordan backdoor dropper infostealer persistence trojan

Amadey

RedLine payload

SmokeLoader

Healer

Detects Healer, an antivirus disabler dropper

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:38

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:38

Reported

2023-10-03 11:41

Platform

win10v2004-20230915-en

Max time kernel

27s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C4A8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2952 set thread context of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3172 wrote to memory of 3356 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4A8.exe
PID 3172 wrote to memory of 3356 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4A8.exe
PID 3172 wrote to memory of 3356 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4A8.exe
PID 3356 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\C4A8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe
PID 3356 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\C4A8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe
PID 3356 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\C4A8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe
PID 4120 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe
PID 4120 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe
PID 4120 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe
PID 3172 wrote to memory of 1132 N/A N/A C:\Users\Admin\AppData\Local\Temp\C748.exe
PID 3172 wrote to memory of 1132 N/A N/A C:\Users\Admin\AppData\Local\Temp\C748.exe
PID 3172 wrote to memory of 1132 N/A N/A C:\Users\Admin\AppData\Local\Temp\C748.exe
PID 1264 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe
PID 1264 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe
PID 1264 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe
PID 1152 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Xy0vr1bG.exe
PID 1152 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Xy0vr1bG.exe
PID 1152 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Xy0vr1bG.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe

"C:\Users\Admin\AppData\Local\Temp\3a11c0d376c929dbb436c83a01ff848347fae29ea4e3c7347430525915ee13be.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2952 -ip 2952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 144

C:\Users\Admin\AppData\Local\Temp\C4A8.exe

C:\Users\Admin\AppData\Local\Temp\C4A8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe

C:\Users\Admin\AppData\Local\Temp\C748.exe

C:\Users\Admin\AppData\Local\Temp\C748.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Xy0vr1bG.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Xy0vr1bG.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ti66oF6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ti66oF6.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8E0.bat" "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1132 -ip 1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2552 -ip 2552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2860 -ip 2860

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 540

C:\Users\Admin\AppData\Local\Temp\CCCA.exe

C:\Users\Admin\AppData\Local\Temp\CCCA.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2320 -ip 2320

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rb326Jw.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rb326Jw.exe

C:\Users\Admin\AppData\Local\Temp\CFD8.exe

C:\Users\Admin\AppData\Local\Temp\CFD8.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1f1c46f8,0x7ffb1f1c4708,0x7ffb1f1c4718

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\C4A8.exe

MD5 58f0d05dc318fb27da641c03fa4d664d
SHA1 daf53aa6f3f5706c1aec7c8149dd3973159d5264
SHA256 3f604bed00436d2063eb5e64e7443afd4c94b96cf4a5391150a8b2b6199261f2
SHA512 9ee0cf60aac3acfa2fe3bb466acdc549567f01fb817008ace925a0178a5d0f3409499ff7d6f6f3953298041cfb6ef758347d30c261b6190ee3d9e9deb17396c7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe

MD5 66c3517503dc4974307fec6ffa661d5a
SHA1 7c371312352f3335f55053e19ed5138b355a81b4
SHA256 bfdea6f786a62a1efa9971fca4695516f625cc33748559957af2e95e518434a0
SHA512 86d3c68c407943cd4ab798acc864777453acec3c7db483ec0189f86a09fccf70bf516bff911251db1ef26e39baf4650b784056f628963ea89c153ebfc47d12bf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Or4RX8cx.exe

MD5 49aafacee476804694b089564753232a
SHA1 e5f3f789c72b9f57f646dfbdcd8da420ffbd6460
SHA256 802b6e16f12cfa5b130717d3500c22a7ee02bbb783b20935ffba17145c3c5787
SHA512 30be2c3e14b54b0fb9b30b2517db720d185d80cf6f5d49a179c5eed44c31c7cfd056c0e792715b7fa558dc8c57ef3ae2a5c4389cc2f62d00bc4507a390d4575c

C:\Users\Admin\AppData\Local\Temp\C748.exe

MD5 0b5d6ef3c97a9e982265f7af225e5a9c
SHA1 1997d3ee98bd097055ab61b4c3d63637b120bee3
SHA256 fe7f655249dcdafa18d1ff185dfc1b26d1c71262ad2f76391f0e423e9bb240e4
SHA512 71784323e6aab3550314fae076fc6b3a35e3c30e707f53f16a19d9b3d533c2da1215c33038b195fc72bec245b64897b5cc21c8392fcce5fcfdf354214dd6bea8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oS1CF3Qn.exe

MD5 9014a0234d2c58ee7cf349c19e148c3b
SHA1 53b90f7cdbb745bbe5616cbbfd609323df8f822a
SHA256 5956c5a0dac5224aae9b8309e85290aa11b081d874f69d539817ba6d01ea613c
SHA512 42c4e86e34bf75bc00d6b7d8fa090e6ee1435e0b8a3c895810aa683e0ad6a6459f6b16182ba73b2e62270c2a158d9565e5143b0a308122d0042aebeb2bb01c06

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Xy0vr1bG.exe

MD5 ad04538ac68bdbcdd4af15df754950df
SHA1 01a914d0ff62513dd29e5471a06262425b3587d0
SHA256 a148f9b369eb12dcc206683c98559e264ce830b4402c2e2aac6559eec6f3f621
SHA512 da9a246975b6bd40ee83cdf91f96f7d44b84becfe925fcd7c9976a8b6c950e1d40b5adf448460b64ab8a6351e4370c47f338bb0f4197a7abde976dc9da7b9eef

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ti66oF6.exe

MD5 94fe8c5b20737216593756185af3492c
SHA1 8eead059a52929964e302ea5b368b979839c2cac
SHA256 de73644bad0e5ac1b38ac89d00ec878bd467884f5ba2c13a5d7ff900a2bf0b9a
SHA512 4105e2ddfb853054057fa6eee53e74df7f335bad223a990487e99621ceb64959183fd3dc04fb03a820df684eda2056a941f9f6549fd18d1be360c52f1dc9e340

C:\Users\Admin\AppData\Local\Temp\C8E0.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

MD5 0e6557057a1d9769a7cc3b4f670fdde5
SHA1 8870b8d7db588dd57b416e474875b908517cbedb
SHA256 aa0a00deb37f55d80e804526da1e0675f595772782a4871e3fc2be021da6c10c
SHA512 13a4af52593a02b8309d0c71d70932527c792f7145cee1d3102b5504352185a80257af7fc5921bda690e6eae068f22616ed59677e00906d76c3d9dee43f5ad40

C:\Users\Admin\AppData\Local\Temp\CCCA.exe

MD5 cb71132b03f15b037d3e8a5e4d9e0285
SHA1 95963fba539b45eb6f6acbd062c48976733519a1
SHA256 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512 d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a

C:\Users\Admin\AppData\Local\Temp\CFD8.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 f3a9beb9939f45506a8c20f89b5a3134
SHA1 e6059321bdcbbbdd1ac6cdfee1cf121a5cec9ad4
SHA256 7621224038ea6ba67b435f364923971163d939cce5629414ffae4825b737b839
SHA512 2a419a68945bee46e845afb9c55e4779cfc8e77545f85318fe876adc6bfeafca51c2889946fa93dc2c90436872413a4cdca1b41dbe3fa3182b5ed2289c2dba24

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rb326Jw.exe

MD5 04ef7ddd78de02eaac28a0e271552452
SHA1 8d0c6b38be84f76303c64dbe13c792bd85ee8c0a
SHA256 7716f68962275129ad4abe0ac10507570713d22f10a2cc75a4f24894e4bc27f1
SHA512 14fea0123f0e5bdedcf1500fc76460ad290db79357649d33952e329c2bfd8854ac9a5038fe41973e43f508553a247647e571b50c8720946261ef99e2f1370d3b