Malware Analysis Report

2025-01-23 09:52

Sample ID 231010-zbgheshf2x
Target file
SHA256 9caecc47d2e4e9758cd72483a679ccbc2ba4c6bc7966fa82eccbca74404a457c
Tags
smokeloader backdoor persistence trojan amadey healer mystic dropper stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9caecc47d2e4e9758cd72483a679ccbc2ba4c6bc7966fa82eccbca74404a457c

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor persistence trojan amadey healer mystic dropper stealer

SmokeLoader

Healer

Mystic

Detects Healer an antivirus disabler dropper

Detect Mystic stealer payload

Amadey

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:32

Reported

2023-10-10 20:47

Platform

win7-20230831-en

Max time kernel

170s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2440 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(62 further rows with no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 36

Network

Country Destination Domain Proto
FI 77.91.68.29:80 (none) tcp
FI 77.91.68.29:80 (none) tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
(recorded 4 times in this run, with and without the C: drive prefix; identical hashes each time)

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
(recorded 10 times in this run, with and without the C: drive prefix; identical hashes each time)

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

memory/2624-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2624-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2624-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2624-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2624-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2624-33-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1228-32-0x0000000002C80000-0x0000000002C96000-memory.dmp
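The Files list above records the same dropped file several times (with and without the C: drive prefix, and again in the second run below), and the last entry on the page is cut off after its MD5. A small parser that keys entries on SHA256 gives the unique dropped-file inventory and separates out entries that cannot be keyed. The Python below is added here as an example; it is not part of this report or of Triage's tooling. FILES_TEXT copies entries from the behavioral1 list above plus the truncated sh6hE7ZX.exe entry from the end of the page, and the function names are our own.

```python
"""Deduplicate a sandbox report's Files list by SHA256 (added example, not
Triage tooling).  FILES_TEXT copies entries from the behavioral1 Files list
above plus the truncated sh6hE7ZX.exe entry from the end of the page."""
import re
from collections import OrderedDict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")

FILES_TEXT = r'''
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

memory/2624-24-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
'''


def parse_files(text):
    """Group each path line with the MD5/SHA1/SHA256/SHA512 lines that follow it.
    memory/...-memory.dmp lines are in-memory dumps with no hashes; they close the
    open entry and are otherwise ignored here.  A digest of the wrong length raises."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            cur = None
            continue
        m = HASH_RE.match(line)
        if m:
            if cur is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{cur['path']}: {algo} digest has wrong length")
            cur["hashes"][algo] = digest
            continue
        cur = {"path": line, "hashes": {}}   # any other line starts a new entry
        entries.append(cur)
    return entries


def normalize_path(path):
    """The report lists the same file as '\\Users\\...' and 'C:\\Users\\...'."""
    return path if path[1:3] == ":\\" else "C:" + path


def dedupe(entries):
    """Key on SHA256 so one payload dropped under several paths (or in several
    runs) collapses to one indicator.  Entries without a SHA256, such as the
    truncated one at the end of the page, are returned separately."""
    unique, incomplete = OrderedDict(), []
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:
            incomplete.append(e["path"])
            continue
        rec = unique.setdefault(sha, {"hashes": e["hashes"], "paths": [], "count": 0})
        p = normalize_path(e["path"])
        if p not in rec["paths"]:
            rec["paths"].append(p)
        rec["count"] += 1
    return unique, incomplete


if __name__ == "__main__":
    unique, incomplete = dedupe(parse_files(FILES_TEXT))
    for sha, rec in unique.items():
        print(f"{sha}  x{rec['count']}  {', '.join(rec['paths'])}")
    for path in incomplete:
        print(f"incomplete (no SHA256): {path}")
```

Keying on SHA256 rather than on path is what lets a7333758.exe from the win7 run and from the win10 run below fold into a single indicator; MD5 and SHA1 are carried along only for matching against feeds that still index on them.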

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:32

Reported

2023-10-10 20:47

Platform

win10v2004-20230915-en

Max time kernel

33s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Mystic

stealer mystic

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(62 further rows with no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 4592 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 4592 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 1460 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 1460 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 1460 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 968 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1460 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
PID 1460 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
PID 1460 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
PID 3256 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3256 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4592 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
PID 4592 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
PID 4592 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
PID 3276 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\4820.exe
PID 3276 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\4820.exe
PID 3276 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\4820.exe
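The WriteProcessMemory rows in this run and in behavioral1 above show the same pattern: a dropped stage (a7333758.exe, and here also b3605687.exe) writes repeatedly into a freshly created C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, and in behavioral1 PID 2440 then sets the thread context of that same PID 2624, a sequence consistent with process hollowing into a signed .NET host; the injector itself crashes afterwards (WerFault.exe -u -p 2440), which is also why it appears writing into WerFault.exe. The RunOnce entries flagged as persistence, by contrast, are wextract_cleanupN values that call advpack.dll,DelNodeRunDLL32 on the IXP00n.TMP directory: that is the IExpress self-extractor's own cleanup of its extraction directory at next logon, not an autostart for the payload. The Python below turns rows of this shape into findings. It is added here as an example and is not part of this report or of Triage's tooling; it assumes that the sandbox's "PID A wrote to memory of B" row for a newly created child can serve as a parent link (it does for the rows here), copies its input from the behavioral1 tables, and adds one constructed Run\Updater row that does not appear in the report so the classifier has a genuine autostart value to contrast with; the function names are our own.

```python
"""Post-process sandbox signature rows into triage findings (added example,
not Triage tooling).  SAMPLE_ROWS copies rows from the behavioral1 tables
above, except the final Run\\Updater row, which is a constructed control entry
that does not appear in the report."""
import re
from collections import Counter

WRITE_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")
REGSET_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+) N/A$')

SAMPLE_ROWS = r'''
PID 2488 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
PID 2600 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2440 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe C:\Windows\SysWOW64\WerFault.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" C:\Users\Admin\AppData\Local\Temp\4820.exe N/A
'''


def parse_rows(text):
    """Turn raw table rows into event dicts; rows of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append({"kind": "write" if action.startswith("wrote") else "setctx",
                           "src": int(src), "dst": int(dst),
                           "src_img": src_img, "dst_img": dst_img})
            continue
        m = REGSET_RE.match(line)
        if m:
            key, value, proc = m.groups()
            events.append({"kind": "regset", "key": key, "value": value, "proc": proc})
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def classify_autostart(key, value):
    """IExpress/WEXTRACT self-extractors (the IXP00n.TMP directories) register a
    RunOnce value wextract_cleanupN that runs advpack.dll,DelNodeRunDLL32 to delete
    the extraction directory at next logon.  That is packer cleanup, not an
    autostart of the payload, so it should not be scored as persistence."""
    if "\\RunOnce\\wextract_cleanup" in key and "advpack.dll,DelNodeRunDLL32" in value:
        return "iexpress_cleanup"
    return "autostart"


def lineage(pid, parent, image):
    """Walk parent links (the first writer into a child) back to the root."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(basename(image.get(pid, "N/A")))
        pid = parent.get(pid)
    return chain[::-1]


def analyze(events):
    writes = Counter()   # (src, dst) -> number of WriteProcessMemory rows
    setctx = set()       # (src, dst) pairs that also had SetThreadContext
    image, parent = {}, {}
    findings = {"hollowing": [], "crash_reports": [], "registry": []}
    for ev in events:
        if ev["kind"] == "regset":
            findings["registry"].append(
                (basename(ev["key"]), classify_autostart(ev["key"], ev["value"]), ev["proc"]))
            continue
        image.setdefault(ev["src"], ev["src_img"])
        image.setdefault(ev["dst"], ev["dst_img"])
        parent.setdefault(ev["dst"], ev["src"])
        if ev["kind"] == "write":
            writes[(ev["src"], ev["dst"])] += 1
        else:
            setctx.add((ev["src"], ev["dst"]))
    for (src, dst), n in writes.items():
        if basename(image[dst]).lower() == "werfault.exe":
            # A process writing into the WerFault.exe it spawned is WER crash
            # handling, not injection; it backs the "Program crash" signature.
            findings["crash_reports"].append(src)
        elif ((src, dst) in setctx and is_windows_binary(image[dst])
              and not is_windows_binary(image[src])):
            # Writes into a freshly created signed host followed by
            # SetThreadContext on it: the process-hollowing sequence.
            findings["hollowing"].append({"injector": src, "host": dst, "writes": n,
                                          "chain": lineage(dst, parent, image)})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_rows(SAMPLE_ROWS))["hollowing"]:
        print(f"hollowing: PID {f['injector']} -> PID {f['host']} "
              f"({f['writes']} writes), chain {' > '.join(f['chain'])}")
```

Run against the full tables rather than the excerpt, the same logic also separates the WerFault -pss/-u pairs in this run (crash handling for 968, 3256, 3080, 2584 and 3724) from the b3605687.exe writes into AppLaunch.exe, and the 3276 -> 3628 row with an unrecorded source image simply yields an "N/A" root in the chain rather than a false hollowing hit, because there is no SetThreadContext for that pair.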

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3256 -ip 3256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3080 -ip 3080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe

C:\Users\Admin\AppData\Local\Temp\4820.exe

C:\Users\Admin\AppData\Local\Temp\4820.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\490B.exe

C:\Users\Admin\AppData\Local\Temp\490B.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\49E7.bat

"C:\Users\Admin\AppData\Local\Temp\49E7.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\4BEC.exe

C:\Users\Admin\AppData\Local\Temp\4BEC.exe

C:\Users\Admin\AppData\Local\Temp\4D73.exe

C:\Users\Admin\AppData\Local\Temp\4D73.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\4EEB.exe

C:\Users\Admin\AppData\Local\Temp\4EEB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2584 -ip 2584

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4B5C.tmp\4B5D.tmp\4B5E.bat C:\Users\Admin\AppData\Local\Temp\49E7.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3724 -ip 3724

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
RU 5.42.92.211:80 5.42.92.211 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9695908.exe
(recorded twice in this run; identical hashes)

MD5 cb1af71ceead417172b28de58431ef66
SHA1 c5e0ec5d020a25deabc48084658e820977b0b4aa
SHA256 6ce79dba9cb413c17a6329782e03d458b45ba6c666c4bc0ea25ad987ad622109
SHA512 5e409b1d51efed7cfdc98a301f8b68e0cfb80fb8dbe80f306ac15d2af105198bfae17d54348be867224c39a9cbf99e1d0dfffffe69898f4f4589618c15251fd0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7333758.exe
(recorded twice in this run; identical hashes, and the same file as in behavioral1)

MD5 410af2f3e0bc3d247844509d7612fca0
SHA1 96bf45d02d6539dd6a575a3f517d4ebaa9f84343
SHA256 2356f822dafd186b6ff9a93ad828b9b5b72bf51e5e1f33d634b3570f09101cff
SHA512 b41be9ccab2469bdf8a732fee4b340438f0005bfef7117da858731790a062287603c6cbcad839e8a3b1e7d6c6a25d5f38fa79159030eae4927b16def344e977e

memory/672-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/672-15-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3605687.exe
(recorded twice in this run; identical hashes)

MD5 da6f805e679c4f2456bf9b5908c8af58
SHA1 9b0d895770ae68c1e4d16235d7ab08be759af70b
SHA256 10a6c645178272da1631c2ce32450af5959e6241a18b3720c46629f5536b7019
SHA512 e14ff290f4f3663b83d17a162f64cc0a6ccee7945cd188e4a0969c634fb5450020fef3fceca6074cc4637d552b915f3159504e32b5d717a85286b894dc59ce45

memory/3080-19-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3080-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3080-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3080-23-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3276-24-0x0000000002C20000-0x0000000002C36000-memory.dmp

memory/672-27-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4890796.exe
(recorded twice in this run; identical hashes)

MD5 90d0e9c28de807490744702047f6eb59
SHA1 63970b77663d449cc076ae4f87a6b77447acf843
SHA256 40e9dc6ea3a1acb0a951c025ef02c8c1618225e97fd973c7649f880bd29dc7d8
SHA512 ced9d267998b38743ccf7b61e73ecdb2c03738885475c2272d06fa5c5a3ad02728c9b75a6cd3ab979115407cbd0d07b379dd4aff0f9c95ce28ca6a540a17b728

C:\Users\Admin\AppData\Local\Temp\4820.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\490B.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\49E7.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\4BEC.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\4D73.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\4EEB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 f31d60eff88ef10bf1321b3ce8abb881
SHA1 9f06792473fa3510ec507a591b024ae5a4ed0fb9
SHA256 6cbf23fbf9fe9d9e690ff2571c0d5bdae91135df5b2193fb5fec4468b81f945d
SHA512 94671b41edb252ebe32588902c1fbb8cf3bc545aee07151a4dfe718573d39a1756c9f2c7eae069624c6548c9061ef853a180c623e81cfe0f82d5ebf2f9d16eae
