Analysis Overview
SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
Threat Level: Known bad
The file ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b was found to be: Known bad.
Malicious Activity Summary
Detect rhadamanthys stealer shellcode
Amadey family
Rhadamanthys
Aurora
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
GoLang User-Agent
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-23 18:46
Signatures
Amadey family
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-23 18:46
Reported
2023-01-23 18:48
Platform
win10v2004-20221111-en
Max time kernel
114s
Max time network
152s
Command Line
Signatures
Amadey
Aurora
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4460 created 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe | C:\Windows\system32\taskhostw.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000001050\nonem.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000021001\redline4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000027001\pplaurora2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonem.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000001050\\nonem.exe" | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000002050\\nesto.exe" | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\1000021001\redline4.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4460 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000001050\nonem.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b.exe
"C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Roaming\1000001050\nonem.exe
"C:\Users\Admin\AppData\Roaming\1000001050\nonem.exe"
C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe
"C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe"
C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe"
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\c1e3594748" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\c1e3594748" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000021001\redline4.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\redline4.exe"
C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe
"C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe"
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000027001\pplaurora2.exe
"C:\Users\Admin\AppData\Local\Temp\1000027001\pplaurora2.exe"
C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe
"C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4788 -ip 4788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1784
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1288
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3016 -ip 3016
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3848 -ip 3848
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3016 -s 680
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4872 -s 680
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1772 -s 680
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1772 -ip 1772
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4872 -ip 4872
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3848 -s 680
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 2532 -ip 2532
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
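The process list above is the most useful detection material on the page. Amadey's persistence shows up as a scheduled task that re-launches nbveek.exe every minute from a random folder under %TEMP%, followed by a cacls sequence that first replaces the file's ACL with no access for the user (/P "Admin:N") and then edits read-only back in (/P "Admin:R" /E), so the copy can still be executed but its owner cannot delete or overwrite it. The plugin DLLs (cred64.dll, clip64.dll) are loaded through rundll32 from %APPDATA% by export name, and the stealers profile the host through wmic. The Python below is an added example, not part of the sandbox report or of any tool it mentions: it runs four simple rules over a constructed list of command lines copied from this report plus one benign scheduled-task line of the author's own. The rule names, the user-writable path list and the five-minute ceiling are the author's assumptions.

```python
import re
from collections import Counter

# Constructed sample input: command lines copied from the process list in this
# report, plus one benign scheduled-task line (author's own) that must not fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F',
    r'CACLS "nbveek.exe" /P "Admin:N"',
    r'CACLS "..\9e0894bcc4" /P "Admin:R" /E',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'wmic os get Caption',
    r'cmd /C "wmic path win32_VideoController get name"',
    r'wmic cpu get name',
    r'schtasks /Create /SC DAILY /ST 03:00 /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
]

# Paths an unprivileged user can write to; the list is the author's assumption.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def rule_schtasks_minute(cmd):
    """schtasks /Create with a MINUTE trigger firing at most every 5 minutes
    whose /TR action lives in a user-writable directory (nbveek.exe runs every
    minute from %TEMP%). The 5-minute ceiling is an assumption."""
    if not re.search(r"\bschtasks(\.exe)?\b.*?/Create\b", cmd, re.I):
        return False
    if not re.search(r"/SC\s+MINUTE\b", cmd, re.I):
        return False
    mo = re.search(r"/MO\s+(\d+)", cmd, re.I)
    interval = int(mo.group(1)) if mo else 1          # schtasks defaults /MO to 1
    tr = re.search(r'/TR\s+"?([^"]+)', cmd, re.I)
    return interval <= 5 and bool(tr and USER_WRITABLE.search(tr.group(1)))


def rule_cacls_deny(cmd):
    """cacls /P <user>:N replaces the ACL so the named user has no access;
    the follow-up /P <user>:R /E seen in the report leaves read-only, which
    keeps the copy runnable but not deletable by its owner."""
    return bool(re.search(r'\bcacls(\.exe)?\b.*?/P\s+"?[^":\s]+:N\b', cmd, re.I))


def rule_rundll32_appdata(cmd):
    """rundll32 calling an export of a DLL stored under a user-writable path
    (cred64.dll / clip64.dll, Main)."""
    m = re.search(r'\brundll32(\.exe)?"?\s+"?([^",]+\.dll)\s*,\s*\w+', cmd, re.I)
    return bool(m and USER_WRITABLE.search(m.group(2)))


WMIC_FINGERPRINT = re.compile(
    r"\bwmic(\.exe)?\b.*?\b(os\s+get\s+caption|cpu\s+get\s+name|"
    r"path\s+win32_videocontroller\s+get\s+name)\b", re.I)


def rule_wmic_fingerprint(cmd):
    """OS / CPU / GPU queries through wmic, the host profiling seen here."""
    return bool(WMIC_FINGERPRINT.search(cmd))


RULES = {
    "schtasks_minute_userwritable": rule_schtasks_minute,
    "cacls_deny_self": rule_cacls_deny,
    "rundll32_appdata_dll": rule_rundll32_appdata,
    "wmic_host_fingerprint": rule_wmic_fingerprint,
}


def scan(cmdlines):
    """Return (rule_name, command_line) for every rule that fires."""
    return [(name, cmd) for cmd in cmdlines
            for name, rule in RULES.items() if rule(cmd)]


def summarize(cmdlines):
    """Hit count per rule; an empty Counter means nothing fired."""
    return Counter(name for name, _ in scan(cmdlines))


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_CMDLINES):
        print(f"{name:30s} {cmd}")
```

Run against the constructed list, the schtasks, cacls and rundll32 rules fire once each and the wmic rule three times; the benign daily task and the read-only cacls edit do not match. The same functions can be pointed at Sysmon event ID 1 or EDR process-creation command lines.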
Network
| Country | Destination | Domain | Proto |
| N/A | 62.204.41.88:80 | 62.204.41.88 | tcp |
| N/A | 62.204.41.119:80 | 62.204.41.119 | tcp |
| N/A | 62.204.41.151:80 | 62.204.41.151 | tcp |
| N/A | 151.80.89.233:13553 | N/A | tcp |
| N/A | 62.204.41.159:4062 | N/A | tcp |
| N/A | 8.8.8.8:53 | hellomr.observer | udp |
| N/A | 8.8.8.8:53 | pleasetake.pictures | udp |
| N/A | 8.8.8.8:53 | researchersgokick.rocks | udp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 104.244.79.187:80 | hellomr.observer | tcp |
| N/A | 104.244.79.187:80 | hellomr.observer | tcp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 62.204.41.159:4062 | N/A | tcp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 8.8.8.8:53 | r5573v6r2qjysbd1hpbwqygh.lodf6mvynfalqvmps68nnytn | udp |
| N/A | 8.8.8.8:53 | wxd9lsrix7z5isc6fzqg.tzdw0akw7avqtgoiavrizxiivpkgia1 | udp |
| N/A | 179.43.175.174:80 | N/A | tcp |
| N/A | 85.209.135.29:8081 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 20.189.173.15:443 | N/A | tcp |
| N/A | 45.159.189.105:80 | 45.159.189.105 | tcp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 104.244.79.187:80 | hellomr.observer | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
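An analyst will want the rows above as a deduplicated indicator list that separates the DNS lookups (all sent to 8.8.8.8:53, the sandbox resolver, which is not itself an indicator) from the direct connections, that pairs each connection with the name it was made under where the report gives one, and that calls out the non-standard ports (13553, 4062, 8081). It is also worth knowing which names were resolved but never connected to. The Python below is an added example, not part of the sandbox report; it parses a constructed in-line copy of a subset of the rows above, written in the shapes raw exports of this table take (domain present, domain N/A, and the protocol slid into the Domain column). The resolver address and the "common port" set are the author's assumptions.

```python
import re

# Constructed in-line copy of a subset of the Network rows from this report,
# deliberately mixing the row shapes seen in raw exports of the table.
NETWORK_TABLE = """\
| N/A | 62.204.41.88:80 | 62.204.41.88 | tcp |
| N/A | 151.80.89.233:13553 | tcp | |
| N/A | 62.204.41.159:4062 | N/A | tcp |
| N/A | 8.8.8.8:53 | hellomr.observer | udp |
| N/A | 8.8.8.8:53 | pleasetake.pictures | udp |
| N/A | 8.8.8.8:53 | researchersgokick.rocks | udp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 104.244.79.187:80 | hellomr.observer | tcp |
| N/A | 107.189.7.245:80 | researchersgokick.rocks | tcp |
| N/A | 85.209.135.29:8081 | tcp | |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 178.79.208.1:80 | tcp | |
| N/A | 178.79.208.1:80 | tcp | |
"""

RESOLVER = "8.8.8.8:53"      # sandbox DNS server (assumption); lookups there are not IOCs
COMMON_PORTS = {80, 443}     # assumption: anything else deserves a second look
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_rows(table):
    """Yield (destination, domain_or_None, proto) per row, tolerating rows whose
    Domain cell is empty or N/A and rows where the protocol sits in that cell."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        _country, dest, *rest = cells
        rest = [c for c in rest if c and c != "N/A"]
        if not rest:
            continue
        if rest[0].lower() in ("tcp", "udp"):       # Domain column absent or shifted
            yield dest, None, rest[0].lower()
        elif len(rest) >= 2:
            yield dest, rest[0], rest[1].lower()


def extract_iocs(table):
    """Deduplicated summary: domains with how they were seen (dns / connect),
    direct endpoints keyed by (host, port, proto), and non-standard ports."""
    domains, endpoints, odd_ports = {}, {}, {}
    for dest, domain, proto in parse_rows(table):
        if domain and IP_RE.match(domain):
            domain = None            # the report repeats the IP in the Domain column
        if dest == RESOLVER:
            if domain:
                domains.setdefault(domain, set()).add("dns")
            continue
        if domain:
            domains.setdefault(domain, set()).add("connect")
        host, port = dest.rsplit(":", 1)
        port = int(port)
        endpoints.setdefault((host, port, proto), domain)
        if port not in COMMON_PORTS:
            odd_ports[(host, port)] = proto
    return {
        "domains": {d: sorted(seen) for d, seen in domains.items()},
        "endpoints": endpoints,
        "odd_ports": odd_ports,
    }


def lookup_only(summary):
    """Names that were resolved but never connected to: a pivot worth noting."""
    return sorted(d for d, seen in summary["domains"].items() if seen == ["dns"])


if __name__ == "__main__":
    s = extract_iocs(NETWORK_TABLE)
    for (host, port, proto), name in s["endpoints"].items():
        print(f"{host}:{port}/{proto}  {name or ''}")
    print("odd ports:", s["odd_ports"])
    print("resolved only:", lookup_only(s))
```

On the constructed rows this yields eight distinct endpoints, three non-standard ports, four domains, and one name (pleasetake.pictures) that was looked up but never contacted within the run.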
Files
memory/2196-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
memory/4364-135-0x0000000000000000-mapping.dmp
memory/4808-136-0x0000000000000000-mapping.dmp
memory/4460-137-0x0000000000000000-mapping.dmp
memory/2432-138-0x0000000000000000-mapping.dmp
memory/1812-139-0x0000000000000000-mapping.dmp
memory/4984-140-0x0000000000000000-mapping.dmp
memory/2980-141-0x0000000000000000-mapping.dmp
memory/1608-142-0x0000000000000000-mapping.dmp
memory/3032-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1000001050\nonem.exe
| MD5 | 457e9166b2054f72807df280ddbde928 |
| SHA1 | 2ee7dc992d2677663d60450eda51027da87f276c |
| SHA256 | f7697b49d524b6d0daf19ea715cb8e72c84a7df2393875cedc8761cd32d5b726 |
| SHA512 | 3ce979c163a52506e85790a43e260bfbf901de75e2c2b0da4b4276a385deba009973b407349203d4fbb5235bad98bfc5aa8bbe1ee9b392e57005e28c6beccf17 |
memory/3032-146-0x0000000000AA0000-0x0000000000AD2000-memory.dmp
memory/4788-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1000002050\nesto.exe
| MD5 | 9c480b45a655914fd8e3a33742a68d20 |
| SHA1 | a195778659c9733944ec6ad3471225182d3c3625 |
| SHA256 | 03640fd78685b00c87aac5f57af8f050588fbaf31235242742a03a3b788c5f84 |
| SHA512 | 6693d94b0a1ffdb977f0f6b7a7dad9b644d41995499fad43068dbfdb5a5fef15f8763f968736052cc8996eef7c13719df93e101684576af9602e171233786d03 |
memory/3032-150-0x00000000059E0000-0x0000000005FF8000-memory.dmp
memory/3032-151-0x0000000005530000-0x000000000563A000-memory.dmp
memory/3032-152-0x0000000005460000-0x0000000005472000-memory.dmp
memory/3760-153-0x0000000000000000-mapping.dmp
memory/3760-156-0x0000000000610000-0x0000000000642000-memory.dmp
memory/3032-157-0x00000000054C0000-0x00000000054FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000003001\700K.exe
| MD5 | 10fc0e201418375882eeef47dba6b6d8 |
| SHA1 | bbdc696eb27fb2367e251db9b0fae64a0a58b0d0 |
| SHA256 | b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3 |
| SHA512 | 746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5 |
memory/4348-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1000015001\Amadey.exe
| MD5 | 9adcb26071e8018dc0b576b39acb980e |
| SHA1 | d0f48a5761efbb38a4d195c69d6382b9e9748ed6 |
| SHA256 | 083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf |
| SHA512 | 679044773e02c6fff42387da8ba252058eb1462015011a455cc147952598e9df3a4a47af31fa71daa3f31175fa14f34d4b56d01740c8c38a7d09fb007779280f |
memory/4208-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
| MD5 | 9adcb26071e8018dc0b576b39acb980e |
| SHA1 | d0f48a5761efbb38a4d195c69d6382b9e9748ed6 |
| SHA256 | 083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf |
| SHA512 | 679044773e02c6fff42387da8ba252058eb1462015011a455cc147952598e9df3a4a47af31fa71daa3f31175fa14f34d4b56d01740c8c38a7d09fb007779280f |
memory/3588-164-0x0000000000000000-mapping.dmp
memory/1936-165-0x0000000000000000-mapping.dmp
memory/2816-166-0x0000000000000000-mapping.dmp
memory/4596-167-0x0000000000000000-mapping.dmp
memory/3012-168-0x0000000000000000-mapping.dmp
memory/5100-169-0x0000000000000000-mapping.dmp
memory/3460-170-0x0000000000000000-mapping.dmp
memory/1284-171-0x0000000000000000-mapping.dmp
memory/4788-172-0x000000000068C000-0x00000000006BA000-memory.dmp
memory/4788-173-0x0000000000600000-0x000000000064B000-memory.dmp
memory/4788-174-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4788-175-0x0000000004B40000-0x00000000050E4000-memory.dmp
memory/2800-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1000021001\redline4.exe
| MD5 | 01c418020bd02b62e7f8629b0b59b119 |
| SHA1 | 0fe4c12083e1c61c396836173b4b4ddd99cf8b14 |
| SHA256 | b62f5066357d2dfc94dec4d902f68f6e9e98a19a9aea6fb70d2811de384fd7a1 |
| SHA512 | d0f1d6bc69fb104c530d90464674124d3ed17a2db5d293fa7c3e8ad3e8ad848615ab892c755b052c6ea5137b5c791a2a3ed376c71d6a5007d070569d9cc11434 |
memory/3472-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/3760-184-0x00000000081D0000-0x0000000008262000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/3760-186-0x0000000008270000-0x00000000082D6000-memory.dmp
memory/1100-182-0x0000000000000000-mapping.dmp
memory/4420-187-0x0000000000000000-mapping.dmp
memory/5032-188-0x0000000000000000-mapping.dmp
memory/4384-189-0x0000000000000000-mapping.dmp
memory/5076-190-0x0000000000000000-mapping.dmp
memory/4672-191-0x0000000000000000-mapping.dmp
memory/4076-192-0x0000000000000000-mapping.dmp
memory/3760-194-0x00000000084B0000-0x0000000008672000-memory.dmp
memory/5056-193-0x0000000000000000-mapping.dmp
memory/3760-195-0x00000000091C0000-0x00000000096EC000-memory.dmp
memory/2224-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\386679933149
| MD5 | 662b0cad643d902cc011fc75a721c006 |
| SHA1 | ca19231168e71182fc715ff0e978a3673d4fbcbd |
| SHA256 | ec40e246a8500462b294c9844105596899e1acb00778786072decd2dc5548636 |
| SHA512 | 056582564ace9adb3adb0769eb0478b1e8b3f2366644c6b652c378f79702330da48165c14ec5874ec9fb30b7aa27abcfff4a0b27089b154893b7c0c85a9a72ee |
memory/2800-198-0x0000000004A35000-0x0000000004BDF000-memory.dmp
memory/2800-199-0x0000000004BE0000-0x0000000004FB0000-memory.dmp
memory/2800-200-0x0000000000400000-0x0000000002D32000-memory.dmp
memory/4052-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1000027001\pplaurora2.exe
| MD5 | a78251ef6bec128a4a1a26d7f7e1e52a |
| SHA1 | 28c570f5bd6f5d42696c64c49d7d9bec16eb3ee4 |
| SHA256 | 7c3f4be7798b4299d9f90bc1dfa31bdbf9bdd96c4e3a6d8baf38d91a9b2bc4f3 |
| SHA512 | 8b0cde4c374339b34157b5ad9dbf1e83c2d684fd29853ab89cbad46475d50c19e463313b8c452fb8e503f51a38de21aba162c4e406fafb668bb772a8d23a9486 |
memory/4052-204-0x0000000003200000-0x0000000003654000-memory.dmp
memory/3032-205-0x0000000006610000-0x0000000006686000-memory.dmp
memory/3032-206-0x0000000006590000-0x00000000065E0000-memory.dmp
memory/4052-207-0x000000000CA90000-0x000000000EDC7000-memory.dmp
memory/4460-208-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1000036001\aurora1.exe
| MD5 | 43f24ef9dba869ca89d924b738d490a5 |
| SHA1 | 830d57062e14b8618588dec2621f9c158a899a8f |
| SHA256 | aac77df202fa677d49bf79fe87c081c81b0a6f66cca1a52f36a4cb947f8bc9a2 |
| SHA512 | 271b05148ceb2cf3b4d680ee20cebda0c0ddfecd4aa64c25152882adf970c50a7a8046b11ea1c454c514e91a9447ef860316928380269b8c8a6d1c1556e12d99 |
memory/4052-211-0x000000000CA90000-0x000000000EDC7000-memory.dmp
memory/4460-212-0x000000000EEA0000-0x000000000F15E000-memory.dmp
memory/4460-213-0x0000000002CF0000-0x0000000002E64000-memory.dmp
memory/4460-214-0x000000000EEA0000-0x000000000F15E000-memory.dmp
memory/2124-215-0x0000000000000000-mapping.dmp
memory/2124-216-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2124-218-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240573328.dll
| MD5 | af92bfcb7e4c67628a686accbf4231df |
| SHA1 | e5b392743d1731ca6fbe6b344d88028588548cac |
| SHA256 | 959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe |
| SHA512 | 553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c |
memory/3484-220-0x0000000000500000-0x0000000000535000-memory.dmp
memory/3484-221-0x0000000000000000-mapping.dmp
memory/3484-222-0x0000000000500000-0x0000000000535000-memory.dmp
memory/4052-223-0x0000000000400000-0x0000000000876000-memory.dmp
memory/2800-225-0x0000000000400000-0x0000000002D32000-memory.dmp
memory/4788-228-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3484-229-0x0000000000925000-0x0000000000927000-memory.dmp
memory/4052-230-0x0000000003200000-0x0000000003654000-memory.dmp
memory/3484-231-0x0000000000925000-0x0000000000927000-memory.dmp
memory/3484-232-0x0000000000C10000-0x0000000000C2D000-memory.dmp
memory/4052-233-0x000000000CA90000-0x000000000EDC7000-memory.dmp
memory/3484-234-0x00000000025C0000-0x00000000035C0000-memory.dmp
memory/312-235-0x0000000000000000-mapping.dmp
memory/3404-236-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | fc3fa53150a6d686c18b8becbf4e4081 |
| SHA1 | dc6e1ab6f0d52c4da0c76bd57d44f6257e5e443e |
| SHA256 | 9f0ce05cfa252a47f29d34fb57a8b2907c88f6eb0abf51126a8e7b205fd59cc7 |
| SHA512 | 6c037cff85ac80687b83d9c6e6a46d213796696a378e08187883022ee000d7185874330a008189c7a09812892a477c44b57971b0da52e12c2a2a7d23c62e5bc9 |
memory/4460-238-0x000000000EEA0000-0x000000000F15E000-memory.dmp
memory/4460-237-0x0000000002CF0000-0x0000000002E64000-memory.dmp
memory/2800-241-0x0000000000400000-0x0000000002D32000-memory.dmp
memory/4200-242-0x0000000000000000-mapping.dmp
memory/3448-243-0x0000000000000000-mapping.dmp
memory/4564-244-0x0000000000000000-mapping.dmp
memory/3484-246-0x0000000000C10000-0x0000000000C2D000-memory.dmp
memory/3484-245-0x0000000000500000-0x0000000000535000-memory.dmp
memory/2204-247-0x0000000000000000-mapping.dmp
memory/4460-248-0x0000000002CF0000-0x0000000002E64000-memory.dmp
memory/3404-249-0x0000000004A50000-0x0000000004BFA000-memory.dmp
memory/3404-250-0x0000000000400000-0x0000000002D32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/1516-252-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
memory/3016-255-0x0000000000000000-mapping.dmp
memory/4512-256-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
memory/4432-260-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll
| MD5 | 7e3f36660ce48aeb851666df4bc87e2c |
| SHA1 | 260131798c9807ee088a3702ed56fe24800b97a3 |
| SHA256 | e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd |
| SHA512 | b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6 |
memory/4644-267-0x0000000000000000-mapping.dmp
memory/4872-266-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll
| MD5 | 7e3f36660ce48aeb851666df4bc87e2c |
| SHA1 | 260131798c9807ee088a3702ed56fe24800b97a3 |
| SHA256 | e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd |
| SHA512 | b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6 |
memory/1772-271-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll
| MD5 | 7e3f36660ce48aeb851666df4bc87e2c |
| SHA1 | 260131798c9807ee088a3702ed56fe24800b97a3 |
| SHA256 | e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd |
| SHA512 | b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6 |
memory/3848-264-0x0000000000000000-mapping.dmp
memory/2916-262-0x0000000000000000-mapping.dmp
memory/5020-273-0x0000000000000000-mapping.dmp
memory/3384-274-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll
| MD5 | 87f59221122202070e2f2670720627d5 |
| SHA1 | dc05034456d6b54ce4947fa19f04b0625f4e9b2b |
| SHA256 | 531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533 |
| SHA512 | b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0 |
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
memory/2816-282-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll
| MD5 | 87f59221122202070e2f2670720627d5 |
| SHA1 | dc05034456d6b54ce4947fa19f04b0625f4e9b2b |
| SHA256 | 531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533 |
| SHA512 | b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0 |
memory/2532-280-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
memory/3512-277-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll
| MD5 | 87f59221122202070e2f2670720627d5 |
| SHA1 | dc05034456d6b54ce4947fa19f04b0625f4e9b2b |
| SHA256 | 531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533 |
| SHA512 | b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0 |
memory/3404-285-0x0000000000400000-0x0000000002D32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |