Malware Analysis Report

2024-11-30 22:55

Sample ID 230224-3sddwabd42
Target dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af
SHA256 dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af
Tags
amadey aurora redline xmrig frukt rodik discovery evasion infostealer miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af

Threat Level: Known bad

The file dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline xmrig frukt rodik discovery evasion infostealer miner persistence spyware stealer trojan

Amadey

xmrig

RedLine payload

Aurora

Modifies Windows Defender Real-time Protection settings

RedLine

XMRig Miner payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 23:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 23:46

Reported

2023-02-24 23:48

Platform

win10-20230220-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
37 matches recorded; no description, indicator, process or target was captured for any of them (all fields N/A)

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
2 matches recorded; no description, indicator, process or target was captured (all fields N/A)

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3964 set thread context of 1600 N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nPG31HV14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nPG31HV14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
1 match recorded; no description, indicator, process or target was captured (all fields N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe
PID 4192 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe
PID 4192 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe
PID 4236 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe
PID 4236 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe
PID 4236 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe
PID 3928 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe
PID 3928 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe
PID 3928 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe
PID 3916 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe
PID 3916 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe
PID 3916 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe
PID 3916 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe
PID 3916 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe
PID 3928 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe
PID 3928 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe
PID 3928 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe
PID 4236 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe
PID 4236 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe
PID 4236 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe
PID 4192 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe
PID 4192 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe
PID 4192 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe
PID 5084 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 5084 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 5084 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 656 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 656 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 656 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 656 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 512 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 656 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 656 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 656 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 2444 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe
PID 2444 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe
PID 2444 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe
PID 656 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 656 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 656 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 3520 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 3520 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 3520 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 1432 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe

"C:\Users\Admin\AppData\Local\Temp\dfc4b95f51ea86f6cf72e008e44e79a0f4ee4d1457b6ba93a9edec681420c0af.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nPG31HV14.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nPG31HV14.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2176 -s 604
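
The schtasks, cmd/CACLS, WMIC, AddInProcess and rundll32 lines above are the process-level evidence behind the report's "Creates scheduled task(s)", "Checks installed software", "XMRig Miner payload" and "Loads dropped DLL" signatures. The task re-launches nbveek.exe every minute; the CACLS calls first deny the "Admin" account all access (":N") to the dropped binary and its folder and then grant read only (":R" /E), which is Amadey's standard way of stopping the logged-on user from deleting its copy; the WMIC queries collect the OS caption, GPU and CPU names; the XMRig options (pool, Monero wallet, RandomX algorithm, thread hint) appear on AddInProcess.exe, a Microsoft .NET host binary that never takes such options, which together with the "Suspicious use of SetThreadContext" signature points at the miner being written into that host, although the report does not state the injection method; and rundll32 calls the Main export of cred64.dll and clip64.dll, the names Amadey uses for its credential-stealing and clipper modules. The block below is an added example by the editor, not code from the report or the sandbox vendor: detection rules run over records constructed from the command lines above. PIDs are omitted because the report does not print them next to the processes, and the rule names and ATT&CK IDs are the editor's mapping.

```python
"""Detection rules over the process command lines listed above.

Added example by the editor, not part of the sandbox report. Records are
constructed from the command lines printed on this page; rule names and the
ATT&CK IDs in the docstrings are the editor's mapping, not the report's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str    # executable path as recorded by the sandbox
    cmdline: str  # full command line as recorded by the sandbox


WALLET = "42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ"

# Constructed from the process listing above, in the order it appears.
PROCS = [
    Proc(r"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"'),
    Proc(r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe '
         r'/TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS '
         r'"nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS '
         r'"..\9e0894bcc4" /P "Admin:R" /E&&Exit'),
    Proc(r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "nbveek.exe" /P "Admin:N"'),
    Proc(r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "nbveek.exe" /P "Admin:R" /E'),
    Proc(r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\9e0894bcc4" /P "Admin:N"'),
    Proc(r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic os get Caption"),
    Proc(r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    Proc(r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic cpu get name"),
    Proc(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u "
         + WALLET + ".RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50"),
    Proc(r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    Proc(r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'),
    Proc(r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 2176 -s 604"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def minute_task(p):
    """T1053.005: a task that fires every minute for a binary under AppData."""
    return (p.image.lower().endswith("schtasks.exe")
            and re.search(r"/sc\s+minute\s+/mo\s+1\b", p.cmdline, re.I) is not None
            and USER_WRITABLE.search(p.cmdline) is not None)


def acl_lockdown(p):
    """T1222.001: CACLS denying an account (':N') access to what was just dropped.
    Fires on the cmd.exe wrapper and on each cacls.exe child, not on the ':R' grants."""
    return re.search(r'\bcacls\b.*?/P\s+"[^"]+:N"', p.cmdline, re.I) is not None


def wmi_hw_recon(p):
    """T1047 / T1082: WMIC queries for OS caption, CPU name and GPU name."""
    return (p.image.lower().endswith("wmic.exe")
            and re.search(r"\b(cpu|os|path\s+win32_videocontroller)\s+get\s+(name|caption)\b",
                          p.cmdline, re.I) is not None)


def miner_cmdline(p):
    """T1496: XMRig-style options, a pool '-o host:port' plus RandomX or thread hints."""
    pool = re.search(r"(?:^|\s)-o\s+[\w.-]+:\d{2,5}(?=\s|$)", p.cmdline)
    algo = re.search(r"--algo\s+rx/0|--cpu-max-threads-hint=\d+", p.cmdline)
    return pool is not None and algo is not None


def rundll32_plugin(p):
    """T1218.011: rundll32 calling export 'Main' of a DLL dropped under
    AppData\\Roaming\\<14 hex chars>\\, the layout of cred64.dll / clip64.dll above."""
    return (p.image.lower().endswith("rundll32.exe")
            and re.search(r"AppData\\Roaming\\[0-9a-f]{14}\\(cred|clip)64\.dll,\s*Main",
                          p.cmdline, re.I) is not None)


RULES = [minute_task, acl_lockdown, wmi_hw_recon, miner_cmdline, rundll32_plugin]


def hollowed_host(p):
    """Miner options on a Microsoft .NET host image: the host never takes them,
    so the loader put them there; carve the process memory, not the file on disk."""
    return miner_cmdline(p) and "\\microsoft.net\\framework" in p.image.lower()


def scan(procs):
    """(rule name, command line) for every rule that fires on each record."""
    return [(rule.__name__, p.cmdline) for p in procs for rule in RULES if rule(p)]


if __name__ == "__main__":
    for name, cmd in scan(PROCS):
        print(f"{name:16} {cmd[:100]}")
```

The ACL rule deliberately matches the parent cmd.exe line as well as the cacls.exe children, because on an endpoint with command-line auditing either one may be the only event that survives; the ":R" /E follow-ups alone do not fire, so a plain "cacls.exe ran" rule would be noisier than this one.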

Network

Country  Destination            Domain                          Proto
DE       193.233.20.23:4124     -                               tcp
US       8.8.8.8:53             23.20.233.193.in-addr.arpa      udp
US       52.182.143.208:443     -                               tcp
DE       193.233.20.23:4124     -                               tcp
DE       193.233.20.15:80       193.233.20.15                   tcp
DE       193.233.20.19:80       193.233.20.19                   tcp
US       8.8.8.8:53             15.20.233.193.in-addr.arpa      udp
US       8.8.8.8:53             19.20.233.193.in-addr.arpa      udp
RU       62.204.41.245:80       62.204.41.245                   tcp
US       8.8.8.8:53             86.8.109.52.in-addr.arpa        udp
US       8.8.8.8:53             245.41.204.62.in-addr.arpa      udp
RU       62.204.41.88:80        62.204.41.88                    tcp
NL       185.246.221.126:80     185.246.221.126                 tcp
US       8.8.8.8:53             88.41.204.62.in-addr.arpa       udp
US       8.8.8.8:53             126.221.246.185.in-addr.arpa    udp
NL       45.15.159.15:80        45.15.159.15                    tcp
NL       212.87.204.93:8081     -                               tcp
US       8.8.8.8:53             15.159.15.45.in-addr.arpa       udp
US       8.8.8.8:53             93.204.87.212.in-addr.arpa      udp
DE       193.233.20.23:4124     -                               tcp
DE       193.233.20.23:4124     -                               tcp
US       8.8.8.8:53             xiaoxiaojue.duckdns.org         udp
NL       212.87.204.245:55215   xiaoxiaojue.duckdns.org         tcp
US       8.8.8.8:53             transfer.sh                     udp
DE       144.76.136.153:443     transfer.sh                     tcp
US       8.8.8.8:53             245.204.87.212.in-addr.arpa     udp
US       8.8.8.8:53             153.136.76.144.in-addr.arpa     udp
US       8.8.8.8:53             xmr.2miners.com                 udp
DE       162.19.139.184:2222    xmr.2miners.com                 tcp
US       8.8.8.8:53             184.139.19.162.in-addr.arpa     udp
US       8.8.8.8:53             52.4.107.13.in-addr.arpa        udp
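
Of the 31 rows in the table, 13 are PTR lookups (*.in-addr.arpa) that the sandbox issues for every peer it sees, and only three DNS rows carry a name the sample itself asked for (xiaoxiaojue.duckdns.org, transfer.sh, xmr.2miners.com). The TCP flows include four connections to 193.233.20.23:4124 and several HTTP fetches whose Host header is the bare address, so those destinations can only be blocked by IP. The block below is an added example by the editor, not part of the report: it parses the table as printed, drops the resolver noise and counts flows per endpoint so that the repeated and the name-resolved destinations stand out. The row text is copied from the table; the noise rule and the assumption that 8.8.8.8:53 is the only resolver are the editor's.

```python
"""IOC triage of the Network table above.

Added example by the editor, not part of the sandbox report. The rows are a
copy of the table on this page; the noise rule, the resolver address and the
grouping are the editor's assumptions.
"""
from collections import Counter

SANDBOX_RESOLVER = "8.8.8.8:53"   # assumption: the only DNS server the sandbox uses

# Copy of the table above: three fields (country, destination, proto) when the
# sandbox saw no name for the flow, otherwise four (country, destination, domain, proto).
RAW = """\
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 23.20.233.193.in-addr.arpa udp
US 52.182.143.208:443 tcp
DE 193.233.20.23:4124 tcp
DE 193.233.20.15:80 193.233.20.15 tcp
DE 193.233.20.19:80 193.233.20.19 tcp
US 8.8.8.8:53 15.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 19.20.233.193.in-addr.arpa udp
RU 62.204.41.245:80 62.204.41.245 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 245.41.204.62.in-addr.arpa udp
RU 62.204.41.88:80 62.204.41.88 tcp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 88.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
NL 45.15.159.15:80 45.15.159.15 tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 15.159.15.45.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
DE 193.233.20.23:4124 tcp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 xiaoxiaojue.duckdns.org udp
NL 212.87.204.245:55215 xiaoxiaojue.duckdns.org tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 245.204.87.212.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp
"""


def parse_rows(text):
    """Split the printed table into dicts; a '-' in the domain column means no name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        else:
            continue
        if proto.lower() not in ("tcp", "udp"):
            continue  # header line
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def is_reverse_lookup(row):
    """PTR lookups the sandbox issues for every peer: analyst-side noise, not sample behaviour."""
    return bool(row["domain"]) and row["domain"].endswith(".in-addr.arpa")


def triage(rows):
    domains = []            # names the sample itself resolved, first-seen order
    endpoints = Counter()   # ip:port -> number of flows (repeat hits suggest beaconing)
    name_of = {}            # ip:port -> name that resolved to it, if any
    noise = 0
    for r in rows:
        if is_reverse_lookup(r):
            noise += 1
        elif r["dest"] == SANDBOX_RESOLVER and r["proto"] == "udp":
            if r["domain"] and r["domain"] not in domains:
                domains.append(r["domain"])
        else:
            endpoints[r["dest"]] += 1
            ip = r["dest"].rsplit(":", 1)[0]
            if r["domain"] and r["domain"] != ip:   # a bare-IP Host header carries no name
                name_of[r["dest"]] = r["domain"]
    return {"noise": noise, "domains": domains, "endpoints": endpoints, "name_of": name_of}


def blocklist(result):
    """Flat IOC list: every name first, then every ip:port, most-contacted first."""
    names = [f"domain {d}" for d in result["domains"]]
    eps = [f"{ep} x{n}" + (f" ({result['name_of'][ep]})" if ep in result["name_of"] else "")
           for ep, n in result["endpoints"].most_common()]
    return names + eps


if __name__ == "__main__":
    for line in blocklist(triage(parse_rows(RAW))):
        print(line)
```

The parser accepts both the three- and four-field rows and a "-" placeholder, so it runs unchanged on the table whichever way a renderer prints the empty Domain column.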

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scr67hD90.exe

MD5 a9bf409630cbfb7c249304a0d36f78b4
SHA1 28d3164eaa52afdf2dd67baddd5b2fd72aec6733
SHA256 28928996ec6c942da93bdb4a6997526ffe32ce83ad017a0ff0ec57abc86d74f6
SHA512 e486e1b950c086da1d61cbfaf48f78a94c6f51af110ef710d1408e5dbcbb6d264e5069ebbfd1200c1cee59169e69c72c588d8c45d4844d4291cab06c05393e71

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sTW56EX35.exe

MD5 f5d6d9488356e1c891f041efdc24289e
SHA1 37733bba6d6277e88e0f1dbd3f900719a4b84a2f
SHA256 f9d56d70bde9635e9a4989e94ed214a8cfba34873fc1900451077fcee8c881a3
SHA512 45b25efb573b90950a74a805752a5e40e5b9234858dd5bfe4f7e536c2fa0792e3c386eabf3c6de3900bc7da97718a56531eb5d82761e92eef40dc8d7d5f1fa56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sIm15Sa15.exe

MD5 97487658eea0010dfb32915f5ca7dc61
SHA1 59bbd110ca8fba5e4422fb09d043b1d996f93f55
SHA256 1e235369f5b5f8e81e81468ee481bc700346562064c8125a7bbacd666d65e7d9
SHA512 bfa018ca8cfff0c514afb527fb7e5e35cf16fba8c028d7b589881b122ea3c7e4e8c8a559185014224e6f73cc107472a759c5ecc150c7985e3ccf8321cf8dcbaa

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iLx38rN.exe

MD5 44cec223ac4401073f6ed3b5215b71c1
SHA1 66178e73446d4132cbfae037418f7f046c901e31
SHA256 91ce5075b4ac3b6eacf73c42012161ab10b240c03e624f2433e7aa6f4dc5d55e
SHA512 cd0368f1f1398f260e80922a4f163fa6dda75beb2317753e896bcabdde46d33e4467d54918f15bc484ae488d034a1efb934b31ae1988b857de406bbbc043aefb

memory/3112-148-0x0000000000A00000-0x0000000000A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kUR63BH.exe

MD5 f5f85fec043226b9bae64b9608f8b609
SHA1 a47b6c25e7657bd277c5ebf18eca4bd609cb6609
SHA256 2a540838b3022ba9b4175bf490404e6c8223c992864227f9b6f0774587f4ff98
SHA512 7a1aebc2a945b86b9b7cf74247b48f244ba82606a4326b1cf073b729651b84a841f92f7be857a4e203807229292431b6111415fddd9d24ca82aaffaa8827ace3

memory/4744-154-0x0000000002750000-0x0000000002796000-memory.dmp

memory/4744-155-0x0000000004DB0000-0x00000000052AE000-memory.dmp

memory/4744-156-0x0000000004C50000-0x0000000004C94000-memory.dmp

memory/4744-157-0x00000000008F0000-0x000000000093B000-memory.dmp

memory/4744-158-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/4744-159-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/4744-160-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-161-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-163-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-165-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-167-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-169-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-171-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-173-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-175-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-177-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-179-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-181-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-183-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-185-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-187-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-189-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-191-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-193-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-195-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-197-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-199-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-201-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-203-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-205-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-207-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-209-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-211-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-213-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-215-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-217-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-219-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-221-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-223-0x0000000004C50000-0x0000000004C8F000-memory.dmp

memory/4744-1066-0x00000000058C0000-0x0000000005EC6000-memory.dmp

memory/4744-1067-0x00000000052B0000-0x00000000053BA000-memory.dmp

memory/4744-1068-0x0000000004D80000-0x0000000004D92000-memory.dmp

memory/4744-1069-0x00000000053C0000-0x00000000053FE000-memory.dmp

memory/4744-1070-0x0000000005510000-0x000000000555B000-memory.dmp

memory/4744-1072-0x00000000056A0000-0x0000000005706000-memory.dmp

memory/4744-1073-0x0000000006370000-0x0000000006402000-memory.dmp

memory/4744-1074-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/4744-1075-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/4744-1076-0x0000000006560000-0x0000000006722000-memory.dmp

memory/4744-1077-0x0000000006740000-0x0000000006C6C000-memory.dmp

memory/4744-1078-0x0000000006EE0000-0x0000000006F56000-memory.dmp

memory/4744-1079-0x0000000006F60000-0x0000000006FB0000-memory.dmp

memory/4744-1080-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mIy14yt.exe

MD5 ddb8df77fe3943a1e06e7d7f092c03aa
SHA1 7d0691c6c9407f7136fa2128e0d0407b7aa596a8
SHA256 9535e71465d7d21aedd6767eb74dda42ff005921c503b44a6a76ecf02acbd0a3
SHA512 7e4636dfc39dd82d642242888a5a3eaba703f1cf1a5ae575df21ccf7ead55031c784cd72f4a33853237fca4efcd315525a2f75575109ca23d29ab167650ebd8e

memory/4528-1087-0x0000000002270000-0x000000000228A000-memory.dmp

memory/4528-1088-0x00000000022F0000-0x0000000002308000-memory.dmp

memory/4528-1117-0x00000000001D0000-0x00000000001FD000-memory.dmp

memory/4528-1118-0x0000000002290000-0x00000000022A0000-memory.dmp

memory/4528-1119-0x0000000002290000-0x00000000022A0000-memory.dmp

memory/4528-1120-0x0000000002290000-0x00000000022A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYy73sL30.exe

MD5 f5f85fec043226b9bae64b9608f8b609
SHA1 a47b6c25e7657bd277c5ebf18eca4bd609cb6609
SHA256 2a540838b3022ba9b4175bf490404e6c8223c992864227f9b6f0774587f4ff98
SHA512 7a1aebc2a945b86b9b7cf74247b48f244ba82606a4326b1cf073b729651b84a841f92f7be857a4e203807229292431b6111415fddd9d24ca82aaffaa8827ace3

memory/4892-1515-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/4892-1519-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/4892-1516-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/4892-2037-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rRl85Mg19.exe

MD5 cc2cc18e6a7ff6f19c7f7167575d1625
SHA1 fa8d01d7e10f59e1733b51b00ec046c601f34f4f
SHA256 671e044a44dc2405b6c6b547add1afab6ee465da46908f6e9740fee5b8d64a16
SHA512 e462339fee3e64c3c809b017df61c802d9504e3885e58ca957e0e221a5f5d66dfe053611837a14fd031abb428fcfa73353e0c4ba6a2fe646486211d1c5da8a03

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 cc2cc18e6a7ff6f19c7f7167575d1625
SHA1 fa8d01d7e10f59e1733b51b00ec046c601f34f4f
SHA256 671e044a44dc2405b6c6b547add1afab6ee465da46908f6e9740fee5b8d64a16
SHA512 e462339fee3e64c3c809b017df61c802d9504e3885e58ca957e0e221a5f5d66dfe053611837a14fd031abb428fcfa73353e0c4ba6a2fe646486211d1c5da8a03

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 03da2e1c55453d1edc24a5cb60ec807c
SHA1 37852ac44b7f23f109e010993cd5f136c955913f
SHA256 5dc3241901d8e7d4ad3f13e0880e980b66fcdd1655831d46d7cbfd40bce5f815
SHA512 fab6a797ff16baf5e9f77859d39fa9a57a09fe8c4b0adf3dfcfd0de8bf66bf84b9a121b7dba9e869144dbbd20eeee89e93b3f9d883133b41029e183b845774f1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eOK22iY64.exe

MD5 f5f85fec043226b9bae64b9608f8b609
SHA1 a47b6c25e7657bd277c5ebf18eca4bd609cb6609
SHA256 2a540838b3022ba9b4175bf490404e6c8223c992864227f9b6f0774587f4ff98
SHA512 7a1aebc2a945b86b9b7cf74247b48f244ba82606a4326b1cf073b729651b84a841f92f7be857a4e203807229292431b6111415fddd9d24ca82aaffaa8827ace3

memory/1804-2070-0x00000000021A0000-0x00000000021E6000-memory.dmp

memory/1804-2177-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/1804-2179-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/1804-2175-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

memory/3964-2960-0x0000000000E80000-0x0000000000EF8000-memory.dmp

memory/3964-2968-0x00000000019D0000-0x0000000001A70000-memory.dmp

memory/3964-2992-0x0000000001910000-0x0000000001920000-memory.dmp

memory/1804-3091-0x00000000053D0000-0x000000000541B000-memory.dmp

memory/1804-3093-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 2b8e1b75b4d4fdf0c640838191ac3946
SHA1 dfac012ccaa015f6a9ec5bd1c55ffa7b8074fb7f
SHA256 17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e
SHA512 3c4de03250813dc78b772cc7e3246ac2726c37fae00844bfceda683e05506b53ba7ea95a06e2929e8ec736ccd50a9138e9f6e3c80980ebde5ed7ac66f06cc038

memory/1804-3423-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/1804-3425-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/1804-3427-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/3964-3860-0x0000000001890000-0x00000000018E6000-memory.dmp

memory/3964-3864-0x0000000001910000-0x0000000001920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nPG31HV14.exe

MD5 382c41e7fc353853527b352b5788c73b
SHA1 d2a8580aad09e5ef9f94bf8270c78b13d5ee5dcb
SHA256 e1037b57b2856f98d70699e7c5329a7093e8bb2c923a110d930792cab277d8e3
SHA512 21856f542182a0305b4e484b1939fed2f037f27a740a42937f4b053fabd4642b0a01e3e472106f525cfb5a200adb7bc300d786b853ab14c97657616dd859cd7c

memory/4192-3870-0x00000000009E0000-0x0000000000A12000-memory.dmp

memory/4192-3871-0x0000000005420000-0x000000000546B000-memory.dmp

memory/4192-3872-0x0000000005240000-0x0000000005250000-memory.dmp

memory/3964-3874-0x0000000001940000-0x000000000198C000-memory.dmp

memory/3964-3875-0x000000001D890000-0x000000001D8E4000-memory.dmp

memory/3964-3877-0x0000000001910000-0x0000000001920000-memory.dmp

memory/3964-3878-0x0000000001910000-0x0000000001920000-memory.dmp

memory/3964-3879-0x000000001E030000-0x000000001E046000-memory.dmp

memory/1600-3890-0x0000000140000000-0x00000001407CD000-memory.dmp

memory/3964-3891-0x0000000001910000-0x0000000001920000-memory.dmp

memory/3964-3892-0x0000000001910000-0x0000000001920000-memory.dmp

memory/1600-3893-0x00000185D1ED0000-0x00000185D1F10000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

memory/1600-3938-0x0000000140000000-0x00000001407CD000-memory.dmp

memory/1600-3941-0x0000018664370000-0x0000018664390000-memory.dmp

memory/1600-3942-0x0000018664370000-0x0000018664390000-memory.dmp
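
Several hashes in the file list recur under different paths: the SHA256 of 1000021001\lebro.exe is also that of 9e0894bcc4\nbveek.exe, IXP000.TMP\rRl85Mg19.exe matches 4f9dd6f8a7\mnolyk.exe, and IXP003.TMP\kUR63BH.exe, IXP001.TMP\nYy73sL30.exe and IXP004.TMP\eOK22iY64.exe are one file. Each loader stage therefore copied itself into a random-named folder under %TEMP% before the scheduled task in the process list launched the copy, and one hash rule covers both the staged and the persisted file. The two plugin folders under AppData\Roaming hold differently hashed cred64.dll and clip64.dll, so two loader instances (nbveek.exe and mnolyk.exe) each fetched their own modules. The memory dump identifiers encode pid, sequence number and address range: the region at 0x140000000 in pid 1600 is 0x7CD000 bytes, the default x64 image base and large enough to hold a complete executable, which is what an analyst would carve first when looking for the injected miner. The block below is an added example by the editor, not part of the report: it groups the file list by hash and sizes the memory dumps. Path/hash pairs and dump names are copied from above; the default-image-base heuristic and the 1 MiB threshold are the editor's assumptions, and pid 1600 is not paired with a process name because the report does not print PIDs in the process list.

```python
"""Hash clustering of the Files list and sizing of the memory dumps above.

Added example by the editor, not part of the sandbox report. Paths, SHA256
values and dump identifiers are copied from this page; equal hashes prove the
copies, while the image-base heuristic and the size threshold are the
editor's assumptions.
"""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming"

# (path, SHA256) as listed above, one entry per distinct path.
FILES = [
    (T + r"\IXP003.TMP\kUR63BH.exe",   "2a540838b3022ba9b4175bf490404e6c8223c992864227f9b6f0774587f4ff98"),
    (T + r"\IXP001.TMP\nYy73sL30.exe", "2a540838b3022ba9b4175bf490404e6c8223c992864227f9b6f0774587f4ff98"),
    (T + r"\IXP004.TMP\eOK22iY64.exe", "2a540838b3022ba9b4175bf490404e6c8223c992864227f9b6f0774587f4ff98"),
    (T + r"\IXP000.TMP\rRl85Mg19.exe", "671e044a44dc2405b6c6b547add1afab6ee465da46908f6e9740fee5b8d64a16"),
    (T + r"\4f9dd6f8a7\mnolyk.exe",    "671e044a44dc2405b6c6b547add1afab6ee465da46908f6e9740fee5b8d64a16"),
    (T + r"\1000021001\lebro.exe",     "ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b"),
    (T + r"\9e0894bcc4\nbveek.exe",    "ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b"),
    (T + r"\1000020051\prima.exe",     "5dc3241901d8e7d4ad3f13e0880e980b66fcdd1655831d46d7cbfd40bce5f815"),
    (T + r"\1000279001\bin.exe",       "07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165"),
    (T + r"\1000280001\Hedtgoupb.exe", "922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8"),
    (T + r"\IXP004.TMP\nPG31HV14.exe", "e1037b57b2856f98d70699e7c5329a7093e8bb2c923a110d930792cab277d8e3"),
    (T + r"\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj", "17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e"),
    (R + r"\006700e5a2ab05\cred64.dll", "340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87"),
    (R + r"\006700e5a2ab05\clip64.dll", "f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849"),
    (R + r"\a091ec0a6e2227\cred64.dll", "cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0"),
    (R + r"\a091ec0a6e2227\clip64.dll", "3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405"),
]

# A few of the dump identifiers listed above.
MEMORY_DUMPS = [
    "memory/1600-3890-0x0000000140000000-0x00000001407CD000-memory.dmp",
    "memory/1600-3893-0x00000185D1ED0000-0x00000185D1F10000-memory.dmp",
    "memory/1600-3938-0x0000000140000000-0x00000001407CD000-memory.dmp",
    "memory/4744-1066-0x00000000058C0000-0x0000000005EC6000-memory.dmp",
    "memory/3964-3875-0x000000001D890000-0x000000001D8E4000-memory.dmp",
    "memory/4192-3870-0x00000000009E0000-0x0000000000A12000-memory.dmp",
]


def cluster_by_hash(files):
    """SHA256 -> list of paths carrying that hash, in listing order."""
    clusters = defaultdict(list)
    for path, sha in files:
        if path not in clusters[sha]:
            clusters[sha].append(path)
    return dict(clusters)


def self_copies(files):
    """Hashes seen under more than one path: the staged file and its persisted copy."""
    return {sha: paths for sha, paths in cluster_by_hash(files).items() if len(paths) > 1}


DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """-> (pid, sequence, start, end) with addresses as ints, or None if not a dump id."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


# Assumption: default image bases of MSVC-linked x86 and x64 executables. A large
# region mapped exactly there inside a host process is the first thing to carve.
DEFAULT_IMAGE_BASES = {0x400000, 0x140000000}


def likely_pe_image(name, min_size=1 << 20):
    parsed = parse_dump(name)
    if parsed is None:
        return False
    _, _, start, end = parsed
    return start in DEFAULT_IMAGE_BASES and (end - start) >= min_size


def largest_region_per_pid(names):
    """pid -> (start, end) of the biggest dumped region for that pid."""
    best = {}
    for name in names:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        if pid not in best or end - start > best[pid][1] - best[pid][0]:
            best[pid] = (start, end)
    return best


if __name__ == "__main__":
    for sha, paths in self_copies(FILES).items():
        print(sha[:16], "->", [p.rsplit("\\", 2)[-2] + "\\" + p.rsplit("\\", 1)[-1] for p in paths])
    for pid, (start, end) in largest_region_per_pid(MEMORY_DUMPS).items():
        print(pid, hex(start), hex(end), f"{(end - start) >> 10} KiB")
```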