Malware Analysis Report

2024-11-30 23:02

Sample ID 230225-a1rl9abe56
Target 1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da
SHA256 1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da
Tags
amadey aurora redline xmrig frukt rodik discovery evasion infostealer miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da

Threat Level: Known bad

The file 1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da was found to be: Known bad.

Malicious Activity Summary

xmrig

Aurora

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Amadey

XMRig Miner payload

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-25 00:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 00:41

Reported

2023-02-25 00:43

Platform

win10v2004-20230220-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpC97BB15.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2264 set thread context of 4756 N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kxP90Tm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVf50cl45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\erp87EW04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlV74QR33.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kxP90Tm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVf50cl45.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\erp87EW04.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe
PID 4436 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe
PID 4564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe
PID 1344 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe
PID 1344 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kxP90Tm.exe
PID 4564 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe
PID 4436 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVf50cl45.exe
PID 2100 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpC97BB15.exe
PID 1824 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpC97BB15.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 2860 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 2860 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3632 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3632 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3632 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2860 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 3112 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\erp87EW04.exe
PID 2860 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 4512 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 332 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe

"C:\Users\Admin\AppData\Local\Temp\1f374a74a81aeed7ea64611d90940a28af67e843735694d7da1245417088a3da.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kxP90Tm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kxP90Tm.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3716 -ip 3716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVf50cl45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVf50cl45.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpC97BB15.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpC97BB15.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\erp87EW04.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\erp87EW04.exe

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1776 -ip 1776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlV74QR33.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlV74QR33.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 480 -p 4048 -ip 4048

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4048 -s 652

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             210.81.184.52.in-addr.arpa     udp
DE       193.233.20.23:4124                                    tcp
US       8.8.8.8:53             23.20.233.193.in-addr.arpa     udp
US       8.8.8.8:53             75.159.190.20.in-addr.arpa     udp
IE       13.69.239.74:443                                      tcp
DE       193.233.20.23:4124                                    tcp
US       8.248.5.254:80                                        tcp
US       8.248.5.254:80                                        tcp
US       8.8.8.8:53             1.77.109.52.in-addr.arpa       udp
DE       193.233.20.15:80       193.233.20.15                  tcp
DE       193.233.20.19:80       193.233.20.19                  tcp
US       8.8.8.8:53             15.20.233.193.in-addr.arpa     udp
US       8.8.8.8:53             19.20.233.193.in-addr.arpa     udp
RU       62.204.41.245:80       62.204.41.245                  tcp
US       8.8.8.8:53             245.41.204.62.in-addr.arpa     udp
US       8.248.5.254:80                                        tcp
US       8.8.8.8:53             254.7.248.8.in-addr.arpa       udp
RU       62.204.41.88:80        62.204.41.88                   tcp
NL       185.246.221.126:80     185.246.221.126                tcp
US       8.8.8.8:53             88.41.204.62.in-addr.arpa      udp
US       8.8.8.8:53             126.221.246.185.in-addr.arpa   udp
NL       45.15.159.15:80        45.15.159.15                   tcp
NL       212.87.204.93:8081                                    tcp
US       8.8.8.8:53             15.159.15.45.in-addr.arpa      udp
US       8.8.8.8:53             93.204.87.212.in-addr.arpa     udp
DE       193.233.20.23:4124                                    tcp
NL       173.223.113.164:443                                   tcp
NL       173.223.113.131:80                                    tcp
US       204.79.197.203:80                                     tcp
DE       193.233.20.23:4124                                    tcp
US       8.8.8.8:53             xiaoxiaojue.duckdns.org        udp
NL       212.87.204.245:55215   xiaoxiaojue.duckdns.org        tcp
US       8.8.8.8:53             transfer.sh                    udp
DE       144.76.136.153:443     transfer.sh                    tcp
US       8.8.8.8:53             245.204.87.212.in-addr.arpa    udp
US       8.8.8.8:53             153.136.76.144.in-addr.arpa    udp
US       8.8.8.8:53             xmr.2miners.com                udp
DE       162.19.139.184:2222    xmr.2miners.com                tcp
US       8.8.8.8:53             184.139.19.162.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stK95Mg40.exe

MD5 0b3683c2a99a57929d36ddb1330d3eda
SHA1 402c0dd77d76e1a13a9496822b3e57d35bb96e10
SHA256 50d9174129a456f2d2fcbacaccd00f24ffc3455bab1f04144b9b00bbb9e954eb
SHA512 9628be1ae0419588e20f24410474dcc75fb39e6d9a98987ca8ed6f9708eb0e32805f83ea85142c3af98ecdff97b1418b2bb00cfca7e3bfffb3ea5b8656fea6ee

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sSZ38vZ56.exe

MD5 9f32fdd22652478caab0b4939673e80e
SHA1 93b8be8b0df66bc5f312374a2d6b7e2e111c3bf3
SHA256 867bdcd3ba76ee84bcd4a27be96d72ded4f73feca229d2cdc8581ef09ecdb81e
SHA512 38e5ef12cbd9cbe447dd71e954f6b3b45533fb2304f7b947ceb244ffd27c2a3c1a2be42c60c2327804efe99c58bde4ee7a8c2156e0d15dd5761663e5b7c380f6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfP72gj86.exe

MD5 c91a93af4dcdafa76e2273198ef6fb6b
SHA1 640ff8002b2e912df91b7d86206c9a32ef07d56b
SHA256 9d350c29ce6296e8d2fbfd7f2eb9d6ad75cfefbaaa103759adc0f4d81b7c7bc7
SHA512 56fc9a9640cfa2802a0c01c60455cc5641d37bedd4cee2697719e1616680d9e89f43bd3b3e5123f6a54f823bd520b2b493d8f74289dc0bb2bb98e47284a17b8f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\isX18aO.exe

MD5 f6d0b8f359744b55258659dd2b3e3bad
SHA1 aed13b92a575889d502c87c7989b6fd00ab27580
SHA256 6a0bfb156ac8580978927364c5ef4f905434225f53654cb1d06b56b944556a86
SHA512 c88e4bc9b508a549d87b4c5007ebf599a2631e594dbcb8702f51df34f2201c57cdb4ac1ef68cd52062cf78810247da93585e7ff0af97f43f559b14c13d89f2b9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kxP90Tm.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mmg42iZ.exe

MD5 f74e99a7c08bb4d44d32eeaf18062492
SHA1 1e225b042b87db87204d987c46958ffde22b3931
SHA256 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b
SHA512 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVf50cl45.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rpC97BB15.exe

MD5 4777ebd67c3f659537c5d7274a546616
SHA1 f7290bd12e620c426d4c04aeb42cd57e2db3557e
SHA256 e2c3ae8b5b9bb8d1647778fbf3f9f6225ec80964ffebbc99ecb5ee720c569130
SHA512 0ee31ab136dab6df6e3756938d1d888e5f61bd684bda8076243d9c6129428a670fff2535ae8cefbdee60af4550243336cacde3c9178139df1f2271f34046d742

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 4777ebd67c3f659537c5d7274a546616
SHA1 f7290bd12e620c426d4c04aeb42cd57e2db3557e
SHA256 e2c3ae8b5b9bb8d1647778fbf3f9f6225ec80964ffebbc99ecb5ee720c569130
SHA512 0ee31ab136dab6df6e3756938d1d888e5f61bd684bda8076243d9c6129428a670fff2535ae8cefbdee60af4550243336cacde3c9178139df1f2271f34046d742

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 9877065ba285865760ea6a1775ea24bb
SHA1 02af3e2a846a25939c1ed35eeae81bcb2ef52dd7
SHA256 84fedb49824f46fc8af1085455b1941f56af0bdeeaddd989b61e65f2e142c43a
SHA512 7e925ec3df2f4322db53c3dd57ab0db60523079eb05567af9d84ca40d47e3a62f68e7a494097d630a14e5e6a6acea328e4ae9f64c73a7c30b73bae3df35bc17c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\erp87EW04.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 92d24961d2ebaacf1ace5463dfc9930d
SHA1 99ffaf6904ab616c33a37ce01d383e4a493df335
SHA256 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA512 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 dce9b749d38fdc247ab517e8a76e6102
SHA1 d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA256 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA512 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlV74QR33.exe

MD5 03eedf3bdaa6f6433335672c48f82159
SHA1 c764e72db27b4a0e6dd2be1aa243c67530ca6e0d
SHA256 7aa0de930393785e7c14436dcc056868e2c3087514d56b4ab9f8b7305fbd20da
SHA512 85896e8a654c761dfc7a3c1a097282a8f0fdadb1f85d7e94639827fc56b744e3f77f26b347a28d2d0d8c13ad4e51c4b3087d504578d062cee9aaaa3328eff5e2

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
