Analysis Overview
SHA256
d11b07c6bbba28037be9d117bb8fb16ed674ad717f4666b093a9688d0b3ac782
Threat Level: Known bad
The file d11b07c6bbba28037be9d117bb8fb16ed674ad717f4666b093a9688d0b3ac782 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Modifies Windows Defender Real-time Protection settings
Amadey
RedLine
xmrig
Aurora
XMRig Miner payload
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 00:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 00:51
Reported
2023-02-25 00:54
Platform
win10v2004-20230220-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rTR23sH89.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
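The two Defender tables above (the Real-Time Protection policy values and Features\TamperProtection) answer one question when read together: which process switched off which protection, and through which registry path. The Python below is an added example written for this report, not sandbox output. EVENTS copies the Set value rows of both tables plus one constructed negative-control row (marked in the code); the rule names and the descriptions attached to each value are this example's own. Two caveats for a responder: the mZc84IZ.exe writes are recorded under WOW6432Node while the iTB49Gb.exe writes land in the native path, so a detection has to match both views; and on an endpoint with Tamper Protection enabled Defender is designed to ignore these policy values and to refuse a local process clearing Features\TamperProtection, so these registry events prove intent, not that protection was actually disabled.

```python
"""Which process switched off which Defender protection, and through which registry path.

Added example for this report, not sandbox output. EVENTS copies the 'Set value' rows of
the two Defender tables; the final row is a constructed negative control.
"""
import re
from typing import Dict, Iterable, Tuple

# Policy values that each disable one component of real-time protection when set to 1.
RTP_KILL_SWITCHES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
}

# Accept both the native path and the WOW6432Node path: the report records one dropper under each.
_RTP_VALUE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432Node\\)?Policies\\Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\(\w+)$", re.IGNORECASE)
_TP_VALUE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows Defender"
    r"\\Features\\TamperProtection$", re.IGNORECASE)
_SET = re.compile(r'^(?P<path>.+?) = "(?P<data>[^"]*)"$')

Event = Tuple[str, str, str]  # (description, indicator, process): the table's columns

POLICY_WOW64 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
POLICY_NATIVE = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
PROC_MZC84IZ = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe"
PROC_ITB49GB = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe"

EVENTS = [("Key created", POLICY_WOW64, PROC_MZC84IZ)]
EVENTS += [("Set value (int)", POLICY_WOW64 + "\\" + v + ' = "1"', PROC_MZC84IZ) for v in (
    "DisableIOAVProtection", "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring", "DisableScanOnRealtimeEnable")]
EVENTS += [("Set value (int)", POLICY_NATIVE + "\\" + v + ' = "1"', PROC_ITB49GB) for v in (
    "DisableIOAVProtection", "DisableBehaviorMonitoring", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")]
EVENTS += [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"', PROC_MZC84IZ),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"', PROC_ITB49GB),
    # Constructed negative control, not from the report: writing 0 re-enables, so it must not count.
    ("Set value (int)", POLICY_NATIVE + '\\DisableRealtimeMonitoring = "0"', r"C:\Windows\System32\svchost.exe"),
]


def evaluate(events: Iterable[Event]) -> Dict[str, dict]:
    """Per process: protections disabled, whether TamperProtection was cleared, registry view(s) used."""
    findings: Dict[str, dict] = {}
    for description, indicator, process in events:
        if not description.startswith("Set value"):
            continue  # 'Key created' rows carry no data
        m = _SET.match(indicator)
        if not m:
            continue
        path, data = m.group("path"), m.group("data")
        rtp, tp = _RTP_VALUE.match(path), _TP_VALUE.match(path)
        if not (rtp or tp):
            continue  # some unrelated key
        f = findings.setdefault(process, {"disabled": set(), "tamper_protection_off": False, "views": set()})
        view = "WOW6432Node" if (rtp or tp).group(1) else "native"
        if rtp and rtp.group(2) in RTP_KILL_SWITCHES and data == "1":
            f["disabled"].add(rtp.group(2))
            f["views"].add(view)
        elif tp and data == "0":
            f["tamper_protection_off"] = True
            f["views"].add(view)
    # Keep only processes that actually weakened something.
    return {p: f for p, f in findings.items() if f["disabled"] or f["tamper_protection_off"]}


def describe(findings: Dict[str, dict]) -> str:
    lines = []
    for process, f in findings.items():
        what = ", ".join(RTP_KILL_SWITCHES[v] for v in sorted(f["disabled"])) or "nothing"
        tp = " and cleared Features\\TamperProtection" if f["tamper_protection_off"] else ""
        views = "/".join(sorted(f["views"]))
        lines.append(f"{process}: disabled {what}{tp} (registry view: {views})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(evaluate(EVENTS)))
```

Run against the whole registry event stream of a detonation rather than the pre-filtered tables and the same function also surfaces processes that touched the keys without disabling anything; those are dropped deliberately so the output stays a list of offenders.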
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shU16vb24.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shU16vb24.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\d11b07c6bbba28037be9d117bb8fb16ed674ad717f4666b093a9688d0b3ac782.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d11b07c6bbba28037be9d117bb8fb16ed674ad717f4666b093a9688d0b3ac782.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sNM18eH54.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sNM18eH54.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUF93Ey98.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUF93Ey98.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3616 set thread context of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kqF24mY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\new64yw10.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eOv29Zr48.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d11b07c6bbba28037be9d117bb8fb16ed674ad717f4666b093a9688d0b3ac782.exe
"C:\Users\Admin\AppData\Local\Temp\d11b07c6bbba28037be9d117bb8fb16ed674ad717f4666b093a9688d0b3ac782.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUF93Ey98.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUF93Ey98.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sNM18eH54.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sNM18eH54.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shU16vb24.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shU16vb24.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kqF24mY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kqF24mY.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 3456 -ip 3456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1336
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 944 -ip 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\new64yw10.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\new64yw10.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2216 -ip 2216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1576
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rTR23sH89.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rTR23sH89.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eOv29Zr48.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eOv29Zr48.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1340
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBI01qT83.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBI01qT83.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 5064 -ip 5064
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5064 -s 644
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50
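Most of what the process list shows can be extracted mechanically from four command-line shapes. The schtasks calls register a task that relaunches the relocated copy (mnolyk.exe, nbveek.exe) every minute from a hex-named folder under %TEMP%. The CACLS pairs that follow (with `echo Y|` answering the confirmation prompt) first replace the ACL of the file and of its folder so the Admin account has no access, then edit it back to Read only, so the user who ran the loader can no longer overwrite or delete the copy; as owner of the file that user can still reset the ACL with `icacls <path> /reset`. The rundll32 calls load DLLs exporting Main from AppData\Roaming (cred64.dll, clip64.dll). And the XMRig-style options (pool, wallet.worker, algorithm, thread hint) appear on AddInProcess.exe, a .NET Framework binary, which fits the SetThreadContext row above showing Hedtgoupb.exe writing a thread context into that process. The Python below is an added example, not part of the report; PROCESSES copies a subset of the (image, command line) pairs from the list above, and the option parsing, the cacls right names and the image-mismatch heuristic are this example's own. One thing the list shows that is not persistence: the IXP000.TMP..IXP003.TMP folders and the wextract_cleanupN RunOnce values are the standard self-cleanup of nested IExpress (wextract.exe) self-extracting packages.

```python
"""Structured triage of the command lines in the Processes section.

Added example for this report, not sandbox output. PROCESSES copies a subset of the
(image, command line) pairs listed above; the rules below are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
_CACLS_RIGHTS = {"N": "no access", "R": "read", "W": "write", "C": "change", "F": "full control"}

PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe '
     r'/TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\4f9dd6f8a7" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic os get Caption"),  # benign-looking recon, no finding
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 "
     "-u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 "
     "-p X --algo rx/0 --cpu-max-threads-hint=50"),
]


def argv_of(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [a or b for a, b in _TOKEN.findall(cmdline)]


def parse_schtasks(argv: List[str]) -> Optional[dict]:
    """schtasks /Create ...: name, schedule, interval and the action it will run."""
    upper = [a.upper() for a in argv]
    if "/CREATE" not in upper:
        return None
    opts: Dict[str, str] = {}
    for i, a in enumerate(argv[:-1]):          # a switch followed by a non-switch is a valued option
        if a.startswith("/") and not argv[i + 1].startswith("/"):
            opts[a.upper()] = argv[i + 1]
    action = opts.get("/TR", "")
    return {"type": "schtasks", "task": opts.get("/TN"), "schedule": opts.get("/SC"),
            "every": opts.get("/MO"), "action": action, "force": "/F" in upper,
            "user_writable_action": bool(_USER_WRITABLE.search(action))}


def parse_cacls(argv: List[str]) -> Optional[dict]:
    """CACLS <path> /P <user:right> [/E]: /P sets the user's rights; without /E the whole ACL is replaced."""
    upper = [a.upper() for a in argv]
    if len(argv) < 4 or "/P" not in upper or upper.index("/P") + 1 >= len(argv):
        return None
    user, _, right = argv[upper.index("/P") + 1].partition(":")
    return {"type": "cacls", "target": argv[1], "user": user,
            "right": _CACLS_RIGHTS.get(right.upper(), right), "replace_acl": "/E" not in upper}


def parse_rundll32(argv: List[str]) -> Optional[dict]:
    """rundll32 <dll>,<export>: the report writes a space after the comma, so rejoin first."""
    dll, sep, export = " ".join(argv[1:]).partition(",")
    if not sep:
        return None
    return {"type": "rundll32", "dll": dll.strip(), "export": export.strip().split(" ")[0],
            "user_writable_dll": bool(_USER_WRITABLE.search(dll))}


def parse_miner(image: str, argv: List[str]) -> Optional[dict]:
    """XMRig-style options: -o/--url pool, -u/--user wallet[.worker], --algo, --cpu-max-threads-hint=N."""
    opts: Dict[str, str] = {}
    i = 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("--") and "=" in a:
            k, v = a.split("=", 1)
            opts[k], i = v, i + 1
        elif a.startswith("-") and i + 1 < len(argv):
            opts[a], i = argv[i + 1], i + 2
        else:
            i += 1
    pool, user = opts.get("-o") or opts.get("--url"), opts.get("-u") or opts.get("--user")
    if not (pool and user):
        return None
    host, _, port = pool.rpartition(":")
    wallet, _, worker = user.partition(".")
    return {"type": "miner", "pool_host": host, "pool_port": int(port) if port.isdigit() else None,
            "wallet": wallet, "worker": worker, "algo": opts.get("--algo") or opts.get("-a"),
            "threads_hint": opts.get("--cpu-max-threads-hint"),
            # 95-character string starting with 4 or 8: the shape of a Monero main-net address
            "monero_address": len(wallet) == 95 and wallet[0] in "48",
            # miner options on an image under C:\Windows: a hollowed or injected host process
            "image_mismatch": image.lower().startswith("c:\\windows\\")}


def triage(processes: List[Tuple[str, str]]) -> List[dict]:
    """Route each (image, command line) pair to the parser for its image name."""
    findings = []
    for image, cmdline in processes:
        argv = argv_of(cmdline)
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "schtasks.exe":
            f = parse_schtasks(argv)
        elif name == "cacls.exe":
            f = parse_cacls(argv)
        elif name == "rundll32.exe":
            f = parse_rundll32(argv)
        else:
            f = parse_miner(image, argv)
        if f:
            f["image"] = image
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESSES):
        print(finding)
```

Feeding the complete process list through triage() also picks up the second Amadey copy (nbveek.exe) and the clip64.dll loads; the wmic lines produce nothing, which is the point of keeping one of them in the sample.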
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 55.154.139.52.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 23.20.233.193.in-addr.arpa | udp |
| IE | 20.50.80.209:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| DE | 193.233.20.19:80 | 193.233.20.19 | tcp |
| US | 8.8.8.8:53 | 19.20.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.20.233.193.in-addr.arpa | udp |
| RU | 62.204.41.245:80 | 62.204.41.245 | tcp |
| US | 8.8.8.8:53 | 245.41.204.62.in-addr.arpa | udp |
| RU | 62.204.41.88:80 | 62.204.41.88 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 88.41.204.62.in-addr.arpa | udp |
| NL | 45.15.159.15:80 | 45.15.159.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 15.159.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | xiaoxiaojue.duckdns.org | udp |
| NL | 212.87.204.245:55215 | xiaoxiaojue.duckdns.org | tcp |
| US | 8.8.8.8:53 | 245.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
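The Network table mixes attacker infrastructure with sandbox noise: every `8.8.8.8:53` row whose Domain ends in `.in-addr.arpa` is the sandbox's own reverse lookup of an address it has just seen, not malware traffic, and several TCP rows carry only an IP with no name. The Python below is an added example, not part of the report. It parses the table text (tolerating rows extracted with the protocol shifted into the Domain column), drops the PTR noise, records which name resolved to which address, and separates web-port connections from the non-standard ports the dropped components connect to (4124, 8081, 55215) and the miner's pool port 2222. TABLE copies thirteen rows from the table above; the resolver set, the dynamic-DNS suffix list and the port classes are this example's choices. Two context points before blocking: transfer.sh is a public file-sharing service used here as a download host and xmr.2miners.com is a public Monero pool, so both are indicators for this sample rather than attacker-owned infrastructure, and xiaoxiaojue.duckdns.org is a dynamic-DNS name whose resolved address (212.87.204.245 at detonation time) should be expected to change.

```python
"""Turn the Network table into indicators, dropping sandbox noise.

Added example for this report, not sandbox output. TABLE copies thirteen rows from the
table above (two kept in the column-shifted form some extractions produce); the resolver
set, DDNS suffixes and port classes are this example's choices.
"""
from collections import Counter
from typing import List

TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 55.154.139.52.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | tcp | |
| IE | 20.50.80.209:443 | | tcp |
| DE | 193.233.20.23:4124 | tcp | |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | xiaoxiaojue.duckdns.org | udp |
| NL | 212.87.204.245:55215 | xiaoxiaojue.duckdns.org | tcp |
| US | 8.8.8.8:53 | 245.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
"""

RESOLVERS = {"8.8.8.8"}            # the sandbox's DNS resolver, not a contact of the sample
DDNS_SUFFIXES = (".duckdns.org",)  # extend with other dynamic-DNS providers as needed
WEB_PORTS = {80, 443}


def parse_table(text: str) -> List[dict]:
    """Parse pipe-table rows; a row of the shape '| CC | ip:port | tcp | |' has proto in the Domain cell."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:  # protocol shifted into the Domain column
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows: List[dict]) -> dict:
    """Split rows into PTR noise, names, name->address map, and web vs non-standard-port endpoints."""
    out = {"ptr_noise": 0, "domains": set(), "dynamic_dns": set(), "resolved": {},
           "web": Counter(), "nonstandard": Counter()}

    def note_domain(name: str, ip: str = "") -> None:
        out["domains"].add(name)
        if name.endswith(DDNS_SUFFIXES):
            out["dynamic_dns"].add(name)
        if ip:
            out["resolved"][name] = ip

    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            if r["domain"].endswith(".in-addr.arpa"):
                out["ptr_noise"] += 1  # sandbox reverse lookup of an address it already logged
            elif r["domain"]:
                note_domain(r["domain"])
            continue
        if r["domain"] and r["domain"] != r["ip"]:  # a bare IP in the Domain column is not a name
            note_domain(r["domain"], r["ip"])
        bucket = out["web"] if r["port"] in WEB_PORTS else out["nonstandard"]
        bucket[(r["ip"], r["port"])] += 1
    return out


def blocklist(summary: dict) -> List[str]:
    """Names plus non-web ip:port pairs; web endpoints stay separate because CDNs and shared hosting sit behind them."""
    hosts = [f"{ip}:{port}" for ip, port in summary["nonstandard"]]
    return sorted(summary["domains"]) + sorted(hosts)


if __name__ == "__main__":
    s = summarize(parse_table(TABLE))
    print("PTR lookups dropped:", s["ptr_noise"])
    print("non-standard ports:", dict(s["nonstandard"]))
    print("blocklist:", blocklist(s))
```

The repeat count kept in the Counter is itself useful: the four connections to 193.233.20.23:4124 in the full table are the kind of beaconing pattern worth a proxy or NetFlow search across the estate, whereas a single fetch from a CDN address on port 443 usually is not.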
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUF93Ey98.exe
| MD5 | b453b7e5611cfb0519a4660cf98e02ae |
| SHA1 | 2b084e6337b33eff870f87c670b177dc50217d01 |
| SHA256 | f390966c94482f5ffec351492c439b838fadb9173726f4c2c068c0595acf39db |
| SHA512 | 0a5caf45d1cb2e65a48665ddee0b15a556a1bfd8a4f2d3e7d517a3e6d53d43981a7835dff7789608fcc5371b8523672594ff25c988ba7b677e962883ec57cd32 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sNM18eH54.exe
| MD5 | 7a9addd8047f19c3a7b7c35253b27cfa |
| SHA1 | b28eef4a4d2daaaa5adc42485d8ec16f3cca709a |
| SHA256 | aacc447fe68583494419a11ce4516b3e81137c164bb808dad2292f4093b98427 |
| SHA512 | 6c56c20cdb15c90194dc2de23f3fd80a37b7234532a54681520ea39d122f8d06b3b7b604e4f85c80b032e39ab75808db0a8068eaba4a339398c2b3855318f969 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shU16vb24.exe
| MD5 | d51c4b261c220a8918269d726e92c65e |
| SHA1 | 46b3ee3062a4a00e6ea349e83c47ccf4aa2237a9 |
| SHA256 | 28566c60f70b9c901436a634d0358c0517e67d312cdf788f5ae87d4da2c2dedf |
| SHA512 | 0f18d9471e38fcdcf590ee894df6c75db55d5dd4d14a1d6f85490d67ba716eb0b687b6e6dbe77d0577536c34acc9742f7944cf627a72f1547e17115d913ad142 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTB49Gb.exe
| MD5 | 16c3d988bce3081317554671723db4e8 |
| SHA1 | fb89d29d2b54b1d6e6b2500349558beaa184731e |
| SHA256 | b3d4f7a066be5e3bb169ff0da41c0445e9e0bc06c2348a65bd214dde20da5c65 |
| SHA512 | 78ba8fa376dbff46b762801c0a91fcf790a17b8eb0718e7be301a3045edede7c1b387314c639fe34101892814b24aa190190fc403d6ac28d00c8d1205ba62c71 |
memory/3584-161-0x0000000000B90000-0x0000000000B9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kqF24mY.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
memory/3456-167-0x0000000002D00000-0x0000000002D4B000-memory.dmp
memory/3456-168-0x00000000071B0000-0x0000000007754000-memory.dmp
memory/3456-169-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-170-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-172-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-174-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-176-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-178-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-180-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-179-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-183-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-182-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-185-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-187-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-189-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-191-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-193-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-195-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-197-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-201-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-199-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-203-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-205-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-207-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-209-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-211-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-213-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-215-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-217-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-219-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-221-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-223-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-225-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-227-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-229-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-231-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-233-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-235-0x0000000007150000-0x000000000718F000-memory.dmp
memory/3456-1078-0x00000000077B0000-0x0000000007DC8000-memory.dmp
memory/3456-1079-0x0000000007E50000-0x0000000007F5A000-memory.dmp
memory/3456-1080-0x0000000007F90000-0x0000000007FA2000-memory.dmp
memory/3456-1081-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-1082-0x0000000007FB0000-0x0000000007FEC000-memory.dmp
memory/3456-1084-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-1085-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-1086-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-1087-0x00000000082A0000-0x0000000008306000-memory.dmp
memory/3456-1088-0x0000000008970000-0x0000000008A02000-memory.dmp
memory/3456-1089-0x0000000008A60000-0x0000000008C22000-memory.dmp
memory/3456-1090-0x0000000008C40000-0x000000000916C000-memory.dmp
memory/3456-1091-0x00000000071A0000-0x00000000071B0000-memory.dmp
memory/3456-1092-0x00000000095C0000-0x0000000009636000-memory.dmp
memory/3456-1093-0x0000000009640000-0x0000000009690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZc84IZ.exe
| MD5 | f74e99a7c08bb4d44d32eeaf18062492 |
| SHA1 | 1e225b042b87db87204d987c46958ffde22b3931 |
| SHA256 | 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b |
| SHA512 | 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429 |
memory/944-1129-0x0000000002BF0000-0x0000000002C1D000-memory.dmp
memory/944-1130-0x0000000007300000-0x0000000007310000-memory.dmp
memory/944-1131-0x0000000007300000-0x0000000007310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\new64yw10.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rTR23sH89.exe
| MD5 | 706b5060e6876d197e6fe6282c5de33e |
| SHA1 | 72558e71ab1a80b52a4eb4f665827b6dda81a807 |
| SHA256 | 20c2739e552df53f00d1fcf2e6c26bb09305c17b8ef7fab682e52ae1cce1bd4b |
| SHA512 | 5fed5f0a7f9fbaef008eecc70261dce83b1fbf6ee2787f1bbf693ba375b8a058de8b58afd0ceb95ff42e7e83488f02f6b3515c37b7e941019981fd8cf6af964c |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 706b5060e6876d197e6fe6282c5de33e |
| SHA1 | 72558e71ab1a80b52a4eb4f665827b6dda81a807 |
| SHA256 | 20c2739e552df53f00d1fcf2e6c26bb09305c17b8ef7fab682e52ae1cce1bd4b |
| SHA512 | 5fed5f0a7f9fbaef008eecc70261dce83b1fbf6ee2787f1bbf693ba375b8a058de8b58afd0ceb95ff42e7e83488f02f6b3515c37b7e941019981fd8cf6af964c |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | 386c0ef17f7620b45a09430cfcc8be4a |
| SHA1 | d61d1e1843286e262e1f81372ff7fc14b66b7071 |
| SHA256 | 3136812e9af0f7443ca25443ac014293e8e4d4ebea2cc4788a2f1c80f5b20eef |
| SHA512 | 6cf5342d5cd18c145ecc54e905616fa6b80f9933db745e16610b0ac5c647a58909ee7d27b134e99e7fb16db5d9142c768809f2cbf87aa4d03dada67531c4ed24 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eOv29Zr48.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 53bf804f75123ed2339305be1d298398 |
| SHA1 | 33a337e3e219da8ecd237b44fbcaf4864124a012 |
| SHA256 | 7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8 |
| SHA512 | 7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | b2446d155f77cf70a33bb0c25172fa3f |
| SHA1 | c20d68dad9e872b4607a5677c4851f863c28daf7 |
| SHA256 | 0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb |
| SHA512 | 5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBI01qT83.exe
| MD5 | ba13a585b35add9b6bf3c33146afc6fe |
| SHA1 | 977ba6958cf4f5fd175ad9c34623944e7109ea98 |
| SHA256 | bc6a8a19f87e369eb3fc008614fd570092a1cfa85ecd8bb56d1c5d0528d9b07c |
| SHA512 | 8f136f26304893a4c12d54d392266be228790a28e38603f5ac3619a256f545c7e531d7d2d6b96dfbad3f9289bdd1fb4c6e184fa30b763c37dd66234c90077539 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |