Analysis Overview
SHA256
100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71
Threat Level: Known bad
The file 100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Amadey
Aurora
Downloads MZ/PE file
Executes dropped EXE
Windows security modification
Reads user/profile data of web browsers
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-02-25 00:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 00:36
Reported
2023-02-25 00:39
Platform
win10v2004-20230220-en
Max time kernel
96s
Max time network
146s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
RedLine
RedLine payload
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe
"C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2020 -ip 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1612
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3192 -ip 3192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1032
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2168 -ip 2168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1352
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
| MD5 | 29d70e2dfb23bae1d95caedb83c93f64 |
| SHA1 | 634ccb693de5291ea2e139eea2beaf4b70302810 |
| SHA256 | 6373757d581b503b8de4d1053cae0ee75bb1ad319b1873e36770e73c9f4b9580 |
| SHA512 | 1fdffd27cfb6ac30f2633be5dcdfe71e23e858b208a2a86b60f6c5e45ea7952c95625e8b8843d478c6febc4ae019ebc2786bd61ac693b76e1320462175e1528c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
| MD5 | 29d70e2dfb23bae1d95caedb83c93f64 |
| SHA1 | 634ccb693de5291ea2e139eea2beaf4b70302810 |
| SHA256 | 6373757d581b503b8de4d1053cae0ee75bb1ad319b1873e36770e73c9f4b9580 |
| SHA512 | 1fdffd27cfb6ac30f2633be5dcdfe71e23e858b208a2a86b60f6c5e45ea7952c95625e8b8843d478c6febc4ae019ebc2786bd61ac693b76e1320462175e1528c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
| MD5 | 43c7ae9bafea48e8cf4ed5a7cc6dcf05 |
| SHA1 | ec86c5064ea7a12b9f9ad46e2533bf23477997bc |
| SHA256 | 95c4e86afb7cce650224c9541f3dbba6bcae62cee9ca92ce7dfc216914544372 |
| SHA512 | 4c4e58b7f86d758c4e199a77375937ffda94b682a5a344fed713d7b55188263032b6db2c8239018b2825b9faddc5339141cb1ffcddcfb4d345387340522c9abb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
| MD5 | 43c7ae9bafea48e8cf4ed5a7cc6dcf05 |
| SHA1 | ec86c5064ea7a12b9f9ad46e2533bf23477997bc |
| SHA256 | 95c4e86afb7cce650224c9541f3dbba6bcae62cee9ca92ce7dfc216914544372 |
| SHA512 | 4c4e58b7f86d758c4e199a77375937ffda94b682a5a344fed713d7b55188263032b6db2c8239018b2825b9faddc5339141cb1ffcddcfb4d345387340522c9abb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
| MD5 | 63abec558c230905906b978f8a0cd42b |
| SHA1 | 9549b2a70f6f7fa2a9c1ab4a767339a686e4ee00 |
| SHA256 | 8c5c182826e3fca3de8efefac84a703c67cdb41d115cb0fd88a319868aa7b3da |
| SHA512 | 20441a736e0c02b8f9356b9d842840967e98f5207655fdd0acff92fe04434eac0c4005990bb941c00ab9c92ffea49d4eacea09a5b67213631f76657df1fed5bf |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
| MD5 | 63abec558c230905906b978f8a0cd42b |
| SHA1 | 9549b2a70f6f7fa2a9c1ab4a767339a686e4ee00 |
| SHA256 | 8c5c182826e3fca3de8efefac84a703c67cdb41d115cb0fd88a319868aa7b3da |
| SHA512 | 20441a736e0c02b8f9356b9d842840967e98f5207655fdd0acff92fe04434eac0c4005990bb941c00ab9c92ffea49d4eacea09a5b67213631f76657df1fed5bf |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe
| MD5 | 0114ecc4de5b5e96b1b97c7d40ae9d8a |
| SHA1 | 8959a8376fc0d7018c39c417989f3d12200700fa |
| SHA256 | 6ed9d9bcf004dbf4f621fe5de509f20f3377200655aa52183ec3a0c51a70a6ac |
| SHA512 | f2e8f30ad10ae3185fc7f1fd8369944d23b98728898c7272fdb81fba88a49832556705a16bf49a4f3936f3000bbf0311df3d963c5a171280680861aab83a9273 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe
| MD5 | 0114ecc4de5b5e96b1b97c7d40ae9d8a |
| SHA1 | 8959a8376fc0d7018c39c417989f3d12200700fa |
| SHA256 | 6ed9d9bcf004dbf4f621fe5de509f20f3377200655aa52183ec3a0c51a70a6ac |
| SHA512 | f2e8f30ad10ae3185fc7f1fd8369944d23b98728898c7272fdb81fba88a49832556705a16bf49a4f3936f3000bbf0311df3d963c5a171280680861aab83a9273 |
memory/3764-164-0x0000000000190000-0x000000000019A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
memory/2020-170-0x0000000002E40000-0x0000000002E8B000-memory.dmp
memory/2020-171-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-172-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-173-0x00000000071C0000-0x0000000007764000-memory.dmp
memory/2020-174-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-175-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-177-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-179-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-181-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-183-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-185-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-187-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-189-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-191-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-193-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-195-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-197-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-200-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-199-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-202-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-204-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-206-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-208-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-210-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-212-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-214-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-216-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-218-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-220-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-222-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-224-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-226-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-228-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-230-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-232-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-234-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-236-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-238-0x0000000004E30000-0x0000000004E6F000-memory.dmp
memory/2020-1081-0x00000000077B0000-0x0000000007DC8000-memory.dmp
memory/2020-1082-0x0000000007E50000-0x0000000007F5A000-memory.dmp
memory/2020-1083-0x0000000007F90000-0x0000000007FA2000-memory.dmp
memory/2020-1084-0x0000000007FB0000-0x0000000007FEC000-memory.dmp
memory/2020-1085-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-1087-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-1088-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-1089-0x00000000082A0000-0x0000000008332000-memory.dmp
memory/2020-1090-0x0000000008340000-0x00000000083A6000-memory.dmp
memory/2020-1091-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2020-1092-0x0000000008B80000-0x0000000008BF6000-memory.dmp
memory/2020-1093-0x0000000008C10000-0x0000000008C60000-memory.dmp
memory/2020-1094-0x000000000A030000-0x000000000A1F2000-memory.dmp
memory/2020-1095-0x000000000A210000-0x000000000A73C000-memory.dmp
memory/2020-1096-0x0000000004E20000-0x0000000004E30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
| MD5 | f74e99a7c08bb4d44d32eeaf18062492 |
| SHA1 | 1e225b042b87db87204d987c46958ffde22b3931 |
| SHA256 | 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b |
| SHA512 | 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
| MD5 | f74e99a7c08bb4d44d32eeaf18062492 |
| SHA1 | 1e225b042b87db87204d987c46958ffde22b3931 |
| SHA256 | 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b |
| SHA512 | 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429 |
memory/3192-1131-0x0000000002BF0000-0x0000000002C1D000-memory.dmp
memory/3192-1132-0x00000000073C0000-0x00000000073D0000-memory.dmp
memory/3192-1135-0x00000000073C0000-0x00000000073D0000-memory.dmp
memory/3192-1137-0x00000000073C0000-0x00000000073D0000-memory.dmp
memory/3192-1136-0x00000000073C0000-0x00000000073D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
memory/2168-1299-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/2168-1300-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/2168-1303-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/2168-2052-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/2168-2055-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/2168-2054-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/2168-2056-0x00000000072C0000-0x00000000072D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
| MD5 | 1185eb8cb23746f48a1d9ea3af90668f |
| SHA1 | 6b65155683e380bd9928630a6f505a1acca54021 |
| SHA256 | c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a |
| SHA512 | 40b9584efb2630ca7ac66e37ed40728b7153b1f18f04d405ad86757fdb47214739c5af4f82470a8160138f133e166e6cdbd67a5a61554f9beff6ff494e63bd92 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
| MD5 | 1185eb8cb23746f48a1d9ea3af90668f |
| SHA1 | 6b65155683e380bd9928630a6f505a1acca54021 |
| SHA256 | c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a |
| SHA512 | 40b9584efb2630ca7ac66e37ed40728b7153b1f18f04d405ad86757fdb47214739c5af4f82470a8160138f133e166e6cdbd67a5a61554f9beff6ff494e63bd92 |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 1185eb8cb23746f48a1d9ea3af90668f |
| SHA1 | 6b65155683e380bd9928630a6f505a1acca54021 |
| SHA256 | c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a |
| SHA512 | 40b9584efb2630ca7ac66e37ed40728b7153b1f18f04d405ad86757fdb47214739c5af4f82470a8160138f133e166e6cdbd67a5a61554f9beff6ff494e63bd92 |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | cd468397263f01cc5abf9183fb992b51 |
| SHA1 | b3ef36a9ecc8859c5f46312ba366a40ff77fc9b1 |
| SHA256 | 444cebb887cb869f62073ef6df888120b4e209f5c1fbd75cb699f6988129c7a2 |
| SHA512 | 3c378931d012cdc7711dac5ef160a603d876be7274c9edf91c27c761448a2b2a4237c2e6dbfc5182dd376c32fa0e164f317ac16334e18236ce16bf02971e02a8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
memory/2400-2200-0x0000000007200000-0x0000000007210000-memory.dmp
memory/2400-2203-0x0000000007200000-0x0000000007210000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
memory/4480-2475-0x0000000000B90000-0x0000000000C08000-memory.dmp
memory/4480-2512-0x00000000014E0000-0x00000000014F0000-memory.dmp
memory/2400-2900-0x0000000007200000-0x0000000007210000-memory.dmp
memory/2400-2906-0x0000000007200000-0x0000000007210000-memory.dmp
memory/2400-2903-0x0000000007200000-0x0000000007210000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 386c014d0948d4fc41afa98cfca9022e |
| SHA1 | 786cc52d9b962f55f92202c7d50c3707eb62607b |
| SHA256 | 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2 |
| SHA512 | 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | 77e31b1123e94ce5720ceb729a425798 |
| SHA1 | 2b65c95f27d8dca23864a3ed4f78490039ae27bf |
| SHA256 | 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85 |
| SHA512 | 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a |
memory/2400-3756-0x0000000007200000-0x0000000007210000-memory.dmp
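Several of the dropped files above are the same binary written under different names: nta01fa06.exe and edM52Xx49.exe carry identical MD5/SHA1/SHA256/SHA512 values, as do roL24sX22.exe and mnolyk.exe, and lebro.exe and nbveek.exe (a copy into a random-named folder under %TEMP% is what the report's "Adds Run key" and Amadey signatures describe, but the hash match alone is enough to treat them as one artifact). The Python below is an added example, not part of the sandbox report: it parses this listing format, collapses repeated entries, groups paths by SHA256 so renamed copies become visible, emits one blocklist line per distinct binary, and computes the size of each memory-dump region. The sample text is a constructed subset of the entries on this page (hash values copied verbatim, mnolyk.exe listed twice on purpose); the regular expressions and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from this report, copied verbatim.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
memory/2168-1299-0x00000000072C0000-0x00000000072D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
| MD5 | 1185eb8cb23746f48a1d9ea3af90668f |
| SHA1 | 6b65155683e380bd9928630a6f505a1acca54021 |
| SHA256 | c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 1185eb8cb23746f48a1d9ea3af90668f |
| SHA1 | 6b65155683e380bd9928630a6f505a1acca54021 |
| SHA256 | c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 1185eb8cb23746f48a1d9ea3af90668f |
| SHA1 | 6b65155683e380bd9928630a6f505a1acca54021 |
| SHA256 | c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | cd468397263f01cc5abf9183fb992b51 |
| SHA1 | b3ef36a9ecc8859c5f46312ba366a40ff77fc9b1 |
| SHA256 | 444cebb887cb869f62073ef6df888120b4e209f5c1fbd75cb699f6988129c7a2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
memory/4480-2475-0x0000000000B90000-0x0000000000C08000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # Windows path line starts a new entry
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, dumps). Each file is {"path", "md5", "sha1", ...};
    each dump is {"pid", "index", "start", "end", "size"} with sizes in bytes."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, value = m.group(1), m.group(2).lower()
            # A truncated or mis-copied hash is worse than none: refuse it.
            if len(value) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} on {current['path']} has length {len(value)}")
            current[algo.lower()] = value
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            s, e = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "index": int(idx), "start": s, "end": e, "size": e - s})
    return files, dumps


def dedupe(files):
    """Drop repeated (path, sha256) entries, keeping first-seen order."""
    seen, out = set(), []
    for f in files:
        key = (f["path"].lower(), f.get("sha256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def aliases_by_sha256(files):
    """sha256 -> sorted distinct paths. More than one path means the same
    binary was written under several names (a copy or rename, not a new payload)."""
    groups = defaultdict(set)
    for f in dedupe(files):
        if "sha256" in f:
            groups[f["sha256"]].add(f["path"])
    return {h: sorted(p) for h, p in groups.items()}


def renamed_copies(files):
    """Only the binaries that appear under two or more paths."""
    return {h: p for h, p in aliases_by_sha256(files).items() if len(p) > 1}


def ioc_lines(files):
    """One 'sha256  path, path' line per distinct binary, ordered by hash, for a blocklist."""
    return [f"{h}  {', '.join(p)}" for h, p in sorted(aliases_by_sha256(files).items())]
```

Dump regions of exactly 0x10000 bytes (such as the 2168 and 2400 entries above) are single 64 KiB allocations; the larger 4480 region (0xB90000 to 0xC08000, 0x78000 bytes) is the first one worth opening when looking for an unpacked image, since a PE rarely fits in 64 KiB.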