Malware Analysis Report

2024-11-30 23:04

Sample ID 230225-ayawqabe44
Target 100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71
SHA256 100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71
Tags
amadey aurora redline rodik discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71

Threat Level: Known bad

The file 100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71 was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Amadey

Aurora

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-25 00:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 00:36

Reported

2023-02-25 00:39

Platform

win10v2004-20230220-en

Max time kernel

96s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A

RedLine

infostealer redline

RedLine payload


Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
PID 4464 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
PID 4464 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe
PID 4224 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
PID 4224 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
PID 4224 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe
PID 1760 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
PID 1760 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
PID 1760 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe
PID 3532 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe
PID 3532 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe
PID 3532 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
PID 3532 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
PID 3532 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe
PID 1760 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
PID 1760 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
PID 1760 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe
PID 4224 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
PID 4224 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
PID 4224 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe
PID 4464 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
PID 4464 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
PID 4464 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe
PID 3496 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 3496 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 3496 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4000 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 4000 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 4000 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 4000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2280 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4000 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 4000 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 4000 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
PID 3432 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
PID 3432 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
PID 3432 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe
PID 4000 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 4000 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 4000 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
PID 3948 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 3948 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 3948 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
PID 232 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe
PID 232 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe

"C:\Users\Admin\AppData\Local\Temp\100c6f5ff43129f8838775ea9db7d645f58b42ba53f6d38addc0b7e12e971c71.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1612

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3192 -ip 3192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1032

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1352

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 23.20.233.193.in-addr.arpa udp
US 20.189.173.2:443 tcp
US 209.197.3.8:80 tcp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 13.107.4.50:80 tcp
DE 193.233.20.15:80 193.233.20.15 tcp
DE 193.233.20.19:80 193.233.20.19 tcp
US 8.8.8.8:53 15.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 19.20.233.193.in-addr.arpa udp
RU 62.204.41.245:80 62.204.41.245 tcp
US 8.8.8.8:53 245.41.204.62.in-addr.arpa udp
RU 62.204.41.88:80 62.204.41.88 tcp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 88.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
NL 45.15.159.15:80 45.15.159.15 tcp
US 8.8.8.8:53 15.159.15.45.in-addr.arpa udp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
DE 193.233.20.23:4124 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sum37sL77.exe

MD5 29d70e2dfb23bae1d95caedb83c93f64
SHA1 634ccb693de5291ea2e139eea2beaf4b70302810
SHA256 6373757d581b503b8de4d1053cae0ee75bb1ad319b1873e36770e73c9f4b9580
SHA512 1fdffd27cfb6ac30f2633be5dcdfe71e23e858b208a2a86b60f6c5e45ea7952c95625e8b8843d478c6febc4ae019ebc2786bd61ac693b76e1320462175e1528c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sKI25YS39.exe

MD5 43c7ae9bafea48e8cf4ed5a7cc6dcf05
SHA1 ec86c5064ea7a12b9f9ad46e2533bf23477997bc
SHA256 95c4e86afb7cce650224c9541f3dbba6bcae62cee9ca92ce7dfc216914544372
SHA512 4c4e58b7f86d758c4e199a77375937ffda94b682a5a344fed713d7b55188263032b6db2c8239018b2825b9faddc5339141cb1ffcddcfb4d345387340522c9abb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sQS68ub70.exe

MD5 63abec558c230905906b978f8a0cd42b
SHA1 9549b2a70f6f7fa2a9c1ab4a767339a686e4ee00
SHA256 8c5c182826e3fca3de8efefac84a703c67cdb41d115cb0fd88a319868aa7b3da
SHA512 20441a736e0c02b8f9356b9d842840967e98f5207655fdd0acff92fe04434eac0c4005990bb941c00ab9c92ffea49d4eacea09a5b67213631f76657df1fed5bf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCM00BG.exe

MD5 0114ecc4de5b5e96b1b97c7d40ae9d8a
SHA1 8959a8376fc0d7018c39c417989f3d12200700fa
SHA256 6ed9d9bcf004dbf4f621fe5de509f20f3377200655aa52183ec3a0c51a70a6ac
SHA512 f2e8f30ad10ae3185fc7f1fd8369944d23b98728898c7272fdb81fba88a49832556705a16bf49a4f3936f3000bbf0311df3d963c5a171280680861aab83a9273

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\khR73dH.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

memory/2020-170-0x0000000002E40000-0x0000000002E8B000-memory.dmp

memory/2020-171-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-172-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-173-0x00000000071C0000-0x0000000007764000-memory.dmp

memory/2020-174-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-175-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-177-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-179-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-181-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-183-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-185-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-187-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-189-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-191-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-193-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-195-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-197-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-200-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-199-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-202-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-204-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-206-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-208-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-210-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-212-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-214-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-216-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-218-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-220-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-222-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-224-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-226-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-228-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-230-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-232-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-234-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-236-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-238-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/2020-1081-0x00000000077B0000-0x0000000007DC8000-memory.dmp

memory/2020-1082-0x0000000007E50000-0x0000000007F5A000-memory.dmp

memory/2020-1083-0x0000000007F90000-0x0000000007FA2000-memory.dmp

memory/2020-1084-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

memory/2020-1085-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-1087-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-1088-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-1089-0x00000000082A0000-0x0000000008332000-memory.dmp

memory/2020-1090-0x0000000008340000-0x00000000083A6000-memory.dmp

memory/2020-1091-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2020-1092-0x0000000008B80000-0x0000000008BF6000-memory.dmp

memory/2020-1093-0x0000000008C10000-0x0000000008C60000-memory.dmp

memory/2020-1094-0x000000000A030000-0x000000000A1F2000-memory.dmp

memory/2020-1095-0x000000000A210000-0x000000000A73C000-memory.dmp

memory/2020-1096-0x0000000004E20000-0x0000000004E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mSK14Fh.exe

MD5 f74e99a7c08bb4d44d32eeaf18062492
SHA1 1e225b042b87db87204d987c46958ffde22b3931
SHA256 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b
SHA512 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429

memory/3192-1131-0x0000000002BF0000-0x0000000002C1D000-memory.dmp

memory/3192-1132-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/3192-1135-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/3192-1137-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/3192-1136-0x00000000073C0000-0x00000000073D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nta01fa06.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

memory/2168-1299-0x00000000072C0000-0x00000000072D0000-memory.dmp

memory/2168-1300-0x00000000072C0000-0x00000000072D0000-memory.dmp

memory/2168-1303-0x00000000072C0000-0x00000000072D0000-memory.dmp

memory/2168-2052-0x00000000072C0000-0x00000000072D0000-memory.dmp

memory/2168-2055-0x00000000072C0000-0x00000000072D0000-memory.dmp

memory/2168-2054-0x00000000072C0000-0x00000000072D0000-memory.dmp

memory/2168-2056-0x00000000072C0000-0x00000000072D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roL24sX22.exe

MD5 1185eb8cb23746f48a1d9ea3af90668f
SHA1 6b65155683e380bd9928630a6f505a1acca54021
SHA256 c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a
SHA512 40b9584efb2630ca7ac66e37ed40728b7153b1f18f04d405ad86757fdb47214739c5af4f82470a8160138f133e166e6cdbd67a5a61554f9beff6ff494e63bd92

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 1185eb8cb23746f48a1d9ea3af90668f
SHA1 6b65155683e380bd9928630a6f505a1acca54021
SHA256 c0989c1f148b34719cfeb89e69d580320c12a64947fbc0e93da95571d86f2f1a
SHA512 40b9584efb2630ca7ac66e37ed40728b7153b1f18f04d405ad86757fdb47214739c5af4f82470a8160138f133e166e6cdbd67a5a61554f9beff6ff494e63bd92

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 cd468397263f01cc5abf9183fb992b51
SHA1 b3ef36a9ecc8859c5f46312ba366a40ff77fc9b1
SHA256 444cebb887cb869f62073ef6df888120b4e209f5c1fbd75cb699f6988129c7a2
SHA512 3c378931d012cdc7711dac5ef160a603d876be7274c9edf91c27c761448a2b2a4237c2e6dbfc5182dd376c32fa0e164f317ac16334e18236ce16bf02971e02a8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\edM52Xx49.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

memory/2400-2200-0x0000000007200000-0x0000000007210000-memory.dmp

memory/2400-2203-0x0000000007200000-0x0000000007210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

memory/4480-2475-0x0000000000B90000-0x0000000000C08000-memory.dmp

memory/4480-2512-0x00000000014E0000-0x00000000014F0000-memory.dmp

memory/2400-2900-0x0000000007200000-0x0000000007210000-memory.dmp

memory/2400-2906-0x0000000007200000-0x0000000007210000-memory.dmp

memory/2400-2903-0x0000000007200000-0x0000000007210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 386c014d0948d4fc41afa98cfca9022e
SHA1 786cc52d9b962f55f92202c7d50c3707eb62607b
SHA256 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
SHA512 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 77e31b1123e94ce5720ceb729a425798
SHA1 2b65c95f27d8dca23864a3ed4f78490039ae27bf
SHA256 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
SHA512 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

memory/2400-3756-0x0000000007200000-0x0000000007210000-memory.dmp