Malware Analysis Report

2024-11-30 23:15

Sample ID 230225-jlzhzsce82
Target e960131e05854d7c428dd3b894a5ed7e.exe
SHA256 aaaac6b3162aeaffba1f71e2408bc15729eff58290d7c76dcb07f342f3299e9f
Tags
amadey aurora redline frukt rodik discovery evasion infostealer persistence pyinstaller spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

aaaac6b3162aeaffba1f71e2408bc15729eff58290d7c76dcb07f342f3299e9f

Threat Level: Known bad

The file e960131e05854d7c428dd3b894a5ed7e.exe was found to be: Known bad.

Malicious Activity Summary


Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Amadey

Aurora

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Program crash

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-25 07:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 07:46

Reported

2023-02-25 07:48

Platform

win7-20230220-en

Max time kernel

127s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(42 payload matches, each recorded without a description, indicator, process or target)

Downloads MZ/PE file

Loads dropped DLL

64 load events, none with a description or indicator recorded, collapsed to one row per loading process:

Process Load events
C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe 1
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe 1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe 1
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe 2
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe 3
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe 1
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe 2
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe 5
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe 1
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe 1
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe 1
(process not recorded) 1
C:\Windows\system32\WerFault.exe 6
C:\Windows\SysWOW64\rundll32.exe 12
C:\Windows\system32\rundll32.exe 4

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
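The two tables above (Modifies Windows Defender Real-time Protection settings, and Windows security modification) are the highest-signal rows in the report: the DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableOnAccessProtection, DisableIOAVProtection and DisableScanOnRealtimeEnable values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection are the Group Policy switches that turn real-time protection off, and Features\TamperProtection = 0 is an attempt to switch off the control that guards them. Two caveats for anyone reusing this: on Windows 10 1903 and later with Tamper Protection on, Defender ignores these registry writes and protects the TamperProtection value itself, whereas the detonation ran on Windows 7 (win7-20230220-en), where nothing stopped them; and the writes need administrative rights, which the sandbox user had. The rows are therefore most useful as a detection (for example a rule on Sysmon Event ID 13 for these paths) and as a triage flag. The script below is an added example, not part of the report or of any tool it mentions: it parses rows in the report's own layout, folds the Wow6432Node view into the native key so that mnN79Cs.exe (a 32-bit process writing through the WOW64 redirector) and iVu19IR.exe are judged alike, and returns per process which switches were flipped. The sample rows are constructed from the tables above (only part of the mnN79Cs.exe rows are included) plus one Run-key row from the persistence table that must not count.

```python
import re
from collections import defaultdict

# Constructed input: registry rows in the report's "Description Indicator Process Target"
# layout for the two droppers that touch Defender, plus one Run-key row from the same
# report that a Defender-tampering check must ignore.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
FEAT32 = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features"
IVU = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe"
MNN = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe"
MNOLYK = r"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
SAMPLE_ROWS = [
    f"Key created {RTP} {IVU} N/A",
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" {IVU} N/A',
    f'Set value (int) {RTP}\\DisableScanOnRealtimeEnable = "1" {IVU} N/A',
    f'Set value (int) {RTP}\\DisableBehaviorMonitoring = "1" {IVU} N/A',
    f'Set value (int) {RTP}\\DisableIOAVProtection = "1" {IVU} N/A',
    f'Set value (int) {RTP}\\DisableOnAccessProtection = "1" {IVU} N/A',
    f'Set value (int) {FEAT}\\TamperProtection = "0" {IVU} N/A',
    f'Set value (int) {RTP}\\DisableIOAVProtection = "1" {MNN} N/A',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" {MNN} N/A',
    f'Set value (int) {FEAT32}\\TamperProtection = "0" {MNN} N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft'
    r'\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" '
    + MNOLYK + " N/A",
]

# Policy values that switch off a real-time protection component when set to 1, and the
# Features value the sample zeroes. Keys are compared lower-cased with the hive prefix and
# any Wow6432Node segment removed, so 32-bit and 64-bit writers land on the same key.
RTP_KEY = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"software\microsoft\windows defender\features"
RTP_DISABLE_VALUES = frozenset({
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableOnAccessProtection",
    "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
})

SET_RE = re.compile(r'^Set value \((?:int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+) (\S+)$')
HIVE_RE = re.compile(r"^\\REGISTRY\\(?:MACHINE|USER\\S-1-[\d-]+)\\", re.I)


def parse_set_value(row):
    """One 'Set value' row -> normalized key, value name, value and writing process; None for other rows."""
    m = SET_RE.match(row)
    if not m:
        return None
    full, value, process, _target = m.groups()
    key, _, name = full.rpartition("\\")
    key = HIVE_RE.sub("", key)
    key = re.sub(r"wow6432node\\", "", key, flags=re.I).lower()
    return {"key": key, "name": name, "value": value, "process": process}


def assess_defender_tampering(rows):
    """Per process: the real-time protection switches it set to 1 and whether it zeroed TamperProtection."""
    findings = defaultdict(lambda: {"rtp_disabled": set(), "tamper_protection_off": False})
    for row in rows:
        ev = parse_set_value(row)
        if ev is None:
            continue
        if ev["key"] == RTP_KEY and ev["name"] in RTP_DISABLE_VALUES and ev["value"] == "1":
            findings[ev["process"]]["rtp_disabled"].add(ev["name"])
        elif ev["key"] == FEATURES_KEY and ev["name"] == "TamperProtection" and ev["value"] == "0":
            findings[ev["process"]]["tamper_protection_off"] = True
    return dict(findings)


if __name__ == "__main__":
    for proc, f in assess_defender_tampering(SAMPLE_ROWS).items():
        print(proc, sorted(f["rtp_disabled"]), "TamperProtection=0" if f["tamper_protection_off"] else "")
```

Run as-is it reports iVu19IR.exe flipping all five switches and mnN79Cs.exe two of them, both with TamperProtection zeroed, and nothing for mnolyk.exe. The same normalization is what a Sysmon or EDR rule needs: match on the key with and without Wow6432Node, or the 32-bit dropper is missed.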

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A

Checks installed software on the system

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe N/A
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe (two invocations, identical lists) N/A
Token: the same 17 named privileges plus 33 and 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

The numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h, 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege. wmic.exe enables every privilege held by its token when it starts, whoever launches it, so those rows say nothing about the sample on their own. The rows that matter are the five dropped executables enabling SeDebugPrivilege, the privilege needed to open other users' and system processes for memory access.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1052 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1664 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 1840 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 912 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1840 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1664 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1052 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1324 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe

"C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe

"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"

C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe

"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1752 -s 1236

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {CD343964-C971-41ED-BBFB-B5780B460807} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 556 -s 316

Network

Country  Destination            Domain                   Proto
DE       193.233.20.23:4124                              tcp
DE       193.233.20.23:4124                              tcp
DE       193.233.20.15:80       193.233.20.15            tcp
DE       193.233.20.19:80       193.233.20.19            tcp
RU       62.204.41.245:80       62.204.41.245            tcp
DE       193.233.20.23:4124                              tcp
RU       62.204.41.88:80        62.204.41.88             tcp
NL       185.246.221.126:80     185.246.221.126          tcp
NL       45.15.159.15:80        45.15.159.15             tcp
NL       212.87.204.93:8081                              tcp
US       8.8.8.8:53             cracked23.site           udp
NL       185.241.208.138:80     cracked23.site           tcp
DE       193.233.20.23:4124                              tcp
US       8.8.8.8:53             xiaoxiaojue.duckdns.org  udp
NL       212.87.204.245:55215   xiaoxiaojue.duckdns.org  tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

MD5 d22f0ceb98c63a258aabb72cc9dd03db
SHA1 e7f31c09417dac996c641938e17c111d8dd4b88f
SHA256 dfe7213f35a8e133d4de2f3e6efe527f7d9a418803a7312ba94e6200ace2e414
SHA512 8b5086ef457713005ca24784e1056fedeb516dd4e98b078eaf38a0d4278a443e78176ac56f2b0ccc4b3b9c9fec8e78eea26ed416c7eabb513b4b2d8645d8d511

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

MD5 d22f0ceb98c63a258aabb72cc9dd03db
SHA1 e7f31c09417dac996c641938e17c111d8dd4b88f
SHA256 dfe7213f35a8e133d4de2f3e6efe527f7d9a418803a7312ba94e6200ace2e414
SHA512 8b5086ef457713005ca24784e1056fedeb516dd4e98b078eaf38a0d4278a443e78176ac56f2b0ccc4b3b9c9fec8e78eea26ed416c7eabb513b4b2d8645d8d511

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

MD5 2c94d1fc5fcd0966f460a75f775cc027
SHA1 fd22300ffbedd6de7a823bbd856c17a4ed5bfc2e
SHA256 cbd052e79c034f88cf12dec3f352b43b48ba1ef76642dd3c5a05eda627371ad2
SHA512 68cfd3d09312c3f988fe6686e902aeb1148b1430e079ebf57ad5380f2e304630396412e1109a31dad30be021e5f00c6dd6a94c604c8ef5484010c4afb37dde19

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

MD5 2c94d1fc5fcd0966f460a75f775cc027
SHA1 fd22300ffbedd6de7a823bbd856c17a4ed5bfc2e
SHA256 cbd052e79c034f88cf12dec3f352b43b48ba1ef76642dd3c5a05eda627371ad2
SHA512 68cfd3d09312c3f988fe6686e902aeb1148b1430e079ebf57ad5380f2e304630396412e1109a31dad30be021e5f00c6dd6a94c604c8ef5484010c4afb37dde19

\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

MD5 12a2bd4b4e890133b660cd4585529896
SHA1 ea3922dbaa3a180a1b630d1fd8fb9cb58fea31fc
SHA256 d872fa46732c57d5b5c60b8c0ba0f275c3ad8b36be9f0583780d4c32a047c755
SHA512 9fadc09fc6feb29fe1f4270c8892459e787e540c9a1c59a125b03c9acb9a864d9617963315212f7133d0ea1edc4db249c24dd713d64a6d880466461b8fc9e94a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

MD5 12a2bd4b4e890133b660cd4585529896
SHA1 ea3922dbaa3a180a1b630d1fd8fb9cb58fea31fc
SHA256 d872fa46732c57d5b5c60b8c0ba0f275c3ad8b36be9f0583780d4c32a047c755
SHA512 9fadc09fc6feb29fe1f4270c8892459e787e540c9a1c59a125b03c9acb9a864d9617963315212f7133d0ea1edc4db249c24dd713d64a6d880466461b8fc9e94a

\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

MD5 7aec008cd290fd9e521fdf0a19947f8c
SHA1 411cf2389fea5702b8840f3ef81476b9768b4c1d
SHA256 8f84cc0b07859be47304976a8d33ce84ae72d40528aa937975a880d51c2ae7ae
SHA512 f8233df3f2f5b63232ee6e1ab021b68db3c164073a162cc284d9e73c959b53ffc4f848b5565f59b3edd85e9fcc00e17f350b26a1a313549b1514b47b8db82eb9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

MD5 7aec008cd290fd9e521fdf0a19947f8c
SHA1 411cf2389fea5702b8840f3ef81476b9768b4c1d
SHA256 8f84cc0b07859be47304976a8d33ce84ae72d40528aa937975a880d51c2ae7ae
SHA512 f8233df3f2f5b63232ee6e1ab021b68db3c164073a162cc284d9e73c959b53ffc4f848b5565f59b3edd85e9fcc00e17f350b26a1a313549b1514b47b8db82eb9

memory/1752-92-0x0000000000860000-0x000000000086A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

memory/848-103-0x0000000006FE0000-0x0000000007026000-memory.dmp

memory/848-104-0x0000000007170000-0x00000000071B4000-memory.dmp

memory/848-105-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-106-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-108-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-110-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-112-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-114-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-116-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-118-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-120-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-122-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-124-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-126-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-128-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-130-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-132-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-134-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-136-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-138-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-140-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-142-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-144-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-146-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-148-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-150-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-152-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-154-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-156-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-157-0x0000000002F40000-0x0000000002F8B000-memory.dmp

memory/848-160-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-159-0x0000000007030000-0x0000000007070000-memory.dmp

memory/848-161-0x0000000007030000-0x0000000007070000-memory.dmp

memory/848-163-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-165-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-167-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-169-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-171-0x0000000007170000-0x00000000071AF000-memory.dmp

memory/848-1014-0x0000000007030000-0x0000000007070000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

MD5 f74e99a7c08bb4d44d32eeaf18062492
SHA1 1e225b042b87db87204d987c46958ffde22b3931
SHA256 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b
SHA512 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

MD5 f74e99a7c08bb4d44d32eeaf18062492
SHA1 1e225b042b87db87204d987c46958ffde22b3931
SHA256 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b
SHA512 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429

memory/1616-1027-0x00000000045F0000-0x000000000460A000-memory.dmp

memory/1616-1028-0x0000000004650000-0x0000000004668000-memory.dmp

memory/1616-1057-0x0000000000250000-0x000000000027D000-memory.dmp

memory/1616-1058-0x0000000007280000-0x00000000072C0000-memory.dmp

memory/1616-1059-0x0000000007280000-0x00000000072C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

memory/884-1072-0x0000000002CE0000-0x0000000002D26000-memory.dmp

memory/884-1788-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

memory/884-1790-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

memory/884-1981-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

MD5 5000293e7aa249097e8b74bc53bd72c6
SHA1 59d4c25a4672f031f8829e867309121e306c9f0d
SHA256 10a04c6d03458a1b32fddcb445bdb1610cee6d1136d5a9ff44500633c708e0fa
SHA512 107d0c522a2d312654f7ca464fbbbe354680cea766587fbc7d140b10e1b56eaf750f8f5f94a04cb94368785aa450f36a4557411f6bbf3121596042f75f9529aa

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

MD5 5000293e7aa249097e8b74bc53bd72c6
SHA1 59d4c25a4672f031f8829e867309121e306c9f0d
SHA256 10a04c6d03458a1b32fddcb445bdb1610cee6d1136d5a9ff44500633c708e0fa
SHA512 107d0c522a2d312654f7ca464fbbbe354680cea766587fbc7d140b10e1b56eaf750f8f5f94a04cb94368785aa450f36a4557411f6bbf3121596042f75f9529aa

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 5000293e7aa249097e8b74bc53bd72c6
SHA1 59d4c25a4672f031f8829e867309121e306c9f0d
SHA256 10a04c6d03458a1b32fddcb445bdb1610cee6d1136d5a9ff44500633c708e0fa
SHA512 107d0c522a2d312654f7ca464fbbbe354680cea766587fbc7d140b10e1b56eaf750f8f5f94a04cb94368785aa450f36a4557411f6bbf3121596042f75f9529aa

\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 5000293e7aa249097e8b74bc53bd72c6
SHA1 59d4c25a4672f031f8829e867309121e306c9f0d
SHA256 10a04c6d03458a1b32fddcb445bdb1610cee6d1136d5a9ff44500633c708e0fa
SHA512 107d0c522a2d312654f7ca464fbbbe354680cea766587fbc7d140b10e1b56eaf750f8f5f94a04cb94368785aa450f36a4557411f6bbf3121596042f75f9529aa

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 19df35dcb6394e6fe7551b0513700e88
SHA1 c3a5c0488c0f4f48f8e64d539e7217434b2e099e
SHA256 4e2d3adc929b8c7b11b5279dc234fa57ecdbdc270a1a3bf8c2d7d99b4624eb6c
SHA512 0b24373c735abe314848ca25568adbe4fc5d0718686ec92766426b81e9ba8c017e86cf9be436404a9eca1495b4eca9b19b48123bc2143ff6b1032c223cf0db5b

\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 19df35dcb6394e6fe7551b0513700e88
SHA1 c3a5c0488c0f4f48f8e64d539e7217434b2e099e
SHA256 4e2d3adc929b8c7b11b5279dc234fa57ecdbdc270a1a3bf8c2d7d99b4624eb6c
SHA512 0b24373c735abe314848ca25568adbe4fc5d0718686ec92766426b81e9ba8c017e86cf9be436404a9eca1495b4eca9b19b48123bc2143ff6b1032c223cf0db5b

\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe

MD5 41666d628279dd911f993bd01968f61a
SHA1 9fbb99c1f257d58eeb3636727502224b9b1d3517
SHA256 0541f21d857e8c94d6e10b7907eb041b1a4a34052d77ef1b3bdaa8e26375816f
SHA512 e68d482eab6c63cda3f9599ba1f90c14cdd1fb04629c9df6b969f8e3fcfac058a8bc8e86854893ac5bb20d2ee1a63ee80faa1ae8e9d935cd0612633034bc2793

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe

MD5 41666d628279dd911f993bd01968f61a
SHA1 9fbb99c1f257d58eeb3636727502224b9b1d3517
SHA256 0541f21d857e8c94d6e10b7907eb041b1a4a34052d77ef1b3bdaa8e26375816f
SHA512 e68d482eab6c63cda3f9599ba1f90c14cdd1fb04629c9df6b969f8e3fcfac058a8bc8e86854893ac5bb20d2ee1a63ee80faa1ae8e9d935cd0612633034bc2793

memory/1296-2029-0x00000000048B0000-0x00000000048F4000-memory.dmp

memory/1296-2413-0x0000000004E90000-0x0000000004ED0000-memory.dmp

memory/1296-2415-0x0000000004E90000-0x0000000004ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

memory/1752-2997-0x000000013F0D0000-0x000000013F148000-memory.dmp

memory/1752-2998-0x000000001BA60000-0x000000001BAE0000-memory.dmp

memory/1752-2999-0x000000001AD00000-0x000000001ADA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe

MD5 ffd3071e0de056dee2c9383add4f387a
SHA1 0e2c325aff25e2b6ddc5ff72eb0dc12eb5511c65
SHA256 302696014b7c9236d548a7174446284b5cd03e755cc5b180a0cf927a3e74be06
SHA512 eb22095064366451dabb2cc4fa7da66c4a071d86b32f22d8f824aa7df04aa9d49c25e0858f7ac489e5570a5949f39d8cc80f075064694aee39fabd2112aab906

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 6082dd13ad8102d17f9db9cd07600e97
SHA1 39becc88cea914d843b3c5521038907f2f2f4e71
SHA256 40a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a
SHA512 b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e

memory/848-3624-0x0000000001320000-0x0000000001352000-memory.dmp

memory/848-3627-0x00000000008C0000-0x0000000000900000-memory.dmp

memory/1752-3862-0x0000000002400000-0x0000000002456000-memory.dmp

memory/1752-3880-0x000000001BA60000-0x000000001BAE0000-memory.dmp

memory/1752-3881-0x0000000000810000-0x000000000085C000-memory.dmp

memory/1752-3882-0x000000001B1E0000-0x000000001B234000-memory.dmp

memory/1752-3884-0x000000001BA60000-0x000000001BAE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-25 07:46

Reported

2023-02-25 07:48

Platform

win10v2004-20230220-en

Max time kernel

113s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe
PID 2596 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe
PID 4112 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe
PID 616 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe
PID 616 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe
PID 4112 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe
PID 2596 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe
PID 4400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe
PID 444 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 2424 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 2424 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 928 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 928 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 928 wrote to memory of 3208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2424 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe

"C:\Users\Admin\AppData\Local\Temp\e960131e05854d7c428dd3b894a5ed7e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 720 -ip 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 23.20.233.193.in-addr.arpa udp
NL 52.178.17.3:443 tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
DE 193.233.20.15:80 193.233.20.15 tcp
US 8.8.8.8:53 15.20.233.193.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sok01oa22.exe

MD5 d22f0ceb98c63a258aabb72cc9dd03db
SHA1 e7f31c09417dac996c641938e17c111d8dd4b88f
SHA256 dfe7213f35a8e133d4de2f3e6efe527f7d9a418803a7312ba94e6200ace2e414
SHA512 8b5086ef457713005ca24784e1056fedeb516dd4e98b078eaf38a0d4278a443e78176ac56f2b0ccc4b3b9c9fec8e78eea26ed416c7eabb513b4b2d8645d8d511

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ssa22bz08.exe

MD5 2c94d1fc5fcd0966f460a75f775cc027
SHA1 fd22300ffbedd6de7a823bbd856c17a4ed5bfc2e
SHA256 cbd052e79c034f88cf12dec3f352b43b48ba1ef76642dd3c5a05eda627371ad2
SHA512 68cfd3d09312c3f988fe6686e902aeb1148b1430e079ebf57ad5380f2e304630396412e1109a31dad30be021e5f00c6dd6a94c604c8ef5484010c4afb37dde19

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sfS34OC52.exe

MD5 12a2bd4b4e890133b660cd4585529896
SHA1 ea3922dbaa3a180a1b630d1fd8fb9cb58fea31fc
SHA256 d872fa46732c57d5b5c60b8c0ba0f275c3ad8b36be9f0583780d4c32a047c755
SHA512 9fadc09fc6feb29fe1f4270c8892459e787e540c9a1c59a125b03c9acb9a864d9617963315212f7133d0ea1edc4db249c24dd713d64a6d880466461b8fc9e94a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVu19IR.exe

MD5 7aec008cd290fd9e521fdf0a19947f8c
SHA1 411cf2389fea5702b8840f3ef81476b9768b4c1d
SHA256 8f84cc0b07859be47304976a8d33ce84ae72d40528aa937975a880d51c2ae7ae
SHA512 f8233df3f2f5b63232ee6e1ab021b68db3c164073a162cc284d9e73c959b53ffc4f848b5565f59b3edd85e9fcc00e17f350b26a1a313549b1514b47b8db82eb9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSU72SW.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mnN79Cs.exe

MD5 f74e99a7c08bb4d44d32eeaf18062492
SHA1 1e225b042b87db87204d987c46958ffde22b3931
SHA256 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b
SHA512 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nON58gt45.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rkV24ct05.exe

MD5 5000293e7aa249097e8b74bc53bd72c6
SHA1 59d4c25a4672f031f8829e867309121e306c9f0d
SHA256 10a04c6d03458a1b32fddcb445bdb1610cee6d1136d5a9ff44500633c708e0fa
SHA512 107d0c522a2d312654f7ca464fbbbe354680cea766587fbc7d140b10e1b56eaf750f8f5f94a04cb94368785aa450f36a4557411f6bbf3121596042f75f9529aa

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 5000293e7aa249097e8b74bc53bd72c6
SHA1 59d4c25a4672f031f8829e867309121e306c9f0d
SHA256 10a04c6d03458a1b32fddcb445bdb1610cee6d1136d5a9ff44500633c708e0fa
SHA512 107d0c522a2d312654f7ca464fbbbe354680cea766587fbc7d140b10e1b56eaf750f8f5f94a04cb94368785aa450f36a4557411f6bbf3121596042f75f9529aa

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff
