Analysis Overview
SHA256
feeca3d000aeaa547592798acf95885a114950754d17964b39a7d4c02db1039d
Threat Level: Known bad
The file 413f2d21e656ca5d875fff0d6447288b.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Amadey
Aurora
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Windows security modification
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Program crash
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 07:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 07:46
Reported
2023-02-25 07:48
Platform
win7-20230220-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
RedLine
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
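The two Defender tables above (the Real-Time Protection policy writes set to 1 and the Features\TamperProtection write set to 0) are a compact, low-false-positive detection target. Note the asymmetry in the Process column: the 32-bit mkl25Nd.exe lands its TamperProtection write in Wow6432Node through WOW64 registry redirection, but its policy writes go to the shared SOFTWARE\Policies key, which is not redirected, so a rule has to accept the path with or without that component. The detonation platform is Windows 7, where Tamper Protection does not exist and the value has no effect; a direct write of it by a binary running from %TEMP% still has no benign explanation. The following is an added example, not part of the sandbox report: a Python check over Sysmon Event ID 13 (RegistryEvent, value set) style records. The RegistryEvent and Alert types and the sample events are constructed here; the process paths and value names come from the tables.

```python
"""Detect the Defender-tampering registry writes seen in the report.

Added example, not part of the sandbox report. Input records are assumed to be
Sysmon Event ID 13 style (Image, TargetObject, Details); samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Value names under the Real-Time Protection policy key that the dropper set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableonaccessprotection",
    "disableioavprotection",
    "disablescanonrealtimeenable",
}

# The native hive form (\REGISTRY\MACHINE\...) used in the report and the HKLM\...
# form Sysmon logs share the same tail, so match on the tail only.
RTP_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:Wow6432Node\\)?Policies\\Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\([^\\]+)$", re.IGNORECASE)
TAMPER_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows Defender"
    r"\\Features\\TamperProtection$", re.IGNORECASE)


@dataclass
class RegistryEvent:
    process: str        # image that performed the write
    target_object: str  # full path of the value written
    details: str        # Sysmon renders DWORD data as e.g. "DWORD (0x00000001)"


@dataclass
class Alert:
    rule: str
    process: str
    target_object: str


def _dword(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon 'DWORD (0x...)' Details string."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def check_event(ev: RegistryEvent) -> Optional[Alert]:
    """Return an Alert if the write disables a protection, else None."""
    value = _dword(ev.details)
    m = RTP_KEY_RE.search(ev.target_object)
    if m and m.group(1).lower() in RTP_DISABLE_VALUES and value == 1:
        return Alert("defender_rtp_policy_disabled", ev.process, ev.target_object)
    if TAMPER_KEY_RE.search(ev.target_object) and value == 0:
        return Alert("defender_tamper_protection_off", ev.process, ev.target_object)
    return None


def scan(events: Iterable[RegistryEvent]) -> List[Alert]:
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events mirroring the indicators in the report.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe",
                  r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                  "DWORD (0x00000001)"),
    RegistryEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe",
                  r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection",
                  "DWORD (0x00000000)"),
    # Control: the same policy value being cleared (monitoring re-enabled) must not fire.
    RegistryEvent(r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                  "DWORD (0x00000000)"),
    # Control: a value name under the same key that is not in the disable set must not fire.
    RegistryEvent(r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring",
                  "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.process, alert.target_object, sep="\t")
```

The rule keys on the value written, not on the process, so it also catches the same writes made through reg.exe or PowerShell; the process path is carried in the alert for triage (here every hit comes from a binary under AppData\Local\Temp\IXPnnn.TMP).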
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Checks installed software on the system
Detects Pyinstaller
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe
"C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9BC788EC-4901-442C-AAF6-6B23FD38D219} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nYn47Gy19.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
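Two things in the process list deserve a practitioner's reading. First, the RunOnce wextract_cleanupN values in the Run-key table above are written by Windows' own wextract self-extractor stub (the IExpress packager) so that advpack.dll DelNodeRunDLL32 deletes the IXPnnn.TMP directory at next logon; each level IXP000 to IXP004 is one more self-extracting wrapper around the payloads, not a persistence mechanism. The persistence is the HKCU Run value for prima.exe and the two scheduled tasks: the loader copies itself to a random directory under %TEMP% (4f9dd6f8a7\mnolyk.exe, 9e0894bcc4\nbveek.exe), registers a task that relaunches that copy every minute, then runs echo Y|CACLS file /P Admin:N (echo Y answers the confirmation prompt; /P without /E replaces the whole ACL) followed by /P Admin:R /E, leaving the launching user read-only on both the binary and its directory so it cannot be deleted from the desktop session. The rundll32 line loads clip64.dll from AppData\Roaming by its Main export, and the wmic calls fingerprint OS, GPU and CPU. The following is an added example, not part of the report: Python command-line rules for those four behaviours over process-creation records (Sysmon Event ID 1 style). The ProcessEvent type and the samples are constructed; the command lines are taken from the list above, plus one benign control.

```python
"""Command-line rules for the persistence chain seen in the process list.

Added example, not part of the sandbox report. Input is an assumed
process-creation record (image path + command line); samples are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths a standard user can write to; legitimate scheduled binaries rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str         # full path of the created process
    command_line: str  # its command line as logged


def _flag(cmd: str, name: str) -> Optional[str]:
    """Value following /<name> in a schtasks-style command line, quoted or bare."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % re.escape(name), cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_process(ev: ProcessEvent) -> List[str]:
    """Rule names that fire for one process-creation event (empty list = clean)."""
    exe = ntpath.basename(ev.image).lower()
    cmd = ev.command_line
    hits: List[str] = []
    if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        sched, mo, tr = _flag(cmd, "SC"), _flag(cmd, "MO"), _flag(cmd, "TR")
        interval = int(mo) if mo and mo.isdigit() else 1  # schtasks defaults /MO to 1
        # Loader re-launches its own %TEMP% copy every few minutes at most.
        if sched and sched.upper() == "MINUTE" and interval <= 5 \
                and tr and USER_WRITABLE_RE.search(tr):
            hits.append("minute_task_to_user_temp")
    elif exe == "cacls.exe":
        # /P <user>:N strips the named user's rights on the target (the dropped file
        # or its directory); the later /P <user>:R /E hands back read-only.
        if re.search(r'/P\s+"?[^"\s:]+:N\b', cmd, re.IGNORECASE):
            hits.append("cacls_deny_own_user")
    elif exe == "rundll32.exe":
        # rundll32 <dll>, <export> with the DLL under a user-writable profile path.
        m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)',
                      cmd, re.IGNORECASE)
        if m and USER_WRITABLE_RE.search(m.group(1)):
            hits.append("rundll32_profile_dll:" + m.group(2))
    elif exe == "wmic.exe":
        # OS/GPU/CPU fingerprinting; low signal alone, correlate with the parent.
        if re.search(r"\b(?:os|cpu|win32_videocontroller)\b.*\bget\b", cmd, re.IGNORECASE):
            hits.append("wmic_host_fingerprint")
    return hits


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """(rule, image basename) for every rule that fires, in event order."""
    return [(rule, ntpath.basename(ev.image)) for ev in events for rule in check_process(ev)]


# Constructed samples: command lines from the report, plus one benign control.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe '
                 r'/TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F'),
    ProcessEvent(r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:N"'),
    ProcessEvent(r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:R" /E'),
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" '
                 r'C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    ProcessEvent(r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"wmic path win32_VideoController get name"),
    # Benign control (constructed): a daily task under Program Files must stay silent.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN NightlyBackup '
                 r'/TR "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(rule, image, sep="\t")
```

The schtasks rule is the one worth alerting on by itself; the CACLS and wmic rules are enrichment and should be scored against the parent chain (here cmd.exe and wmic.exe spawned by binaries under AppData\Local\Temp), since both commands are also used by administrators.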
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| DE | 193.233.20.19:80 | 193.233.20.19 | tcp |
| RU | 62.204.41.245:80 | 62.204.41.245 | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| RU | 62.204.41.88:80 | 62.204.41.88 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| NL | 45.15.159.15:80 | 45.15.159.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | cracked23.site | udp |
| NL | 185.241.208.138:80 | cracked23.site | tcp |
| DE | 193.233.20.23:4124 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe
| MD5 | be3686b0767c13a4fee96ed82e683d77 |
| SHA1 | c23211cd77f6856bfc0b28b0d7be9329e9e112d7 |
| SHA256 | c0ce38a3f35e619dd0e57e5abb1e8c4b2200ce732c86a55c31df673b072d4dcd |
| SHA512 | 54f8dcba755dca3f24b3a7ac54673320f8fbf77a44135a1a7f1e9288120d67fbc5524873a625ab15a4c2b1e610e36b2b5bc05614db84f586618e0ca137773cfa |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe
| MD5 | 9342ae833d7ccdacf077501e08964240 |
| SHA1 | d7925e70ffbb66cb7040c0737ae1c7bf27e5ccf6 |
| SHA256 | e88f13434f3ea0590ec7dc9ef419b216578c07bd28ba2a81ce9bfaec12898f60 |
| SHA512 | 223a1ba53a75d9de86a3f15ef5369ea81cdf76bf9749601e4aa785eaeed8ce3f89f928676aba177b266d7d752dbd873ded0ad3d397fb23d3bcb3a9ada8b111da |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe
| MD5 | 2349d99436c45db5501873b4e1910f23 |
| SHA1 | 992a3977338f06de6c4b0c977570440ea5ae0e82 |
| SHA256 | d313b34f625513f8c48dc58fb425feda4debc387c6f7bf40575297a2ace3d106 |
| SHA512 | 53a66bbae1bcdeaa09cdb2f0f344bf78672be4ade855661bb737c7e859309f3582842f6eb82e51202a6a659e7e58ec98fa28f887370380f8069a7a1ed98d48a5 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe
| MD5 | ef36915953487fc84279c436635d4a3a |
| SHA1 | f3ee5b10c606a9f3e63f88c965992d754d68902b |
| SHA256 | d8e291ba4a960ff4548551080729d200655eab4fba46bb8cf2300876cd764f4a |
| SHA512 | 700b0de9cda6a6381b79533af1e7ff74e510cc43c613e40f8889804f7e25ac50be365190861b68d4cc2323ce025b486b8582c8eabb05010bcc7734e4ae5ab7eb |
memory/1416-92-0x00000000008D0000-0x00000000008DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe
| MD5 | 33f7a8a830b6f71569fe84d90c995211 |
| SHA1 | ff85b25988e83baa5c1b274c55d37fec1d372551 |
| SHA256 | 99f78854c29d1125cf28e474d1da61aa2e8a3f68c28dcefec345ee39be0f1ea3 |
| SHA512 | 90f0c014d9139b13b6aad785c3e58933c353af2f961f41b872a6cecda926db5e61d4f78a4db8c392a637ecf5831e97c7ece93f41ab3730327dd2154581993f23 |
memory/844-103-0x00000000002F0000-0x000000000033B000-memory.dmp
memory/844-104-0x00000000046B0000-0x00000000046F6000-memory.dmp
memory/844-105-0x0000000004930000-0x0000000004974000-memory.dmp
memory/844-106-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-107-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-109-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-111-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-113-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-115-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-117-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-119-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-122-0x00000000072A0000-0x00000000072E0000-memory.dmp
memory/844-121-0x00000000072A0000-0x00000000072E0000-memory.dmp
memory/844-123-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-125-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-127-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-129-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-131-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-133-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-135-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-137-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-139-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-141-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-143-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-145-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-147-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-149-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-151-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-153-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-155-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-157-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-159-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-161-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-163-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-165-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-167-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-169-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-171-0x0000000004930000-0x000000000496F000-memory.dmp
memory/844-1014-0x00000000072A0000-0x00000000072E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe
| MD5 | 651c8de2c842222f48c74fb0715f3c6f |
| SHA1 | e44a7175b5764c0725bdf56d323b1def32de7b4e |
| SHA256 | c94c4c986988c2d336aac0ddce64bde2eb6d4c00fcfd5dfa63f639e8977fa0f9 |
| SHA512 | 5098233d1f25b37efcd5f433c9d157f9e49b3139bc9125100244ef68eb0e7ddcfe2b5b38b09d07b940d516142a86c54fb99701b6f60b0816c9a98703c53d1820 |
memory/1220-1027-0x00000000003C0000-0x00000000003ED000-memory.dmp
memory/1220-1028-0x0000000002F70000-0x0000000002F8A000-memory.dmp
memory/1220-1029-0x0000000003100000-0x0000000003118000-memory.dmp
memory/1220-1058-0x00000000070F0000-0x0000000007130000-memory.dmp
memory/1220-1059-0x00000000070F0000-0x0000000007130000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe
| MD5 | 33f7a8a830b6f71569fe84d90c995211 |
| SHA1 | ff85b25988e83baa5c1b274c55d37fec1d372551 |
| SHA256 | 99f78854c29d1125cf28e474d1da61aa2e8a3f68c28dcefec345ee39be0f1ea3 |
| SHA512 | 90f0c014d9139b13b6aad785c3e58933c353af2f961f41b872a6cecda926db5e61d4f78a4db8c392a637ecf5831e97c7ece93f41ab3730327dd2154581993f23 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe
| MD5 | fe5442d749cd85c84e95aa4215485a11 |
| SHA1 | e9f3dcce2c92321739648ff32fc2bdb362afa30a |
| SHA256 | 570109eba035848ef06561c95290c06b11ca5615782fcde1630b378b60656bc3 |
| SHA512 | 565517543a9308baba63634fb4775b3e5d55be2702a8af9b7f4136bd176d9c02423fc4591744552b43bf848390d9c4d082415570a8779fda20ccd7ceb1348356 |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | fe5442d749cd85c84e95aa4215485a11 |
| SHA1 | e9f3dcce2c92321739648ff32fc2bdb362afa30a |
| SHA256 | 570109eba035848ef06561c95290c06b11ca5615782fcde1630b378b60656bc3 |
| SHA512 | 565517543a9308baba63634fb4775b3e5d55be2702a8af9b7f4136bd176d9c02423fc4591744552b43bf848390d9c4d082415570a8779fda20ccd7ceb1348356 |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | 19df35dcb6394e6fe7551b0513700e88 |
| SHA1 | c3a5c0488c0f4f48f8e64d539e7217434b2e099e |
| SHA256 | 4e2d3adc929b8c7b11b5279dc234fa57ecdbdc270a1a3bf8c2d7d99b4624eb6c |
| SHA512 | 0b24373c735abe314848ca25568adbe4fc5d0718686ec92766426b81e9ba8c017e86cf9be436404a9eca1495b4eca9b19b48123bc2143ff6b1032c223cf0db5b |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eAP03dq58.exe
| MD5 | 41666d628279dd911f993bd01968f61a |
| SHA1 | 9fbb99c1f257d58eeb3636727502224b9b1d3517 |
| SHA256 | 0541f21d857e8c94d6e10b7907eb041b1a4a34052d77ef1b3bdaa8e26375816f |
| SHA512 | e68d482eab6c63cda3f9599ba1f90c14cdd1fb04629c9df6b969f8e3fcfac058a8bc8e86854893ac5bb20d2ee1a63ee80faa1ae8e9d935cd0612633034bc2793 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
| MD5 | ffd3071e0de056dee2c9383add4f387a |
| SHA1 | 0e2c325aff25e2b6ddc5ff72eb0dc12eb5511c65 |
| SHA256 | 302696014b7c9236d548a7174446284b5cd03e755cc5b180a0cf927a3e74be06 |
| SHA512 | eb22095064366451dabb2cc4fa7da66c4a071d86b32f22d8f824aa7df04aa9d49c25e0858f7ac489e5570a5949f39d8cc80f075064694aee39fabd2112aab906 |
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
| MD5 | 7634ebd082abbba35a8e6a300ec83c51 |
| SHA1 | 953666e70fbed932e4bed446f1d1e432781972b7 |
| SHA256 | 792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f |
| SHA512 | 6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-25 07:46
Reported
2023-02-25 07:48
Platform
win10v2004-20230220-en
Max time kernel
111s
Max time network
125s
Command Line
Signatures
Amadey
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe
"C:\Users\Admin\AppData\Local\Temp\413f2d21e656ca5d875fff0d6447288b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 312 -ip 312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1176
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 332 -ip 332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1260 -ip 1260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1916
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 23.20.233.193.in-addr.arpa | udp |
| US | 20.189.173.5:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| NL | 8.238.177.126:80 | | tcp |
| US | 8.8.8.8:53 | 15.20.233.193.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smz89Ic16.exe
| MD5 | be3686b0767c13a4fee96ed82e683d77 |
| SHA1 | c23211cd77f6856bfc0b28b0d7be9329e9e112d7 |
| SHA256 | c0ce38a3f35e619dd0e57e5abb1e8c4b2200ce732c86a55c31df673b072d4dcd |
| SHA512 | 54f8dcba755dca3f24b3a7ac54673320f8fbf77a44135a1a7f1e9288120d67fbc5524873a625ab15a4c2b1e610e36b2b5bc05614db84f586618e0ca137773cfa |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVZ00FB07.exe
| MD5 | 9342ae833d7ccdacf077501e08964240 |
| SHA1 | d7925e70ffbb66cb7040c0737ae1c7bf27e5ccf6 |
| SHA256 | e88f13434f3ea0590ec7dc9ef419b216578c07bd28ba2a81ce9bfaec12898f60 |
| SHA512 | 223a1ba53a75d9de86a3f15ef5369ea81cdf76bf9749601e4aa785eaeed8ce3f89f928676aba177b266d7d752dbd873ded0ad3d397fb23d3bcb3a9ada8b111da |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sra99tZ89.exe
| MD5 | 2349d99436c45db5501873b4e1910f23 |
| SHA1 | 992a3977338f06de6c4b0c977570440ea5ae0e82 |
| SHA256 | d313b34f625513f8c48dc58fb425feda4debc387c6f7bf40575297a2ace3d106 |
| SHA512 | 53a66bbae1bcdeaa09cdb2f0f344bf78672be4ade855661bb737c7e859309f3582842f6eb82e51202a6a659e7e58ec98fa28f887370380f8069a7a1ed98d48a5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iny21Cm.exe
| MD5 | ef36915953487fc84279c436635d4a3a |
| SHA1 | f3ee5b10c606a9f3e63f88c965992d754d68902b |
| SHA256 | d8e291ba4a960ff4548551080729d200655eab4fba46bb8cf2300876cd764f4a |
| SHA512 | 700b0de9cda6a6381b79533af1e7ff74e510cc43c613e40f8889804f7e25ac50be365190861b68d4cc2323ce025b486b8582c8eabb05010bcc7734e4ae5ab7eb |
memory/4724-161-0x0000000000FB0000-0x0000000000FBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kib36qY.exe
| MD5 | 33f7a8a830b6f71569fe84d90c995211 |
| SHA1 | ff85b25988e83baa5c1b274c55d37fec1d372551 |
| SHA256 | 99f78854c29d1125cf28e474d1da61aa2e8a3f68c28dcefec345ee39be0f1ea3 |
| SHA512 | 90f0c014d9139b13b6aad785c3e58933c353af2f961f41b872a6cecda926db5e61d4f78a4db8c392a637ecf5831e97c7ece93f41ab3730327dd2154581993f23 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mkl25Nd.exe
| MD5 | 651c8de2c842222f48c74fb0715f3c6f |
| SHA1 | e44a7175b5764c0725bdf56d323b1def32de7b4e |
| SHA256 | c94c4c986988c2d336aac0ddce64bde2eb6d4c00fcfd5dfa63f639e8977fa0f9 |
| SHA512 | 5098233d1f25b37efcd5f433c9d157f9e49b3139bc9125100244ef68eb0e7ddcfe2b5b38b09d07b940d516142a86c54fb99701b6f60b0816c9a98703c53d1820 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGk75Mx90.exe
| MD5 | 33f7a8a830b6f71569fe84d90c995211 |
| SHA1 | ff85b25988e83baa5c1b274c55d37fec1d372551 |
| SHA256 | 99f78854c29d1125cf28e474d1da61aa2e8a3f68c28dcefec345ee39be0f1ea3 |
| SHA512 | 90f0c014d9139b13b6aad785c3e58933c353af2f961f41b872a6cecda926db5e61d4f78a4db8c392a637ecf5831e97c7ece93f41ab3730327dd2154581993f23 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rcW31Tq61.exe
| MD5 | fe5442d749cd85c84e95aa4215485a11 |
| SHA1 | e9f3dcce2c92321739648ff32fc2bdb362afa30a |
| SHA256 | 570109eba035848ef06561c95290c06b11ca5615782fcde1630b378b60656bc3 |
| SHA512 | 565517543a9308baba63634fb4775b3e5d55be2702a8af9b7f4136bd176d9c02423fc4591744552b43bf848390d9c4d082415570a8779fda20ccd7ceb1348356 |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | fe5442d749cd85c84e95aa4215485a11 |
| SHA1 | e9f3dcce2c92321739648ff32fc2bdb362afa30a |
| SHA256 | 570109eba035848ef06561c95290c06b11ca5615782fcde1630b378b60656bc3 |
| SHA512 | 565517543a9308baba63634fb4775b3e5d55be2702a8af9b7f4136bd176d9c02423fc4591744552b43bf848390d9c4d082415570a8779fda20ccd7ceb1348356 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |