Malware Analysis Report

2024-11-30 23:15

Sample ID 230225-jwjwaacd3y
Target eecb0540013d4bfe183405ead20dd10d.exe
SHA256 bac9f6dcd75de21c18ef60527607e6da611e2591241ae3fa8485f5fc80619411
Tags
amadey aurora redline rodik discovery evasion infostealer persistence pyinstaller spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bac9f6dcd75de21c18ef60527607e6da611e2591241ae3fa8485f5fc80619411

Threat Level: Known bad

The file eecb0540013d4bfe183405ead20dd10d.exe was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rodik discovery evasion infostealer persistence pyinstaller spyware stealer trojan

RedLine payload

RedLine

Amadey

Aurora

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Detects Pyinstaller

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-25 08:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 08:01

Reported

2023-02-25 08:03

Platform

win7-20230220-en

Max time kernel

138s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A

RedLine

infostealer redline

RedLine payload

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A

Checks installed software on the system

discovery

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 2036 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 1196 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 1648 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
PID 1648 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
PID 1196 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
PID 2036 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
PID 1236 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 1272 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 1664 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe

"C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9e0894bcc4" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe

"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe

"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {D31239F2-C1DD-4B8A-9680-BC3FB11D136A} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1180 -s 320

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 288 -s 1248
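
Read together, the command lines above are Amadey's loader routine: the dropper's copy nbveek.exe runs from a random directory under Temp, cmd.exe pipes "Y" into cacls to first deny and then grant read-only access on that binary and its directory for the logged-in user, schtasks registers a task that relaunches it every minute, the downloaded payloads fingerprint the host through wmic (OS caption, GPU, CPU), and rundll32 loads the cred64.dll / clip64.dll plugins from hex-named folders under AppData\Roaming. The Python below is an added detection example, not part of this sandbox output: it replays constructed Sysmon-style process-creation and registry-set records, modelled on these command lines and on the Windows Defender Real-Time Protection policy writes listed under behavioral2, through four rules. The record field names, the sample records, the rule names and the folder-name pattern in the rundll32 rule are this example's assumptions.

```python
"""Rule-based detection for the Amadey tradecraft shown in this report.

Added example, not sandbox output. It replays constructed Sysmon-style
process-creation and registry-set records through four rules and returns
which rule fired on which record. Field names, the records and the rule
names are this example's own assumptions, not a product's schema.
"""
import re
from typing import Iterable

# Constructed sample telemetry, modelled on the command lines above and the
# Defender policy writes listed under behavioral2. Not captured data.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"'
                r'&&CACLS "nbveek.exe" /P "Admin:R" /E&&Exit'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": r"wmic path win32_VideoController get name"},
    {"type": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "value": "1"},
    # Benign control: an administrator creating a daily task for a Program Files binary.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def amadey_acl_lock(ev: dict) -> bool:
    """cacls denying the current user (":N") on a file: a process locking its own
    copy so the user cannot delete it, which legitimate installers do not do."""
    return ev["type"] == "process" and bool(
        re.search(r'cacls\s+"[^"]+"\s+/P\s+"[^"]+:N"', ev.get("cmdline", ""), re.I))


def minute_task_from_user_dir(ev: dict) -> bool:
    """schtasks task firing every minute whose action lives under AppData."""
    c = ev.get("cmdline", "")
    return (ev["type"] == "process"
            and bool(re.search(r"/SC\s+MINUTE\s+/MO\s+1\b", c, re.I))
            and bool(USER_WRITABLE.search(c)))


def rundll32_plugin_from_roaming(ev: dict) -> bool:
    """rundll32 invoking Main from a hex-named Roaming folder, as with the cred64/clip64
    plugins above. The folder-name pattern is generalized from the two dirs seen here."""
    return (ev["type"] == "process" and "rundll32" in ev["image"].lower() and bool(
        re.search(r"\\AppData\\Roaming\\[0-9a-f]{8,}\\(cred|clip)64\.dll,\s*Main",
                  ev.get("cmdline", ""), re.I)))


def defender_rtp_policy_tamper(ev: dict) -> bool:
    """Disable* value set to 1 under the Windows Defender Real-Time Protection policy key
    (matches both the native and the WOW6432Node path)."""
    return (ev["type"] == "registry" and ev.get("value") == "1" and bool(
        re.search(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$",
                  ev.get("target", ""), re.I)))


RULES = {f.__name__: f for f in (amadey_acl_lock, minute_task_from_user_dir,
                                 rundll32_plugin_from_roaming, defender_rtp_policy_tamper)}


def evaluate(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['image']}")
```

The cacls deny-then-read-only sequence and a per-minute task pointing into AppData are the high-confidence signals; the wmic queries are left unflagged here because they are common in legitimate inventory tooling and only become interesting with a parent process from Temp, which these records do not carry.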

Network

Country  Destination            Domain                    Proto
DE       193.233.20.23:4124     -                         tcp
DE       193.233.20.23:4124     -                         tcp
DE       193.233.20.15:80       193.233.20.15             tcp
DE       193.233.20.19:80       193.233.20.19             tcp
RU       62.204.41.245:80       62.204.41.245             tcp
RU       62.204.41.88:80        62.204.41.88              tcp
NL       185.246.221.126:80     185.246.221.126           tcp
NL       45.15.159.15:80        45.15.159.15              tcp
NL       212.87.204.93:8081     -                         tcp
US       8.8.8.8:53             cracked23.site            udp
NL       185.241.208.138:80     cracked23.site            tcp
US       8.8.8.8:53             xiaoxiaojue.duckdns.org   udp
NL       212.87.204.245:55215   xiaoxiaojue.duckdns.org   tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe

MD5 23fc5671a7d9ee4b4ec2345dcb66abbc
SHA1 57080a876eca050b0cdc3eca911cd36be50b7982
SHA256 757ffa884ddba63b72e70957b1b214bfed596222045768d54831fe2498c30366
SHA512 3eb373fd0510046a112bf09c43532fe06731eb58c2be3cdf3cb32d7c51fea33122f09ea9d1fb72eaaa482595ebe34a64627a41aadb300121f6c4d668b58a3ff0

\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe

MD5 7a14595bc45736b4e701b91803a59a1f
SHA1 bd1c0d1ece4576fab742f5df4ecc40ede4d458cb
SHA256 29475d7c18eb38ff64efb1f258f822fad7dc0fddb32c81b725ec48f295d1d944
SHA512 f2d045adf9918c04e3cf7aeb294b7f20e691306b1b3d525d66b3f4ce4a3b7e1b61aa9b29af2967b1b5b8d69dedecec2a6079eca98256f2c3702af0ee1cdef26c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe

MD5 61868a90f9fcded16083eaf9a3e7b000
SHA1 20f666f5fda2b304366aded2a73edb3486c1951e
SHA256 46261c58e90fa545cf23f37c4d95f42669316bb8eab93bca92eb9dd737547f8e
SHA512 a287a3bde0323323208dbc74bf5796cc1a8477728afbbc30739ea2779aaddd54790a370a9239d619978696282a4136a9f217d3092b53ba17ba9986c656d94e71

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe

MD5 21a74780fad5de45dbc0f4df2d0a2030
SHA1 69d551428ab4ca135c96609e759da744674bda32
SHA256 ce68e6e4e1033ade7cd156fc8c4060c0bc53be2a770a69d184857914e6ab78d7
SHA512 d296c916709f425be07972acb44fec529d54e9be8790c1be156326656665488f98235d6bece1227e9748aef1c6c5acdf4243b0e439d13b07c8d6b8e2b48c3906

memory/1772-92-0x0000000000F10000-0x0000000000F1A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

MD5 f7cfcb9cda4db6395dd94268a2ffcb52
SHA1 c6f71249e450c25c7d588b88bf2abde2f0fe23d3
SHA256 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500
SHA512 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6

memory/1360-103-0x0000000002300000-0x0000000002346000-memory.dmp

memory/1360-104-0x0000000002340000-0x0000000002384000-memory.dmp

memory/1360-105-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-106-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-108-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-110-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-112-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-114-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-116-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-118-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-120-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-122-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-124-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-126-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-128-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-130-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-134-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-132-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-136-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-138-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-140-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-142-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-144-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-146-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-148-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-150-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-152-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-154-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-156-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-158-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-160-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-162-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-164-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-166-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-168-0x0000000000270000-0x00000000002BB000-memory.dmp

memory/1360-170-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1360-172-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1360-169-0x0000000002340000-0x000000000237F000-memory.dmp

memory/1360-1014-0x0000000004B80000-0x0000000004BC0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe

MD5 7e818871ddd9b0f2b1e15ece6317c306
SHA1 2028d32eaa1816242cb05f9b0299f26632848030
SHA256 cb49a3c3b95cfcd83d9fb29d6c140aff21f109dfbb418a10f3f2ff164970b82b
SHA512 17e4b415bfce6c125a4277b07f35b22338b69753ba1a8579794e2868f6e8af2d28e9e27c685f0090e1054be979f3756d70f64cd79f966760ec04ee3c2c71c110

memory/1948-1027-0x00000000007A0000-0x00000000007BA000-memory.dmp

memory/1948-1028-0x00000000007F0000-0x0000000000808000-memory.dmp

memory/1948-1057-0x00000000002E0000-0x000000000030D000-memory.dmp

memory/1948-1058-0x00000000024B0000-0x00000000024F0000-memory.dmp

memory/1948-1059-0x00000000024B0000-0x00000000024F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

MD5 f7cfcb9cda4db6395dd94268a2ffcb52
SHA1 c6f71249e450c25c7d588b88bf2abde2f0fe23d3
SHA256 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500
SHA512 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6

memory/1716-1589-0x00000000027F0000-0x0000000002830000-memory.dmp

memory/1716-1591-0x00000000027F0000-0x0000000002830000-memory.dmp

memory/1716-1980-0x00000000027F0000-0x0000000002830000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a
SHA512 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a
SHA512 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4

C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe

MD5 bdc32a00188b5ca16f18424915afb4f3
SHA1 53a0abbc4d0d5376ff7a948ac226326966c35f84
SHA256 6deb4088a1d31addc6bd52e5baa79a52a0da62feabe847459ff1c8fcf8a198b4
SHA512 93c63fabddd886c1ecf3da6425e5c6250bbaf9ca98a2f6706c1ae71a9d7b155e08bf2348166694f5160b42b46882f90656bdc004c459bdd2141e173e8de465ba

\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe

MD5 41666d628279dd911f993bd01968f61a
SHA1 9fbb99c1f257d58eeb3636727502224b9b1d3517
SHA256 0541f21d857e8c94d6e10b7907eb041b1a4a34052d77ef1b3bdaa8e26375816f
SHA512 e68d482eab6c63cda3f9599ba1f90c14cdd1fb04629c9df6b969f8e3fcfac058a8bc8e86854893ac5bb20d2ee1a63ee80faa1ae8e9d935cd0612633034bc2793

memory/640-2032-0x0000000007160000-0x00000000071A0000-memory.dmp

memory/640-2034-0x0000000007160000-0x00000000071A0000-memory.dmp

memory/640-2036-0x0000000007160000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe

MD5 af4268c094f2a9c6e6a85f8626b9a5c7
SHA1 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe

MD5 b7c05216d55cd437ddd7edd811cdee80
SHA1 ba0490a14b8243f684d9b9975b7e6c5087f976e1
SHA256 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
SHA512 d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10

memory/288-2587-0x000000013FA00000-0x000000013FA78000-memory.dmp

memory/288-2588-0x0000000000870000-0x0000000000910000-memory.dmp

memory/288-2621-0x000000001BBA0000-0x000000001BC20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe

MD5 ffd3071e0de056dee2c9383add4f387a
SHA1 0e2c325aff25e2b6ddc5ff72eb0dc12eb5511c65
SHA256 302696014b7c9236d548a7174446284b5cd03e755cc5b180a0cf927a3e74be06
SHA512 eb22095064366451dabb2cc4fa7da66c4a071d86b32f22d8f824aa7df04aa9d49c25e0858f7ac489e5570a5949f39d8cc80f075064694aee39fabd2112aab906

memory/640-2805-0x0000000007160000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 dfeffc3924409d9c9d3c8cae05be922b
SHA1 a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4
SHA256 06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6
SHA512 d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33

memory/288-3132-0x000000001BBA0000-0x000000001BC20000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/288-3486-0x0000000000A20000-0x0000000000A76000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 d1eb5caae43e95e1f369ca373a5e192d
SHA1 bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256 cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512 e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1 dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA256 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512 e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

memory/288-3507-0x0000000000620000-0x000000000066C000-memory.dmp

memory/288-3508-0x0000000002510000-0x0000000002564000-memory.dmp

memory/288-3510-0x000000001BBA0000-0x000000001BC20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-25 08:01

Reported

2023-02-25 08:03

Platform

win10v2004-20230220-en

Max time kernel

111s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (33 identical rows in the report: the signature fired, but no indicator, process or target was recorded for any of the hits)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
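The two tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") are the same technique seen from two processes: mlY22Hm.exe writes through the WOW6432Node view, ikj12ly.exe through the native one, and a rule that matches on the literal path catches only one of them. The script below is an added example, not part of the sandbox report: it parses rows in the report's own column layout (copied from the tables above into a constructed sample, with one RunOnce row that must not match), normalises the kernel-style \REGISTRY\MACHINE\... path to HKLM\... with the WOW6432Node hop removed, and tags the writes that turn off real-time protection or TamperProtection. Note that the sandbox logs the write, not its effect; whether Defender honoured it on the victim depends on the Tamper Protection state, so a detection should key on the attempt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: rows copied from the behavioral2 "Modifies Windows Defender
# Real-time Protection settings" and "Windows security modification" tables, plus
# one RunOnce row (value quoting simplified) that a correct rule must leave alone.
# Column layout is the report's own:  <op> <registry path>[ = "<value>"] <process> <target>
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A
'''


@dataclass
class RegEvent:
    op: str                 # "set" or "key"
    path: str               # normalised: HKLM\... with any WOW6432Node hop removed
    value: Optional[str]    # None for "Key created"
    process: str            # writing process, as logged


SET_RE = re.compile(r'^Set value \((\w+)\) (.+) = "(.*)"$')
MACHINE_PREFIX = "\\registry\\machine\\"

# Real-Time Protection policy values the sample sets to 1, and the TamperProtection value it sets to 0
RTP_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
RTP_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
TP_PATH = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"


def normalize_path(path: str) -> str:
    """Map the kernel-style path the sandbox logs (\\REGISTRY\\MACHINE\\...) onto the
    HKLM\\... form used in detection rules, and drop the WOW6432Node component so a
    32-bit writer (mlY22Hm.exe) and a 64-bit writer (ikj12ly.exe) hit the same rule."""
    if path.lower().startswith(MACHINE_PREFIX):
        path = "HKLM\\" + path[len(MACHINE_PREFIX):]
    return "\\".join(p for p in path.split("\\") if p.lower() != "wow6432node")


def parse_event(line: str) -> RegEvent:
    head, process, _target = line.rsplit(" ", 2)   # last two columns carry no spaces here
    if head.startswith("Key created "):
        return RegEvent("key", normalize_path(head[len("Key created "):]), None, process)
    m = SET_RE.match(head)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    return RegEvent("set", normalize_path(m.group(2)), m.group(3), process)


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding tag for a Defender-weakening write, else None."""
    if ev.op != "set":
        return None
    key, _, name = ev.path.rpartition("\\")
    if key.lower() == RTP_KEY and name in RTP_VALUES and ev.value == "1":
        return f"defender.realtime_disabled:{name}"
    if ev.path.lower() == TP_PATH and ev.value == "0":
        return "defender.tamper_protection_off"
    return None


def audit(rows: str) -> Dict[str, List[str]]:
    """Writing process -> sorted, de-duplicated finding tags (processes with no finding are omitted)."""
    findings: Dict[str, set] = {}
    for line in rows.strip().splitlines():
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            findings.setdefault(ev.process, set()).add(tag)
    return {proc: sorted(tags) for proc, tags in findings.items()}


if __name__ == "__main__":
    for proc, tags in audit(SAMPLE_EVENTS).items():
        print(proc.rsplit("\\", 1)[-1])
        for tag in tags:
            print("   ", tag)
```

On a live host the counterpart check is Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled): if those still read True after writes like the ones logged here, the registry change was attempted but not honoured, which is itself worth recording in the incident timeline.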

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 1040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 1040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 3128 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 3128 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 3128 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 4172 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 4172 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 4172 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 4272 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
PID 4272 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
PID 4272 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
PID 4272 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
PID 4272 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
PID 4172 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
PID 4172 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
PID 4172 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
PID 3128 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
PID 3128 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
PID 3128 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
PID 1040 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 1040 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 1040 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 4140 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4140 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4140 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 3976 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1096 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3976 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\rundll32.exe
PID 3976 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\rundll32.exe
PID 3976 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\rundll32.exe
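Each row above is one WriteProcessMemory call. A parent that creates a child writes into the new process before it starts running, so the same parent/child pair repeats (three rows for most spawns here, two for ikj12ly.exe), and for a dropper chain like this one the table is mostly a record of process creation rather than injection. The script below is an added example, not part of the sandbox report: it collapses a constructed sample of the rows (copied from the table above; the remaining rows follow the same pattern) into the spawn tree with the write count per edge, and separately lists writes into a process the writer did not create, which is the pattern that would point at injection.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: twenty rows copied from the "Suspicious use of WriteProcessMemory"
# table above, one spawn chain per branch. Repeated rows are real: the sandbox logs
# every WriteProcessMemory call, and a parent writes into a freshly created child
# several times before the child's first instruction runs.
SAMPLE_ROWS = r'''
PID 1040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 1040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 1040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
PID 3128 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 3128 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 3128 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
PID 4172 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 4172 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 4172 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
PID 4272 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
PID 4272 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
PID 1040 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 1040 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 1040 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
PID 4140 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4140 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 4140 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
PID 3976 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe C:\Windows\SysWOW64\schtasks.exe
'''

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text: str) -> Tuple[Counter, Dict[int, str]]:
    """(writer pid, target pid) -> number of writes, plus pid -> image path."""
    edges: Counter = Counter()
    names: Dict[int, str] = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        names.setdefault(src, m.group(3))
        names.setdefault(dst, m.group(4))
    return edges, names


def foreign_writes(edges: Counter) -> List[Tuple[int, int]]:
    """(writer, target) pairs where the target was first written to by a different
    process. The creating parent is the first writer, so anything here is a write
    into a process the writer did not spawn: the injection pattern, not creation."""
    first_writer: Dict[int, int] = {}
    return [(src, dst) for (src, dst) in edges if first_writer.setdefault(dst, src) != src]


def process_tree(text: str) -> List[str]:
    """Render the spawn chain as indented lines: '<pid> <image> [<n> writes]'."""
    edges, names = parse_rows(text)
    children: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for (src, dst), n in edges.items():            # Counter keeps first-seen order
        children[src].append((dst, n))
    targets = {dst for (_, dst) in edges}
    roots = [pid for pid in names if pid not in targets]
    out: List[str] = []

    def walk(pid: int, depth: int, writes: int) -> None:
        label = names[pid].rsplit("\\", 1)[-1]
        suffix = f" [{writes} writes]" if writes else ""
        out.append(f"{'  ' * depth}{pid} {label}{suffix}")
        for child, n in children.get(pid, []):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return out


if __name__ == "__main__":
    print("\n".join(process_tree(SAMPLE_ROWS)))
    print("writes into non-child processes:", foreign_writes(parse_rows(SAMPLE_ROWS)[0]))
```

Run on the full table the tree has two branches under the original sample: the four-level IXP000...IXP003 extraction chain that ends in ikj12ly.exe, kME89fo.exe, mlY22Hm.exe and nLp61Qf38.exe, and the rjy45mt32.exe branch that copies itself to 4f9dd6f8a7\mnolyk.exe and then drives schtasks.exe, cmd.exe, cacls.exe and rundll32.exe.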

Processes

C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe

"C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2960 -ip 2960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1332

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "mnolyk.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\4f9dd6f8a7" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
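Two different things in this run look like persistence. The RunOnce values in the "Adds Run key to start application" table are wextract_cleanupN entries pointing at advpack.dll,DelNodeRunDLL32 on the IXPnnn.TMP folders: that is the self-extracting (IExpress/wextract) wrapper scheduling deletion of its own temp directory, which the signature flags but which starts nothing. The real persistence is the mnolyk.exe branch above: a scheduled task that relaunches the copy in AppData\Local\Temp\4f9dd6f8a7 every minute, followed by cacls calls that replace the ACL on the binary and its folder with Admin:N and then edit it to Admin:R, so the logged-on user cannot delete them. The script below is an added example, not part of the sandbox report: it parses a constructed sample of the command lines above (quoting simplified) and separates the self-extractor cleanup from the scheduled task, the ACL lockdown and the rundll32 load of a DLL from a user-writable path.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: command lines copied from the behavioral2 Processes list above,
# plus the wextract_cleanup1 RunOnce value from the "Adds Run key" table with the
# report's escaped backslashes undone.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F',
    r'CACLS "mnolyk.exe" /P "Admin:N"',
    r'CACLS "mnolyk.exe" /P "Admin:R" /E',
    r'CACLS "..\4f9dd6f8a7" /P "Admin:N"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP"',
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")


def tokens(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted arguments whole (quotes removed)."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def program(toks: List[str]) -> str:
    name = toks[0].rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_switches(cmdline: str) -> Dict[str, Optional[str]]:
    """'prog /A x /B /C "y z"' -> {'A': 'x', 'B': None, 'C': 'y z'} (switch names upper-cased)."""
    toks = tokens(cmdline)
    out: Dict[str, Optional[str]] = {}
    i = 1                                   # toks[0] is the program
    while i < len(toks):
        if toks[i].startswith("/"):
            name = toks[i][1:].upper()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                out[name] = toks[i + 1]
                i += 2
                continue
            out[name] = None
        i += 1
    return out


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify(cmdline: str) -> Optional[Dict[str, object]]:
    toks = tokens(cmdline)
    if not toks:
        return None
    prog, sw = program(toks), parse_switches(cmdline)
    if prog == "schtasks" and "CREATE" in sw:
        target = sw.get("TR") or ""
        mo = sw.get("MO")
        schedule = (sw.get("SC") or "").upper()
        return {"kind": "scheduled_task", "task": sw.get("TN"), "schedule": schedule,
                "every": int(mo) if mo and mo.isdigit() else None, "target": target,
                # a task relaunching a binary from a user-writable path every N minutes
                "suspicious": schedule == "MINUTE" and in_user_writable(target)}
    if prog == "cacls":
        user, _, right = (sw.get("P") or "").rpartition(":")
        return {"kind": "acl_change", "target": toks[1] if len(toks) > 1 else "",
                "user": user, "right": right.upper(), "edit": "E" in sw,
                # /P user:N without /E replaces the whole ACL with a no-access entry
                "suspicious": right.upper() == "N"}
    if prog == "rundll32":
        if "advpack.dll,delnoderundll32" in cmdline.lower():
            # IExpress/wextract self-extractor deleting its IXPnnn.TMP folder: not persistence
            return {"kind": "sfx_cleanup", "target": toks[-1], "suspicious": False}
        dll = next((t.rstrip(",") for t in toks[1:] if ".dll" in t.lower()), "")
        return {"kind": "rundll32_dll", "target": dll, "suspicious": in_user_writable(dll)}
    return None


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    return [r for r in (classify(c) for c in cmdlines) if r is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

For cleanup on an infected host the order matters: delete the task first (schtasks /Delete /TN mnolyk.exe /F), otherwise it relaunches the binary within a minute; then restore inherited permissions on the folder with icacls "<folder>" /reset /T before deleting it, because the cacls lockdown leaves the user with read access only.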

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 23.20.233.193.in-addr.arpa udp
FR 51.11.192.49:443 tcp
DE 193.233.20.23:4124 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
DE 193.233.20.15:80 193.233.20.15 tcp
US 8.8.8.8:53 15.20.233.193.in-addr.arpa udp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
NL 173.223.113.164:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe

MD5 23fc5671a7d9ee4b4ec2345dcb66abbc
SHA1 57080a876eca050b0cdc3eca911cd36be50b7982
SHA256 757ffa884ddba63b72e70957b1b214bfed596222045768d54831fe2498c30366
SHA512 3eb373fd0510046a112bf09c43532fe06731eb58c2be3cdf3cb32d7c51fea33122f09ea9d1fb72eaaa482595ebe34a64627a41aadb300121f6c4d668b58a3ff0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe

MD5 7a14595bc45736b4e701b91803a59a1f
SHA1 bd1c0d1ece4576fab742f5df4ecc40ede4d458cb
SHA256 29475d7c18eb38ff64efb1f258f822fad7dc0fddb32c81b725ec48f295d1d944
SHA512 f2d045adf9918c04e3cf7aeb294b7f20e691306b1b3d525d66b3f4ce4a3b7e1b61aa9b29af2967b1b5b8d69dedecec2a6079eca98256f2c3702af0ee1cdef26c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe

MD5 61868a90f9fcded16083eaf9a3e7b000
SHA1 20f666f5fda2b304366aded2a73edb3486c1951e
SHA256 46261c58e90fa545cf23f37c4d95f42669316bb8eab93bca92eb9dd737547f8e
SHA512 a287a3bde0323323208dbc74bf5796cc1a8477728afbbc30739ea2779aaddd54790a370a9239d619978696282a4136a9f217d3092b53ba17ba9986c656d94e71

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe

MD5 21a74780fad5de45dbc0f4df2d0a2030
SHA1 69d551428ab4ca135c96609e759da744674bda32
SHA256 ce68e6e4e1033ade7cd156fc8c4060c0bc53be2a770a69d184857914e6ab78d7
SHA512 d296c916709f425be07972acb44fec529d54e9be8790c1be156326656665488f98235d6bece1227e9748aef1c6c5acdf4243b0e439d13b07c8d6b8e2b48c3906

memory/2164-161-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

MD5 f7cfcb9cda4db6395dd94268a2ffcb52
SHA1 c6f71249e450c25c7d588b88bf2abde2f0fe23d3
SHA256 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500
SHA512 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6

memory/860-167-0x00000000021E0000-0x000000000222B000-memory.dmp

memory/860-168-0x0000000004D40000-0x00000000052E4000-memory.dmp

memory/860-169-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-170-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-172-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-174-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-176-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-178-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-180-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-182-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-184-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-186-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-188-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-190-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-192-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-194-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-196-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-198-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-201-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-202-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-199-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-205-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-204-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-207-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-209-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-211-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-213-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-215-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-217-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-219-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-221-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-223-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-225-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-227-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-231-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-229-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-233-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-235-0x0000000002560000-0x000000000259F000-memory.dmp

memory/860-1078-0x00000000052F0000-0x0000000005908000-memory.dmp

memory/860-1079-0x0000000005910000-0x0000000005A1A000-memory.dmp

memory/860-1080-0x0000000004C80000-0x0000000004C92000-memory.dmp

memory/860-1081-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

memory/860-1082-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-1083-0x0000000005C80000-0x0000000005CE6000-memory.dmp

memory/860-1085-0x0000000006330000-0x00000000063C2000-memory.dmp

memory/860-1086-0x0000000006440000-0x0000000006602000-memory.dmp

memory/860-1087-0x0000000006610000-0x0000000006B3C000-memory.dmp

memory/860-1088-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-1089-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-1090-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/860-1091-0x00000000070C0000-0x0000000007136000-memory.dmp

memory/860-1092-0x0000000007150000-0x00000000071A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe

MD5 7e818871ddd9b0f2b1e15ece6317c306
SHA1 2028d32eaa1816242cb05f9b0299f26632848030
SHA256 cb49a3c3b95cfcd83d9fb29d6c140aff21f109dfbb418a10f3f2ff164970b82b
SHA512 17e4b415bfce6c125a4277b07f35b22338b69753ba1a8579794e2868f6e8af2d28e9e27c685f0090e1054be979f3756d70f64cd79f966760ec04ee3c2c71c110

memory/2960-1127-0x00000000006D0000-0x00000000006FD000-memory.dmp

memory/2960-1128-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/2960-1129-0x00000000025D0000-0x00000000025E0000-memory.dmp

memory/2960-1130-0x00000000025D0000-0x00000000025E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

MD5 f7cfcb9cda4db6395dd94268a2ffcb52
SHA1 c6f71249e450c25c7d588b88bf2abde2f0fe23d3
SHA256 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500
SHA512 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6

memory/1780-1138-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1780-1140-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1780-1139-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1780-2047-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1780-2049-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1780-2050-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1780-2051-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a
SHA512 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a
SHA512 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff
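The Files section lists one entry per drop event, so the same binary appears several times and, more usefully, the same hash turns up under different names: rjy45mt32.exe and 4f9dd6f8a7\mnolyk.exe share one SHA256 (the dropper copies itself to the new folder and runs the copy, which is the process the scheduled task then points at), and kME89fo.exe in IXP003.TMP is byte-identical to nLp61Qf38.exe in IXP001.TMP. The script below is an added example, not part of the sandbox report: it parses a constructed excerpt of the list in the report's own layout (a path line followed by one "ALGO hex" line per digest; SHA512 lines left out of the excerpt, though the parser accepts them), groups entries by SHA256, reports the aliases, checks that no SHA256 is printed with a mismatching MD5/SHA1 (a transcription error to catch before the hashes go into a blocklist), and emits one IOC line per unique file.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the behavioral2 Files section above; two entries for
# mnolyk.exe are kept on purpose to show per-event duplication.
SAMPLE_FILES = r'''
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe

MD5 f7cfcb9cda4db6395dd94268a2ffcb52
SHA1 c6f71249e450c25c7d588b88bf2abde2f0fe23d3
SHA256 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe

MD5 f7cfcb9cda4db6395dd94268a2ffcb52
SHA1 c6f71249e450c25c7d588b88bf2abde2f0fe23d3
SHA256 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

MD5 039e614993219303b020db2f0f00b035
SHA1 c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f
SHA256 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 937b902b8ad05afb922313d2341143f4
SHA1 b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256 f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
'''

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_files(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """[(path, {algo: hex}), ...] in report order, one element per drop event."""
    entries: List[Tuple[str, Dict[str, str]]] = []
    path, digests = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and path is not None:
            digests[m.group(1)] = m.group(2).lower()
            continue
        if path is not None and digests:       # a new path line closes the previous entry
            entries.append((path, digests))
        path, digests = line, {}
    if path is not None and digests:
        entries.append((path, digests))
    return entries


def group_by_sha256(entries: List[Tuple[str, Dict[str, str]]]) -> Dict[str, Dict[str, object]]:
    """sha256 -> {'paths': distinct paths in first-seen order, 'md5', 'sha1', 'events': drop count}.
    Raises if one SHA256 is printed with a different MD5 or SHA1 anywhere in the list."""
    groups: Dict[str, Dict[str, object]] = {}
    for path, d in entries:
        sha = d.get("SHA256")
        if not sha:
            continue
        g = groups.setdefault(sha, {"paths": [], "md5": d.get("MD5"), "sha1": d.get("SHA1"), "events": 0})
        if (g["md5"], g["sha1"]) != (d.get("MD5"), d.get("SHA1")):
            raise ValueError(f"inconsistent digests for {sha} at {path}")
        g["events"] += 1
        if path not in g["paths"]:
            g["paths"].append(path)
    return groups


def aliases(groups: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """SHA256s seen under more than one path: one payload copied or renamed."""
    return {sha: list(g["paths"]) for sha, g in groups.items() if len(g["paths"]) > 1}


def ioc_csv(groups: Dict[str, Dict[str, object]]) -> List[str]:
    """One 'sha256,md5,name1|name2' line per unique file, for a blocklist or hunt query."""
    return [f"{sha},{g['md5']}," + "|".join(p.rsplit("\\", 1)[-1] for p in g["paths"])
            for sha, g in groups.items()]


if __name__ == "__main__":
    grouped = group_by_sha256(parse_files(SAMPLE_FILES))
    for sha, paths in aliases(grouped).items():
        print(sha[:16], "->", paths)
    print("\n".join(ioc_csv(grouped)))
```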
