Analysis Overview
SHA256
bac9f6dcd75de21c18ef60527607e6da611e2591241ae3fa8485f5fc80619411
Threat Level: Known bad
The file eecb0540013d4bfe183405ead20dd10d.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Detects Pyinstaller
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 08:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 08:01
Reported
2023-02-25 08:03
Platform
win7-20230220-en
Max time kernel
138s
Max time network
139s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
40 matches in total, none with indicator, process or target details recorded.
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
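Detection logic for the two registry-tampering signatures above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification"). This is an added example, not part of the sandbox report: it models registry value-set events with the fields Sysmon EventID 13 exposes (Image, TargetObject, Details) and flags the two classes of write ikj12ly.exe and mlY22Hm.exe perform. The sample events are constructed from the report's rows plus benign controls; the benign process paths are assumptions.

```python
"""Flag registry writes that disable Microsoft Defender (added example, constructed sample data)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Real-Time Protection policy values the droppers set to 1 (names taken from the report).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}

# Matches both the \REGISTRY\MACHINE\... form in the report and Sysmon's HKLM\... form,
# with or without the Wow6432Node redirection seen for the 32-bit dropper.
_RTP_VALUE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
_TAMPER_VALUE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegistrySetEvent:
    image: str          # writing process
    target_object: str  # full key path ending in the value name
    details: str        # rendered data, e.g. "DWORD (0x00000001)"


def _dword(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x........)' rendering."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def classify(event: RegistrySetEvent) -> Optional[str]:
    """Return a finding label for a Defender-disabling write, else None."""
    value = _dword(event.details)
    m = _RTP_VALUE.search(event.target_object)
    if m and m.group("name") in RTP_DISABLE_VALUES and value == 1:
        return "defender_rtp_disabled:" + m.group("name")
    if _TAMPER_VALUE.search(event.target_object) and value == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events: Iterable[RegistrySetEvent]) -> Dict[str, Set[str]]:
    """Findings grouped by writing process; a process hitting both classes is the strongest signal."""
    findings: Dict[str, Set[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev.image, set()).add(label)
    return findings


IKJ = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe"
MLY = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe"

# Constructed sample: the first four mirror rows of the report, the rest are benign controls.
SAMPLE_EVENTS = [
    RegistrySetEvent(IKJ, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegistrySetEvent(IKJ, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegistrySetEvent(IKJ, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    RegistrySetEvent(MLY, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    # Defender's own engine writing a non-zero (enabled) state: not a finding. Path is an assumption.
    RegistrySetEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000005)"),
    # Policy refresh setting the value back to 0 (monitoring on): not a finding.
    RegistrySetEvent(r"C:\Windows\System32\svchost.exe", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    # Unrelated autorun write: out of scope for this rule.
    RegistrySetEvent(r"C:\Windows\explorer.exe", r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]


def demo() -> Dict[str, Set[str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, labels in demo().items():
        print(image, sorted(labels))
```

The Policies\...\Real-Time Protection values are the ones Group Policy writes, so on the detonation platform here (Windows 7, which has no Tamper Protection) Defender honours them. On current Windows with Tamper Protection on, these writes are rejected or ignored, but the attempt from a process under %TEMP% is still a high-fidelity signal on its own; the rule therefore keys on the write, not on its effect.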
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe | N/A |
Checks installed software on the system
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe
"C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\taskeng.exe
taskeng.exe {D31239F2-C1DD-4B8A-9680-BC3FB11D136A} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1180 -s 320
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 288 -s 1248
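Process-creation detection for the chain recorded above: the one-minute schtasks loop and the CACLS self-deny on mnolyk.exe/nbveek.exe, rundll32 loading cred64.dll/clip64.dll from AppData\Roaming with export Main, and the wmic OS/GPU/CPU profiling. This is an added example, not part of the sandbox report: it models process events with Image, CommandLine and ParentImage (parent images are an assumption, the report does not list them), the ATT&CK technique IDs in the comments are my mapping, and the sample events are built from the command lines above plus benign controls.

```python
"""Flag the persistence and host-fingerprinting command lines from this report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Paths a standard user can write to; a scheduled task action or DLL living here is the red flag.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)

# wmic classes commonly queried to profile a host before a stealer runs (my list; the report
# shows os, cpu and win32_VideoController).
FINGERPRINT_CLASSES = {"os", "cpu", "computersystem", "bios", "baseboard",
                       "win32_videocontroller", "win32_operatingsystem", "win32_processor"}

_CACLS_DENY = re.compile(r'cacls\s+"?(?P<target>[^"\s]+)"?\s+/p\s+"?(?P<user>[^:"\s]+):N\b', re.IGNORECASE)
_RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
_WMIC_GET = re.compile(r"\bwmic(?:\.exe)?\s+(?:path\s+)?(?P<cls>\w+)\s+get\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def _is(ev: ProcessEvent, name: str) -> bool:
    return ev.image.lower().endswith("\\" + name)


def schtasks_rule(ev: ProcessEvent) -> Optional[str]:
    """T1053.005: /Create with a minute-level repeat whose action lives in a user-writable path."""
    if not _is(ev, "schtasks.exe") or not re.search(r"/create\b", ev.command_line, re.I):
        return None
    sc = re.search(r"/sc\s+minute\b", ev.command_line, re.I)
    mo = re.search(r"/mo\s+(\d+)", ev.command_line, re.I)
    tr = re.search(r'/tr\s+"([^"]+)"', ev.command_line, re.I)
    if sc and mo and int(mo.group(1)) <= 5 and tr and USER_WRITABLE.search(tr.group(1)):
        return "schtasks_minute_loop_from_user_path"
    return None


def cacls_rule(ev: ProcessEvent) -> Optional[str]:
    """T1222.001: the loader denies its own user all access (':N') to the payload and its folder."""
    if not _is(ev, "cacls.exe"):
        return None
    m = _CACLS_DENY.search(ev.command_line)
    return "cacls_deny_user_access:" + m.group("user") if m else None


def rundll32_rule(ev: ProcessEvent) -> Optional[str]:
    """T1218.011: rundll32 loading a DLL from a user-writable path (cred64.dll / clip64.dll, export Main)."""
    if not _is(ev, "rundll32.exe"):
        return None
    m = _RUNDLL.search(ev.command_line)
    if m and USER_WRITABLE.search(m.group("dll")):
        return "rundll32_user_writable_dll:" + m.group("export")
    return None


def wmic_rule(ev: ProcessEvent) -> Optional[str]:
    """T1082: wmic queries profiling OS, CPU and GPU (a sandbox check as much as an inventory)."""
    if not _is(ev, "wmic.exe"):
        return None
    m = _WMIC_GET.search(ev.command_line)
    if m and m.group("cls").lower() in FINGERPRINT_CLASSES:
        return "wmic_fingerprint:" + m.group("cls").lower()
    return None


RULES = (schtasks_rule, cacls_rule, rundll32_rule, wmic_rule)


def classify(ev: ProcessEvent) -> Optional[str]:
    for rule in RULES:
        label = rule(ev)
        if label:
            return label
    return None


def scan(events: Iterable[ProcessEvent]) -> Dict[str, List[str]]:
    """Findings grouped by parent image, so the loader -> schtasks + cacls chain reads as one story."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            out.setdefault(ev.parent_image, []).append(label)
    return out


S32 = r"C:\Windows\SysWOW64"
# Constructed sample: command lines copied from the report, parent images assumed.
SAMPLE_EVENTS = [
    ProcessEvent(S32 + r"\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F',
                 "mnolyk.exe"),
    ProcessEvent(S32 + r"\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:N"', "cmd.exe"),
    ProcessEvent(S32 + r"\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:R" /E', "cmd.exe"),  # read grant, not flagged
    ProcessEvent(S32 + r"\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
                 "nbveek.exe"),
    ProcessEvent(S32 + r"\Wbem\wmic.exe", "wmic os get Caption", "Hedtgoupb.exe"),
    ProcessEvent(S32 + r"\Wbem\WMIC.exe", "wmic path win32_VideoController get name", "cmd.exe"),
    ProcessEvent(S32 + r"\Wbem\WMIC.exe", "wmic cpu get name", "cmd.exe"),
    # Benign controls: a daily task from Program Files and a system DLL via rundll32.
    ProcessEvent(S32 + r"\schtasks.exe", r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"', "explorer.exe"),
    ProcessEvent(S32 + r"\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", "explorer.exe"),
]


def demo() -> Dict[str, List[str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for parent, labels in demo().items():
        print(parent, labels)
```

Two practical notes. The CACLS sequence (deny "Admin:N", then re-add "Admin:R") leaves the interactive user able to read but not delete or overwrite the loader and its folder, which is why a cleanup run as that user fails; an agent running as SYSTEM, or an administrator taking ownership, is unaffected. The schtasks rule keys on the combination (minute repeat, short interval, action under AppData) rather than on schtasks alone, since legitimate software creates many tasks but rarely a one-minute loop from %TEMP%.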
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| DE | 193.233.20.19:80 | 193.233.20.19 | tcp |
| RU | 62.204.41.245:80 | 62.204.41.245 | tcp |
| RU | 62.204.41.88:80 | 62.204.41.88 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| NL | 45.15.159.15:80 | 45.15.159.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | cracked23.site | udp |
| NL | 185.241.208.138:80 | cracked23.site | tcp |
| US | 8.8.8.8:53 | xiaoxiaojue.duckdns.org | udp |
| NL | 212.87.204.245:55215 | xiaoxiaojue.duckdns.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
| MD5 | 23fc5671a7d9ee4b4ec2345dcb66abbc |
| SHA1 | 57080a876eca050b0cdc3eca911cd36be50b7982 |
| SHA256 | 757ffa884ddba63b72e70957b1b214bfed596222045768d54831fe2498c30366 |
| SHA512 | 3eb373fd0510046a112bf09c43532fe06731eb58c2be3cdf3cb32d7c51fea33122f09ea9d1fb72eaaa482595ebe34a64627a41aadb300121f6c4d668b58a3ff0 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
| MD5 | 7a14595bc45736b4e701b91803a59a1f |
| SHA1 | bd1c0d1ece4576fab742f5df4ecc40ede4d458cb |
| SHA256 | 29475d7c18eb38ff64efb1f258f822fad7dc0fddb32c81b725ec48f295d1d944 |
| SHA512 | f2d045adf9918c04e3cf7aeb294b7f20e691306b1b3d525d66b3f4ce4a3b7e1b61aa9b29af2967b1b5b8d69dedecec2a6079eca98256f2c3702af0ee1cdef26c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
| MD5 | 61868a90f9fcded16083eaf9a3e7b000 |
| SHA1 | 20f666f5fda2b304366aded2a73edb3486c1951e |
| SHA256 | 46261c58e90fa545cf23f37c4d95f42669316bb8eab93bca92eb9dd737547f8e |
| SHA512 | a287a3bde0323323208dbc74bf5796cc1a8477728afbbc30739ea2779aaddd54790a370a9239d619978696282a4136a9f217d3092b53ba17ba9986c656d94e71 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
| MD5 | 21a74780fad5de45dbc0f4df2d0a2030 |
| SHA1 | 69d551428ab4ca135c96609e759da744674bda32 |
| SHA256 | ce68e6e4e1033ade7cd156fc8c4060c0bc53be2a770a69d184857914e6ab78d7 |
| SHA512 | d296c916709f425be07972acb44fec529d54e9be8790c1be156326656665488f98235d6bece1227e9748aef1c6c5acdf4243b0e439d13b07c8d6b8e2b48c3906 |
memory/1772-92-0x0000000000F10000-0x0000000000F1A000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
| MD5 | f7cfcb9cda4db6395dd94268a2ffcb52 |
| SHA1 | c6f71249e450c25c7d588b88bf2abde2f0fe23d3 |
| SHA256 | 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500 |
| SHA512 | 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6 |
memory/1360-103-0x0000000002300000-0x0000000002346000-memory.dmp
memory/1360-104-0x0000000002340000-0x0000000002384000-memory.dmp
memory/1360-105-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-106-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-108-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-110-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-112-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-114-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-116-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-118-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-120-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-122-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-124-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-126-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-128-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-130-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-134-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-132-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-136-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-138-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-140-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-142-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-144-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-146-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-148-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-150-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-152-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-154-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-156-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-158-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-160-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-162-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-164-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-166-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-168-0x0000000000270000-0x00000000002BB000-memory.dmp
memory/1360-170-0x0000000004B80000-0x0000000004BC0000-memory.dmp
memory/1360-172-0x0000000004B80000-0x0000000004BC0000-memory.dmp
memory/1360-169-0x0000000002340000-0x000000000237F000-memory.dmp
memory/1360-1014-0x0000000004B80000-0x0000000004BC0000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
| MD5 | 7e818871ddd9b0f2b1e15ece6317c306 |
| SHA1 | 2028d32eaa1816242cb05f9b0299f26632848030 |
| SHA256 | cb49a3c3b95cfcd83d9fb29d6c140aff21f109dfbb418a10f3f2ff164970b82b |
| SHA512 | 17e4b415bfce6c125a4277b07f35b22338b69753ba1a8579794e2868f6e8af2d28e9e27c685f0090e1054be979f3756d70f64cd79f966760ec04ee3c2c71c110 |
memory/1948-1027-0x00000000007A0000-0x00000000007BA000-memory.dmp
memory/1948-1028-0x00000000007F0000-0x0000000000808000-memory.dmp
memory/1948-1057-0x00000000002E0000-0x000000000030D000-memory.dmp
memory/1948-1058-0x00000000024B0000-0x00000000024F0000-memory.dmp
memory/1948-1059-0x00000000024B0000-0x00000000024F0000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
| MD5 | f7cfcb9cda4db6395dd94268a2ffcb52 |
| SHA1 | c6f71249e450c25c7d588b88bf2abde2f0fe23d3 |
| SHA256 | 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500 |
| SHA512 | 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
| MD5 | 039e614993219303b020db2f0f00b035 |
| SHA1 | c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f |
| SHA256 | 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a |
| SHA512 | 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4 |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 039e614993219303b020db2f0f00b035 |
| SHA1 | c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f |
| SHA256 | 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a |
| SHA512 | 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4 |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | bdc32a00188b5ca16f18424915afb4f3 |
| SHA1 | 53a0abbc4d0d5376ff7a948ac226326966c35f84 |
| SHA256 | 6deb4088a1d31addc6bd52e5baa79a52a0da62feabe847459ff1c8fcf8a198b4 |
| SHA512 | 93c63fabddd886c1ecf3da6425e5c6250bbaf9ca98a2f6706c1ae71a9d7b155e08bf2348166694f5160b42b46882f90656bdc004c459bdd2141e173e8de465ba |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\enU73Dm07.exe
| MD5 | 41666d628279dd911f993bd01968f61a |
| SHA1 | 9fbb99c1f257d58eeb3636727502224b9b1d3517 |
| SHA256 | 0541f21d857e8c94d6e10b7907eb041b1a4a34052d77ef1b3bdaa8e26375816f |
| SHA512 | e68d482eab6c63cda3f9599ba1f90c14cdd1fb04629c9df6b969f8e3fcfac058a8bc8e86854893ac5bb20d2ee1a63ee80faa1ae8e9d935cd0612633034bc2793 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
| MD5 | ffd3071e0de056dee2c9383add4f387a |
| SHA1 | 0e2c325aff25e2b6ddc5ff72eb0dc12eb5511c65 |
| SHA256 | 302696014b7c9236d548a7174446284b5cd03e755cc5b180a0cf927a3e74be06 |
| SHA512 | eb22095064366451dabb2cc4fa7da66c4a071d86b32f22d8f824aa7df04aa9d49c25e0858f7ac489e5570a5949f39d8cc80f075064694aee39fabd2112aab906 |
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
| MD5 | dfeffc3924409d9c9d3c8cae05be922b |
| SHA1 | a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4 |
| SHA256 | 06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6 |
| SHA512 | d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-25 08:01
Reported
2023-02-25 08:03
Platform
win10v2004-20230220-en
Max time kernel
111s
Max time network
131s
Command Line
Signatures
Amadey
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe
"C:\Users\Admin\AppData\Local\Temp\eecb0540013d4bfe183405ead20dd10d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 860 -ip 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1312
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2960 -ip 2960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1780 -ip 1780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1332
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 23.20.233.193.in-addr.arpa | udp |
| FR | 51.11.192.49:443 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| US | 8.8.8.8:53 | 15.20.233.193.in-addr.arpa | udp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scx83Zp20.exe
| MD5 | 23fc5671a7d9ee4b4ec2345dcb66abbc |
| SHA1 | 57080a876eca050b0cdc3eca911cd36be50b7982 |
| SHA256 | 757ffa884ddba63b72e70957b1b214bfed596222045768d54831fe2498c30366 |
| SHA512 | 3eb373fd0510046a112bf09c43532fe06731eb58c2be3cdf3cb32d7c51fea33122f09ea9d1fb72eaaa482595ebe34a64627a41aadb300121f6c4d668b58a3ff0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOo19TK95.exe
| MD5 | 7a14595bc45736b4e701b91803a59a1f |
| SHA1 | bd1c0d1ece4576fab742f5df4ecc40ede4d458cb |
| SHA256 | 29475d7c18eb38ff64efb1f258f822fad7dc0fddb32c81b725ec48f295d1d944 |
| SHA512 | f2d045adf9918c04e3cf7aeb294b7f20e691306b1b3d525d66b3f4ce4a3b7e1b61aa9b29af2967b1b5b8d69dedecec2a6079eca98256f2c3702af0ee1cdef26c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\snX60rC46.exe
| MD5 | 61868a90f9fcded16083eaf9a3e7b000 |
| SHA1 | 20f666f5fda2b304366aded2a73edb3486c1951e |
| SHA256 | 46261c58e90fa545cf23f37c4d95f42669316bb8eab93bca92eb9dd737547f8e |
| SHA512 | a287a3bde0323323208dbc74bf5796cc1a8477728afbbc30739ea2779aaddd54790a370a9239d619978696282a4136a9f217d3092b53ba17ba9986c656d94e71 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ikj12ly.exe
| MD5 | 21a74780fad5de45dbc0f4df2d0a2030 |
| SHA1 | 69d551428ab4ca135c96609e759da744674bda32 |
| SHA256 | ce68e6e4e1033ade7cd156fc8c4060c0bc53be2a770a69d184857914e6ab78d7 |
| SHA512 | d296c916709f425be07972acb44fec529d54e9be8790c1be156326656665488f98235d6bece1227e9748aef1c6c5acdf4243b0e439d13b07c8d6b8e2b48c3906 |
memory/2164-161-0x0000000000FF0000-0x0000000000FFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kME89fo.exe
| MD5 | f7cfcb9cda4db6395dd94268a2ffcb52 |
| SHA1 | c6f71249e450c25c7d588b88bf2abde2f0fe23d3 |
| SHA256 | 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500 |
| SHA512 | 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6 |
memory/860-167-0x00000000021E0000-0x000000000222B000-memory.dmp
memory/860-168-0x0000000004D40000-0x00000000052E4000-memory.dmp
memory/860-169-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-170-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-172-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-174-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-176-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-178-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-180-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-182-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-184-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-186-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-188-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-190-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-192-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-194-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-196-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-198-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-201-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-202-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-199-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-205-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-204-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-207-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-209-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-211-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-213-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-215-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-217-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-219-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-221-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-223-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-225-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-227-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-231-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-229-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-233-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-235-0x0000000002560000-0x000000000259F000-memory.dmp
memory/860-1078-0x00000000052F0000-0x0000000005908000-memory.dmp
memory/860-1079-0x0000000005910000-0x0000000005A1A000-memory.dmp
memory/860-1080-0x0000000004C80000-0x0000000004C92000-memory.dmp
memory/860-1081-0x0000000004CA0000-0x0000000004CDC000-memory.dmp
memory/860-1082-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-1083-0x0000000005C80000-0x0000000005CE6000-memory.dmp
memory/860-1085-0x0000000006330000-0x00000000063C2000-memory.dmp
memory/860-1086-0x0000000006440000-0x0000000006602000-memory.dmp
memory/860-1087-0x0000000006610000-0x0000000006B3C000-memory.dmp
memory/860-1088-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-1089-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-1090-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/860-1091-0x00000000070C0000-0x0000000007136000-memory.dmp
memory/860-1092-0x0000000007150000-0x00000000071A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mlY22Hm.exe
| MD5 | 7e818871ddd9b0f2b1e15ece6317c306 |
| SHA1 | 2028d32eaa1816242cb05f9b0299f26632848030 |
| SHA256 | cb49a3c3b95cfcd83d9fb29d6c140aff21f109dfbb418a10f3f2ff164970b82b |
| SHA512 | 17e4b415bfce6c125a4277b07f35b22338b69753ba1a8579794e2868f6e8af2d28e9e27c685f0090e1054be979f3756d70f64cd79f966760ec04ee3c2c71c110 |
memory/2960-1127-0x00000000006D0000-0x00000000006FD000-memory.dmp
memory/2960-1128-0x00000000025D0000-0x00000000025E0000-memory.dmp
memory/2960-1129-0x00000000025D0000-0x00000000025E0000-memory.dmp
memory/2960-1130-0x00000000025D0000-0x00000000025E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLp61Qf38.exe
| MD5 | f7cfcb9cda4db6395dd94268a2ffcb52 |
| SHA1 | c6f71249e450c25c7d588b88bf2abde2f0fe23d3 |
| SHA256 | 7a8fd4402847f8fcca1a8310d625bec0ab12d826624e27d20f6d33f0ea6da500 |
| SHA512 | 4762ac4dbf57e7d8bf90d71ba4b0b22fe1331b9c20482b5078e02b84eac39693857278b2f14f587af02fb2e9d4282c98e51650e7d407eb5ce8a2e9eae5c54fd6 |
memory/1780-1138-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/1780-1140-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/1780-1139-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/1780-2047-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/1780-2049-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/1780-2050-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/1780-2051-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rjy45mt32.exe
| MD5 | 039e614993219303b020db2f0f00b035 |
| SHA1 | c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f |
| SHA256 | 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a |
| SHA512 | 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4 |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 039e614993219303b020db2f0f00b035 |
| SHA1 | c7b3635e5658fa92a2a2a0e86b1c6a225949ef7f |
| SHA256 | 047f5549f9b16ccf809fcda102bea966a1e5e3f80da22f170d661a22b7aa5d5a |
| SHA512 | 689c8ba1fe819fc67fefa1b0c9adda7ea40798196c6b1214317952bfd4334d3078cc479cc83b937c96423936b06b234efb616a9c223852f8e33437f3e9362cc4 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |