Malware Analysis Report

2025-06-16 04:56

Sample ID 230317-vbc3sabb91
Target 22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41
SHA256 22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41
Tags
amadey laplas redline lint rockins clipper discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41

Threat Level: Known bad

The file 22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41 was classified as Known bad.

Malicious Activity Summary


RedLine

Laplas Clipper

Amadey

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-17 16:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-17 16:48

Reported

2023-03-17 16:51

Platform

win10-20230220-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe"

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A

RedLine

infostealer redline

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A
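The two tables above (Real-Time Protection policy values set to 1, TamperProtection set to 0) are the registry writes a responder should recognise on sight. The following is an added example, not part of the sandbox report: a small Python checker that takes "Set value" rows in the report's own row layout and flags the Defender-weakening ones, grouped by the writing process. The sample rows are copied from the tables above plus one unrelated write that must not be flagged; the rule list is an assumption limited to the value names the report shows. Caveat: on a host where Tamper Protection is enabled, Defender ignores these values even when the registry write itself succeeds, so a sandbox logging the write is not evidence that real-time protection was actually switched off; on a live host confirm with Get-MpComputerStatus.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Set value" rows from the two Defender
# signature tables above, copied in the report's own row layout, plus one
# unrelated write that must not be flagged.  Not a live registry capture.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A',
]

# One "Set value" row: type, key, quoted value, writing process, target.
# "Key created" rows deliberately do not match; they carry no value to judge.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)

# Value names that weaken Defender (assumed list, taken from the report's own
# rows): the parent-key fragment they must sit under and the "off" value.
WEAKENING = {
    "DisableRealtimeMonitoring": ("real-time protection", "1"),
    "DisableBehaviorMonitoring": ("real-time protection", "1"),
    "DisableIOAVProtection": ("real-time protection", "1"),
    "DisableOnAccessProtection": ("real-time protection", "1"),
    "DisableScanOnRealtimeEnable": ("real-time protection", "1"),
    "TamperProtection": ("windows defender\\features", "0"),
}


def parse_row(row):
    """Split one 'Set value' row into its columns; None if the row does not fit."""
    m = ROW_RE.match(row)
    if not m:
        return None
    ev = m.groupdict()
    parent, _, name = ev["key"].rpartition("\\")
    ev["parent"] = parent.lower()   # compared case-insensitively
    ev["name"] = name               # value names are compared exactly
    return ev


def find_defender_tampering(rows):
    """Return the rows whose write matches a known Defender-weakening value."""
    hits = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        rule = WEAKENING.get(ev["name"])
        if rule and rule[0] in ev["parent"] and ev["value"] == rule[1]:
            hits.append({"process": ev["process"], "name": ev["name"],
                         "value": ev["value"], "key": ev["key"]})
    return hits


def summarize_by_process(hits):
    """Map each writing process to the sorted list of values it changed."""
    by_proc = defaultdict(set)
    for h in hits:
        by_proc[h["process"]].add(h["name"])
    return {proc: sorted(names) for proc, names in by_proc.items()}


if __name__ == "__main__":
    summary = summarize_by_process(find_defender_tampering(SAMPLE_EVENTS))
    for proc, names in summary.items():
        print(proc, "->", ", ".join(names))
```

The check keys on the value name and its parent key rather than on the full path, so the same rule catches both the native and the WOW6432Node view of the Features key, which is exactly the split the report shows between py36lg66.exe and ns1313xH.exe.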

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3452 set thread context of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe
PID 2460 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe
PID 2460 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe
PID 2512 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe
PID 2512 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe
PID 2512 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe
PID 3028 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe
PID 3028 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe
PID 3028 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe
PID 3028 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe
PID 3028 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe
PID 2512 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe
PID 2512 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe
PID 2512 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe
PID 2460 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe
PID 2460 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe
PID 2460 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe
PID 3696 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3696 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3696 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3948 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3948 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3948 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3948 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe
PID 3948 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe
PID 3948 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe
PID 3948 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe
PID 3948 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe
PID 3948 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3452 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4980 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 4980 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 4980 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 3948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 3948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 3948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
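Read on their own, the rows above are mostly ordinary parent-to-child writes made while starting a new process; what makes them useful is that, taken together, they give the full dropper chain, and that one pair (3452 into 5024, InstallUtil.exe) also appears in the SetThreadContext table, which is the WriteProcessMemory plus SetThreadContext combination of process hollowing. The following is an added example, not part of the sandbox report: Python that parses rows in the report's own layout, de-duplicates the repeated entries, rebuilds the process tree and singles out parent/child pairs that show both behaviours. The sample rows are a constructed subset of the tables above; the svhost entry spells its non-ASCII letter with an explicit \u0435 escape, which is an assumption about the report's encoding.

```python
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = T + r"\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SVHOST = T + "\\1000058001\\svhost\u0435.exe"   # assumed Cyrillic 'е', as the report's path suggests


def wpm(src, dst, src_path, dst_path):
    """Build one 'wrote to memory' row in the report's layout."""
    return f"PID {src} wrote to memory of {dst} N/A {src_path} {dst_path}"


# Constructed sample: a subset of the rows from the WriteProcessMemory and
# SetThreadContext tables above, including one repeated row as the sandbox
# emits them.  Not a live event log.
SAMPLE_ROWS = [
    wpm(2460, 2512, DROPPER, T + r"\IXP000.TMP\will8940.exe"),
    wpm(2460, 2512, DROPPER, T + r"\IXP000.TMP\will8940.exe"),
    wpm(2512, 3028, T + r"\IXP000.TMP\will8940.exe", T + r"\IXP001.TMP\will5647.exe"),
    wpm(3028, 3616, T + r"\IXP001.TMP\will5647.exe", T + r"\IXP002.TMP\ns1313xH.exe"),
    wpm(3028, 2908, T + r"\IXP001.TMP\will5647.exe", T + r"\IXP002.TMP\py36lg66.exe"),
    wpm(2512, 1412, T + r"\IXP000.TMP\will8940.exe", T + r"\IXP001.TMP\qs0632bT.exe"),
    wpm(2460, 3696, DROPPER, T + r"\IXP000.TMP\ry54oH17.exe"),
    wpm(3696, 3948, T + r"\IXP000.TMP\ry54oH17.exe", T + r"\f22b669919\legenda.exe"),
    wpm(3948, 2924, T + r"\f22b669919\legenda.exe", r"C:\Windows\SysWOW64\schtasks.exe"),
    wpm(3948, 3836, T + r"\f22b669919\legenda.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    wpm(3948, 3452, T + r"\f22b669919\legenda.exe", T + r"\1000056001\w6auj9ii3rp.exe"),
    wpm(3948, 4980, T + r"\f22b669919\legenda.exe", SVHOST),
    wpm(3452, 5024, T + r"\1000056001\w6auj9ii3rp.exe", INSTALLUTIL),
    wpm(4980, 4780, SVHOST, r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"),
    wpm(3948, 1292, T + r"\f22b669919\legenda.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    "PID 3452 set thread context of 5024 N/A " + T + r"\1000056001\w6auj9ii3rp.exe " + INSTALLUTIL,
]

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$"
)


def parse_event(row):
    """One row -> dict with integer PIDs and the event kind; None if it does not fit."""
    m = EVENT_RE.match(row)
    if not m:
        return None
    return {"src": int(m["src"]), "dst": int(m["dst"]),
            "kind": "write" if m["kind"].startswith("wrote") else "thread_context",
            "src_path": m["src_path"], "dst_path": m["dst_path"]}


def build_tree(rows):
    """Return (children, names, ctx): parent -> set of child PIDs, PID -> image path,
    and the set of (parent, child) pairs where the parent reset the child's thread context."""
    children, names, ctx = defaultdict(set), {}, set()
    for ev in filter(None, map(parse_event, rows)):
        names[ev["src"]], names[ev["dst"]] = ev["src_path"], ev["dst_path"]
        if ev["kind"] == "write":
            children[ev["src"]].add(ev["dst"])   # set: repeated rows collapse
        else:
            ctx.add((ev["src"], ev["dst"]))
    return dict(children), names, ctx


def roots(children):
    """PIDs that write to others but are never written to: the top of each chain."""
    written_to = set().union(*children.values()) if children else set()
    return sorted(p for p in children if p not in written_to)


def render(children, names, pid, depth=0):
    """Indented text tree, one line per process, two spaces per level."""
    base = names[pid].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{pid} {base}"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def hollowing_candidates(children, ctx):
    """Pairs where the parent both wrote into the child and changed its thread
    context: the WriteProcessMemory + SetThreadContext pattern of process hollowing."""
    return sorted(pair for pair in ctx if pair[1] in children.get(pair[0], ()))


if __name__ == "__main__":
    children, names, ctx = build_tree(SAMPLE_ROWS)
    for root in roots(children):
        print("\n".join(render(children, names, root)))
    print("hollowing candidates:", hollowing_candidates(children, ctx))
```

Only one pair survives the hollowing filter, w6auj9ii3rp.exe into InstallUtil.exe, so that is the process whose memory should be dumped for the unpacked payload rather than the on-disk file; the WerFault.exe entry for PID 3452 in the process list is consistent with the "Program crash" signature, not with an additional injection.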

Processes

C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe

"C:\Users\Admin\AppData\Local\Temp\22e87e7e3b8c1e4b76d00905d17206c0359978f1da6960f3ae5bcd99070f2e41.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe"

C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 584

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
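The command lines in this list carry the persistence and self-protection steps in plain text: a scheduled task that re-launches legenda.exe from Temp every minute, a cacls chain that first denies the Admin account all access to the payload and its directory and then grants read-only, rundll32 loading clip64.dll from Roaming with the export Main, InstallUtil.exe started with no arguments at all, and an svhost file name whose "е" is not the ASCII letter. The following is an added example, not part of the sandbox report: a Python rule set that takes raw command lines and reports which of those patterns each one trips. The sample command lines are copied from the list above plus one benign schtasks query; the rule names, the user-writable path list and the \u0435 spelling of the svhost name are assumptions of the example.

```python
import re
import unicodedata

# Constructed sample: command lines from the Processes list above, copied
# verbatim, plus one benign schtasks query that must not be flagged.  The
# svhost entry spells its Cyrillic letter with an explicit \u0435 escape
# (assumed to be what the report's file name contains).
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F'
CACLS_CHAIN = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit'
RUNDLL_CMD = r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main'
INSTALLUTIL_CMD = r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'
SVHOST_CMD = '"C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058001\\svhost\u0435.exe"'
BENIGN_CMD = r'"C:\Windows\System32\schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'
SAMPLE_CMDLINES = [SCHTASKS_CMD, CACLS_CHAIN, RUNDLL_CMD, INSTALLUTIL_CMD, SVHOST_CMD, BENIGN_CMD]

# Locations a standard user can write to (assumed list); every payload in the
# report lives under one of them.
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)


def image_of(cmd):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def args_of(cmd):
    """Everything after the first token."""
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s*(.*)$', cmd)
    return m.group(1) if m else ""


def check_command_line(cmd):
    """Return the names of the rules a single command line trips (empty if none)."""
    hits = []
    image = image_of(cmd)
    image_l = image.lower()

    # 1. schtasks /Create with a one-minute repeat whose action lives in a user-writable directory
    if image_l.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I) \
            and re.search(r"/sc\s+minute\b", cmd, re.I):
        tr = re.search(r'/tr\s+"?([^"]+?)"?(?:\s|$)', cmd, re.I)
        if tr and USER_WRITABLE.search(tr.group(1)):
            hits.append("schtasks_minute_repeat_from_user_dir")

    # 2. cacls denying an account all access (":N") to a file or directory
    if re.search(r'\bcacls\b[^&|]*?/p\s+"?[^"\s]+:n\b', cmd, re.I):
        hits.append("cacls_deny_all_access")

    # 3. rundll32 loading a DLL from a user-writable directory
    if image_l.endswith("rundll32.exe"):
        dll = re.search(r'\s"?([^"\s,]+\.dll)', cmd, re.I)
        if dll and USER_WRITABLE.search(dll.group(1)):
            hits.append("rundll32_dll_from_user_dir")

    # 4. InstallUtil.exe with no arguments: it has nothing to install, so it is
    #    only useful as a host for injected code (the hollowing target above)
    if image_l.endswith("installutil.exe") and not args_of(cmd).strip():
        hits.append("installutil_without_arguments")

    # 5. non-ASCII characters in the image path, named so the analyst can see
    #    which script the look-alike letter comes from
    odd = [c for c in image if ord(c) > 127]
    if odd:
        names = ",".join(unicodedata.name(c, "U+%04X" % ord(c)) for c in odd)
        hits.append("non_ascii_in_image_name:" + names)
    return hits


def triage(cmdlines):
    """Map each flagged command line to its rule hits; clean lines are omitted."""
    result = {}
    for cmd in cmdlines:
        hits = check_command_line(cmd)
        if hits:
            result[cmd] = hits
    return result


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(hits, "<-", cmd)
```

Rule 2 is the one to keep conservative: cacls with ":N" is rare in legitimate administration but not unheard of, so it is best weighted together with rule 1 firing from the same parent, which is the combination the process list above shows for legenda.exe.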

Network

Country Destination Domain Proto
DE 193.233.20.28:4125 tcp
US 8.8.8.8:53 28.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
RU 62.204.41.88:80 62.204.41.88 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 88.41.204.62.in-addr.arpa udp
RU 46.3.197.223:44446 tcp
US 8.8.8.8:53 223.197.3.46.in-addr.arpa udp
US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp
NL 45.159.189.105:80 45.159.189.105 tcp
US 8.8.8.8:53 105.189.159.45.in-addr.arpa udp
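Not every row in this table is an indicator: the 8.8.8.8:53 entries are the sandbox's resolver answering reverse (in-addr.arpa) lookups that the guest performs for the addresses it talks to, and two of those lookups (52.109.8.45 and 13.107.4.52, after undoing the octet reversal) have no matching connection in the table at all. The following is an added example, not part of the sandbox report: Python that parses the table in its own layout, separates the TCP endpoints actually contacted from the DNS noise, turns PTR names back into addresses, and produces a firewall-ready address list. The rows are copied from the table above; the resolver constant and the function names are the example's own.

```python
import ipaddress

# Constructed copy of the Network table above, one string per row in the
# report's own layout: country, destination ip:port, optional domain, protocol.
NETWORK_ROWS = [
    "DE 193.233.20.28:4125 tcp",
    "US 8.8.8.8:53 28.20.233.193.in-addr.arpa udp",
    "US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp",
    "RU 62.204.41.87:80 62.204.41.87 tcp",
    "RU 62.204.41.88:80 62.204.41.88 tcp",
    "US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp",
    "US 8.8.8.8:53 88.41.204.62.in-addr.arpa udp",
    "RU 46.3.197.223:44446 tcp",
    "US 8.8.8.8:53 223.197.3.46.in-addr.arpa udp",
    "US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp",
    "NL 45.159.189.105:80 45.159.189.105 tcp",
    "US 8.8.8.8:53 105.189.159.45.in-addr.arpa udp",
]

RESOLVER = ("8.8.8.8", 53)   # the sandbox's DNS server, never an indicator (assumed)


def parse_row(row):
    """Split one table row into fields; None if it is not a data row."""
    parts = row.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        return None
    if ":" not in dest:
        return None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_dns(r):
    return (r["ip"], r["port"]) == RESOLVER


def ptr_target(domain):
    """Undo the octet reversal of an in-addr.arpa name; None for any other name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[:-len(suffix)].split(".")))


def c2_endpoints(rows):
    """ip:port pairs the sample actually connected to (DNS to the resolver excluded)."""
    parsed = [r for r in map(parse_row, rows) if r]
    return sorted({f'{r["ip"]}:{r["port"]}' for r in parsed if not is_dns(r)})


def unconfirmed_ptr_targets(rows):
    """Addresses that were reverse-looked-up but never connected to in the table."""
    parsed = [r for r in map(parse_row, rows) if r]
    connected = {r["ip"] for r in parsed if not is_dns(r)}
    looked_up = {ptr_target(r["domain"]) for r in parsed if r["domain"]} - {None}
    return sorted(looked_up - connected)


def blocklist(rows):
    """Distinct contacted addresses in numeric order, for a firewall or proxy deny list."""
    ips = {e.rsplit(":", 1)[0] for e in c2_endpoints(rows)}
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("contacted:", c2_endpoints(NETWORK_ROWS))
    print("looked up only:", unconfirmed_ptr_targets(NETWORK_ROWS))
    print("blocklist:", blocklist(NETWORK_ROWS))
```

The two "looked up only" addresses are deliberately kept out of the blocklist: the table records a PTR query for them and nothing else, so there is no observed connection to justify blocking them, and the resolver itself must never be added.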

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe

MD5 70f7bef2d04b8f6fa43d40ba809293c9
SHA1 26a8404bfc0cd0fa7ef43639988161b65a4bd1ed
SHA256 0a01fd77439399a33270833e11e9c21fc1a9b99f8e483e62ca9f8f2eee95eb60
SHA512 cbe59d83afd45a61ece65c8da500c75d8811cdb718a0f3860245f985ba5d5c189a1e1fbb1aa0da2035b2c8c66cd177554bdf2a6592be19340bd7f00a21c4a250

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8940.exe

MD5 70f7bef2d04b8f6fa43d40ba809293c9
SHA1 26a8404bfc0cd0fa7ef43639988161b65a4bd1ed
SHA256 0a01fd77439399a33270833e11e9c21fc1a9b99f8e483e62ca9f8f2eee95eb60
SHA512 cbe59d83afd45a61ece65c8da500c75d8811cdb718a0f3860245f985ba5d5c189a1e1fbb1aa0da2035b2c8c66cd177554bdf2a6592be19340bd7f00a21c4a250

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe

MD5 8e97d0eb573ca96237a6160426181d0c
SHA1 71660d372f75840e9e6f326d2d4375d1a9d76692
SHA256 91534683a3137949eb1fc0e187d18062ad140cc5398ca94a176733e9065cc703
SHA512 c8651cdc35abb74d517f8d6e0a82113b5d354ab80c81e3dc644184629ba1ae7638d240e4d308c0035fa082164f0359cdb575329164a7943dc636b0acad65569f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will5647.exe

MD5 8e97d0eb573ca96237a6160426181d0c
SHA1 71660d372f75840e9e6f326d2d4375d1a9d76692
SHA256 91534683a3137949eb1fc0e187d18062ad140cc5398ca94a176733e9065cc703
SHA512 c8651cdc35abb74d517f8d6e0a82113b5d354ab80c81e3dc644184629ba1ae7638d240e4d308c0035fa082164f0359cdb575329164a7943dc636b0acad65569f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1313xH.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3616-139-0x0000000000710000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe

MD5 6aa07ba7c584a0fa9cf94a6f7700142e
SHA1 0ad671ff6a217783019d3aab2b25674aa6a6bd9c
SHA256 f4677536775bad52b933ab83dcaa63bbfa310e188d58635bd9c8173566494e3f
SHA512 424bc53736ff5bc3b05a043fbe9f3a8cbdcc25b6256e7b0f90ed94f443673749a9dc00268759b8bac17386448c9ebc670d02b7be1526913b6974bf05d0d6f2d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py36lg66.exe

MD5 6aa07ba7c584a0fa9cf94a6f7700142e
SHA1 0ad671ff6a217783019d3aab2b25674aa6a6bd9c
SHA256 f4677536775bad52b933ab83dcaa63bbfa310e188d58635bd9c8173566494e3f
SHA512 424bc53736ff5bc3b05a043fbe9f3a8cbdcc25b6256e7b0f90ed94f443673749a9dc00268759b8bac17386448c9ebc670d02b7be1526913b6974bf05d0d6f2d3

memory/2908-145-0x00000000001D0000-0x00000000001FD000-memory.dmp

memory/2908-146-0x0000000004890000-0x00000000048AA000-memory.dmp

memory/2908-147-0x0000000007090000-0x000000000758E000-memory.dmp

memory/2908-148-0x0000000004730000-0x0000000004740000-memory.dmp

memory/2908-150-0x0000000004730000-0x0000000004740000-memory.dmp

memory/2908-151-0x0000000004A40000-0x0000000004A58000-memory.dmp

memory/2908-149-0x0000000004730000-0x0000000004740000-memory.dmp

memory/2908-152-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-153-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-155-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-157-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-159-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-161-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-163-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-165-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-167-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-169-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-171-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-173-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-175-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-177-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-179-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/2908-180-0x0000000000400000-0x0000000002B05000-memory.dmp

memory/2908-181-0x0000000004730000-0x0000000004740000-memory.dmp

memory/2908-182-0x0000000004730000-0x0000000004740000-memory.dmp

memory/2908-183-0x0000000004730000-0x0000000004740000-memory.dmp

memory/2908-185-0x0000000000400000-0x0000000002B05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe

MD5 0ecc8ab62b7278cc6650517251f1543c
SHA1 b4273cda193a20d48e83241275ffc34ddad412f2
SHA256 b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a
SHA512 c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0632bT.exe

MD5 0ecc8ab62b7278cc6650517251f1543c
SHA1 b4273cda193a20d48e83241275ffc34ddad412f2
SHA256 b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a
SHA512 c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

memory/1412-189-0x0000000000980000-0x00000000009B2000-memory.dmp

memory/1412-190-0x0000000005720000-0x0000000005D26000-memory.dmp

memory/1412-191-0x00000000052B0000-0x00000000053BA000-memory.dmp

memory/1412-192-0x00000000051E0000-0x00000000051F2000-memory.dmp

memory/1412-193-0x0000000005530000-0x0000000005540000-memory.dmp

memory/1412-194-0x0000000005240000-0x000000000527E000-memory.dmp

memory/1412-195-0x00000000053C0000-0x000000000540B000-memory.dmp

memory/1412-196-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/1412-197-0x00000000060D0000-0x0000000006162000-memory.dmp

memory/1412-198-0x0000000005530000-0x0000000005540000-memory.dmp

memory/1412-199-0x00000000065D0000-0x0000000006646000-memory.dmp

memory/1412-200-0x0000000007B70000-0x0000000007BC0000-memory.dmp

memory/1412-201-0x0000000007D90000-0x0000000007F52000-memory.dmp

memory/1412-202-0x0000000008490000-0x00000000089BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe

MD5 57e3fc905b5cb1811f155ec4aef82795
SHA1 2ca77867f751067d96d1eb27828de238b403e414
SHA256 a8509b53acec11ea8c6ca3845a9110d0c3477a60f4ca418f7dfd1a29f320765d
SHA512 f843a3b6a93dea4f1375cd7098bb36edab2096d0657abc0cebf2d95c7b8a424a12c0dfe281bacab26f9b38fc8bb673c0731a39f6b7eccaa111ef3e00286d835d

C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe

MD5 57e3fc905b5cb1811f155ec4aef82795
SHA1 2ca77867f751067d96d1eb27828de238b403e414
SHA256 a8509b53acec11ea8c6ca3845a9110d0c3477a60f4ca418f7dfd1a29f320765d
SHA512 f843a3b6a93dea4f1375cd7098bb36edab2096d0657abc0cebf2d95c7b8a424a12c0dfe281bacab26f9b38fc8bb673c0731a39f6b7eccaa111ef3e00286d835d

C:\Users\Admin\AppData\Local\Temp\1000056001\w6auj9ii3rp.exe

MD5 57e3fc905b5cb1811f155ec4aef82795
SHA1 2ca77867f751067d96d1eb27828de238b403e414
SHA256 a8509b53acec11ea8c6ca3845a9110d0c3477a60f4ca418f7dfd1a29f320765d
SHA512 f843a3b6a93dea4f1375cd7098bb36edab2096d0657abc0cebf2d95c7b8a424a12c0dfe281bacab26f9b38fc8bb673c0731a39f6b7eccaa111ef3e00286d835d

C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe

MD5 665c62d3bd6c21614fafb9a9b50bb574
SHA1 56322f2bb8a61954e6ec974612154402cdd98b29
SHA256 a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99
SHA512 07fda86a50c1aca80db3906e4201ec4f97be00d1563eb386d750b28160cd30bed1435e473c9330943d5c854a55fc7078bcdd3c99731fabd8019b1b22e10f9ed7

C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe

MD5 665c62d3bd6c21614fafb9a9b50bb574
SHA1 56322f2bb8a61954e6ec974612154402cdd98b29
SHA256 a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99
SHA512 07fda86a50c1aca80db3906e4201ec4f97be00d1563eb386d750b28160cd30bed1435e473c9330943d5c854a55fc7078bcdd3c99731fabd8019b1b22e10f9ed7

C:\Users\Admin\AppData\Local\Temp\1000058001\svhostе.exe

MD5 665c62d3bd6c21614fafb9a9b50bb574
SHA1 56322f2bb8a61954e6ec974612154402cdd98b29
SHA256 a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99
SHA512 07fda86a50c1aca80db3906e4201ec4f97be00d1563eb386d750b28160cd30bed1435e473c9330943d5c854a55fc7078bcdd3c99731fabd8019b1b22e10f9ed7

memory/4980-240-0x0000000004870000-0x0000000004C40000-memory.dmp

memory/5024-241-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5024-242-0x00000000054B0000-0x00000000054FB000-memory.dmp

memory/5024-243-0x00000000052D0000-0x00000000052E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 8d33b8e41c8e8ed049df0770f5b9de90
SHA1 7d088549fe4f70d96c5994b95e15c8a05a6cc387
SHA256 a611aed9d9058be159cc6c1577289e19133c4ccd001b8bbff185b599d62bceb0
SHA512 ca413ce22953d8c83d8da88d8650e2886256af7c71a3122433536f26153784a7951e189a2a77b0c9d28e71760cf2e51a4b1182b43d0fcbca09dfc86d1de1b23e

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f770c7696e889f308c45f076b2500d9e
SHA1 3fa6d47bed04de4b18366dbd7dfc96dd31966681
SHA256 02f5ad09096f76933122b71792684db47bdabc69d8de78ad4916fa7315febc24
SHA512 12a20e80ff66ea598505342d925f5c1c91ad7cd17bfc90c8d6f0f94bceecc9669cb881bc4ff8b6cf86b3ff81cf8d7388c1341beb1402f35305fe077545ed9913

memory/4980-249-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/5024-250-0x00000000052D0000-0x00000000052E0000-memory.dmp

memory/4780-251-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/4780-253-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/4780-254-0x0000000000400000-0x0000000002C8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

memory/4780-256-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/4780-277-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/4780-278-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/4780-279-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/4780-280-0x0000000000400000-0x0000000002C8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
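The Files list repeats most entries several times, lists the same binary under two paths (ry54oH17.exe in IXP000.TMP and legenda.exe in f22b669919 share every hash, so the second is a copy of the first), shows ntlhost.exe under one path with two different hashes, and records clip64.dll once with and once without the drive letter. A path-keyed dedupe would lose the second ntlhost.exe hash; a hash-keyed one keeps both. The following is an added example, not part of the sandbox report: Python that parses an excerpt of the list in its own layout (path line, hash lines, memory-dump lines without hashes), de-duplicates by SHA256, and reports both kinds of mismatch. The excerpt keeps the MD5, SHA1 and SHA256 lines of the entries named above; the hashes are copied from the list.

```python
from collections import defaultdict

# Constructed excerpt of the Files section above, in its own layout.  Hashes
# are copied from the report; SHA512 lines were left out of the excerpt.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry54oH17.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

memory/2908-145-0x00000000001D0000-0x00000000001FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 8d33b8e41c8e8ed049df0770f5b9de90
SHA1 7d088549fe4f70d96c5994b95e15c8a05a6cc387
SHA256 a611aed9d9058be159cc6c1577289e19133c4ccd001b8bbff185b599d62bceb0

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f770c7696e889f308c45f076b2500d9e
SHA1 3fa6d47bed04de4b18366dbd7dfc96dd31966681
SHA256 02f5ad09096f76933122b71792684db47bdabc69d8de78ad4916fa7315febc24

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def parse_files(text):
    """Return [(path, {algo: hexdigest}), ...] in report order; memory dumps are skipped."""
    entries, path, hashes = [], None, {}

    def flush():
        if path is not None and hashes:
            entries.append((path, dict(hashes)))

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and digest:
            hashes[algo] = digest.lower()      # hash line attaches to the current path
        elif line.startswith("memory/"):
            continue                           # in-memory dump, no hashes to collect
        else:
            flush()                            # any other line starts a new file block
            path, hashes = line, {}
    flush()
    return entries


def unique_by_sha256(entries):
    """One representative path per distinct SHA256 (first path seen wins)."""
    seen = {}
    for path, h in entries:
        if "SHA256" in h:
            seen.setdefault(h["SHA256"], path)
    return seen


def same_hash_many_paths(entries):
    """SHA256 -> set of paths: the same bytes written to more than one place."""
    by_hash = defaultdict(set)
    for path, h in entries:
        if "SHA256" in h:
            by_hash[h["SHA256"]].add(path)
    return {k: v for k, v in by_hash.items() if len(v) > 1}


def same_path_many_hashes(entries):
    """path -> set of SHA256: the same file name rewritten with different content."""
    by_path = defaultdict(set)
    for path, h in entries:
        if "SHA256" in h:
            by_path[path].add(h["SHA256"])
    return {k: v for k, v in by_path.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_files(FILES_TEXT)
    for sha, path in unique_by_sha256(entries).items():
        print(sha, path)
    print("copies:", same_hash_many_paths(entries))
    print("rewritten:", same_path_many_hashes(entries))
```

For blocking and hunting, use the hash-keyed view: every SHA256 it returns is a distinct artefact, and the ntlhost.exe path needs both of its hashes, since the report gives no reason to prefer one over the other.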