Malware Analysis Report

2024-11-15 09:17

Sample ID 230318-19f5zsdh95
Target af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97
SHA256 af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97

Threat Level: Known bad

The file af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

Rhadamanthys

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detect rhadamanthys stealer shellcode

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Aurora

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Windows security modification

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-18 22:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-18 22:20

Reported

2023-03-18 22:23

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

127s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5044 created 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\system32\taskhostw.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe
PID 4024 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe
PID 4024 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe
PID 5092 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe
PID 5092 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe
PID 5092 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe
PID 384 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe
PID 384 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe
PID 384 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe
PID 3540 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe
PID 3540 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe
PID 3540 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe
PID 3540 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe
PID 3540 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe
PID 384 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe
PID 384 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe
PID 384 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe
PID 5092 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe
PID 5092 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe
PID 5092 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe
PID 4024 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe
PID 4024 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe
PID 4024 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe
PID 1460 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1460 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1460 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4184 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4184 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4184 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4184 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 3616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 3616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 3616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4184 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4184 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4184 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4184 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4184 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4184 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4184 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 4184 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 4184 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 5044 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 5044 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 5044 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 5044 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 5044 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe

"C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1072

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 736

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 141.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 86.192.144.4.in-addr.arpa udp
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 20.189.173.9:443 tcp
DE 193.233.20.30:4125 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 234.95.206.23.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 89.190.157.61:80 tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
RU 80.85.156.168:20189 tcp
US 8.8.8.8:53 168.156.85.80.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe

MD5 dda85794ac803d7bfc64db2a7cb65861
SHA1 50e0dd9c7a8a4ff733b25474f8b9fd128d00669b
SHA256 d47e32569e8935baa2244f2607113cdec10a242d28e340a5edabbb0c5ee926c8
SHA512 18ce994cffdb1e7f7f106d5bf008302141940f5dde067b089af9d8dc6d259e75d21e2b63902a683b1488b250ecef29e5a58528c3083ef83d132ad97cd8c46ba9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe

MD5 dda85794ac803d7bfc64db2a7cb65861
SHA1 50e0dd9c7a8a4ff733b25474f8b9fd128d00669b
SHA256 d47e32569e8935baa2244f2607113cdec10a242d28e340a5edabbb0c5ee926c8
SHA512 18ce994cffdb1e7f7f106d5bf008302141940f5dde067b089af9d8dc6d259e75d21e2b63902a683b1488b250ecef29e5a58528c3083ef83d132ad97cd8c46ba9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe

MD5 8cffa78cd8d4e7857dff42e365ebff98
SHA1 fb81bf71a1c488cb4e9b09bd96beea5d2f3d735a
SHA256 5630d17cb8fcbd96b782cd6c8467855a2db221445c8f9f85b22717759b80d556
SHA512 8305e766792eaef700c2eece3cbb6edf396ca16c9a5759c76390d133a75aa77f001d2b945d821ef59009d39de45fac19d15e3bd94a628e36a65c826d8039f280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe

MD5 8cffa78cd8d4e7857dff42e365ebff98
SHA1 fb81bf71a1c488cb4e9b09bd96beea5d2f3d735a
SHA256 5630d17cb8fcbd96b782cd6c8467855a2db221445c8f9f85b22717759b80d556
SHA512 8305e766792eaef700c2eece3cbb6edf396ca16c9a5759c76390d133a75aa77f001d2b945d821ef59009d39de45fac19d15e3bd94a628e36a65c826d8039f280

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe

MD5 31b9b36a423ca915fca3f9c9848b90ac
SHA1 b8db13207dda9b2074b0597e10732ae772f63c41
SHA256 ec933d4f6d24a35435154e9bb05755d5493fb7f85212b00b4bbe9e147166c738
SHA512 dcb65c2f534d99defb44c61fc2038a6854244ba2dd2e47c72c3b59213c3ba299f4ea71444db62afb1fcbe23bb550c58d94aef45eae1d0924f7d808dd612389a7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe

MD5 31b9b36a423ca915fca3f9c9848b90ac
SHA1 b8db13207dda9b2074b0597e10732ae772f63c41
SHA256 ec933d4f6d24a35435154e9bb05755d5493fb7f85212b00b4bbe9e147166c738
SHA512 dcb65c2f534d99defb44c61fc2038a6854244ba2dd2e47c72c3b59213c3ba299f4ea71444db62afb1fcbe23bb550c58d94aef45eae1d0924f7d808dd612389a7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4496-161-0x0000000000C60000-0x0000000000C6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe

MD5 eb1e756fcabe7969892940ebc54d1ead
SHA1 f27910803d2e63995fb32b04cf0a8549ae31a9ae
SHA256 db91f71c2676b2b38a4a869bf7d57112af0ca6504ef4f710ffae35d49e2505fe
SHA512 0c9dee39ed0fbf77b3b7dd3c2129294eb8247d23d48d80d1fce9de9c94fb0e5da666a9b4c03291535d100d57b3c6d7ece6f248d1b61f04b931137234bc5a5009

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe

MD5 eb1e756fcabe7969892940ebc54d1ead
SHA1 f27910803d2e63995fb32b04cf0a8549ae31a9ae
SHA256 db91f71c2676b2b38a4a869bf7d57112af0ca6504ef4f710ffae35d49e2505fe
SHA512 0c9dee39ed0fbf77b3b7dd3c2129294eb8247d23d48d80d1fce9de9c94fb0e5da666a9b4c03291535d100d57b3c6d7ece6f248d1b61f04b931137234bc5a5009

memory/1856-167-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/1856-168-0x0000000007130000-0x00000000076D4000-memory.dmp

memory/1856-174-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-178-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-188-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-190-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-196-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-194-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-192-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-186-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-184-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-182-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-180-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-176-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-172-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-170-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-197-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/1856-169-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1856-199-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/1856-198-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/1856-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/1856-202-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/1856-203-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/1856-204-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/1856-205-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe

MD5 97e2deb73ee562336cb217b60425a460
SHA1 a28457059ae50328c2a3baa6bb703b2997f3c771
SHA256 407ea311113aa14282741ee64c72fd2e2e537d9ddae181cf8d6e39defb300651
SHA512 2e9790a732f6f26842a49107b1cc5ad7ad22979f40b85ad7bfeafa0833a90ab669928c2286d183765170767c87551c2c6645862677d085df3b0e09555dd76d73

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe

MD5 97e2deb73ee562336cb217b60425a460
SHA1 a28457059ae50328c2a3baa6bb703b2997f3c771
SHA256 407ea311113aa14282741ee64c72fd2e2e537d9ddae181cf8d6e39defb300651
SHA512 2e9790a732f6f26842a49107b1cc5ad7ad22979f40b85ad7bfeafa0833a90ab669928c2286d183765170767c87551c2c6645862677d085df3b0e09555dd76d73

memory/4744-210-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-211-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-217-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-215-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-213-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-219-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-229-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-231-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-235-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-233-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-237-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-241-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-243-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-239-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-227-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-225-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-223-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-221-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/4744-395-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-397-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-399-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-393-0x0000000002C70000-0x0000000002CBB000-memory.dmp

memory/4744-1120-0x0000000007860000-0x0000000007E78000-memory.dmp

memory/4744-1121-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/4744-1122-0x0000000008040000-0x0000000008052000-memory.dmp

memory/4744-1123-0x0000000008060000-0x000000000809C000-memory.dmp

memory/4744-1124-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-1125-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/4744-1126-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/4744-1128-0x0000000008C10000-0x0000000008DD2000-memory.dmp

memory/4744-1129-0x0000000008DF0000-0x000000000931C000-memory.dmp

memory/4744-1132-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-1131-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-1130-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4744-1134-0x0000000009630000-0x0000000009680000-memory.dmp

memory/4744-1133-0x00000000095B0000-0x0000000009626000-memory.dmp

memory/4744-1136-0x0000000004990000-0x00000000049A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/3824-1141-0x0000000000440000-0x0000000000472000-memory.dmp

memory/3824-1142-0x0000000005060000-0x0000000005070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 056d73be069d88974d2d40c5c61d21b3
SHA1 2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8
SHA256 2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8
SHA512 4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 056d73be069d88974d2d40c5c61d21b3
SHA1 2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8
SHA256 2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8
SHA512 4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 056d73be069d88974d2d40c5c61d21b3
SHA1 2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8
SHA256 2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8
SHA512 4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

memory/5000-1218-0x0000000002C90000-0x0000000002CBE000-memory.dmp

memory/860-1219-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240609796.dll

MD5 098a4aa93e275de54bbc35ae4b981301
SHA1 d03646dc7c63e0784393f74085405c794b8555af
SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

memory/860-1226-0x00000000051E0000-0x00000000051F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 5aeeafe26d1e0441647e0b0d7b880c81
SHA1 45a00f65a99d1cec35bd6a21891ac469a86f451c
SHA256 c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd
SHA512 3e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 8c7576873886d730d55e52070f35fea0
SHA1 cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1
SHA256 06b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa
SHA512 374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

memory/860-1281-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/5000-1287-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/5000-1286-0x0000000002B90000-0x0000000002BAC000-memory.dmp

memory/1828-1291-0x00000000013E0000-0x00000000013FC000-memory.dmp

memory/5000-1293-0x0000000004AC0000-0x0000000005AC0000-memory.dmp

memory/5000-1296-0x0000000002B90000-0x0000000002BAC000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5