Malware Analysis Report

2024-11-15 09:17

Sample ID 230318-1jwsrafh8y
Target aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0
SHA256 aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0

Threat Level: Known bad

The file aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Amadey

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Detect rhadamanthys stealer shellcode

Aurora

RedLine payload

Downloads MZ/PE file

Windows security modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-18 21:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-18 21:41

Reported

2023-03-18 21:43

Platform

win10v2004-20230221-en

Max time kernel

107s

Max time network

140s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target Events
N/A N/A N/A N/A 2

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target Events
N/A N/A N/A N/A 18

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1388 created 2620 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\system32\taskhostw.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
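The two Defender tables in this report (the Real-Time Protection policy values above and the Features\TamperProtection value here) are the kind of rows an analyst wants to triage automatically. The script below is an added example, not code from the report or from any sandbox product: it parses "Set value" rows in the shape this report uses, keeps only the Defender values written with their "disabled" data, and records whether the write went through the WOW6432Node view. The row format, the value-to-effect mapping and the Tamper Protection caveat are my assumptions; the sample rows are copied from this report's tables.

```python
"""Flag Windows Defender tampering in sandbox registry events.

Added example, not part of this report or of any sandbox product: it parses
'Set value' rows in the shape this report uses and states what each Defender
value changes.  Sample rows are copied from the report, plus one RunOnce row.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Defender values the loader flips: (data that disables the feature, effect).
# Caveat, assumed about the victim host rather than shown by the report: with
# Tamper Protection on, Defender rejects all of these writes, so a 'Set value'
# event is evidence of intent, not of success.
DEFENDER_VALUES = {
    "DisableRealtimeMonitoring": ("1", "real-time protection off"),
    "DisableBehaviorMonitoring": ("1", "behaviour monitoring off"),
    "DisableOnAccessProtection": ("1", "no scan when files are opened or run"),
    "DisableIOAVProtection": ("1", "no scan of downloads and attachments"),
    "DisableScanOnRealtimeEnable": ("1", "no catch-up scan after RTP is re-enabled"),
    "TamperProtection": ("0", "Tamper Protection flagged off"),
}

# Row shape: Set value (<type>) <key path>\<name> = "<data>" <process> <target>
SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*?)" (\S+) (\S+)$')


@dataclass(frozen=True)
class Finding:
    process: str      # image name that performed the write
    name: str         # registry value name
    data: str         # data written
    effect: str       # plain-language consequence
    policy: bool      # under HKLM\SOFTWARE\Policies (the Group Policy path)
    wow64_view: bool  # written under WOW6432Node (the 32-bit registry view)


def parse_set_value(line):
    """Return (key, name, data, process) for a 'Set value' row, else None."""
    m = SET_VALUE.match(line.strip())
    if not m:
        return None
    _vtype, path, data, process, _target = m.groups()
    key, _, name = path.rpartition("\\")
    return key, name, data, process


def find_defender_tampering(lines):
    """One Finding per Defender value written with its 'disabled' data."""
    findings = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue
        key, name, data, process = parsed
        if "\\Windows Defender\\" not in key or name not in DEFENDER_VALUES:
            continue
        bad_data, effect = DEFENDER_VALUES[name]
        if data == bad_data:
            findings.append(Finding(
                process=process.rsplit("\\", 1)[-1], name=name, data=data,
                effect=effect, policy="\\Policies\\" in key,
                wow64_view="\\WOW6432Node\\" in key))
    return findings


def summarize(findings):
    """Map each process image name to the sorted list of values it disabled."""
    by_proc = defaultdict(set)
    for f in findings:
        by_proc[f.process].add(f.name)
    return {proc: sorted(names) for proc, names in by_proc.items()}


# Constructed input: rows copied from this report's two Defender tables, plus
# its first RunOnce row as a benign control that must not be flagged.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_ROWS):
        view = "WOW6432Node" if f.wow64_view else "native"
        print(f"{f.process}: {f.name}={f.data} [{view}] -> {f.effect}")
```

Run against the report's rows, both mx9846Fz.exe and ns9895Ro.exe come out with the same six values, ns9895Ro.exe entirely through the WOW6432Node view. Whether a redirected 32-bit write is what the 64-bit Defender service actually reads, and whether Tamper Protection was on in the sandbox image, are not answered by the report; treat the findings as intent and confirm the live state on a real host with Get-MpPreference and Get-MpComputerStatus.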

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target Events
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A 3

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1388 set thread context of 2456 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\fontview.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A 48
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4284 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe 3
PID 4292 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe 3
PID 3136 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe 3
PID 4620 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe 2
PID 4620 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe 3
PID 3136 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe 3
PID 4292 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe 3
PID 4284 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe 3
PID 3088 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 3
PID 444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 444 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3960 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3960 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 3960 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 3960 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3960 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 3960 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 444 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe 3
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe 3
PID 1388 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe 5
PID 1388 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\SysWOW64\fontview.exe 3
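The WriteProcessMemory table is the quickest route to the drop chain, because every parent writes into each child it starts and the sandbox logs each write as a row. The script below is an added example, not code from the report or from any sandbox product: it folds the rows into (parent, child, write count) edges, finds the root, and prints the tree with the number of writes each child received. The row format is assumed from this report's table; the sample edges are a subset of the report's rows rebuilt with the same repetition counts.

```python
"""Rebuild the process tree from the WriteProcessMemory rows.

Added example, not part of this report: the sandbox logs every write a
parent makes into a new child, so each parent/child pair appears several
times.  Folding the rows into (parent, child, write count) edges gives the
drop chain directly.  The sample edges are taken from the report's table.
"""
import re
from collections import Counter, defaultdict

# Row shape: PID <p> wrote to memory of <c> <indicator> <parent image> <child image>
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(lines):
    """Return ({parent: Counter({child: writes})}, {pid: image path})."""
    edges = defaultdict(Counter)
    image = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        parent, child, parent_img, child_img = m.groups()
        parent, child = int(parent), int(child)
        edges[parent][child] += 1
        image.setdefault(parent, parent_img)
        image.setdefault(child, child_img)
    return edges, image


def roots(edges):
    """PIDs that write into others but were never written into: tree roots."""
    children = {c for kids in edges.values() for c in kids}
    return sorted(p for p in edges if p not in children)


def path_to(edges, start, target):
    """Ancestry chain from start down to target, or None if unreachable."""
    if start == target:
        return [start]
    for child in edges.get(start, {}):
        rest = path_to(edges, child, target)
        if rest:
            return [start] + rest
    return None


def render(edges, image, pid, depth=0):
    """Indented listing; each child carries the number of writes it received."""
    name = image[pid].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{name} ({pid})"]
    for child, writes in sorted(edges.get(pid, {}).items()):
        sub = render(edges, image, child, depth + 1)
        sub[0] += f" [{writes} writes]"
        lines.extend(sub)
    return lines


# Constructed input: a subset of the report's rows, rebuilt from (parent,
# child, writes) triples so each row repeats as often as it does in the report.
T = r"C:\Users\Admin\AppData\Local\Temp"
IMAGE = {
    4284: T + r"\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe",
    4292: T + r"\IXP000.TMP\will3637.exe",
    3136: T + r"\IXP001.TMP\will2219.exe",
    4620: T + r"\IXP002.TMP\will0579.exe",
    2156: T + r"\IXP003.TMP\mx9846Fz.exe",
    1908: T + r"\IXP003.TMP\ns9895Ro.exe",
    3088: T + r"\IXP000.TMP\ry83vJ95.exe",
    444: T + r"\f22b669919\legenda.exe",
    2708: r"C:\Windows\SysWOW64\schtasks.exe",
    1388: T + r"\1000065001\KMuffPQJRlr6.exe",
    2456: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
    4472: r"C:\Windows\SysWOW64\fontview.exe",
}
EDGES = [(4284, 4292, 3), (4292, 3136, 3), (3136, 4620, 3), (4620, 2156, 2),
         (4620, 1908, 3), (4284, 3088, 3), (3088, 444, 3), (444, 2708, 3),
         (444, 1388, 3), (1388, 2456, 5), (1388, 4472, 3)]
SAMPLE_ROWS = [
    f"PID {p} wrote to memory of {c} N/A {IMAGE[p]} {IMAGE[c]}"
    for p, c, n in EDGES for _ in range(n)
]

if __name__ == "__main__":
    edges, image = parse_rows(SAMPLE_ROWS)
    for root in roots(edges):
        print("\n".join(render(edges, image, root)))
```

The write count is worth keeping in the output: in this report every ordinary child receives two or three writes, while ngentask.exe (2456) receives five from KMuffPQJRlr6.exe (1388), the same pair named in the "Suspicious use of SetThreadContext" row, which is the combination to look at first when hunting for the hollowed process.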

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe

"C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1312

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.192.144.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
DE 193.233.20.30:4125 - tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 20.189.173.6:443 - tcp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
DE 193.233.20.30:4125 - tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 234.95.206.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
US 8.8.8.8:53 fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh udp
NL 212.87.204.93:8081 - tcp
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
RU 80.85.156.168:20189 - tcp
US 8.8.8.8:53 168.156.85.80.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe

MD5 31043375de02867b4aa7b463e03b208b
SHA1 995817f616ed36454ac599972f9aeb5ab78b527b
SHA256 87da24875b20fdddcfa17ac87dc9466f8df1a2114d4300119895915e1ac917e0
SHA512 b5faea84dc1cc75af3ab06c0f3f68df8b0d86d5e9cc3b1add251bb217ebc1ccd9104c302cef8f4c191d8ffc036cd8ff81be5435ffb57f25ac860ab93c1bb5414

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe

MD5 a322e2c74393f62ddc83481852841ce4
SHA1 504f86eb696128a761bdbe4a02d161b615798b3a
SHA256 db2ae494ad5ebe803bc8337c70f78810408f1748cbab711bd010a543fd3e0279
SHA512 1d14c1a2e5d3d382aff8963312f611bf61657c1186b627641cb1cc324daaf9a6024fa8a2f2752b133dd4b76a6e33906e3f08e44a36dee4683a892d3c4f0349b2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe

MD5 e6484b0faf3acec4f90dae38af51d220
SHA1 f60f6c8172e849468a813a2f8a429496ecdbd760
SHA256 643e4c5ee272a26038a0f505025d2149a6f7343c4ddd933c465617871c6a89ae
SHA512 b5afe33ae9450c9a08dfb108d464a2d13b76611f081675036f4265ae054cad56a4b1e6aa52d3e4c82287a0435e15525e6179e742be16e085e8a679df18f26872

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2156-161-0x00000000008E0000-0x00000000008EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe

MD5 02f7997c083388579222546f4d0a121a
SHA1 670fa35ae642eead02ace76f948f5d4387460cfa
SHA256 3c2c908bcd780a3701a2afe69e282958d1c6d8cb408acaa47af9b5fbfeedb7fc
SHA512 076a0ecd8f8a32fa1307cba03d71129b3ab6f1ffefb20ecbd739e7932b6886bc16e90da813b01d23a5086c220a100fc8aa723449d7aacd176bec9247c058302b

memory/1908-167-0x0000000004760000-0x000000000478D000-memory.dmp

memory/1908-168-0x0000000007160000-0x0000000007704000-memory.dmp

memory/1908-169-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-170-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-172-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-174-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-176-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-178-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-180-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-182-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-184-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-186-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-188-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-190-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-192-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-194-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-196-0x0000000007070000-0x0000000007082000-memory.dmp

memory/1908-198-0x0000000007150000-0x0000000007160000-memory.dmp

memory/1908-197-0x0000000007150000-0x0000000007160000-memory.dmp

memory/1908-199-0x0000000007150000-0x0000000007160000-memory.dmp

memory/1908-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/1908-202-0x0000000007150000-0x0000000007160000-memory.dmp

memory/1908-203-0x0000000007150000-0x0000000007160000-memory.dmp

memory/1908-204-0x0000000007150000-0x0000000007160000-memory.dmp

memory/1908-205-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe

MD5 63dcda13c6b7020f7b7f5ae86805e147
SHA1 f30f082bbe2d5847c04a0abb1186eb6946c9c8a1
SHA256 029a5e35b849959de4134307fd5c309a5348354491774b8120bf1d7d98afd7b6
SHA512 33553a064493b8d278657ad75f6acbd036738f500af1f3ed4c2d6dd62d44b7741fb6637264ebd1ab0a0076dbb1b69dfa356aa82f3c4cb2bbf237aee506c1fa2b

memory/4900-210-0x0000000002F30000-0x0000000002F7B000-memory.dmp

memory/4900-214-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-213-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-215-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-217-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-212-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-211-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-219-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-221-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-223-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-225-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-227-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-229-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-231-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-233-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-235-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-237-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-239-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-241-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-243-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-247-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-245-0x0000000004D70000-0x0000000004DAE000-memory.dmp

memory/4900-1120-0x0000000007930000-0x0000000007F48000-memory.dmp

memory/4900-1121-0x0000000007F50000-0x000000000805A000-memory.dmp

memory/4900-1122-0x0000000007250000-0x0000000007262000-memory.dmp

memory/4900-1123-0x0000000008060000-0x000000000809C000-memory.dmp

memory/4900-1124-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-1125-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/4900-1127-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/4900-1128-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-1129-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-1130-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-1131-0x0000000008C10000-0x0000000008DD2000-memory.dmp

memory/4900-1132-0x0000000008DF0000-0x000000000931C000-memory.dmp

memory/4900-1133-0x0000000007270000-0x0000000007280000-memory.dmp

memory/4900-1134-0x000000000A720000-0x000000000A796000-memory.dmp

memory/4900-1135-0x000000000A7B0000-0x000000000A800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/636-1141-0x0000000000040000-0x0000000000072000-memory.dmp

memory/636-1142-0x0000000004C00000-0x0000000004C10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

memory/2456-1198-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240611687.dll

MD5 098a4aa93e275de54bbc35ae4b981301
SHA1 d03646dc7c63e0784393f74085405c794b8555af
SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

memory/2456-1205-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/2456-1206-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/4472-1211-0x0000000002A00000-0x0000000002A1C000-memory.dmp

memory/4472-1212-0x00000000029E0000-0x00000000029E2000-memory.dmp

memory/4472-1213-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

memory/4472-1216-0x0000000002A00000-0x0000000002A1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
