Malware Analysis Report

2024-11-15 09:17

Sample ID: 230318-1l7b9sdg97
Target: f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab
SHA256: f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab
Tags: amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab
Threat Level: Known bad

The file f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab was found to be: Known bad.

Malicious Activity Summary

Amadey

Detect rhadamanthys stealer shellcode

Aurora

RedLine

Rhadamanthys

Modifies Windows Defender Real-time Protection settings

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Checks computer location settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2023-03-18 21:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-18 21:45
Reported: 2023-03-18 21:47
Platform: win10v2004-20230220-en
Max time kernel: 106s
Max time network: 141s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A

RedLine

infostealer redline

RedLine payload

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4436 created 2920 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\system32\taskhostw.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry97ia04.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4436 set thread context of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target (duplicate rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69ui89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6500PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69ui89.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6500PU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (duplicate rows collapsed)
PID 3788 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe
PID 3376 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe
PID 1496 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe
PID 4400 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe
PID 4400 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe
PID 1496 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69ui89.exe
PID 3376 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6500PU.exe
PID 3788 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry97ia04.exe
PID 2076 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry97ia04.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4660 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4660 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3112 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3112 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3112 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4660 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4660 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4436 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4436 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\SysWOW64\fontview.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab.exe

"C:\Users\Admin\AppData\Local\Temp\f885473dc3cab098f61e3922a606be67b53deb001f79305fa21a55a39a1718ab.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1060

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69ui89.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69ui89.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3740 -ip 3740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6500PU.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6500PU.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry97ia04.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry97ia04.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 636

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe

MD5 2ee60e64cc0a55432dd3032e6ba3e91a
SHA1 d47cfd8e057174d6bae12a18c6419aeb98dfb743
SHA256 6e2d74a93553fafc8ded76cd9a73d1992ee530670916c800d1cd02f5a5e79250
SHA512 e903f6ef1238fe5ec234f6aa8ccc3cec3d752622881ffd2bf2808ac3b564749e72886124496a19f0519a5aac21a394f1af7683e3466a1269ed80d0ea64d80fe4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8027.exe

MD5 2ee60e64cc0a55432dd3032e6ba3e91a
SHA1 d47cfd8e057174d6bae12a18c6419aeb98dfb743
SHA256 6e2d74a93553fafc8ded76cd9a73d1992ee530670916c800d1cd02f5a5e79250
SHA512 e903f6ef1238fe5ec234f6aa8ccc3cec3d752622881ffd2bf2808ac3b564749e72886124496a19f0519a5aac21a394f1af7683e3466a1269ed80d0ea64d80fe4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe

MD5 81f942b10cc991c38142006cb3e5ae60
SHA1 226f5acfd8be587b028d950753bd2df7c794c12b
SHA256 f018f95d735f4351a2be660c7b5f96c43a73e386af2e746edfedbf68574accaf
SHA512 3396712969c6a38a818f3d4d57938d2742c422170a69d5d6dafedb075055604c3b68b2a56500286fade7a9b77539cf28a55561a2182a5d020dec37db2274a29d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9042.exe

MD5 81f942b10cc991c38142006cb3e5ae60
SHA1 226f5acfd8be587b028d950753bd2df7c794c12b
SHA256 f018f95d735f4351a2be660c7b5f96c43a73e386af2e746edfedbf68574accaf
SHA512 3396712969c6a38a818f3d4d57938d2742c422170a69d5d6dafedb075055604c3b68b2a56500286fade7a9b77539cf28a55561a2182a5d020dec37db2274a29d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe

MD5 cb354026706f1dac82f3fcbb4c012130
SHA1 d1c409729004b788275c65bee88c5dd3331a8783
SHA256 aa29c16f1ae756910dc3a34f47f9f09df8bbb1606fa639606070c67a4563594e
SHA512 3aa58c4806e733a2a5f4e8c23dc40342c58134a9b10799e3fcdfa1d259acb9ec8e4cc50e13e588bbf1e2d6d82738f8643d98b9ea3946158e07ff7658c6613d10

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9702.exe

MD5 cb354026706f1dac82f3fcbb4c012130
SHA1 d1c409729004b788275c65bee88c5dd3331a8783
SHA256 aa29c16f1ae756910dc3a34f47f9f09df8bbb1606fa639606070c67a4563594e
SHA512 3aa58c4806e733a2a5f4e8c23dc40342c58134a9b10799e3fcdfa1d259acb9ec8e4cc50e13e588bbf1e2d6d82738f8643d98b9ea3946158e07ff7658c6613d10

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx3885Sw.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5076-161-0x0000000000610000-0x000000000061A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0715AO.exe

MD5 d71a1bfdf5009ee40726271d3e91b474
SHA1 bf895da86fabaa3646f551727fa6b56637169291
SHA256 e46c9c13265c353796852c087d8d962cb24af721b6ba3f636da58e6e7b762784
SHA512 01ee89edca5a345fa4308c410518c86f31a56e29bf590191b1b1df349592d8eb45e0ffec15b76e2bda7fac70d5e30e0aaad7b50a5d68242ff5619ae4b5265fe5

memory/3696-167-0x0000000002C60000-0x0000000002C8D000-memory.dmp

memory/3696-168-0x0000000007120000-0x0000000007130000-memory.dmp

memory/3696-169-0x0000000007120000-0x0000000007130000-memory.dmp

memory/3696-170-0x0000000007120000-0x0000000007130000-memory.dmp

memory/3696-171-0x0000000007130000-0x00000000076D4000-memory.dmp

memory/3696-172-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-173-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-175-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-177-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-179-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-181-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-183-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-185-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-187-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-189-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-191-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-193-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-195-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-197-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-199-0x0000000007070000-0x0000000007082000-memory.dmp

memory/3696-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/3696-201-0x0000000007120000-0x0000000007130000-memory.dmp

memory/3696-202-0x0000000007120000-0x0000000007130000-memory.dmp

memory/3696-204-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69ui89.exe

MD5 2a23d1fbb469f2863db6b5269074ef9b
SHA1 005261efb9f109caf92e7bba94819f28d7f70083
SHA256 f111b180c370ed3bdd7e906ee65a36f26070c0c0c8e521708057280eb13a37c1
SHA512 09b2b0f97d23427e2d439a259060ac4f741e569c59af36364666627655adf6acf1b9b341ed07cc9473e512d37d3a783608f33b2f83002bb0c42e2bfca3b986a4

memory/3740-209-0x0000000002C90000-0x0000000002CDB000-memory.dmp

memory/3740-210-0x0000000007160000-0x0000000007170000-memory.dmp

memory/3740-212-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-211-0x0000000007160000-0x0000000007170000-memory.dmp

memory/3740-213-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-215-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-217-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-219-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-221-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-223-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-225-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-227-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-229-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-231-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-233-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-237-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-235-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-239-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-241-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-243-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-245-0x00000000070E0000-0x000000000711E000-memory.dmp

memory/3740-1118-0x0000000007860000-0x0000000007E78000-memory.dmp

memory/3740-1119-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/3740-1120-0x0000000008040000-0x0000000008052000-memory.dmp

memory/3740-1121-0x0000000008060000-0x000000000809C000-memory.dmp

memory/3740-1122-0x0000000007160000-0x0000000007170000-memory.dmp

memory/3740-1124-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/3740-1125-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/3740-1126-0x0000000007160000-0x0000000007170000-memory.dmp

memory/3740-1127-0x0000000007160000-0x0000000007170000-memory.dmp

memory/3740-1128-0x0000000007160000-0x0000000007170000-memory.dmp

memory/3740-1129-0x0000000008D50000-0x0000000008F12000-memory.dmp

memory/3740-1130-0x0000000008F30000-0x000000000945C000-memory.dmp

memory/3740-1131-0x00000000096E0000-0x0000000009756000-memory.dmp

memory/3740-1132-0x0000000009760000-0x00000000097B0000-memory.dmp

memory/3740-1133-0x0000000007160000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6500PU.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/4700-1139-0x0000000000A10000-0x0000000000A42000-memory.dmp

memory/4700-1140-0x0000000005280000-0x0000000005290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry97ia04.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

memory/2552-1196-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240607531.dll

MD5 098a4aa93e275de54bbc35ae4b981301
SHA1 d03646dc7c63e0784393f74085405c794b8555af
SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

memory/2552-1203-0x0000000005060000-0x0000000005070000-memory.dmp

memory/2552-1204-0x0000000005060000-0x0000000005070000-memory.dmp

memory/4816-1208-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

memory/4816-1207-0x00000000026E0000-0x00000000026FC000-memory.dmp

memory/4816-1211-0x00000000028A0000-0x00000000038A0000-memory.dmp

memory/4816-1214-0x00000000026E0000-0x00000000026FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
