Malware Analysis Report

2024-11-15 09:17

Sample ID 230318-1w2jrsdh43
Target c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53
SHA256 c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53

Threat Level: Known bad

The file c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Amadey

Rhadamanthys

Aurora

Detect rhadamanthys stealer shellcode

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

RedLine

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-03-18 22:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-18 22:00

Reported

2023-03-18 22:03

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

152s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
4 hits; description, indicator, process and target were not recorded for any of them

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
18 hits; description, indicator, process and target were not recorded for any of them

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 432 created 2848 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\system32\taskhostw.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe N/A
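The Real-Time Protection policy values under Modifies Windows Defender Real-time Protection settings and the Features\TamperProtection rows above are one routine run by both IXP003 droppers; the WOW6432Node copies come from ns8899xV.exe writing through the 32-bit registry view. The Python below is an added example, not part of this report or of any sandbox vendor's code: it parses rows in the report's own "Set value" format, folds both registry views onto one path, and returns per process which Defender protection each write targets. The first five sample rows are copied from the tables; the last one is a constructed, unrelated write that must not fire. The REALTIME_POLICY descriptions are the documented meanings of those Defender policy values. Caveat for triage: with Tamper Protection on (the default on current Windows 10 and 11) Defender ignores these policy values and rejects the TamperProtection=0 write, so a hit records an attempt, not a disabled Defender; on a live host check both views, since the 32-bit one is easy to miss.

```python
import re
from dataclasses import dataclass

# Real-Time Protection policy values written by the sample, and what each disables
# when Defender honours the policy (documented Defender Group Policy / CSP settings).
REALTIME_POLICY = {
    "DisableRealtimeMonitoring": "real-time protection",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
}

# One report row:  Set value (<type>) <key>\<name> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\MACHINE\\.+?)\\(?P<name>[^\\]+)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+)'
)

@dataclass(frozen=True)
class Finding:
    process: str
    view: str      # "native" (64-bit view) or "wow6432" (write went through the redirector)
    value: str
    disables: str

def normalize_key(key):
    """Fold the WOW6432Node view onto the native path so both views compare equal."""
    if "\\WOW6432Node\\" in key:
        return key.replace("\\WOW6432Node", "", 1), "wow6432"
    return key, "native"

def defender_tamper_findings(rows):
    """One Finding per registry write that weakens Defender; all other rows are ignored."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # "Key created" rows and anything not in the Set value format
        key, view = normalize_key(m["key"])
        low, name, data = key.lower(), m["name"], m["data"]
        if (low.endswith(r"\policies\microsoft\windows defender\real-time protection")
                and name in REALTIME_POLICY and data == "1"):
            findings.append(Finding(m["process"], view, name, REALTIME_POLICY[name]))
        elif (low.endswith(r"\microsoft\windows defender\features")
                and name == "TamperProtection" and data == "0"):
            findings.append(Finding(m["process"], view, name,
                                    "Tamper Protection (write is rejected while it is on)"))
    return findings

def by_process(findings):
    """process -> sorted, de-duplicated value names: the per-process verdict."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.value)
    return {p: sorted(v) for p, v in out.items()}

MX = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe"
NS = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe"
# Rows 1-5 are copied from the report; the last one is a constructed, unrelated write.
SAMPLE_ROWS = [
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" {MX} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" {NS} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" {NS} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" {MX} N/A',
    rf'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection {MX} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example = "C:\Example\app.exe" {MX} N/A',
]

if __name__ == "__main__":
    for f in defender_tamper_findings(SAMPLE_ROWS):
        print(f"{f.process.rsplit(chr(92), 1)[-1]:<13} {f.view:<8} {f.value}: disables {f.disables}")
```

Running it lists four findings: two native-view writes by mx0044oA.exe and two redirected writes by ns8899xV.exe; the Key created row and the constructed Run value produce nothing.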

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe N/A

The wextract_cleanupN values are written by the Windows cabinet self-extractor (wextract.exe, the stub IExpress packages use) so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP staging directory at the next logon. Four of them means four nested self-extractor layers (IXP000 through IXP003). They remove the dropper rather than persist a payload; the persistence in this detonation is the every-minute scheduled task for legenda.exe listed under Creates scheduled task(s) and Processes.

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 432 set thread context of 3932 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\fontview.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe 2
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe 48
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe 2
(Description, Indicator and Target were N/A for every hit; the per-hit rows are collapsed to one per process.)

Suspicious use of AdjustPrivilegeToken

Process Privileges enabled
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe SeDebugPrivilege
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe SeDebugPrivilege
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe SeDebugPrivilege
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe SeDebugPrivilege
C:\Windows\SysWOW64\Wbem\wmic.exe (two invocations, identical set each time) SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
C:\Windows\SysWOW64\Wbem\WMIC.exe SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (listing ends here in the report)

The numeric entries are privilege LUIDs the sandbox did not name: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege in its token is what wmic.exe does at start-up, so the wmic rows mean nothing on their own; what matters is that the wmic commands were launched from the dropped svchost.exe and its cmd.exe children under %TEMP% (see Processes). The SeDebugPrivilege rows for the four IXP droppers are the ones worth noting.

Suspicious use of WriteProcessMemory

Parent PID Parent Child PID Child Writes
2056 C:\Users\Admin\AppData\Local\Temp\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe 2356 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe 3
2356 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe 3688 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe 3
3688 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe 3264 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe 3
3264 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe 4716 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe 2
3264 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe 4672 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe 3
3688 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe 2900 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe 3
2356 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe 3664 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe 3
2056 C:\Users\Admin\AppData\Local\Temp\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe 232 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe 3
232 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe 4976 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 3
4976 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 1956 C:\Windows\SysWOW64\schtasks.exe 3
4976 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 4452 C:\Windows\SysWOW64\cmd.exe 3
4452 C:\Windows\SysWOW64\cmd.exe 2120 C:\Windows\SysWOW64\cmd.exe 3
4452 C:\Windows\SysWOW64\cmd.exe 4868 C:\Windows\SysWOW64\cacls.exe 3
4452 C:\Windows\SysWOW64\cmd.exe 3676 C:\Windows\SysWOW64\cacls.exe 3
4452 C:\Windows\SysWOW64\cmd.exe 2344 C:\Windows\SysWOW64\cmd.exe 3
4452 C:\Windows\SysWOW64\cmd.exe 3156 C:\Windows\SysWOW64\cacls.exe 3
4452 C:\Windows\SysWOW64\cmd.exe 4608 C:\Windows\SysWOW64\cacls.exe 3
4976 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 432 C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe 3
4976 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 3312 C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe 3
4976 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 2260 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe 3
3312 C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe 3600 C:\Windows\SysWOW64\Wbem\wmic.exe 3
3312 C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe 1748 C:\Windows\SysWOW64\cmd.exe 2 (listing ends here in the report)

Process tree reconstructed from the rows above (PIDs as reported, paths shortened to the directory under %TEMP%):

2056 c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe
  2356 IXP000.TMP\will9982.exe
    3688 IXP001.TMP\will1130.exe
      3264 IXP002.TMP\will3961.exe
        4716 IXP003.TMP\mx0044oA.exe
        4672 IXP003.TMP\ns8899xV.exe
      2900 IXP002.TMP\py94uY85.exe
    3664 IXP001.TMP\qs5236Nk.exe
  232 IXP000.TMP\ry15Wr00.exe
    4976 f22b669919\legenda.exe
      1956 schtasks.exe
      4452 cmd.exe
        2120 cmd.exe
        4868 cacls.exe
        3676 cacls.exe
        2344 cmd.exe
        3156 cacls.exe
        4608 cacls.exe
      432 1000065001\KMuffPQJRlr6.exe
      3312 1000066001\svchost.exe
        3600 wmic.exe
        1748 cmd.exe
      2260 1000067001\serv.exe
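Sandbox listings like this one record one row per write, so the process tree has to be rebuilt by hand. The Python below is an added example, not part of this report or of any sandbox vendor's tooling: it parses rows in the sandbox's original one-line-per-write format (PID X wrote to memory of Y N/A <parent> <child>), collapses them into unique parent-child edges, renders the tree, counts the IXPnnn.TMP self-extractor layers, and flags the edges an analyst should look at first. The rows under Suspicious use of SetThreadContext and NtCreateUserProcessOtherParentProcess share the PID/path layout, so they are parsed too and tagged inline. The sample rows are a subset of this report's rows (with one of its triplicated writes kept to show the collapse); the LOLBINS set and the user-writable path heuristic are this example's own choices, not anything the sandbox defines.

```python
import re
from collections import defaultdict

# Report rows of the form:  PID <src> <operation> <dst> N/A <src path> <dst path>
EDGE_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of|created) (?P<dst>\d+)'
    r' N/A (?P<src_path>\S+) (?P<dst_path>\S+)'
)
# Signed Windows utilities that droppers drive for persistence, recon and ACL changes (example's choice)
LOLBINS = {"schtasks.exe", "cmd.exe", "cacls.exe", "wmic.exe", "rundll32.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
IXP_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.I)   # wextract (IExpress) staging directories

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def user_writable(path):
    return any(s in path.lower() for s in USER_WRITABLE)

def parse_edges(rows):
    """Collapse the one-row-per-write listing into unique (src, dst) edges with their operation."""
    edges = {}
    for row in rows:
        m = EDGE_RE.match(row.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (m["op"], m["src_path"], m["dst_path"])
    return edges

def build_tree(edges):
    """Return pid -> path, pid -> [(child, op)], and the root pids (never anyone's child)."""
    names, children = {}, defaultdict(list)
    for (src, dst), (op, sp, dp) in edges.items():
        names[src], names[dst] = sp, dp
        children[src].append((dst, op))
    child_pids = {dst for (_, dst) in edges}
    return names, children, sorted(p for p in names if p not in child_pids)

def render(names, children, pid, depth=0, op=None, out=None):
    """ASCII tree; non-spawn operations (hollowing, parent spoofing) are tagged inline."""
    out = [] if out is None else out
    label = f"{pid} {basename(names[pid])}"
    if op and op != "wrote to memory of":
        label += f"  <- {op}"
    out.append("  " * depth + label)
    for child, child_op in children.get(pid, []):
        render(names, children, child, depth + 1, child_op, out)
    return out

def max_depth(children, pid):
    kids = children.get(pid, [])
    return 0 if not kids else 1 + max(max_depth(children, c) for c, _ in kids)

def wextract_layers(names):
    """Distinct IXPnnn.TMP directories: one per nested self-extractor layer."""
    return sorted({m.group(1).upper() for p in names.values() for m in IXP_RE.finditer(p)})

def flags(edges):
    """Edges worth an analyst's attention, with the reason."""
    out = []
    for (src, dst), (op, sp, dp) in edges.items():
        if op == "set thread context of" and not user_writable(dp):
            out.append((src, dst, "dropped file sets the thread context of a signed system binary (hollowing/injection)"))
        elif op == "created":
            out.append((src, dst, "process created under a parent other than the caller (PPID spoofing)"))
        elif user_writable(sp) and basename(dp) in LOLBINS:
            out.append((src, dst, f"{basename(dp)} launched by a file in a user-writable directory"))
    return out

T = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed input: a subset of the report's rows, with one triplicated write kept as a duplicate.
SAMPLE_ROWS = [
    rf"PID 2056 wrote to memory of 2356 N/A {T}\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe {T}\IXP000.TMP\will9982.exe",
    rf"PID 2056 wrote to memory of 2356 N/A {T}\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe {T}\IXP000.TMP\will9982.exe",
    rf"PID 2356 wrote to memory of 3688 N/A {T}\IXP000.TMP\will9982.exe {T}\IXP001.TMP\will1130.exe",
    rf"PID 3688 wrote to memory of 3264 N/A {T}\IXP001.TMP\will1130.exe {T}\IXP002.TMP\will3961.exe",
    rf"PID 3264 wrote to memory of 4716 N/A {T}\IXP002.TMP\will3961.exe {T}\IXP003.TMP\mx0044oA.exe",
    rf"PID 3264 wrote to memory of 4672 N/A {T}\IXP002.TMP\will3961.exe {T}\IXP003.TMP\ns8899xV.exe",
    rf"PID 2056 wrote to memory of 232 N/A {T}\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe {T}\IXP000.TMP\ry15Wr00.exe",
    rf"PID 232 wrote to memory of 4976 N/A {T}\IXP000.TMP\ry15Wr00.exe {T}\f22b669919\legenda.exe",
    rf"PID 4976 wrote to memory of 1956 N/A {T}\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe",
    rf"PID 4976 wrote to memory of 4452 N/A {T}\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe",
    rf"PID 4452 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe",
    rf"PID 4976 wrote to memory of 432 N/A {T}\f22b669919\legenda.exe {T}\1000065001\KMuffPQJRlr6.exe",
    rf"PID 4976 wrote to memory of 3312 N/A {T}\f22b669919\legenda.exe {T}\1000066001\svchost.exe",
    rf"PID 3312 wrote to memory of 3600 N/A {T}\1000066001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe",
    rf"PID 432 set thread context of 3932 N/A {T}\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
    rf"PID 432 created 2848 N/A {T}\1000065001\KMuffPQJRlr6.exe C:\Windows\system32\taskhostw.exe",
]

if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    names, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(names, children, root)))
    print("wextract layers:", wextract_layers(names))
    for src, dst, why in flags(edges):
        print(f"{src} -> {dst}: {why}")
```

On this input the tree has one root (the sample, PID 2056), four IXP layers, and five flagged edges: the SetThreadContext into ngentask.exe, the spoofed-parent creation, and the three LOLBins started from under %TEMP%. The cacls children of cmd.exe are not flagged because their parent lives in SysWOW64; the flag sits on the legenda.exe to cmd.exe edge one level up.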

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe

"C:\Users\Admin\AppData\Local\Temp\c834766cdf35db3a9e64cb71bf9b3af0432ae0ac6f0a215f80bdf71b02be3d53.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4672 -ip 4672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2900 -ip 2900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2260 -ip 2260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 200

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
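The process list above records, as raw command lines, the persistence step (a schtasks.exe task that re-launches legenda.exe every minute from a Temp subdirectory), the self-protection step (CACLS replacing the ACL on the dropped executable and its directory with a deny-all entry for the current user, then re-adding read only), the WMI fingerprinting of OS, GPU and CPU, and a rundll32 load of clip64.dll from the Roaming profile. The following Python is an added example by the editor, not the sandbox's own signature logic and not code from the sample: it runs a handful of detection rules over those command lines (copied from this section) and tags each hit with the ATT&CK technique the editor associates with it. The rule names, thresholds and technique mapping are the editor's assumptions.

```python
"""Detection rules over the command lines recorded in this report.

Added example by the editor, not the sandbox's signature logic. PROCESSES is
copied from the process list above; the rules, their names and the ATT&CK
mapping are the editor's assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# (image path, command line) pairs copied from the report.
PROCESSES = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe '
     r'/TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"'
     r'&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"'
     r'&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "legenda.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic os get Caption"),
    (r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    (r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic cpu get name"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" '
     r'C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 736"),
]

# Directories a standard user can write to: a task or DLL pointing here is a
# much stronger signal than the same command pointing at Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
SCHTASKS_SC = re.compile(r"/SC\s+(\w+)", re.I)
SCHTASKS_MO = re.compile(r"/MO\s+(\d+)", re.I)
SCHTASKS_TR = re.compile(r'/TR\s+"([^"]+)"', re.I)
# CACLS <target> /P <user>:N replaces the ACL with a single deny-all entry.
CACLS_DENY = re.compile(r'\bCACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
WMIC_FINGERPRINT = re.compile(
    r"\bwmic\b.*\b(os get caption|win32_videocontroller|cpu get name)", re.I)
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?"?\s+(\S+?\.dll)\s*,\s*(\w+)', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule name
    technique: str  # ATT&CK technique the editor maps the rule to
    cmdline: str
    detail: str


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def scan_cmdline(cmdline: str) -> list[Finding]:
    """Return every rule hit for one command line (a line can hit several)."""
    hits: list[Finding] = []

    if SCHTASKS_CREATE.search(cmdline):
        tr = SCHTASKS_TR.search(cmdline)
        target = tr.group(1) if tr else ""
        if in_user_writable(target):
            sc = SCHTASKS_SC.search(cmdline)
            mo = SCHTASKS_MO.search(cmdline)
            every = f"every {mo.group(1) if mo else '?'} {sc.group(1) if sc else '?'}"
            hits.append(Finding("schtasks_persistence", "T1053.005", cmdline,
                                f"{every} -> {target}"))

    # finditer: the cmd /k line carries two deny-all CACLS calls in one command.
    for m in CACLS_DENY.finditer(cmdline):
        hits.append(Finding("cacls_deny_self", "T1222.001", cmdline,
                            f'deny-all ACL on "{m.group(1)}" for {m.group(2)}'))

    m = WMIC_FINGERPRINT.search(cmdline)
    if m:
        hits.append(Finding("wmic_discovery", "T1082", cmdline, m.group(1)))

    m = RUNDLL32_DLL.search(cmdline)
    if m and in_user_writable(m.group(1)):
        hits.append(Finding("rundll32_userdir_dll", "T1218.011", cmdline,
                            f"{m.group(1)} export {m.group(2)}"))
    return hits


def scan_processes(processes) -> list[Finding]:
    return [f for _image, cmd in processes for f in scan_cmdline(cmd)]


def summarize(findings) -> dict[str, int]:
    """Hit count per rule, the number a triage view would show."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan_processes(PROCESSES):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
```

The CACLS rule keys on the `:N` (no access) permission rather than on cacls.exe itself, because cacls is common in administration scripts; a deny-all entry set by a process running out of a Temp directory is the part that is rarely legitimate. On a live host the same facts can be checked with `schtasks /Query /TN legenda.exe /V` and `icacls` on the f22b669919 directory.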

Network

Country  Destination          Domain                                                   Proto
US       8.8.8.8:53           76.38.195.152.in-addr.arpa                               udp
US       8.8.8.8:53           123.108.74.40.in-addr.arpa                               udp
IE       20.50.80.209:443     -                                                        tcp
DE       193.233.20.30:4125   -                                                        tcp
NL       84.53.175.11:80      -                                                        tcp
US       8.8.8.8:53           30.20.233.193.in-addr.arpa                               udp
NL       173.223.113.164:443  -                                                        tcp
DE       193.233.20.30:4125   -                                                        tcp
US       8.8.8.8:53           63.13.109.52.in-addr.arpa                                udp
US       8.247.210.254:80     -                                                        tcp
RU       62.204.41.87:80      62.204.41.87                                             tcp
US       8.8.8.8:53           transfer.sh                                              udp
DE       144.76.136.153:443   transfer.sh                                              tcp
US       8.8.8.8:53           87.41.204.62.in-addr.arpa                                udp
US       8.8.8.8:53           153.136.76.144.in-addr.arpa                              udp
US       8.8.8.8:53           234.95.206.23.in-addr.arpa                               udp
US       8.8.8.8:53           19.101.122.92.in-addr.arpa                               udp
NL       173.223.113.131:80   -                                                        tcp
US       204.79.197.203:80    -                                                        tcp
US       8.8.8.8:53           210.81.184.52.in-addr.arpa                               udp
NL       185.246.221.126:80   185.246.221.126                                          tcp
US       8.8.8.8:53           126.221.246.185.in-addr.arpa                             udp
US       8.8.8.8:53           ebfertility.com                                          udp
US       89.190.157.61:80     ebfertility.com                                          tcp
US       8.8.8.8:53           fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh  udp
NL       212.87.204.93:8081   -                                                        tcp
US       8.8.8.8:53           61.157.190.89.in-addr.arpa                               udp
US       8.8.8.8:53           93.204.87.212.in-addr.arpa                               udp
RU       80.85.156.168:20189  -                                                        tcp
US       8.8.8.8:53           168.156.85.80.in-addr.arpa                               udp
US       8.8.8.8:53           160.252.72.23.in-addr.arpa                               udp
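The Network table mixes three kinds of rows: the sample's own TCP connections, the forward DNS queries that preceded some of them (transfer.sh, ebfertility.com and one long random-looking name), and reverse (PTR) lookups of the connected addresses, which the host performs rather than the sample. The Python below is an added example by the editor, not part of the report's tooling: it parses the rows as copied from the table (with or without a Domain value), separates resolver traffic from connections, reverses the PTR names back to the addresses they describe, emits de-duplicated IP:port indicators, and calls out the non-standard ports (4125, 8081 and 20189 in this run). The resolver address is taken from the table; the "expected ports" allow-list is an assumption.

```python
"""Network IOCs from the report's Network table.

Added example by the editor, not part of the report. NETWORK_TABLE is copied
from the table above; RESOLVER and EXPECTED_PORTS are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

NETWORK_TABLE = """\
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
IE 20.50.80.209:443 tcp
DE 193.233.20.30:4125 tcp
NL 84.53.175.11:80 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
NL 173.223.113.164:443 tcp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.247.210.254:80 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 234.95.206.23.in-addr.arpa udp
US 8.8.8.8:53 19.101.122.92.in-addr.arpa udp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
US 8.8.8.8:53 fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh udp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
RU 80.85.156.168:20189 tcp
US 8.8.8.8:53 168.156.85.80.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
"""

RESOLVER = ("8.8.8.8", 53)   # the DNS server every lookup in the table went to
EXPECTED_PORTS = {80, 443}   # assumption: other ports deserve a closer look


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_table(text: str) -> list[Row]:
    """Rows are 'Country Destination [Domain] Proto'; Domain may be missing or '-'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or ":" not in parts[1]:
            continue  # header or blank line
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def is_resolver_traffic(r: Row) -> bool:
    return (r.ip, r.port) == RESOLVER and r.proto == "udp"


def ptr_to_ip(name: str) -> str | None:
    """'30.20.233.193.in-addr.arpa' -> '193.233.20.30'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def queried_names(rows) -> list[str]:
    """Forward lookups the sample made; PTR lookups are the host's, not the sample's."""
    return [r.domain for r in rows
            if is_resolver_traffic(r) and r.domain and ptr_to_ip(r.domain) is None]


def ptr_targets(rows) -> set[str]:
    """Addresses that were reverse-resolved; they mirror the TCP destinations."""
    out = set()
    for r in rows:
        if is_resolver_traffic(r) and r.domain:
            ip = ptr_to_ip(r.domain)
            if ip is not None:
                out.add(ip)
    return out


def connection_iocs(rows) -> list[Row]:
    """Unique (ip, port) destinations, resolver traffic dropped, first hit kept."""
    seen: dict[tuple[str, int], Row] = {}
    for r in rows:
        if not is_resolver_traffic(r):
            seen.setdefault((r.ip, r.port), r)
    return list(seen.values())


def unusual_ports(iocs) -> list[Row]:
    return [r for r in iocs if r.port not in EXPECTED_PORTS]
```

Running `connection_iocs(parse_table(NETWORK_TABLE))` yields 13 distinct destinations from the 31 rows (193.233.20.30:4125 is contacted twice). Which of those 13 are attacker infrastructure rather than Windows background traffic is not something the table alone settles, so compare the list against a clean-run baseline from the same sandbox before turning it into block rules; the three non-standard-port destinations and the hosts reached right after a forward lookup are the natural starting points.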

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe

MD5 9a68fd133571ef5742a66e57395cf557
SHA1 d2096f59828337d982cdbdf0f3599973be41c0e7
SHA256 dadfd6efd877259d6678a1791b96731f5e8f9fc4c7610d892c4155486539b0ff
SHA512 97d3f9155aafd38eb5c4d09caf88c75e792e3ff97fb855a2d00469bd3f040227e9c8e5995699474ac98169eacb68ffe6cf1b297a2088631dc47425bb89217d63

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9982.exe

MD5 9a68fd133571ef5742a66e57395cf557
SHA1 d2096f59828337d982cdbdf0f3599973be41c0e7
SHA256 dadfd6efd877259d6678a1791b96731f5e8f9fc4c7610d892c4155486539b0ff
SHA512 97d3f9155aafd38eb5c4d09caf88c75e792e3ff97fb855a2d00469bd3f040227e9c8e5995699474ac98169eacb68ffe6cf1b297a2088631dc47425bb89217d63

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe

MD5 58781e6086b090efe4fb8f81855c9661
SHA1 c6483602829b64169014bad84dc9a76c8ef471fc
SHA256 ef60fa4eb810b723f56efa7e2d20225975284286415e39616ec93c1d30053961
SHA512 c10dcaaeb0640104b04c5171afab3c7c27a17df250489ed243793fcf75bd9d1a5f19e88f53da4c58d203268cbf1f27747db3fa73bddac3be591ed0aaa4d2be75

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1130.exe

MD5 58781e6086b090efe4fb8f81855c9661
SHA1 c6483602829b64169014bad84dc9a76c8ef471fc
SHA256 ef60fa4eb810b723f56efa7e2d20225975284286415e39616ec93c1d30053961
SHA512 c10dcaaeb0640104b04c5171afab3c7c27a17df250489ed243793fcf75bd9d1a5f19e88f53da4c58d203268cbf1f27747db3fa73bddac3be591ed0aaa4d2be75

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe

MD5 a36b0d794f31806e572e4789abfc9198
SHA1 456f70d977608384219fa228d8ec83bb5fcd2e43
SHA256 8a60b11fd9006b740a40813eb6d4cc0c3abdd581594c8af2a1f4ecb873b0ac31
SHA512 e54aca883568036f0e1a3edb6408a04019034c166bd2db90d0e64e156a302ad1c1cabc6ceb55c9fe0c6080e2d88bfedefd1b74bcf920a786785ce1f58bfb29c4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3961.exe

MD5 a36b0d794f31806e572e4789abfc9198
SHA1 456f70d977608384219fa228d8ec83bb5fcd2e43
SHA256 8a60b11fd9006b740a40813eb6d4cc0c3abdd581594c8af2a1f4ecb873b0ac31
SHA512 e54aca883568036f0e1a3edb6408a04019034c166bd2db90d0e64e156a302ad1c1cabc6ceb55c9fe0c6080e2d88bfedefd1b74bcf920a786785ce1f58bfb29c4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx0044oA.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4716-161-0x00000000004B0000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe

MD5 fc2c0e6240ee394dd397c37864ca61a7
SHA1 c14df694b1616b704e1f377c55bf2bea99c7dcac
SHA256 2d00af943f2a3c6ec70e7c62d67809547bab95cb4f87c37a6bfacd0c5908766e
SHA512 47c13d8bc8deae8391ac56903a7be80b298179246892141d9f6aaa453b337ad4fe7dfadc9939f73e51713d01874690c8c108fdc030e3eba01478bc0610519fad

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8899xV.exe

MD5 fc2c0e6240ee394dd397c37864ca61a7
SHA1 c14df694b1616b704e1f377c55bf2bea99c7dcac
SHA256 2d00af943f2a3c6ec70e7c62d67809547bab95cb4f87c37a6bfacd0c5908766e
SHA512 47c13d8bc8deae8391ac56903a7be80b298179246892141d9f6aaa453b337ad4fe7dfadc9939f73e51713d01874690c8c108fdc030e3eba01478bc0610519fad

memory/4672-167-0x0000000002D70000-0x0000000002D9D000-memory.dmp

memory/4672-168-0x0000000007160000-0x0000000007704000-memory.dmp

memory/4672-170-0x0000000007150000-0x0000000007160000-memory.dmp

memory/4672-171-0x0000000007150000-0x0000000007160000-memory.dmp

memory/4672-169-0x0000000007150000-0x0000000007160000-memory.dmp

memory/4672-172-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-173-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-175-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-177-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-179-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-181-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-183-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-185-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-187-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-189-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-191-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-193-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-195-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-197-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-199-0x0000000007070000-0x0000000007082000-memory.dmp

memory/4672-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/4672-202-0x0000000007150000-0x0000000007160000-memory.dmp

memory/4672-203-0x0000000007150000-0x0000000007160000-memory.dmp

memory/4672-204-0x0000000007150000-0x0000000007160000-memory.dmp

memory/4672-205-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe

MD5 68af9adac1caadbff356d1bd5d1f93f7
SHA1 114d45e177ff00ce928650285e38258e8f7781c2
SHA256 ed11e71f04d9c54e6ea75d7ecc51eb9c9946b7d45b0037498a1501b9d9966d95
SHA512 3b1655fd8e87c10c04c981b930155d128f76e3d6b9ebe0f9402d6cde4c2f4cb2189f28dcc684c7032c8f87ac0525eba42885c7eb26e016d1081b1f8c834a46e9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py94uY85.exe

MD5 68af9adac1caadbff356d1bd5d1f93f7
SHA1 114d45e177ff00ce928650285e38258e8f7781c2
SHA256 ed11e71f04d9c54e6ea75d7ecc51eb9c9946b7d45b0037498a1501b9d9966d95
SHA512 3b1655fd8e87c10c04c981b930155d128f76e3d6b9ebe0f9402d6cde4c2f4cb2189f28dcc684c7032c8f87ac0525eba42885c7eb26e016d1081b1f8c834a46e9

memory/2900-210-0x00000000047C0000-0x000000000480B000-memory.dmp

memory/2900-212-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-211-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-214-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-213-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-216-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-218-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-220-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-222-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-224-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-226-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-228-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-230-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-232-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-234-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-236-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-238-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-240-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-242-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-244-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-245-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-247-0x00000000070C0000-0x00000000070FE000-memory.dmp

memory/2900-1120-0x00000000078A0000-0x0000000007EB8000-memory.dmp

memory/2900-1121-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/2900-1122-0x0000000008040000-0x0000000008052000-memory.dmp

memory/2900-1123-0x0000000008060000-0x000000000809C000-memory.dmp

memory/2900-1124-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-1126-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-1127-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-1128-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/2900-1129-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/2900-1130-0x0000000008C10000-0x0000000008DD2000-memory.dmp

memory/2900-1131-0x0000000008DF0000-0x000000000931C000-memory.dmp

memory/2900-1132-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2900-1133-0x00000000095A0000-0x0000000009616000-memory.dmp

memory/2900-1134-0x0000000009630000-0x0000000009680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5236Nk.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/3664-1140-0x0000000000AF0000-0x0000000000B22000-memory.dmp

memory/3664-1141-0x00000000053D0000-0x00000000053E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry15Wr00.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 056d73be069d88974d2d40c5c61d21b3
SHA1 2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8
SHA256 2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8
SHA512 4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 056d73be069d88974d2d40c5c61d21b3
SHA1 2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8
SHA256 2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8
SHA512 4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 056d73be069d88974d2d40c5c61d21b3
SHA1 2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8
SHA256 2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8
SHA512 4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

memory/2260-1215-0x0000000002BB0000-0x0000000002BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 53bf804f75123ed2339305be1d298398
SHA1 33a337e3e219da8ecd237b44fbcaf4864124a012
SHA256 7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8
SHA512 7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 b2446d155f77cf70a33bb0c25172fa3f
SHA1 c20d68dad9e872b4607a5677c4851f863c28daf7
SHA256 0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb
SHA512 5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654

memory/3932-1268-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240658390.dll

MD5 098a4aa93e275de54bbc35ae4b981301
SHA1 d03646dc7c63e0784393f74085405c794b8555af
SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

memory/3932-1278-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/3932-1281-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/2260-1288-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2260-1287-0x0000000002BE0000-0x0000000002BFC000-memory.dmp

memory/2260-1289-0x0000000004A10000-0x0000000005A10000-memory.dmp

memory/2260-1292-0x0000000002BE0000-0x0000000002BFC000-memory.dmp

memory/3756-1295-0x0000000001330000-0x000000000134C000-memory.dmp

memory/3756-1296-0x0000000002D40000-0x0000000003D40000-memory.dmp

memory/3756-1299-0x0000000001330000-0x000000000134C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5