Malware Analysis Report

2024-11-15 09:17

Sample ID 230318-29qj4agb8s
Target f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2
SHA256 f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2

Threat Level: Known bad

The file f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2 was found to be: Known bad.

Malicious Activity Summary

Amadey

Rhadamanthys

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

Aurora

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-18 23:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-18 23:17

Reported

2023-03-18 23:19

Platform

win10-20230220-en

Max time kernel

98s

Max time network

145s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A

RedLine

infostealer redline

RedLine payload

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5000 created 3044 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe c:\windows\system32\taskhostw.exe

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5000 set thread context of 5040 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe
PID 3012 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe
PID 4068 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe
PID 3444 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe
PID 3444 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe
PID 4068 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe
PID 3012 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe
PID 2572 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe
PID 4656 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4840 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4840 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4744 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4744 wrote to memory of 4800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4744 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4840 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4840 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4840 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 5000 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Processes

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe

"C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SYSWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 784

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe

MD5 9bf44609f0414e6c7aa8b4f52a598aa7
SHA1 4756c4789573d29cdc5ea6cadf0a5791d8aa8e2f
SHA256 710192c3bc3a34eb8a2747edb269c3b1d1f582a0cfa1669dd999b1f7db7a345e
SHA512 509bd38f859be11aa943fbac8fb5ad14c0a669345a23ed5c4400fb5b7021c469d4a876e5c8d4eaba16e3b734e76a62a5766b9797cf3a0e9b338aabc241aa6af9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

\Users\Admin\AppData\Local\Temp\240636500.dll

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
