Malware Analysis Report

2024-11-15 09:17

Sample ID 230318-2f5rxsgb3t
Target bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d
SHA256 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d

Threat Level: Known bad

The file bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Detect rhadamanthys stealer shellcode

RedLine payload

Aurora

RedLine

Amadey

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-18 22:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-18 22:32

Reported

2023-03-18 22:35

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

129s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4988 created 2592 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\system32\taskhostw.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
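The two tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") record the same tampering twice: once from a 32-bit writer (ns0448EK.exe, whose writes land under WOW6432Node) and once from a 64-bit one (mx6026Th.exe). The script below is an added example, not part of the sandbox output: it parses rows in the report's own format, folds the WOW6432Node redirection so both writers map onto one policy path, and labels each write. SAMPLE_ROWS is a constructed subset of the rows above; the label names are this example's own.

```python
"""Classify the Windows Defender registry writes recorded in the report's
signature tables.  Added example, not part of the sandbox output: the row
format is the report's own, SAMPLE_ROWS is a constructed subset of its rows,
and the finding labels are this example's naming."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# One signature-table row: "<op> <registry path>[ = "<data>"] <image> <target>"
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<image>\S+) (?P<target>\S+)$'
)

RTP_KEY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
FEATURES_KEY = r'HKLM\SOFTWARE\Microsoft\Windows Defender\Features'

# Real-Time Protection policy values; any of them set to 1 turns a component off.
RTP_DISABLE_VALUES = {
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
    'DisableOnAccessProtection', 'DisableIOAVProtection',
    'DisableScanOnRealtimeEnable',
}


class Finding(NamedTuple):
    image: str   # basename of the writing process
    label: str   # what the write means
    key: str     # normalised key


def normalise_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE to HKLM and fold the WOW6432Node redirection so a
    32-bit writer and a 64-bit writer resolve to the same policy path."""
    p = re.sub(r'^\\REGISTRY\\MACHINE\\', 'HKLM\\\\', path, flags=re.I)
    return re.sub(r'\\WOW6432Node\\', '\\\\', p, flags=re.I)


def classify_row(row: str) -> Optional[Finding]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    image = m['image'].rsplit('\\', 1)[-1]
    path = normalise_key(m['path'])
    if m['op'] == 'Key created':
        key, value = path, None
    else:
        key, _, value = path.rpartition('\\')
    if key.lower() == RTP_KEY.lower():
        if value is None:
            return Finding(image, 'rtp_policy_key_created', key)
        if value in RTP_DISABLE_VALUES and m['data'] == '1':
            return Finding(image, f'rtp_disabled:{value}', key)
    if key.lower() == FEATURES_KEY.lower() and value == 'TamperProtection' and m['data'] == '0':
        return Finding(image, 'tamper_protection_off', key)
    return None


def summarise(rows: List[str]) -> Dict[str, List[str]]:
    """Per writing process, the sorted set of finding labels."""
    out: Dict[str, set] = defaultdict(set)
    for row in rows:
        f = classify_row(row)
        if f:
            out[f.image].add(f.label)
    return {img: sorted(labels) for img, labels in out.items()}


# Constructed subset of the rows in the report's two Defender tables.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A',
]

if __name__ == '__main__':
    for image, labels in summarise(SAMPLE_ROWS).items():
        print(image, labels)
```

Two caveats when reading these rows: with Tamper Protection enabled, Defender ignores the Real-Time Protection policy values and protects the Features\TamperProtection value, so the writes only take effect on hosts where it is already off; and HKLM writes are denied to a standard-user token, so if they succeeded the sample was running elevated in the sandbox.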

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Note: the wextract_cleanupN RunOnce values below are written by the Win32 cabinet self-extractor (wextract/IExpress) that unpacks each IXP00N.TMP stage; they invoke advpack.dll,DelNodeRunDLL32 to delete that temp directory at the next logon and are an artifact of the four nested extractors, not persistence for the payloads. The persistence that matters in this run is the per-minute scheduled task for legenda.exe (see "Creates scheduled task(s)" and the schtasks command line under Processes).
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of SetThreadContext

Note: read this row together with the five "PID 4988 wrote to memory of 4548" rows under "Suspicious use of WriteProcessMemory": KMuffPQJRlr6.exe writes into ngentask.exe (PID 4548) and then redirects one of its threads, the write-then-redirect sequence by which a payload is run under a borrowed image name. ngentask.exe is a legitimate .NET Framework binary, so its image name says nothing about what is executing inside it.

Description Indicator Process Target
PID 4988 set thread context of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Note: reading HardwareID under Enum\SCSI is a common virtualisation check; the value carries the disk vendor and product strings, which in many analysis environments contain VMware, VBOX or QEMU. The emulated disk in this run reports Ven_DADY Prod_HARDDISK.

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: the SeDebugPrivilege rows for the four stage binaries dropped in the IXP00N.TMP directories are the meaningful ones. The long runs attributed to wmic.exe/WMIC.exe are the WMI command-line client enabling every privilege in its token at startup, which it does for any query; they are a by-product of the three wmic discovery commands listed under Processes, not a separate escalation attempt.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe
PID 2676 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe
PID 2676 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe
PID 2140 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe
PID 2140 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe
PID 2140 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe
PID 2452 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe
PID 2452 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe
PID 2452 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe
PID 2500 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe
PID 2500 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe
PID 2500 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe
PID 2500 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe
PID 2500 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe
PID 2452 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe
PID 2452 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe
PID 2452 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe
PID 2140 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe
PID 2140 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe
PID 2140 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe
PID 2676 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
PID 2676 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
PID 2676 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
PID 2884 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2884 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2884 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1524 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1524 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 1524 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 1524 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 1524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 1524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 1524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 1524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 1524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 1524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 4988 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4988 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4988 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4988 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4988 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe

"C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1952

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 692

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country  Destination            Domain                                                    Proto
US       8.8.8.8:53             133.211.185.52.in-addr.arpa                               udp
US       8.8.8.8:53             11.175.53.84.in-addr.arpa                                 udp
US       8.8.8.8:53             134.17.126.40.in-addr.arpa                                udp
US       8.8.8.8:53             161.252.72.23.in-addr.arpa                                udp
US       8.8.8.8:53             138.32.126.40.in-addr.arpa                                udp
DE       193.233.20.30:4125                                                               tcp
US       8.8.8.8:53             30.20.233.193.in-addr.arpa                                udp
US       20.189.173.4:443                                                                 tcp
DE       193.233.20.30:4125                                                               tcp
US       117.18.237.29:80                                                                 tcp
US       209.197.3.8:80                                                                   tcp
US       209.197.3.8:80                                                                   tcp
US       209.197.3.8:80                                                                   tcp
NL       173.223.113.164:443                                                              tcp
RU       62.204.41.87:80        62.204.41.87                                              tcp
NL       173.223.113.131:80                                                               tcp
US       204.79.197.203:80                                                                tcp
US       8.8.8.8:53             transfer.sh                                               udp
DE       144.76.136.153:443     transfer.sh                                               tcp
US       8.8.8.8:53             87.41.204.62.in-addr.arpa                                 udp
US       8.8.8.8:53             153.136.76.144.in-addr.arpa                               udp
US       8.8.8.8:53             234.95.206.23.in-addr.arpa                                udp
US       8.8.8.8:53             176.25.221.88.in-addr.arpa                                udp
NL       185.246.221.126:80     185.246.221.126                                           tcp
US       8.8.8.8:53             fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh   udp
US       8.8.8.8:53             126.221.246.185.in-addr.arpa                              udp
US       8.8.8.8:53             ebfertility.com                                           udp
US       89.190.157.61:80       ebfertility.com                                           tcp
NL       212.87.204.93:8081                                                               tcp
US       8.8.8.8:53             61.157.190.89.in-addr.arpa                                udp
US       8.8.8.8:53             93.204.87.212.in-addr.arpa                                udp
RU       80.85.156.168:20189                                                              tcp
US       8.8.8.8:53             168.156.85.80.in-addr.arpa                                udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe

MD5 5f964c2fa494030bd675007fea7a340a
SHA1 1e2d50ca003c04165f09a6d04dab8e20b73e688f
SHA256 ea909381b9a73697f4278a7cbba9b6ddd98f2822a228389d046f0a54a40df8d9
SHA512 81d327bc80088b4a7499ed185743c82cc28fa3940d1f722bf9d3a91aa8e61dc203eb4d109d2622cda16143a202040155f094ff59540fa3e8b4ced9a232bf0321

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe

MD5 cb61c0fd640171298eaff3bb7b096591
SHA1 19dc47bc150c090cac0bbd11e8cad26c89f6f3a2
SHA256 a1c172d051708b428f8d064e994aa7aceb031e817008648da7c49541e1e5610b
SHA512 360da9cad5dc60f1439b4a567f5d1a2f50530e9e98260d42f4d908321033cfcedae9b676748c6aa5410a4e66e52c28663a54d9ec855ffec1ad3bba7e0f69eee4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe

MD5 dae37348bb5a160cc1e011b011654178
SHA1 f7b8491cb68cc2aa1989ecb38c72130879ff9b2d
SHA256 cb459dd0dbf0cc23615ab13b8ff459f5349bd05fc81ad089bff1a869d742fbd6
SHA512 d1bff775cff9fd369e92bb989a25c62b7349dc172f662645e819099f12772eeb6c6c5e4299064e1a6d902a61f5bb9b731fc1d52666a42ab55c1080e7a9ab1a16

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3804-161-0x0000000000440000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe

MD5 0d788ff51f171840cebd933821d299c7
SHA1 826846204120eb248b9e64fc2898a461099d3f57
SHA256 5b125ab9166a213a34694e085eee5a08dc4984b56afa6011a1b6f8ac2ba3b14b
SHA512 46c923a6548a2ee09b2a7100ef9ecd39f5ec4b804386e6b2fc877165b869c5dd58eab6827397ac3b455ba92f7dcb32ff57710c01bcc92817afbd160057c6e975

memory/3584-167-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/3584-168-0x0000000007290000-0x0000000007834000-memory.dmp

memory/3584-169-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-170-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-172-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-176-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-174-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-178-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-180-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-182-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-184-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-186-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-188-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-190-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-195-0x0000000007280000-0x0000000007290000-memory.dmp

memory/3584-197-0x0000000007280000-0x0000000007290000-memory.dmp

memory/3584-193-0x0000000007280000-0x0000000007290000-memory.dmp

memory/3584-196-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-192-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-199-0x0000000004C20000-0x0000000004C32000-memory.dmp

memory/3584-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/3584-202-0x0000000007280000-0x0000000007290000-memory.dmp

memory/3584-203-0x0000000007280000-0x0000000007290000-memory.dmp

memory/3584-204-0x0000000007280000-0x0000000007290000-memory.dmp

memory/3584-205-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe

MD5 6f556cb991c66123db790dc867974aac
SHA1 7c2276b09e48a3e809f4b6695ad558f116c516e6
SHA256 66de5a29b8802ad91ea116be0b6fd3c7974655d0f7b2308d5f96e36a13b470db
SHA512 ff8e059b12ebdd9dd7d1375eafe5c778e996d343705c2092b8479610a822073076f5f33afca13fadcf303caec0c70707ca58928a70199b488dfe56d0d247982b

memory/2728-210-0x00000000047C0000-0x000000000480B000-memory.dmp

memory/2728-214-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-213-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-212-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-211-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-215-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-217-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-219-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-221-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-223-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-225-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-227-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-229-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-231-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-233-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-235-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-237-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-239-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-241-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-243-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-247-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-245-0x0000000007100000-0x000000000713E000-memory.dmp

memory/2728-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

memory/2728-1121-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/2728-1122-0x0000000008040000-0x0000000008052000-memory.dmp

memory/2728-1123-0x0000000008060000-0x000000000809C000-memory.dmp

memory/2728-1124-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-1126-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-1127-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-1128-0x0000000007210000-0x0000000007220000-memory.dmp

memory/2728-1129-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/2728-1130-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/2728-1131-0x0000000008B10000-0x0000000008CD2000-memory.dmp

memory/2728-1132-0x0000000008CE0000-0x000000000920C000-memory.dmp

memory/2728-1133-0x00000000096E0000-0x0000000009756000-memory.dmp

memory/2728-1134-0x0000000009760000-0x00000000097B0000-memory.dmp

memory/2728-1136-0x0000000007210000-0x0000000007220000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/1816-1141-0x00000000002B0000-0x00000000002E2000-memory.dmp

memory/1816-1142-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 6d81d19b6e02e1dc86b1bd2eb40e1507
SHA1 645e362eb27610601c57b9ca78d80ee84a5c0640
SHA256 178f26c99326101da77ce0620eb9fe584833d6ea8442913fe7ede38b72316db1
SHA512 9fa181b27f826b494a72d6498c83fe7cb7f31a98f28c5f50c4ed97a2d505ae7d032bbfcb5d0ca67864206ff72e487129749b64074003d0f33a5f4b2aefe060bc

memory/2712-1221-0x0000000004760000-0x000000000478E000-memory.dmp

memory/4548-1222-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240618281.dll

MD5 098a4aa93e275de54bbc35ae4b981301
SHA1 d03646dc7c63e0784393f74085405c794b8555af
SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

memory/4548-1229-0x0000000005770000-0x0000000005780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 92d24961d2ebaacf1ace5463dfc9930d
SHA1 99ffaf6904ab616c33a37ce01d383e4a493df335
SHA256 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA512 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 dce9b749d38fdc247ab517e8a76e6102
SHA1 d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA256 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA512 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

memory/4548-1283-0x0000000005770000-0x0000000005780000-memory.dmp

memory/2712-1290-0x0000000004790000-0x00000000047AC000-memory.dmp

memory/2712-1291-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2712-1292-0x00000000001F0000-0x00000000001F3000-memory.dmp

memory/4260-1294-0x0000000000C20000-0x0000000000C3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

memory/2712-1299-0x0000000004790000-0x00000000047AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5