Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-a7yddaec59
Target 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39
SHA256 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39

Threat Level: Known bad

The file 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

Rhadamanthys

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detect rhadamanthys stealer shellcode

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Aurora

Downloads MZ/PE file

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 00:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 00:51

Reported

2023-03-19 00:54

Platform

win10-20230220-en

Max time kernel

127s

Max time network

122s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4980 created 2888 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe c:\windows\system32\taskhostw.exe

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4980 set thread context of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SYSWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SYSWOW64\fontview.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SYSWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SYSWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SYSWOW64\fontview.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 1444 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 1444 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 1604 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 1604 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 1604 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 1860 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 1860 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 1860 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 1288 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe
PID 1288 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe
PID 1288 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 1288 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 1288 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 1860 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 1860 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 1860 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 1604 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 1604 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 1604 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 1444 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 1444 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 1444 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 3248 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3248 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3248 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4672 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4672 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4672 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4672 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 796 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4672 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4672 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4672 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4672 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4672 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4672 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4672 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 4672 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 4672 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 4980 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4980 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4980 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Processes

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe

"C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SYSWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 280

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

\Users\Admin\AppData\Local\Temp\240621453.dll

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
