Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-ae7fkseb69
Target 67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067
SHA256 67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067
Tags
amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067

Threat Level: Known bad

The file 67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

RedLine payload

Amadey

Aurora

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Modifies Windows Defender Real-time Protection settings

Detect rhadamanthys stealer shellcode

Downloads MZ/PE file

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 00:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 00:08

Reported

2023-03-19 00:11

Platform

win10-20230220-en

Max time kernel

143s

Max time network

149s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

This is not the sample's own invocation, which was "C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe" (see Processes). taskhostw.exe is recorded here because PID 3364 (1000065001\KMuffPQJRlr6.exe) started it with a spoofed parent process, as the "Suspicious use of NtCreateUserProcessOtherParentProcess" signature below records: the parent Windows stored for it does not lead back into the sample's tree, so the sandbox lists it as a separate root.

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
(3 matches; the sandbox recorded no description, indicator, process or target for any of them)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 matches; the sandbox recorded no description, indicator, process or target for any of them)

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3364 created 2972 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe c:\windows\system32\taskhostw.exe
PID 2972 is the taskhostw.exe entry that heads the Processes list. Because the creator passed a different parent handle to NtCreateUserProcess (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS mechanism), the parent Windows recorded for 2972 is not 3364; tooling that rebuilds process trees from recorded parent PIDs alone will show taskhostw.exe as unrelated to the sample.

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
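The two Defender signatures above (the Real-Time Protection policy values and TamperProtection) describe one tampering pattern, so it is worth having a mechanical check for it. The Python below is an added example, not part of the sandbox report or of the sample: it parses registry rows in the report's own four-column layout and returns, per writing process, which Defender features were set to a disabling value. The rows are copied from the two tables; the svchost.exe row is constructed here to show that a Disable* value of 0 is not flagged.

```python
import re
from collections import defaultdict

# Rows copied from the two Defender signature tables above, plus one constructed row
# (svchost.exe setting DisableRealtimeMonitoring back to 0) that must not be flagged.
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A',
    # constructed, not from the report: a write that re-enables protection
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A',
]

# Defender settings whose listed value switches protection off. The Disable* values are the
# Group Policy names under ...\Policies\Microsoft\Windows Defender\Real-Time Protection;
# TamperProtection lives under ...\Microsoft\Windows Defender\Features.
DISABLING_VALUES = {
    "DisableRealtimeMonitoring": "1",
    "DisableBehaviorMonitoring": "1",
    "DisableOnAccessProtection": "1",
    "DisableScanOnRealtimeEnable": "1",
    "DisableIOAVProtection": "1",
    "TamperProtection": "0",
}

# One "Set value" row: type, key path (contains spaces), quoted data, writer process, target.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$'
)


def parse_set_value(row):
    """Return (key_path, value_name, data, process) for a 'Set value' row, else None."""
    m = SET_VALUE_RE.match(row.strip())
    if m is None:
        return None
    key_path, _, value_name = m.group("key").rpartition("\\")
    # Fold the 32-bit redirected view onto the native path so both variants compare equal.
    key_path = key_path.replace("\\WOW6432Node", "")
    return key_path, value_name, m.group("data"), m.group("proc")


def defender_tampering(rows):
    """Map writer process -> sorted Defender features it set to a disabling value."""
    findings = defaultdict(set)
    for row in rows:
        parsed = parse_set_value(row)
        if parsed is None:
            continue  # "Key created" and other operations carry no value to judge
        key_path, name, data, proc = parsed
        if "\\Windows Defender" not in key_path:
            continue
        if DISABLING_VALUES.get(name) == data:
            findings[proc].add(name)
    return {proc: sorted(names) for proc, names in findings.items()}


if __name__ == "__main__":
    for proc, features in defender_tampering(REGISTRY_ROWS).items():
        print(proc.rsplit("\\", 1)[-1], "->", ", ".join(features))
```

The check keys on value name plus the presence of "Windows Defender" in the key path after folding WOW6432Node, so 32-bit and 64-bit writers compare equal, and a Disable* value of 0 or a TamperProtection value of 1 is never reported. Two caveats when reading such rows: writes under HKLM\SOFTWARE\Policies and to the Features key need administrative rights, which the sandbox's Admin account provided, and the sandbox logs the write, not whether Defender honoured it. TamperProtection is itself one of the settings Tamper Protection guards, so on a host where it is enabled the write to Features\TamperProtection is expected to fail or be reverted.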

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3364 set thread context of 212 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Read together with the WriteProcessMemory rows from PID 3364 into ngentask.exe, this is the process-hollowing sequence: a legitimate .NET Framework binary is started, its memory is overwritten with the payload, and its thread context is pointed at the injected code, so the payload runs under the ngentask.exe image name. Two ngentask.exe instances appear in Processes.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
The command line is recorded in Processes: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F, a task named legenda.exe that re-launches the dropped legenda.exe every minute; the later unquoted legenda.exe entries in Processes are consistent with these task runs. Deleting the task has to be part of any cleanup, otherwise the file is restarted within a minute of being killed.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(identical rows collapsed; event counts in parentheses)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe N/A (48 events)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe N/A
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A (this 21-privilege sequence is logged in full for two wmic.exe invocations)
Token: SeIncreaseQuotaPrivilege through 33, same order N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A (third invocation; the original table stops at 64 rows, after this process's 18th privilege)
The numeric entries are privileges the sandbox did not resolve to a name: LUID 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege in its token, in this fixed order, is wmic.exe's own start-up behaviour (its /PRIVILEGES global switch defaults to ENABLE), so these rows only confirm that wmic ran. The rows that characterise the sample are the four dropped stage executables above enabling SeDebugPrivilege and, in Processes, who launched wmic and what it asked: the dropped 1000066001\svchost.exe runs "wmic os get Caption", and cmd.exe wrappers run "wmic path win32_VideoController get name" and "wmic cpu get name", a host profile (OS, GPU, CPU) of the kind used both for victim reporting and for virtual-machine detection.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the original table logs two or three identical rows per process start and stops at 64 rows; the 22 distinct parent/child pairs are listed once each, in their original order)
PID 4140 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe
PID 2512 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe
PID 4960 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe
PID 2064 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe
PID 2064 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe
PID 4960 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe
PID 2512 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe
PID 4140 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe
PID 3780 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4772 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4772 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
PID 4772 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
PID 4772 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
PID 3364 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 756 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
Read as a tree: the sample unpacks nested self-extractor stages (will0157, will0432, will0507; the IXP00n.TMP folders and the wextract_cleanup RunOnce values above are IExpress/wextract artifacts), each stage dropping one stealer executable (qs1679oq, py07ck14, mx7407xs and ns8993bN), while the ry67eJ11 branch installs legenda.exe, which registers the scheduled task, hardens its own ACL through cmd.exe/cacls.exe, and then writes and starts three further executables from numbered Temp folders.
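The WriteProcessMemory table is the sandbox's flattened record of every process start in the chain, so the most useful thing to do with it is rebuild the tree. The Python below is an added example, not part of the report: it parses the report's own "PID A wrote to memory of B" rows together with the "PID 3364 created 2972" row from the NtCreateUserProcessOtherParentProcess signature, collapses the repeated writes, and renders the tree with the parent-spoofed taskhostw.exe marked. The rows are copied from the tables above; only the duplicated first row is added here to show the collapse.

```python
import re

# Rows copied from the WriteProcessMemory table (one per distinct parent/child pair, plus one
# deliberate duplicate of the first row) and the single NtCreateUserProcessOtherParentProcess row.
PROCESS_ROWS = [
    r"PID 4140 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe",
    r"PID 4140 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe",
    r"PID 2512 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe",
    r"PID 4960 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe",
    r"PID 2064 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe",
    r"PID 2064 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe",
    r"PID 4960 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe",
    r"PID 2512 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe",
    r"PID 4140 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe",
    r"PID 3780 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe",
    r"PID 4772 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 4772 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 5060 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 5060 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe",
    r"PID 5060 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe",
    r"PID 5060 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 5060 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe",
    r"PID 5060 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe",
    r"PID 4772 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe",
    r"PID 4772 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe",
    r"PID 4772 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe",
    r"PID 3364 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
    r"PID 756 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe",
    r"PID 3364 created 2972 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe c:\windows\system32\taskhostw.exe",
]

# A process start as the sandbox logs it: the parent writes into the new child's memory.
WRITE_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<ppath>\S+) (?P<cpath>\S+)$")
# The NtCreateUserProcessOtherParentProcess row: the creator is not the parent Windows recorded.
CREATED_RE = re.compile(r"^PID (?P<parent>\d+) created (?P<child>\d+) N/A (?P<ppath>\S+) (?P<cpath>\S+)$")


def build_tree(rows):
    """Return (children, names, spoofed): creator pid -> child pids in first-seen order,
    pid -> image path, and the set of children whose creator is hidden by parent spoofing."""
    children, names, spoofed = {}, {}, set()
    for row in rows:
        row = row.strip()
        kind, m = "write", WRITE_RE.match(row)
        if m is None:
            kind, m = "create", CREATED_RE.match(row)
        if m is None:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        names.setdefault(parent, m["ppath"])
        names.setdefault(child, m["cpath"])
        kids = children.setdefault(parent, [])
        if child not in kids:  # repeated writes for one start collapse to one edge
            kids.append(child)
        if kind == "create":
            spoofed.add(child)
    return children, names, spoofed


def roots(children):
    """Pids that appear as a creator but never as a child."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def ancestry(children, pid):
    """Creator chain from pid up to its root, pid first."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain


def render(children, names, spoofed, pid, depth=0):
    """Indented text rendering of the subtree under pid, one line per process."""
    image = names.get(pid, "?").rsplit("\\", 1)[-1]
    tag = " [creator hidden by parent-PID spoofing]" if pid in spoofed else ""
    lines = ["  " * depth + f"{pid} {image}{tag}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, spoofed, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, images, hidden = build_tree(PROCESS_ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, images, hidden, root)))
```

The rendering places taskhostw.exe (2972) under KMuffPQJRlr6.exe (3364) because the creator is known from the signature; the parent Windows itself recorded for 2972 points elsewhere, which is why the Processes list shows taskhostw.exe as a separate root and the detonation's Command Line field shows its GUID argument instead of the sample. A tree built only from recorded parent PIDs would miss that edge.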

Processes

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe

"C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

(Self-protection, run by legenda.exe right after it registers the scheduled task. Each CACLS /P "Admin:N" replaces the ACL of legenda.exe and of its folder with an explicit no-access entry for the current user, with "echo Y" answering the confirmation prompt; CACLS /P "Admin:R" /E then edits read-only access back in, leaving the user able to run the file but not to modify or delete it or the folder. The six cmd.exe and cacls.exe children that follow are the individual steps of this one command line. "Admin" is the sandbox account name, so on a victim host the same step carries that user's name.)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SYSWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 456

(Windows Error Reporting for PID 3364, 1000065001\KMuffPQJRlr6.exe; this is the "Program crash" entry in the summary.)

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

(The rundll32.exe entry under "Loads dropped DLL" refers to this: a DLL written to a newly created folder under Roaming and started through its exported Main function. clip64.dll is the clipboard-hijacking plug-in that Amadey downloads for its bot, consistent with the amadey tag on this sample.)

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
FR 40.79.141.152:443 tcp
DE 193.233.20.30:4125 tcp
NL 88.221.25.155:80 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 234.95.206.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
US 8.8.8.8:53 fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh udp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
RU 80.85.156.168:20189 tcp
US 8.8.8.8:53 168.156.85.80.in-addr.arpa udp
US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp
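The Network table mixes three kinds of rows: the detonation's connections, forward DNS lookups to the resolver, and PTR (in-addr.arpa) lookups for the addresses being contacted, which add no indicator beyond the connection rows. The Python below is an added example, not part of the report: it parses the table exactly as printed above, keeps resolver traffic out of the indicator list, marks the destinations a responder would examine first (non-standard ports, HTTP to a bare IP, a public file-sharing host), and lists names that were looked up but never connected to. Treating 8.8.8.8 as the sandbox VM's resolver and transfer.sh as a staging host are classifications made here, not labels from the report.

```python
# The Network table above, row for row. Columns: country, destination ip:port,
# optional domain (absent for plain connections), protocol.
NETWORK_ROWS = """
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
FR 40.79.141.152:443 tcp
DE 193.233.20.30:4125 tcp
NL 88.221.25.155:80 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 234.95.206.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
US 8.8.8.8:53 fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh udp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
RU 80.85.156.168:20189 tcp
US 8.8.8.8:53 168.156.85.80.in-addr.arpa udp
US 8.8.8.8:53 52.4.107.13.in-addr.arpa udp
""".strip().splitlines()

# Classifications assumed here, not taken from the report.
SANDBOX_RESOLVERS = {"8.8.8.8"}   # DNS resolver the sandbox VM used; not attributable to the sample
STAGING_HOSTS = {"transfer.sh"}   # public file-sharing service (see "Downloads MZ/PE file")


def parse_row(row):
    """Split one table row into a dict; the domain column is empty for plain connections."""
    parts = row.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def triage(rows):
    """Separate resolver traffic (forward lookups, PTR lookups) from real connections."""
    out = {"lookups": [], "reverse_lookups": [], "connections": []}
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        if r["port"] == 53 and r["ip"] in SANDBOX_RESOLVERS:
            bucket = "reverse_lookups" if r["domain"].endswith(".in-addr.arpa") else "lookups"
            out[bucket].append(r["domain"])
        else:
            out["connections"].append(r)
    return out


def indicators(rows):
    """Distinct ip:port destinations with the reasons a responder would look at them first."""
    ioc = {}
    for c in triage(rows)["connections"]:
        notes = []
        if c["port"] not in (80, 443):
            notes.append("non-standard port")
        if c["port"] == 80 and c["domain"] in ("", c["ip"]):
            notes.append("HTTP to raw IP")
        if c["domain"] in STAGING_HOSTS:
            notes.append("public file-sharing host")
        ioc.setdefault(f'{c["ip"]}:{c["port"]}', {"domain": c["domain"], "notes": notes})
    return ioc


def lookups_without_connection(rows):
    """Names resolved but never connected to: failed resolutions or connectivity checks."""
    t = triage(rows)
    contacted = {c["domain"] for c in t["connections"] if c["domain"]}
    return set(t["lookups"]) - contacted


if __name__ == "__main__":
    for dest, info in indicators(NETWORK_ROWS).items():
        print(dest, info["domain"] or "-", "; ".join(info["notes"]) or "-")
    print("looked up, never contacted:", sorted(lookups_without_connection(NETWORK_ROWS)))
```

The "HTTP to raw IP" note is a prompt, not a verdict: 88.221.25.155:80 and 40.79.141.152:443 carry no domain in the report and may be the Windows image's own background traffic, so every flagged destination still has to be compared against a baseline detonation of the same image. The three that stand out by port alone, 193.233.20.30:4125, 212.87.204.93:8081 and 80.85.156.168:20189, together with the bare-IP HTTP hosts 62.204.41.87 and 185.246.221.126 and the transfer.sh download, are the block-list candidates this table supports.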

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe

MD5 ef5889763c11ca181c56e65b2f5b2a0e
SHA1 23d60bfbffeacb9958fa55dbe80d88fbd2d96a7e
SHA256 b2234873cd79f834d388fcea9ab543d6a884f5e4e5dcadf50056a556bab7e68d
SHA512 fb51ba58e24fb73ba5dfc50cf3afafbd076cc4380aa48a2719860245d1a77f37325ebb82bfb4ad8e8d52782b64b2b00a04061f5ac8b140a05987917fb55b910b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe

MD5 63a2649ae317c013c51c5b875b96c7e0
SHA1 18c8397a3b61c5db1d38dcbf10cd1871941563e3
SHA256 83343d77de6bdd56694309bc4af0906418c0266227e3f531145d6edd0cbe1042
SHA512 ae98fb451158c82cafa85ae7fb3e9f776bce4d6cfd0a491851c909964fe83a82a308030e4cec34ff67b71c7f157f75d92a009464535ad0b81d9130052edd20a9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe

MD5 2c1d2d8088f4064e1fb0ef5d6c4cbb91
SHA1 7824674546f86e63db81ca7c6f33990154f81493
SHA256 c18dd165b2688f9afb6e723a4da90d42a85943471aacfd4b1c84d3742166d178
SHA512 c281ae614fc85753e736804d1dfdeae91a880b8e8e56216a3082a7c1ca0c46d16618bea992796b28da171fe9be4cca91c82061c52ec40f5d8029a5c4e1bc8a48

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2688-144-0x0000000000440000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe

MD5 ac0c7b7b2f53a198c9a3ce08ad47d2ae
SHA1 2636d0f8bfe5cdac7977f55f51b19d87a4e901fa
SHA256 6bebaf5dbdcaebca0bf98f08b0a2da800c22010f51b647c2014c865f66cabbfd
SHA512 91080422faa7119ed7777e3f66ff2c5a489481abeb18792d1b2b9e30c69f085df6bdf7dd59befac5d286db1037c070dacf9504b7cadd0d3e8df725dfc103287f

memory/3888-150-0x0000000004650000-0x000000000466A000-memory.dmp

memory/3888-151-0x0000000007210000-0x000000000770E000-memory.dmp

memory/3888-152-0x0000000004BE0000-0x0000000004BF8000-memory.dmp

memory/3888-153-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

memory/3888-154-0x0000000007200000-0x0000000007210000-memory.dmp

memory/3888-155-0x0000000007200000-0x0000000007210000-memory.dmp

memory/3888-156-0x0000000007200000-0x0000000007210000-memory.dmp

memory/3888-157-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-158-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-160-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-162-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-164-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-166-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-168-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-170-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-172-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-174-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-176-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-178-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-180-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-182-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-184-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3888-185-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/3888-186-0x0000000007200000-0x0000000007210000-memory.dmp

memory/3888-187-0x0000000007200000-0x0000000007210000-memory.dmp

memory/3888-189-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe

MD5 324d31bcb4e62eea8a833e89ac9bd158
SHA1 9910f4606c492dbaa071321b3e69ee7d53e7836e
SHA256 f1f4076aa99a72dba7c5e722d018217ae8463176b6292157229ba4e0977dbc12
SHA512 d9a16348a2d870790f962bdcb0dc5f57ce882f62ac5749e95e76073b3eb6f840ac4ddc1fd8fcaf323f88ec77fdb9e8c441597d3d6a30f39133b581be8075c5c7

memory/4836-194-0x00000000047D0000-0x0000000004816000-memory.dmp

memory/4836-195-0x00000000070D0000-0x0000000007114000-memory.dmp

memory/4836-196-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-197-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-199-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-201-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-205-0x0000000002B20000-0x0000000002B6B000-memory.dmp

memory/4836-206-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-203-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-207-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-209-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-213-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-211-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-210-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-215-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-217-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-219-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-221-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-223-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-225-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-227-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-229-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-231-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-233-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4836-1106-0x0000000007770000-0x0000000007D76000-memory.dmp

memory/4836-1107-0x0000000007E00000-0x0000000007F0A000-memory.dmp

memory/4836-1108-0x0000000007F40000-0x0000000007F52000-memory.dmp

memory/4836-1109-0x0000000007F60000-0x0000000007F9E000-memory.dmp

memory/4836-1110-0x00000000080B0000-0x00000000080FB000-memory.dmp

memory/4836-1111-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-1113-0x0000000008240000-0x00000000082A6000-memory.dmp

memory/4836-1114-0x0000000008900000-0x0000000008992000-memory.dmp

memory/4836-1115-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-1116-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-1117-0x0000000007160000-0x0000000007170000-memory.dmp

memory/4836-1118-0x0000000008AF0000-0x0000000008B66000-memory.dmp

memory/4836-1119-0x0000000008B90000-0x0000000008BE0000-memory.dmp

memory/4836-1120-0x0000000008C20000-0x0000000008DE2000-memory.dmp

memory/4836-1121-0x0000000008DF0000-0x000000000931C000-memory.dmp

memory/4836-1122-0x0000000007160000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/2672-1128-0x0000000000E60000-0x0000000000E92000-memory.dmp

memory/2672-1129-0x00000000058A0000-0x00000000058EB000-memory.dmp

memory/2672-1130-0x0000000005A20000-0x0000000005A30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe

MD5 103f1dc5270469cf9414ee95dee9561f
SHA1 f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 8ad47f6bd62975254ede9b4737429715
SHA1 f772c8b56828c4c5dffb1c87ac3116de3c8bbc29
SHA256 7f5a1d9a81c8e16ed8e5fff72f8685f529235753bd3ebfabeb947c589774179d
SHA512 dd1cbe5302771a312afae4052c8f186bd04fdc313aaa89d4fcad899bfb31a55120f1d71c13799840be28c1d5b501c4a9b6d2e645f04b5af81a2966f3e06228b7

memory/2268-1190-0x00000000001D0000-0x00000000001FE000-memory.dmp

memory/212-1194-0x0000000000400000-0x0000000000432000-memory.dmp

memory/212-1195-0x00000000061E0000-0x000000000622B000-memory.dmp

memory/212-1196-0x00000000057D0000-0x00000000057E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\240603796.dll

MD5 098a4aa93e275de54bbc35ae4b981301
SHA1 d03646dc7c63e0784393f74085405c794b8555af
SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 a3eb5f22bc8e7f4060e3ff18c4ac70b9
SHA1 8480869a34c9723063dba9cc8279cf4e7c2bc4cd
SHA256 0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6
SHA512 3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

memory/212-1235-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/2268-1242-0x0000000002C20000-0x0000000002C3C000-memory.dmp

memory/2268-1243-0x0000000002C50000-0x0000000002C52000-memory.dmp

memory/2268-1244-0x0000000002C50000-0x0000000002C53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

memory/1060-1247-0x0000000000E30000-0x0000000000E4C000-memory.dmp

memory/2268-1251-0x0000000002C20000-0x0000000002C3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
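
Two things in the Network and Files sections above are easy to misread when lifting indicators from a sandbox report. First, every port-53 row goes to 8.8.8.8 and most of them are in-addr.arpa names: those are reverse lookups the sandbox performs on the addresses the sample contacted, not DNS activity of the sample, and turning them into block-list entries produces noise. Second, the Files section repeats entries and lists the same binary under several paths; here ry67eJ11.exe in IXP000.TMP and legenda.exe in the random-named f22b669919 directory share SHA256 42873b0c..., which tells you the second is a copy of the first, written for the Run-key persistence the signatures report. The following is an added example, not part of the report, that parses rows in the two formats shown here, separates the sandbox's PTR lookups from the sample's own queries and connections, and groups file entries by SHA256. The inputs are constructed subsets copied from the two sections; treating 8.8.8.8 as the sandbox resolver is an inference from the table, so it is a parameter.

```python
import re
from collections import defaultdict

# Constructed input for this example: a subset of rows copied from the report's Network table.
NETWORK_TEXT = """\
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
RU 80.85.156.168:20189 tcp
"""

# Constructed input: three entries from the report's Files section (SHA1/SHA512 lines omitted).
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

memory/1060-1247-0x0000000000E30000-0x0000000000E4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
SANDBOX_RESOLVER = "8.8.8.8"  # assumption: the host every port-53 row in the table goes to


def ptr_to_ip(name):
    """Map a reverse-lookup name (30.20.233.193.in-addr.arpa) back to the address it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage_network(text, resolver=SANDBOX_RESOLVER):
    """Split the table into real connections, the sample's DNS queries, and sandbox PTR noise."""
    connections, dns_queries, ptr_targets = {}, set(), set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, port, name, proto = m["ip"], int(m["port"]), m["name"], m["proto"]
        if ip == resolver and port == 53 and proto == "udp":
            target = ptr_to_ip(name or "")
            if target:
                ptr_targets.add(target)  # reverse lookup made by the sandbox, not by the sample
            elif name:
                dns_queries.add(name)
            continue
        names = connections.setdefault((ip, port, proto), set())
        if name and name != ip:
            names.add(name)
    connected = {ip for ip, _, _ in connections}
    return {
        "connections": {f"{ip}:{port}/{proto}": sorted(n) for (ip, port, proto), n in connections.items()},
        "dns_queries": sorted(dns_queries),
        "ptr_without_connection": sorted(ptr_targets - connected),
    }


def group_files_by_sha256(text):
    """Collapse repeated Files entries and reveal the same binary dropped under several paths."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue  # memory-region lines carry no hash
        m = HASH.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).lower()
        elif not m:
            cur = {"path": line}
            entries.append(cur)
    grouped = defaultdict(lambda: {"paths": [], "md5": None})
    for e in entries:
        if "sha256" in e:
            g = grouped[e["sha256"]]
            g["md5"] = e.get("md5")
            if e["path"] not in g["paths"]:
                g["paths"].append(e["path"])
    return dict(grouped)


if __name__ == "__main__":
    print(triage_network(NETWORK_TEXT))
    for sha, g in group_files_by_sha256(FILES_TEXT).items():
        print(sha, g["paths"])
```

The "ptr_without_connection" bucket catches addresses the sandbox looked up that never appear as a connection in the rows you fed it; on the full table that list includes the resolver's own lookups for addresses contacted in parts of the run outside this section, so check them against the process that initiated the traffic before blocking. transfer.sh was a public file-sharing service, so a block on the domain alone has collateral; block the specific URL or the fetched file's hash instead.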