Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-jjpwrshe7s
Target 36d56d783d89fa962428e75d53fa1577.exe
SHA256 8d60d0f19ac81c852a30662032988c9d48fb3300ae03ca9744be2a030bddcede
Tags
amadey aurora redline gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

8d60d0f19ac81c852a30662032988c9d48fb3300ae03ca9744be2a030bddcede

Threat Level: Known bad

The file 36d56d783d89fa962428e75d53fa1577.exe was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline gena vint discovery evasion infostealer persistence spyware stealer trojan

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Aurora

Amadey

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 07:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 07:42

Reported

2023-03-19 07:44

Platform

win7-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A

RedLine

infostealer redline

RedLine payload

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A 7
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe N/A 1

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe N/A

The following tokens were adjusted, in this order, by C:\Windows\SysWOW64\Wbem\wmic.exe (the full sequence recorded twice) and by C:\Windows\SysWOW64\Wbem\WMIC.exe (recorded once); Indicator and Target are N/A for every row:
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1944 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe 7
PID 1220 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe 7
PID 1064 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe 7
PID 972 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe 7
PID 972 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe 7
PID 1064 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe 7
PID 1220 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe 7
PID 1944 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe 7
PID 1260 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 7
PID 744 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe

"C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {34211E58-8919-4118-BD5C-8D3F1DCC9DAB} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"

Network

Country Destination Domain Proto Count
DE 193.233.20.30:4125 N/A tcp 2
RU 62.204.41.87:80 N/A tcp 1
RU 62.204.41.87:80 62.204.41.87 tcp 1
US 8.8.8.8:53 transfer.sh udp 1
DE 144.76.136.153:443 transfer.sh tcp 13
NL 185.246.221.126:80 185.246.221.126 tcp 1
US 8.8.8.8:53 ebfertility.com udp 1
US 89.190.157.61:80 ebfertility.com tcp 1
NL 212.87.204.93:8081 N/A tcp 1
RU 62.204.41.88:80 62.204.41.88 tcp 1
US 66.42.108.195:40499 N/A tcp 2

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

MD5 562fb7a6699a72b309c38d95c1e3831d
SHA1 16dae93cd9b220acf5653bf5bbd6c4d81bd35316
SHA256 ee2bbd4a08f1d25ba0b22d6bc5e0d68696bf73e530aeb8c5d88af5d6862c19a6
SHA512 7bcfc18e60362ea4f857774275fa9e6777af0459db88848b4c6c5434f920537a6d217c2072aee323ae7da6920e8c52fc68dd1816e992852b703b552d037093f1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

MD5 273115a58ca529858aebc852361bc126
SHA1 cf2aeba2f2b82ed09c821fc5dda32db8454ca1d8
SHA256 db0709add0004d175ed3a82c387ff2941c658bf3e1a13baf2a159153213f3ad9
SHA512 060880cd200830266894968ff65dcc60f857af6b1d464b0efdda451773ea999628f317f560f373b89c755500215e7c52d3a803f74ffcc25ac9e0a9a09dc343c4

\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

MD5 dd32b5107c6fe7cf76fd8ddc795b10f4
SHA1 c3aa88665a0abf314e3185a636540bf40136b31d
SHA256 d3cb9326d4ae5876cba30ce5cd00c5bf5377cb4d619619b9c97bc1f5f2d76a80
SHA512 dbd346bd78010bed17af369aa1f7537b86858269d9073c62dc371f63c2a0a3466ff54517b0ed2de74571525b963a8e95d71a4de8640d46784d1701d5f656c895

\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1704-92-0x0000000000C90000-0x0000000000C9A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

memory/1752-103-0x0000000002FD0000-0x0000000002FEA000-memory.dmp

memory/1752-104-0x00000000003D0000-0x00000000003FD000-memory.dmp

memory/1752-105-0x0000000007020000-0x0000000007060000-memory.dmp

memory/1752-106-0x0000000007020000-0x0000000007060000-memory.dmp

memory/1752-107-0x0000000003000000-0x0000000003018000-memory.dmp

memory/1752-108-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-109-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-111-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-113-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-115-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-117-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-119-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-121-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-123-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-125-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-127-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-129-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-131-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-133-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-135-0x0000000003000000-0x0000000003012000-memory.dmp

memory/1752-136-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/1752-137-0x0000000000400000-0x0000000002B03000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

memory/1868-148-0x00000000046A0000-0x00000000046E6000-memory.dmp

memory/1868-149-0x0000000004720000-0x0000000004764000-memory.dmp

memory/1868-150-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-153-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-155-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-159-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-161-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-165-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-169-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-173-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-175-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-179-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-182-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-184-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-186-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-181-0x00000000071F0000-0x0000000007230000-memory.dmp

memory/1868-178-0x00000000071F0000-0x0000000007230000-memory.dmp

memory/1868-177-0x0000000000290000-0x00000000002DB000-memory.dmp

memory/1868-171-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-167-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-163-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-157-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-151-0x0000000004720000-0x000000000475E000-memory.dmp

memory/1868-1059-0x00000000071F0000-0x0000000007230000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/1672-1068-0x0000000000330000-0x0000000000362000-memory.dmp

memory/1672-1069-0x0000000000820000-0x0000000000860000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

memory/528-1147-0x0000000000270000-0x000000000029E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/1644-1164-0x0000000000B40000-0x0000000000B72000-memory.dmp

memory/1644-1165-0x0000000004F00000-0x0000000004F40000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/2024-1182-0x0000000000330000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 6a3c2fe239e67cd5804a699b9aa54b07
SHA1 018091f0c903173dec18cd10e0e00889f0717d67
SHA256 160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168
SHA512 aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

memory/2024-1214-0x00000000049F0000-0x0000000004A30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-19 07:42

Reported

2023-03-19 07:44

Platform

win10v2004-20230220-en

Max time kernel

110s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe
PID 4768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe
PID 4768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe
PID 544 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe
PID 544 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe
PID 544 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe
PID 1804 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe
PID 1804 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe
PID 1804 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe
PID 3088 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe
PID 3088 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe
PID 3088 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe
PID 3088 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe
PID 3088 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe
PID 1804 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe
PID 1804 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe
PID 1804 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe
PID 544 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe
PID 544 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe
PID 544 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe
PID 4768 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe
PID 4768 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe
PID 4768 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe
PID 524 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 524 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 524 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2652 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4008 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe

"C:\Users\Admin\AppData\Local\Temp\36d56d783d89fa962428e75d53fa1577.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3412 -ip 3412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 140.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
AU 104.46.162.224:443 tcp
DE 193.233.20.30:4125 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
NL 8.238.22.254:80 tcp
NL 8.238.22.254:80 tcp
NL 8.238.22.254:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

MD5 562fb7a6699a72b309c38d95c1e3831d
SHA1 16dae93cd9b220acf5653bf5bbd6c4d81bd35316
SHA256 ee2bbd4a08f1d25ba0b22d6bc5e0d68696bf73e530aeb8c5d88af5d6862c19a6
SHA512 7bcfc18e60362ea4f857774275fa9e6777af0459db88848b4c6c5434f920537a6d217c2072aee323ae7da6920e8c52fc68dd1816e992852b703b552d037093f1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9650.exe

MD5 562fb7a6699a72b309c38d95c1e3831d
SHA1 16dae93cd9b220acf5653bf5bbd6c4d81bd35316
SHA256 ee2bbd4a08f1d25ba0b22d6bc5e0d68696bf73e530aeb8c5d88af5d6862c19a6
SHA512 7bcfc18e60362ea4f857774275fa9e6777af0459db88848b4c6c5434f920537a6d217c2072aee323ae7da6920e8c52fc68dd1816e992852b703b552d037093f1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

MD5 273115a58ca529858aebc852361bc126
SHA1 cf2aeba2f2b82ed09c821fc5dda32db8454ca1d8
SHA256 db0709add0004d175ed3a82c387ff2941c658bf3e1a13baf2a159153213f3ad9
SHA512 060880cd200830266894968ff65dcc60f857af6b1d464b0efdda451773ea999628f317f560f373b89c755500215e7c52d3a803f74ffcc25ac9e0a9a09dc343c4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8347.exe

MD5 273115a58ca529858aebc852361bc126
SHA1 cf2aeba2f2b82ed09c821fc5dda32db8454ca1d8
SHA256 db0709add0004d175ed3a82c387ff2941c658bf3e1a13baf2a159153213f3ad9
SHA512 060880cd200830266894968ff65dcc60f857af6b1d464b0efdda451773ea999628f317f560f373b89c755500215e7c52d3a803f74ffcc25ac9e0a9a09dc343c4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

MD5 dd32b5107c6fe7cf76fd8ddc795b10f4
SHA1 c3aa88665a0abf314e3185a636540bf40136b31d
SHA256 d3cb9326d4ae5876cba30ce5cd00c5bf5377cb4d619619b9c97bc1f5f2d76a80
SHA512 dbd346bd78010bed17af369aa1f7537b86858269d9073c62dc371f63c2a0a3466ff54517b0ed2de74571525b963a8e95d71a4de8640d46784d1701d5f656c895

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0934.exe

MD5 dd32b5107c6fe7cf76fd8ddc795b10f4
SHA1 c3aa88665a0abf314e3185a636540bf40136b31d
SHA256 d3cb9326d4ae5876cba30ce5cd00c5bf5377cb4d619619b9c97bc1f5f2d76a80
SHA512 dbd346bd78010bed17af369aa1f7537b86858269d9073c62dc371f63c2a0a3466ff54517b0ed2de74571525b963a8e95d71a4de8640d46784d1701d5f656c895

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7838XH.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2360-161-0x0000000000D20000-0x0000000000D2A000-memory.dmp

memory/2360-162-0x000000001CE00000-0x000000001CF4E000-memory.dmp

memory/2360-164-0x000000001CE00000-0x000000001CF4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns1739nd.exe

MD5 66d4817a82cbd67f1777abd575ac3458
SHA1 dc74149ee8c0d1c34e318bee6e149116bc8ac28a
SHA256 f0f23af9d25368adc3c3fd2f699aa12029253d71e56033c8ef1e85dcc3726d64
SHA512 e87a246d45e913080ce19f5102890dd74b397c1b8092fbc23bc248f044a194dae22fa390e62630cc66cbdd0f44471293579c3fe5e17667b8364a916278d14975

memory/3808-169-0x0000000007180000-0x0000000007724000-memory.dmp

memory/3808-170-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-171-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-173-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-179-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-177-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-181-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-175-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-185-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-183-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-187-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-189-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-197-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-195-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-193-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-191-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/3808-198-0x0000000004640000-0x000000000466D000-memory.dmp

memory/3808-199-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3808-200-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3808-201-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3808-202-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/3808-204-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3808-205-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3808-206-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3808-207-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py72Or87.exe

MD5 34852a61e6566663b4bcdaf5e248206d
SHA1 d31e05f18136aac97317d4672a6b8b2d4ce1a7de
SHA256 211e7ee40dd8791b8a413842fad6cf626a877e862b739298dc55ac307a92f9ef
SHA512 26ad36f0bd3a9c319f58f7aee8e0174ca5f528d65f20f0d79e6880a6fe9c27bcb08dba97fe51b668d0550a9841c0600396f4c496a441686228c968d224ef5359

memory/3412-212-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-213-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-215-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-217-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-219-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-223-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-221-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-225-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-227-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-233-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-231-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-229-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-235-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-237-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-239-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-241-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-243-0x0000000007680000-0x00000000076BE000-memory.dmp

memory/3412-287-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/3412-285-0x0000000004770000-0x00000000047BB000-memory.dmp

memory/3412-289-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/3412-1121-0x0000000007860000-0x0000000007E78000-memory.dmp

memory/3412-1122-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/3412-1123-0x0000000008040000-0x0000000008052000-memory.dmp

memory/3412-1124-0x0000000008060000-0x000000000809C000-memory.dmp

memory/3412-1125-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/3412-1126-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/3412-1127-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/3412-1129-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/3412-1130-0x0000000008C50000-0x0000000008E12000-memory.dmp

memory/3412-1131-0x0000000008E30000-0x000000000935C000-memory.dmp

memory/3412-1132-0x000000000A620000-0x000000000A696000-memory.dmp

memory/3412-1133-0x000000000A6B0000-0x000000000A700000-memory.dmp

memory/3412-1134-0x0000000004B90000-0x0000000004BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8999sJ.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry91Vf41.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5