Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-jta6cshf31
Target d16e87bd29ec89a18d8a477ad08b6f0b.exe
SHA256 809d5bdb8703636ee347d5faf1c775ce89240c394bb1078a84d890265548b4bc
Tags
amadey aurora redline rhadamanthys @redlinevipchat cloud (tg: @fatherofcarders) gena redline vint discovery evasion infostealer persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

809d5bdb8703636ee347d5faf1c775ce89240c394bb1078a84d890265548b4bc

Threat Level: Known bad

The file d16e87bd29ec89a18d8a477ad08b6f0b.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Rhadamanthys

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detect rhadamanthys stealer shellcode

Aurora

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Downloads MZ/PE file

Checks BIOS information in registry

Windows security modification

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 07:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 07:57

Reported

2023-03-19 07:59

Platform

win7-20230220-en

Max time kernel

143s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

2 hits; the report records no description, indicator, process or target for them.

Modifies Windows Defender Real-time Protection settings

evasion trojan

Both payloads extracted into IXP003.TMP wrote the same five DWORDs, each set to 1, under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe (also created the Real-Time Protection key): DisableIOAVProtection, DisableOnAccessProtection, DisableBehaviorMonitoring, DisableRealtimeMonitoring, DisableScanOnRealtimeEnable

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe: DisableBehaviorMonitoring, DisableIOAVProtection, DisableOnAccessProtection, DisableRealtimeMonitoring, DisableScanOnRealtimeEnable

These are the Group Policy locations for Defender's real-time engine, so the writes need administrative rights; the sandbox ran the sample as Admin. On Windows 10 1903 and later with Tamper Protection enabled, Defender does not honor these values when a local process writes them, which is why the same two payloads also try to set TamperProtection = 0 (see "Windows security modification" below).

RedLine

infostealer redline

RedLine payload

24 hits; the report records no description, indicator, process or target for them.

Rhadamanthys

stealer rhadamanthys

Enumerates VirtualBox registry keys

evasion

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe opened the service keys of the VirtualBox Guest Additions drivers under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\: VBoxGuest, VBoxMouse, VBoxService, VBoxSF and VBoxVideo.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__, \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ and \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__. VBOX__ is the OEM ID VirtualBox stamps into its ACPI tables; the key exists only on a VirtualBox guest.

Looks for VirtualBox Guest Additions in registry

evasion

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions.

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools.

Checks BIOS information in registry

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate. Reading BIOS strings on its own is common in legitimate installers and inventory tools; what makes it an evasion check here is that the same process, one of the payloads fetched into the numbered 10000NN001 download directories, reads them alongside VirtualBox- and VMware-specific keys, and an unmodified VirtualBox guest reports "VBOX" in these strings.

Loads dropped DLL

42 hits; the report records no DLL names, only the loading process (count in parentheses):

C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe (3)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe (4)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe (4)
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe (1)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe (1)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe (1)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe (2)
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe (10)
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe (3)
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000063001\matywonexe.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe (1)
C:\Windows\SysWOW64\rundll32.exe (4)

The f22b669919\legenda.exe copy and the numbered 10000NN001 directories beneath %TEMP% are the Amadey loader's on-disk layout: legenda.exe is the loader's persistent copy, and each numbered directory holds one payload it downloaded (10MIL.exe, Setupdark.exe, matywonexe.exe, svchost.exe, serv.exe and 123ds.exe, the last fetched twice).

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

7 hits; the report records no file names for them.

Windows security modification

evasion trojan

Both IXP003.TMP payloads created a Windows Defender\Features key and set TamperProtection = 0 in it:

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

The Wow6432Node path on the second write shows that ns9609pH.exe ran as a 32-bit process under WOW64 and was redirected, while mx1177jw.exe wrote the native 64-bit view. Windows 7, the detonation platform, has no Tamper Protection, so the value is inert here; on current Windows the Features key is not writable by administrators and Tamper Protection cannot be switched off through the registry at all.
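The two Defender tables above are easier to reason about as a per-process summary. The Python below is an added example written for this page, not code from the sandbox or from the report: it takes registry-write events in the shape of the report's rows (EVENTS reproduces the Defender rows with their key paths exactly as listed, plus one RunOnce row from the report that the rules must ignore), normalises the NT-native hive name and the Wow6432Node redirection so 32-bit and 64-bit writers compare equal, flags the real-time-protection policy values set to 1 and TamperProtection set to 0, and emits the reg delete commands that undo the policy writes. The reg delete syntax is standard; the rule names and output layout are my own.

```python
import re
from collections import defaultdict

# Registry-write events in the layout of the report's tables:
# (operation, key path, value written, writing process). Copied from the
# report; the RunOnce value is abbreviated to a plain path for readability.
T = r"C:\Users\Admin\AppData\Local\Temp"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
EVENTS = [
    ("Set value (int)", RTP + r"\DisableIOAVProtection", "1", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Set value (int)", RTP + r"\DisableOnAccessProtection", "1", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Key created", RTP, "", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Set value (int)", RTP + r"\DisableScanOnRealtimeEnable", "1", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "0", T + r"\IXP003.TMP\mx1177jw.exe"),
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1", T + r"\IXP003.TMP\ns9609pH.exe"),
    ("Set value (int)", RTP + r"\DisableIOAVProtection", "1", T + r"\IXP003.TMP\ns9609pH.exe"),
    ("Set value (int)", RTP + r"\DisableOnAccessProtection", "1", T + r"\IXP003.TMP\ns9609pH.exe"),
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1", T + r"\IXP003.TMP\ns9609pH.exe"),
    ("Set value (int)", RTP + r"\DisableScanOnRealtimeEnable", "1", T + r"\IXP003.TMP\ns9609pH.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "0", T + r"\IXP003.TMP\ns9609pH.exe"),
    # wextract cleanup entry from the same report: a write the rules must not flag
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 " + T + r"\IXP000.TMP",
     T + r"\d16e87bd29ec89a18d8a477ad08b6f0b.exe"),
]

HIVE = re.compile(r"^\\REGISTRY\\MACHINE", re.I)
WOW64 = re.compile(r"\\Wow6432Node(?=\\)", re.I)
REALTIME_POLICY = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER_FEATURE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)


def normalize(path):
    """Turn the NT-native path into HKLM form and drop the WOW64 redirection
    node, so 32-bit and 64-bit writers land on the same logical key."""
    return WOW64.sub("", HIVE.sub("HKLM", path))


def defender_tamper_findings(events):
    """Group Defender-weakening writes by process. Returns
    {process: {"policies": [...], "tamper_protection_off": bool}} for every
    process that disabled a real-time-protection setting or set TamperProtection = 0."""
    per_proc = defaultdict(lambda: {"policies": set(), "tamper_protection_off": False})
    for op, path, value, proc in events:
        if not op.startswith("Set value"):
            continue  # creating the key is not yet a configuration change
        key = normalize(path)
        m = REALTIME_POLICY.match(key)
        if m and value == "1":
            per_proc[proc]["policies"].add(m.group(1))
        elif TAMPER_FEATURE.match(key) and value == "0":
            per_proc[proc]["tamper_protection_off"] = True
    return {
        proc: {"policies": sorted(v["policies"]), "tamper_protection_off": v["tamper_protection_off"]}
        for proc, v in per_proc.items()
        if v["policies"] or v["tamper_protection_off"]
    }


def remediation_commands(findings):
    """reg delete commands that remove the policy values the sample set, so
    Defender falls back to its defaults. Each value appears once, however many
    processes wrote it."""
    values = sorted({p for f in findings.values() for p in f["policies"]})
    key = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
    return [f'reg delete "{key}" /v {v} /f' for v in values]


if __name__ == "__main__":
    found = defender_tamper_findings(EVENTS)
    for proc, f in found.items():
        print(proc.rsplit("\\", 1)[-1], f)
    print("\n".join(remediation_commands(found)))
```

Running it lists both IXP003.TMP payloads with the same five policy values and tamper_protection_off set, and five reg delete lines; the RunOnce write and the bare key creation are ignored.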

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Every RunOnce entry is a wextract_cleanupN value of the form

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "<IXP directory>"

which a self-extracting wextract (IExpress) executable registers so that its IXPnnn.TMP extraction directory is deleted at the next logon:

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\, written by C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\, written by C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 -> C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\, written by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 -> C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\, written by C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 -> C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\, written by C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe (native 64-bit view of the key, hence its own counter)

The RunOnce key itself was created, ahead of the value write, by d16e87bd29ec89a18d8a477ad08b6f0b.exe, will8268.exe, will2226.exe, will1619.exe and installer.exe.

None of these values launches a payload; this is the stock wextract cleanup mechanism rather than a malware-specific autorun. What the entries do establish is the packaging: four nested wextract layers (IXP000 through IXP003) between the submitted file and the RedLine payloads in IXP003.TMP, plus a further wextract stage (IXP004) unpacked by the 7-Zip SFX installer.exe.

Checks installed software on the system

discovery

Checks system information in the registry

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName and \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer. These are the SMBIOS product and vendor strings; an unmodified VirtualBox guest reports "VirtualBox" and "innotek GmbH".

Checks for VirtualBox DLLs, possible anti-VM trick

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe opened \??\VBoxMiniRdrDN read-only. Despite the signature name this is not a DLL but the device object of the VirtualBox shared-folder redirector; a successful open means the Guest Additions driver is loaded.

Enumerates physical storage devices

Checks SCSI registry key(s)

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe opened, queried and enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI. The device instance IDs under that key embed the disk model string, "VBOX HARDDISK" on a default VirtualBox guest.
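Taken together, serv.exe's probes from "Enumerates VirtualBox registry keys" down to "Checks SCSI registry key(s)" are one hypervisor-fingerprinting routine. The Python below is an added example, not from the report or the sandbox, that classifies the observed accesses into fingerprint families and states for each what a stock VirtualBox or VMware guest leaks there and what a sandbox operator has to change to defeat the check. OBSERVED is copied from the rows above plus one constructed, unrelated key so the classifier has something to leave unexplained; the family names, patterns and hardening notes are mine.

```python
import re

# Registry keys and device objects touched by serv.exe, in the report's
# NT-native path form. The final entry is constructed and not from the report.
CS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001"
HW = r"\REGISTRY\MACHINE\HARDWARE"
OBSERVED = [
    ("Key opened", CS + r"\Services\VBoxGuest"),
    ("Key opened", CS + r"\Services\VBoxMouse"),
    ("Key opened", CS + r"\Services\VBoxService"),
    ("Key opened", CS + r"\Services\VBoxSF"),
    ("Key opened", CS + r"\Services\VBoxVideo"),
    ("Key opened", HW + r"\ACPI\RSDT\VBOX__"),
    ("Key opened", HW + r"\ACPI\DSDT\VBOX__"),
    ("Key opened", HW + r"\ACPI\FADT\VBOX__"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools"),
    ("Key value queried", HW + r"\DESCRIPTION\System\SystemBiosVersion"),
    ("Key value queried", HW + r"\DESCRIPTION\System\VideoBiosVersion"),
    ("Key value queried", HW + r"\DESCRIPTION\System\SystemBiosDate"),
    ("Key value queried", CS + r"\Control\SystemInformation\SystemProductName"),
    ("Key value queried", CS + r"\Control\SystemInformation\SystemManufacturer"),
    ("File opened (read-only)", r"\??\VBoxMiniRdrDN"),
    ("Key queried", CS + r"\Enum\SCSI"),
    ("Key enumerated", CS + r"\Enum\SCSI"),
    ("Key opened", CS + r"\Enum\SCSI"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),  # constructed, benign
]

# (family, path pattern, what the probe finds on a stock guest, what to change)
TECHNIQUES = [
    ("vbox_driver_services", r"\\Services\\VBox(Guest|Mouse|Service|SF|Video)$",
     "Guest Additions driver/service keys exist", "run without Guest Additions or rename its services"),
    ("acpi_oem_id", r"\\HARDWARE\\ACPI\\(RSDT|DSDT|FADT)\\VBOX__$",
     "ACPI tables carry the OEM ID VBOX__", "override the ACPI OEM ID in the VM configuration"),
    ("guest_additions_key", r"\\Oracle\\VirtualBox Guest Additions$",
     "Guest Additions registry key exists", "run without Guest Additions"),
    ("vmware_tools_key", r"\\VMware, Inc\.\\VMware Tools$",
     "VMware Tools registry key exists", "run without VMware Tools"),
    ("bios_strings", r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$",
     "BIOS version strings contain VBOX", "set vendor-looking DMI BIOS strings"),
    ("smbios_system_info", r"\\Control\\SystemInformation\\(SystemProductName|SystemManufacturer)$",
     "product VirtualBox, manufacturer innotek GmbH", "set vendor-looking DMI system strings"),
    ("vbox_device_object", r"^\\\?\?\\VBoxMiniRdrDN$",
     "shared-folder redirector device can be opened", "disable shared folders / Guest Additions"),
    ("scsi_disk_ids", r"\\Enum\\SCSI$",
     "disk instance IDs contain VBOX HARDDISK", "set a custom disk model and serial"),
]


def classify(observed):
    """Assign each access to the first family whose pattern matches.
    Returns ({family: [paths]}, [paths no family explains])."""
    hits, unexplained = {}, []
    for _op, path in observed:
        for family, pattern, _leak, _fix in TECHNIQUES:
            if re.search(pattern, path, re.I):
                hits.setdefault(family, []).append(path)
                break
        else:
            unexplained.append(path)
    return hits, unexplained


def hardening_report(observed):
    """One line per family the sample used: access count, what it reveals on
    an unmodified guest, and the change that defeats it."""
    hits, _ = classify(observed)
    lines = [f"{len(hits)} of {len(TECHNIQUES)} VM-fingerprint families probed"]
    for family, _pattern, leak, fix in TECHNIQUES:
        if family in hits:
            lines.append(f"- {family}: {len(hits[family])} accesses; reveals: {leak}; fix: {fix}")
    return lines


if __name__ == "__main__":
    print("\n".join(hardening_report(OBSERVED)))
    print("unexplained:", classify(OBSERVED)[1])
```

For this sample every one of the eight families is hit, which is the practical point: scrubbing a single artifact such as the Guest Additions key is not enough, because the ACPI OEM ID, the SMBIOS strings and the disk model are checked independently.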

Creates scheduled task(s)

persistence

Process: C:\Windows\SysWOW64\schtasks.exe (the /Create command line is listed under Processes below).

Suspicious behavior: EnumeratesProcesses

32 hits by process (count in parentheses):

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe (2)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe (5)
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe (2)
C:\Users\Admin\AppData\Local\Temp\1000063001\matywonexe.exe (2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (1)
C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe (2)
C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe (2)
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe (10)

Suspicious use of AdjustPrivilegeToken

SeDebugPrivilege enabled by:

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe
C:\Users\Admin\AppData\Local\Temp\1000063001\matywonexe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\Wbem\wmic.exe (three invocations, the third logged as WMIC.exe) enabled SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege and SeManageVolumePrivilege. The first two invocations also list privilege LUIDs 33, 34 and 35, which the sandbox's name table does not resolve: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.

The wmic.exe rows are wmic's normal start-up behaviour: it enables every privilege its token holds, so they show only that the sample ran wmic three times. The SeDebugPrivilege rows from the dropped executables are the meaningful ones; that privilege is what lets a stealer open and read processes it does not own, browsers included.

Suspicious use of WriteProcessMemory

Each row records a parent writing into a child it had just created. The table stops after 64 rows; every parent/child pair appears seven times except the last, which is cut off after its first write. Collapsed, the rows give the launch chain of the detonation (PID, image, number of writes):

1468 C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe
  -> 1704 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe (7)
       -> 1440 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe (7)
            -> 1700 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe (7)
                 -> 336 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe (7)
                 -> 1052 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe (7)
            -> 1020 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe (7)
       -> 308 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe (7)
  -> 808 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe (7)
       -> 1936 C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe (7)
            -> 108 C:\Windows\SysWOW64\schtasks.exe (1, table truncated)

The identical seven writes for every pair, for the plain wextract stages as much as for the payload launches, is the pattern of CreateProcess populating a new child's startup data; these rows document the launch chain rather than a separate code-injection step.
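The WriteProcessMemory rows are in effect a parent/child list, and the same parsing recovers the process tree from any report in this layout. The Python below is an added example, not part of the report or the sandbox: ROWS reproduces the table above with its multiplicities (seven rows per pair, one for the truncated last edge), parse_rows counts writes per parent/child edge, process_tree renders the chain with PIDs and image names, and chain_depth gives how many launch generations separate the submitted file from the innermost payloads. The row regex relies on the report's paths containing no spaces, which holds for every row above.

```python
import re
from collections import Counter, defaultdict

# Rows of the WriteProcessMemory table in the report's flattened one-line
# layout, built with the same multiplicities as the report (7 per pair, 1 for
# the final, truncated edge). T is the common %TEMP% prefix.
T = r"C:\Users\Admin\AppData\Local\Temp"
ROWS = (
    [rf"PID 1468 wrote to memory of 1704 N/A {T}\d16e87bd29ec89a18d8a477ad08b6f0b.exe {T}\IXP000.TMP\will8268.exe"] * 7
    + [rf"PID 1704 wrote to memory of 1440 N/A {T}\IXP000.TMP\will8268.exe {T}\IXP001.TMP\will2226.exe"] * 7
    + [rf"PID 1440 wrote to memory of 1700 N/A {T}\IXP001.TMP\will2226.exe {T}\IXP002.TMP\will1619.exe"] * 7
    + [rf"PID 1700 wrote to memory of 336 N/A {T}\IXP002.TMP\will1619.exe {T}\IXP003.TMP\mx1177jw.exe"] * 7
    + [rf"PID 1700 wrote to memory of 1052 N/A {T}\IXP002.TMP\will1619.exe {T}\IXP003.TMP\ns9609pH.exe"] * 7
    + [rf"PID 1440 wrote to memory of 1020 N/A {T}\IXP001.TMP\will2226.exe {T}\IXP002.TMP\py05km82.exe"] * 7
    + [rf"PID 1704 wrote to memory of 308 N/A {T}\IXP000.TMP\will8268.exe {T}\IXP001.TMP\qs3906zu.exe"] * 7
    + [rf"PID 1468 wrote to memory of 808 N/A {T}\d16e87bd29ec89a18d8a477ad08b6f0b.exe {T}\IXP000.TMP\ry78jE89.exe"] * 7
    + [rf"PID 808 wrote to memory of 1936 N/A {T}\IXP000.TMP\ry78jE89.exe {T}\f22b669919\legenda.exe"] * 7
    + [rf"PID 1936 wrote to memory of 108 N/A {T}\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe"]
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Return (Counter of (parent_pid, child_pid) -> write count, {pid: image path}).
    Raises on a row that does not match the report layout."""
    edges, images = Counter(), {}
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        images[int(src)] = src_img
        images[int(dst)] = dst_img
    return edges, images


def process_tree(rows):
    """Render the launch chain as indented 'pid image (xN)' lines, children in
    first-seen order; roots are PIDs that were never written to."""
    edges, images = parse_rows(rows)
    children = defaultdict(list)
    for src, dst in edges:  # Counter keeps insertion order, so children follow report order
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted(src for src in children if src not in targets)
    lines = []

    def walk(pid, depth, parent):
        image = images[pid].rsplit("\\", 1)[-1]
        note = "" if parent is None else f" (x{edges[(parent, pid)]})"
        indent = "    " * depth
        lines.append(f"{indent}{pid} {image}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return lines


def chain_depth(rows):
    """Generations below the root: how many launch stages deep the innermost payloads sit."""
    return max((len(line) - len(line.lstrip(" "))) // 4 for line in process_tree(rows))


if __name__ == "__main__":
    print("\n".join(process_tree(ROWS)))
    print("depth:", chain_depth(ROWS))
```

The rendered tree shows the two branches of the dropper: one descends through four wextract layers to the RedLine payloads in IXP003.TMP, the other through ry78jE89.exe to the Amadey loader legenda.exe, which in turn launches schtasks.exe.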

Processes

C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe

"C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe

"C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe"

C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe

"C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\7zSFX" "Setupdark.exe""

C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe

"C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe"

C:\Users\Admin\AppData\Local\Temp\1000063001\matywonexe.exe

"C:\Users\Admin\AppData\Local\Temp\1000063001\matywonexe.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell gc cache.tmp|iex

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\taskeng.exe

taskeng.exe {F3ABFBAB-CFBB-4BD1-8550-DCCD0D86BEAB} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

Network

Country  Destination            Domain            Proto  Connections
DE       193.233.20.30:4125     -                 tcp    2
RU       62.204.41.87:80        62.204.41.87      tcp    1
RU       62.204.41.88:80        62.204.41.88      tcp    1
FR       151.80.89.234:19388    -                 tcp    1
US       85.31.54.181:43728     -                 tcp    1
US       8.8.8.8:53             transfer.sh       udp    1
DE       144.76.136.153:443     transfer.sh       tcp    12
NL       185.246.221.126:80     185.246.221.126   tcp    1
US       8.8.8.8:53             ebfertility.com   udp    1
US       89.190.157.61:80       ebfertility.com   tcp    1
NL       212.87.204.93:8081     -                 tcp    1
US       66.42.108.195:40499    -                 tcp    2
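
Pulling indicators out of the Network table above and the Files section that follows by hand is error-prone, because the same endpoint and the same dropped file recur many times. The Python below is an added example, not part of this sandbox report: it parses rows in the report's raw Country/Destination/Domain/Proto layout and path-plus-hash blocks in the Files layout, counts connections per endpoint, separates DNS lookups from contacted endpoints, and groups dropped files by SHA256 so that a loader copying itself (ry78jE89.exe and legenda.exe carry one hash) stands out. The sample rows and file entries are constructed from this page; SHA512 lines are left out of the sample to keep it short, though the parser accepts them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows copied from the Network table (Country, Destination, [Domain], Proto).
NETWORK_SAMPLE = """\
DE 193.233.20.30:4125 tcp
DE 193.233.20.30:4125 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
"""

# Constructed sample entries copied from the Files section; the same file shows up with and
# without the drive letter, and memory-dump lines are interleaved with file entries.
FILES_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

memory/1936-1132-0x0000000002610000-0x0000000002652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe

MD5 ff7f91fa0ee41b37bb8196d9bb44070c
SHA1 b332b64d585e605dddc0c6d88a47323d8c3fc4d1
SHA256 04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e
"""


def parse_network(text):
    """Count each (dest, domain, proto) row; rows without a Domain field have three tokens."""
    rows = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            (_country, dest, proto), domain = parts, None
        else:
            continue
        rows[(dest, domain, proto.lower())] += 1
    return rows


def network_iocs(rows):
    """Split into resolved domains (udp/53 rows) and contacted ip:port endpoints with counts."""
    domains, endpoints = set(), Counter()
    for (dest, domain, proto), n in rows.items():
        if proto == "udp" and dest.endswith(":53"):
            if domain:
                domains.add(domain)
        else:
            endpoints[dest] += n
    return sorted(domains), endpoints


HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def normalize_path(path):
    """Drop the drive letter and case so C:\\X and \\X collapse to one key."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text):
    """Return [(path, {algo: digest})] for each path-plus-hash block; memory dumps are skipped."""
    entries, path, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
        elif line.startswith(("C:\\", "\\")):
            if path and hashes:
                entries.append((path, hashes))
            path, hashes = line, {}
        elif not line and path and hashes:
            entries.append((path, hashes))
            path, hashes = None, {}
    if path and hashes:
        entries.append((path, hashes))
    return entries


def unique_sha256(entries):
    """De-duplicated SHA256 list, the hash IOCs worth blocking on."""
    return sorted({h["SHA256"] for _, h in entries if "SHA256" in h})


def self_copies(entries):
    """SHA256 values seen under more than one distinct path: the loader copying itself."""
    by_hash = defaultdict(set)
    for path, h in entries:
        if "SHA256" in h:
            by_hash[h["SHA256"]].add(normalize_path(path))
    return {d: sorted(p) for d, p in by_hash.items() if len(p) > 1}
```

Run on the full page, network_iocs gives a compact list of endpoints to block with how often each was contacted, and self_copies shows which dropped binaries are the same payload under a new name (here the Amadey loader, staged as ry78jE89.exe and installed as legenda.exe). The DNS rows to 8.8.8.8 are kept as domain indicators rather than counted as an endpoint.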

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe

MD5 9fdaff13d4f89f261f1722bf94ae4bc2
SHA1 87a3adade38979ef026a5d282929e18a391f4ccc
SHA256 77f0d3e51180f77a67f7643d6ca673d34b5632c7919ae53d61478568eb2be581
SHA512 4bce5c3865ee1ba0033eda5db12c4168648c57928f1d8c367a1bd0ff876a936cda5337e31097ee74ca41fef93824972616dffb69869073bf0953819ffb41e614

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe

MD5 07871531794fc724953a9ba368f7951d
SHA1 e9a82c509bb2d0d8b4a0d0ddfb58353d7a6e1f2b
SHA256 4a9772784085262ab613a791115f837f84ce6264ff5517a72b2653e8f7699bfd
SHA512 facad9a82e016d89bcad9b65f3f0126468b8739b3fb61b65d0f0ac56c467c2cc1ab929592e1c67940024bed60fd9682bb31e8312023604b59484d81451c103be

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe

MD5 b5d8008e42c97fe466a1440c9553a2bb
SHA1 a8032ee4cddbc3784512c44761b9cb2e962e8788
SHA256 f2417dedb4a93e4672b955b21b4d6900dd43a33e00177dcda1d4828381e42023
SHA512 61ee78daad9eae1ac04d291fdaff81b78711dc43e8c012936c34511dcda7159606ad7a39266d88a958bbed819cedf9bd818aa9dd12eee6b695214aa24a6bab43

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/336-92-0x0000000000990000-0x000000000099A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe

MD5 9a5b9872499b719a5687a38ccf296b5d
SHA1 fabf53c7926d6e48c7facdccbddc1c3e7ae2c4a6
SHA256 5b0ad1423450d2e51d1b7a1603fdefe5bb1cc6488dd6d78ad7cc45d0cc1b30fa
SHA512 483f235b1ee360d0ba2622c0b1e76ee5eb92619f3b3b5f8a98d3b70b1468be9e6b0808fc9dfe3d5479a93a253d64ac7d6b1d4fa10608b103fa7d32b94c35c291

memory/1052-103-0x00000000031E0000-0x00000000031FA000-memory.dmp

memory/1052-104-0x0000000003250000-0x0000000003268000-memory.dmp

memory/1052-106-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-105-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-108-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-110-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-112-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-114-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-116-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-118-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-120-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-122-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-124-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-126-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-128-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-130-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-132-0x0000000003250000-0x0000000003262000-memory.dmp

memory/1052-133-0x0000000000250000-0x000000000027D000-memory.dmp

memory/1052-134-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/1052-135-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/1052-136-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1052-137-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe

MD5 54961599136072b5951bc91ece44987d
SHA1 d783aa0a436123c0fcd2a3dfdd1453b4afce79dc
SHA256 966228e0ba8627c4f6de84f2b18277abf862e766f8cf0caae340d55394cd0835
SHA512 c608d0f6eaeadb7120b9332b1c6ef6b8ac7fec9bfed311403f3fd5ec5ba0ce3bccac7ec5ac8dcf5be32e3db260427ece3b15581a5ab8f3fc0bcfcb9409777e2f

memory/1020-148-0x0000000004940000-0x0000000004986000-memory.dmp

memory/1020-149-0x0000000004980000-0x00000000049C4000-memory.dmp

memory/1020-151-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-171-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-169-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-179-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-183-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-181-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-177-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-175-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-173-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-167-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-165-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-163-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-161-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-159-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-157-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-155-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-153-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-150-0x0000000004980000-0x00000000049BE000-memory.dmp

memory/1020-419-0x0000000004900000-0x0000000004940000-memory.dmp

memory/1020-421-0x0000000004900000-0x0000000004940000-memory.dmp

memory/1020-423-0x0000000004900000-0x0000000004940000-memory.dmp

memory/1020-417-0x00000000002B0000-0x00000000002FB000-memory.dmp

memory/1020-1060-0x0000000004900000-0x0000000004940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/308-1069-0x0000000001080000-0x00000000010B2000-memory.dmp

memory/308-1070-0x0000000004800000-0x0000000004840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe

MD5 ff7f91fa0ee41b37bb8196d9bb44070c
SHA1 b332b64d585e605dddc0c6d88a47323d8c3fc4d1
SHA256 04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e
SHA512 58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

memory/1548-1102-0x0000000000200000-0x0000000000232000-memory.dmp

memory/1548-1103-0x00000000050C0000-0x0000000005100000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe

MD5 d4fc8415802d26f5902a925dafa09f95
SHA1 76a6da00893bf5fa29e9b9a6e69e83e1ded5856c
SHA256 b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f
SHA512 741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

C:\Users\Admin\AppData\Local\Temp\1000063001\matywonexe.exe

MD5 0191cb1f788338484c31712a343f0b52
SHA1 f78ef09e96fa492639253bb10d0153f0f27053a9
SHA256 263d1a091eafd115e0f9f2e408df14b7ce5e1f06c3ad66e01819d2f7a9a539cb
SHA512 f894517f6629a01e673ae82e339f9aa364eb4ca0f5f42e0a8fcdad31fdb22a0a3a64d749723c2965a441361f805ba598375cdfef281e2c8a06c4616caed47004

memory/1936-1132-0x0000000002610000-0x0000000002652000-memory.dmp

memory/1508-1134-0x0000000140000000-0x0000000140042000-memory.dmp

memory/1508-1136-0x0000000000300000-0x0000000000342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe

MD5 b9ea6d0a56eff17b279b59f1e1a16383
SHA1 610b6cb023fa2bc49b9ab52d58b3451a8ec577dd
SHA256 0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c
SHA512 bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

memory/1604-1152-0x0000000000950000-0x0000000000982000-memory.dmp

memory/1508-1153-0x0000000003130000-0x000000000418D000-memory.dmp

memory/1508-1154-0x0000000003130000-0x000000000418D000-memory.dmp

memory/856-1155-0x0000000140000000-0x000000014105D000-memory.dmp

memory/1604-1158-0x0000000004F70000-0x0000000004FB0000-memory.dmp

memory/856-1159-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

memory/856-1157-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/856-1156-0x0000000000820000-0x000000000187D000-memory.dmp

memory/856-1168-0x0000000002630000-0x0000000002640000-memory.dmp

memory/856-1169-0x0000000076FE0000-0x0000000076FF0000-memory.dmp

memory/1808-1175-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

memory/1808-1177-0x00000000000D0000-0x0000000000173000-memory.dmp

memory/1808-1176-0x00000000028F0000-0x00000000028F8000-memory.dmp

memory/1808-1178-0x0000000001D40000-0x0000000001D50000-memory.dmp

memory/1808-1179-0x0000000002AE0000-0x0000000002B60000-memory.dmp

memory/1808-1180-0x0000000002AE0000-0x0000000002B60000-memory.dmp

memory/1808-1181-0x0000000002AE0000-0x0000000002B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cache.tmp

MD5 406ba1e5cfa6101e565515385b29f333
SHA1 7a5e5f9a0d9364b46053c8ac2c8e13bb28e00d1a
SHA256 b42a50dcef4464d91c34cef6c06e75818231e71aa5dafaf3a04bd7ee24f5d61a
SHA512 745c012e216be360ee6a5c36b7f200726ace28c15d3c23a03ca681a6a13a43fc6d0bdaa17b8caa917bc7d88b4648b039e9644c3b19f5afaa19716502554455db

memory/1808-1185-0x0000000002AE0000-0x0000000002B60000-memory.dmp

memory/1808-1186-0x00000000000D0000-0x0000000000173000-memory.dmp

memory/856-1188-0x0000000140000000-0x000000014105D000-memory.dmp

memory/856-1189-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

MD5 4aff70807f90401da3849fc97e501876
SHA1 aa420e90d073ea664130250fe853198dc68aa9f3
SHA256 c665d23e2a7c83cd991f54b63ab002ea7c218a40d0c38e18488c1de5576fe982
SHA512 40db537527a6346bdd316cfdb56c33b59f7b83fd6a61f18f73d178b9dc0c433eb1733f2ca81b8c13c14d020752ab158349dac8d6c187d64f6213aff934c930d2

memory/1508-1201-0x0000000140000000-0x0000000140042000-memory.dmp

memory/1508-1202-0x0000000000300000-0x0000000000302000-memory.dmp

memory/1936-1203-0x0000000002610000-0x0000000002652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 96a1826acb653006f7528f77dc88a8f1
SHA1 f2d8b92a9a2c9cb043606a24697c28b01136ae2c
SHA256 74bb06f6276fec8207c129228abb064fc1dc1b3d499f258c5630d3069b032d2c
SHA512 347bbaf38e8852e30417cdb5dfe1891167f6b1c187eaff6bc9f625ad34cc74899e4c3ae741dba86f48d92a66bf5b5791fe7c9f060958c0cd1d638bd3bb11b8e8

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/1920-1252-0x0000000000270000-0x000000000029E000-memory.dmp

memory/1316-1256-0x0000000001320000-0x0000000001352000-memory.dmp

memory/1316-1266-0x0000000000A10000-0x0000000000A50000-memory.dmp

memory/1740-1270-0x00000000013C0000-0x00000000013F2000-memory.dmp

memory/1740-1276-0x0000000000810000-0x0000000000850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 dfeffc3924409d9c9d3c8cae05be922b
SHA1 a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4
SHA256 06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6
SHA512 d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

memory/1920-1326-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1920-1325-0x00000000001D0000-0x00000000001EC000-memory.dmp

memory/1920-1333-0x00000000001D0000-0x00000000001EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-19 07:57

Reported

2023-03-19 07:59

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe
PID 1980 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe
PID 2280 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe
PID 1244 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe
PID 1244 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe
PID 2280 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe
PID 1980 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe
PID 1544 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe
PID 4544 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2676 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3432 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3432 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3432 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2676 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe

"C:\Users\Admin\AppData\Local\Temp\d16e87bd29ec89a18d8a477ad08b6f0b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1616

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 52.152.110.14:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 52.152.110.14:443 tcp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 52.168.112.67:443 tcp
US 52.152.110.14:443 tcp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 254.133.241.8.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 55.154.139.52.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8268.exe

MD5 9fdaff13d4f89f261f1722bf94ae4bc2
SHA1 87a3adade38979ef026a5d282929e18a391f4ccc
SHA256 77f0d3e51180f77a67f7643d6ca673d34b5632c7919ae53d61478568eb2be581
SHA512 4bce5c3865ee1ba0033eda5db12c4168648c57928f1d8c367a1bd0ff876a936cda5337e31097ee74ca41fef93824972616dffb69869073bf0953819ffb41e614

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2226.exe

MD5 07871531794fc724953a9ba368f7951d
SHA1 e9a82c509bb2d0d8b4a0d0ddfb58353d7a6e1f2b
SHA256 4a9772784085262ab613a791115f837f84ce6264ff5517a72b2653e8f7699bfd
SHA512 facad9a82e016d89bcad9b65f3f0126468b8739b3fb61b65d0f0ac56c467c2cc1ab929592e1c67940024bed60fd9682bb31e8312023604b59484d81451c103be

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will1619.exe

MD5 b5d8008e42c97fe466a1440c9553a2bb
SHA1 a8032ee4cddbc3784512c44761b9cb2e962e8788
SHA256 f2417dedb4a93e4672b955b21b4d6900dd43a33e00177dcda1d4828381e42023
SHA512 61ee78daad9eae1ac04d291fdaff81b78711dc43e8c012936c34511dcda7159606ad7a39266d88a958bbed819cedf9bd818aa9dd12eee6b695214aa24a6bab43

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1177jw.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4696-161-0x0000000000610000-0x000000000061A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9609pH.exe

MD5 9a5b9872499b719a5687a38ccf296b5d
SHA1 fabf53c7926d6e48c7facdccbddc1c3e7ae2c4a6
SHA256 5b0ad1423450d2e51d1b7a1603fdefe5bb1cc6488dd6d78ad7cc45d0cc1b30fa
SHA512 483f235b1ee360d0ba2622c0b1e76ee5eb92619f3b3b5f8a98d3b70b1468be9e6b0808fc9dfe3d5479a93a253d64ac7d6b1d4fa10608b103fa7d32b94c35c291

memory/1152-167-0x0000000004770000-0x000000000479D000-memory.dmp

memory/1152-168-0x00000000071C0000-0x0000000007764000-memory.dmp

memory/1152-169-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/1152-170-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/1152-171-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-172-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-174-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-176-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-178-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-180-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-182-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-184-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-186-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-188-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-190-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-192-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-194-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-196-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-198-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/1152-199-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1152-201-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/1152-203-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/1152-204-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/1152-202-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py05km82.exe

MD5 54961599136072b5951bc91ece44987d
SHA1 d783aa0a436123c0fcd2a3dfdd1453b4afce79dc
SHA256 966228e0ba8627c4f6de84f2b18277abf862e766f8cf0caae340d55394cd0835
SHA512 c608d0f6eaeadb7120b9332b1c6ef6b8ac7fec9bfed311403f3fd5ec5ba0ce3bccac7ec5ac8dcf5be32e3db260427ece3b15581a5ab8f3fc0bcfcb9409777e2f

memory/4348-209-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-210-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-212-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-213-0x00000000047B0000-0x00000000047FB000-memory.dmp

memory/4348-216-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-217-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-218-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-215-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-220-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-222-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-224-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-226-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-230-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-228-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-232-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-234-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-236-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-238-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-240-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-242-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-244-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-246-0x00000000076A0000-0x00000000076DE000-memory.dmp

memory/4348-1119-0x0000000007860000-0x0000000007E78000-memory.dmp

memory/4348-1120-0x0000000007F00000-0x000000000800A000-memory.dmp

memory/4348-1121-0x0000000008040000-0x0000000008052000-memory.dmp

memory/4348-1122-0x0000000008060000-0x000000000809C000-memory.dmp

memory/4348-1123-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-1125-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-1126-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-1127-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4348-1128-0x0000000008350000-0x00000000083E2000-memory.dmp

memory/4348-1129-0x00000000083F0000-0x0000000008456000-memory.dmp

memory/4348-1130-0x0000000008C10000-0x0000000008DD2000-memory.dmp

memory/4348-1131-0x0000000008DF0000-0x000000000931C000-memory.dmp

memory/4348-1132-0x0000000009590000-0x0000000009606000-memory.dmp

memory/4348-1133-0x0000000009620000-0x0000000009670000-memory.dmp

memory/4348-1134-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3906zu.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/216-1140-0x00000000008F0000-0x0000000000922000-memory.dmp

memory/216-1141-0x00000000054C0000-0x00000000054D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry78jE89.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
