Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-lhl5lafh32
Target ebff635dc32332e97d81077f0c5e2726.exe
SHA256 cb94b689b4d92eef77e32334201271fcc9ae884bafd0419b176935c00f59a4d2
Tags
amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file ebff635dc32332e97d81077f0c5e2726.exe was found to be: Known bad.

Malicious Activity Summary


Amadey

Rhadamanthys

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Aurora

Detect rhadamanthys stealer shellcode

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VMWare Tools registry key

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks system information in the registry

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 09:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 09:32

Reported

2023-03-19 09:34

Platform

win7-20230220-en

Max time kernel

124s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode


Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A

RedLine

infostealer redline

RedLine payload


Rhadamanthys

stealer rhadamanthys

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Loads dropped DLL

Process Count
C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe 3
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe 4
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe 1
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe 1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe 1
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe 2
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 7
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe 1
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe 1
C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe 1
C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe 1
C:\Windows\SysWOW64\rundll32.exe 4

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Process Count
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe 3

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Count
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe 2
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe 2
C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe 2
C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe 2
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe 10

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1596 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe 7
PID 796 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe 7
PID 1500 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe 7
PID 548 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe 7
PID 548 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe 7
PID 1500 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe 7
PID 796 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe 7
PID 1596 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe 7
PID 956 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe 7
PID 1580 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe

"C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {3711A5D4-C5A9-428F-8AE7-2B4146B14717} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
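
The command lines above spell out the Amadey persistence chain: schtasks registers a task that relaunches legenda.exe every minute, cacls first denies the Admin account all access to the dropper and its directory and then grants read only, so the account that ran it can no longer modify or delete them without taking ownership back, wmic profiles the host (OS caption, GPU, CPU), and rundll32 loads clip64.dll from AppData\Roaming through an exported Main entry point. The Python below is an added example by the editor, not part of the report: it runs a small rule set over command lines copied from the Processes section and returns the matches. The rule names are the editor's own, and the ATT&CK technique IDs are the editor's mapping, not a mapping the report makes.

```python
import re
from dataclasses import dataclass

# Command lines copied from the report's Processes section (constructed sample input).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit',
    r'wmic os get Caption',
    r'cmd /C "wmic path win32_VideoController get name"',
    r'wmic cpu get name',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK technique ID (editor's mapping)
    cmdline: str


# (rule name, ATT&CK ID, pattern). Case-insensitive because cmd.exe and schtasks are.
RULES = [
    # Scheduled task on a minute interval whose action lives in a user-writable path.
    ("schtasks_minute_task_from_user_writable_path", "T1053.005",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b.*?/sc\s+minute\b.*?/tr\s+"?[^"]*\\(AppData|Temp|ProgramData)\\', re.I)),
    # cacls ":N" denies the named account every right on the target (self-protection of the dropper).
    ("cacls_deny_on_own_dropper", "T1222.001",
     re.compile(r'cacls\s+"[^"]+"\s+/p\s+"[^:"]+:N"', re.I)),
    # wmic queries for OS, CPU or GPU identity: host fingerprinting before the stealer payloads run.
    ("wmic_hardware_recon", "T1082",
     re.compile(r'\bwmic\b.*\b(cpu|win32_videocontroller|os)\b.*\bget\b', re.I)),
    # rundll32 invoking an export of a DLL dropped under AppData\Roaming.
    ("rundll32_dll_from_appdata_roaming", "T1218.011",
     re.compile(r'rundll32(\.exe)?"?\s+[^ ]*\\AppData\\Roaming\\[^,\s]+\.dll\s*,', re.I)),
    # A Windows system binary name launched from anywhere other than C:\Windows\.
    ("system_binary_name_outside_system32", "T1036.005",
     re.compile(r'^"?(?!C:\\Windows\\)[^"]*\\(svchost|lsass|csrss|explorer)\.exe"?$', re.I)),
]


def scan(cmdlines=SAMPLE_CMDLINES):
    """Return one Finding per (rule, command line) pair that matches."""
    findings = []
    for line in cmdlines:
        for name, technique, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, technique, line))
    return findings


def rules_hit(cmdlines=SAMPLE_CMDLINES):
    """Sorted, de-duplicated names of the rules that fired."""
    return sorted({f.rule for f in scan(cmdlines)})


if __name__ == "__main__":
    for f in scan():
        print(f"{f.technique:10} {f.rule:45} {f.cmdline[:70]}")
```

Against the eight lines above the scan produces seven findings: the three wmic invocations each match once, and every other suspicious line matches exactly one rule. The original dropper's own command line matches nothing, which is the expected gap: a bare path in Temp is not a behaviour, so detection here rests on the child processes.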

Network

Country Destination Domain Proto Connections
DE 193.233.20.30:4125 - tcp 2
RU 62.204.41.87:80 62.204.41.87 tcp 1
US 8.8.8.8:53 transfer.sh udp 1
DE 144.76.136.153:443 transfer.sh tcp 12
NL 185.246.221.126:80 185.246.221.126 tcp 1
US 8.8.8.8:53 ebfertility.com udp 1
US 89.190.157.61:80 ebfertility.com tcp 1
NL 212.87.204.93:8081 - tcp 1
RU 62.204.41.88:80 62.204.41.88 tcp 1
US 66.42.108.195:40499 - tcp 2

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

MD5 d8e4067a46ac4964b8defe3ae2b24f46
SHA1 bf52487f628e2022afee8d276471f79d8fd72fa9
SHA256 5e7cde260b95b11e6a79bde58af0cb762ab92a5149e2ae267a9bb8852ec29a06
SHA512 38df0343839782370a1fb8f1f573cf1833f48352cbc26798d926cc3ca1095b659b7a336e5e6009f0b013b3e431b599e12894c7f8a9096d3c59ce0c7faccbe902

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

MD5 d8e4067a46ac4964b8defe3ae2b24f46
SHA1 bf52487f628e2022afee8d276471f79d8fd72fa9
SHA256 5e7cde260b95b11e6a79bde58af0cb762ab92a5149e2ae267a9bb8852ec29a06
SHA512 38df0343839782370a1fb8f1f573cf1833f48352cbc26798d926cc3ca1095b659b7a336e5e6009f0b013b3e431b599e12894c7f8a9096d3c59ce0c7faccbe902

\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

MD5 3602fe731e3684fb26de63747ab9d651
SHA1 71cba68c9588cfe375a0ff1a46385fb850c4c611
SHA256 f4719cb7e1931f470de73e0ce2423120ce2aaa875b91eaa5c3e4cafba484f781
SHA512 348ad26484208f4ce7aed95b12383b5b6d7213d65309d887dd08b4405882b19cf9899754910ee1fedfb939945063eede87d625f08d09afe9d931b7d840f28613

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

MD5 3602fe731e3684fb26de63747ab9d651
SHA1 71cba68c9588cfe375a0ff1a46385fb850c4c611
SHA256 f4719cb7e1931f470de73e0ce2423120ce2aaa875b91eaa5c3e4cafba484f781
SHA512 348ad26484208f4ce7aed95b12383b5b6d7213d65309d887dd08b4405882b19cf9899754910ee1fedfb939945063eede87d625f08d09afe9d931b7d840f28613

\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

MD5 f79ddbc16e58be9233f10d1f21d54aa4
SHA1 2588fb73afbcaf3aee37b2b2eea1dfe2c6cdcba0
SHA256 292217a119116ef95750f6cb18f3c2eefe7d457d26388c7b2bc6a90c5e020df6
SHA512 3712a9d7228c73489deb506cd6ff11a150461e8a778a728780c7982d0d24e27271b0b13a4e30893256763c7c66c54aedb9bebe2a5f433b8844467b21c2e00888

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

MD5 f79ddbc16e58be9233f10d1f21d54aa4
SHA1 2588fb73afbcaf3aee37b2b2eea1dfe2c6cdcba0
SHA256 292217a119116ef95750f6cb18f3c2eefe7d457d26388c7b2bc6a90c5e020df6
SHA512 3712a9d7228c73489deb506cd6ff11a150461e8a778a728780c7982d0d24e27271b0b13a4e30893256763c7c66c54aedb9bebe2a5f433b8844467b21c2e00888

\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/940-92-0x00000000000C0000-0x00000000000CA000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

MD5 d50e7ca3bcc7c18cb9a99b4d05d8bca8
SHA1 457459430e7949cd2ee096ba502088a23e2a41d3
SHA256 14a9649be92bc774a723a5721cdac3061d0095e5332b9d6defc5163c5b6e1fed
SHA512 44d2306b6407082a3ae3fd40b1a1e6fdb80651d0b43e69221d026b690a9f12339209a61aa28dd0cae314be26fe6e49e14b54fde401736a60391404ca9e66dfd6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

MD5 d50e7ca3bcc7c18cb9a99b4d05d8bca8
SHA1 457459430e7949cd2ee096ba502088a23e2a41d3
SHA256 14a9649be92bc774a723a5721cdac3061d0095e5332b9d6defc5163c5b6e1fed
SHA512 44d2306b6407082a3ae3fd40b1a1e6fdb80651d0b43e69221d026b690a9f12339209a61aa28dd0cae314be26fe6e49e14b54fde401736a60391404ca9e66dfd6

memory/1380-103-0x00000000002A0000-0x00000000002CD000-memory.dmp

memory/1380-104-0x0000000004760000-0x000000000477A000-memory.dmp

memory/1380-105-0x00000000047A0000-0x00000000047B8000-memory.dmp

memory/1380-106-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-107-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-109-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-111-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-113-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-115-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-117-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-119-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-121-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-123-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-125-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-127-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-129-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-131-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-133-0x00000000047A0000-0x00000000047B2000-memory.dmp

memory/1380-134-0x0000000007090000-0x00000000070D0000-memory.dmp

memory/1380-136-0x0000000007090000-0x00000000070D0000-memory.dmp

memory/1380-135-0x0000000007090000-0x00000000070D0000-memory.dmp

memory/1380-137-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/1380-138-0x0000000000400000-0x0000000002B03000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

MD5 78289d755de86f6f4b54240a4729e102
SHA1 1da7ab9dd684c4bfa359466800b61ccf04182206
SHA256 61a0fd355e0b70976431f0a011bf254edbc61ea2928f7a518bb8c3afe110b7fd
SHA512 72f07e4b890f78f78766de45a55df0d72cde3d951faf45b931e3ccd3652866f99a94c2e0282b4f5c6dcb22333a18c4d32a28940e50ea084745aac12b66379beb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

MD5 78289d755de86f6f4b54240a4729e102
SHA1 1da7ab9dd684c4bfa359466800b61ccf04182206
SHA256 61a0fd355e0b70976431f0a011bf254edbc61ea2928f7a518bb8c3afe110b7fd
SHA512 72f07e4b890f78f78766de45a55df0d72cde3d951faf45b931e3ccd3652866f99a94c2e0282b4f5c6dcb22333a18c4d32a28940e50ea084745aac12b66379beb

memory/1692-149-0x0000000004830000-0x0000000004876000-memory.dmp

memory/1692-150-0x0000000004880000-0x00000000048C4000-memory.dmp

memory/1692-154-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-156-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-152-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-151-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-158-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-160-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-164-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-162-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-166-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-170-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-168-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-172-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-176-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-174-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-178-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-180-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-182-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-184-0x0000000004880000-0x00000000048BE000-memory.dmp

memory/1692-190-0x00000000003A0000-0x00000000003EB000-memory.dmp

memory/1692-1058-0x00000000048C0000-0x0000000004900000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/1776-1067-0x0000000000B30000-0x0000000000B62000-memory.dmp

memory/1776-1068-0x0000000002410000-0x0000000002450000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 da694bea0ba6b289fc4d690d936f9a66
SHA1 9326c3e39d5cc8b48f1d53de91b01927b1b17ccc
SHA256 1a3f1b82d83a7127ddc70816989aa82a6cac50d06895516e7435451f31284153
SHA512 486fbb2dd84c6205c8700de60b23143080eaf9de99c617bbcc5a7664502fdfeaf52faeb721aa40f36fd4dcd8fb1cae3d6b8133ea503d1d7bb738f4842b8a3ce5

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 da694bea0ba6b289fc4d690d936f9a66
SHA1 9326c3e39d5cc8b48f1d53de91b01927b1b17ccc
SHA256 1a3f1b82d83a7127ddc70816989aa82a6cac50d06895516e7435451f31284153
SHA512 486fbb2dd84c6205c8700de60b23143080eaf9de99c617bbcc5a7664502fdfeaf52faeb721aa40f36fd4dcd8fb1cae3d6b8133ea503d1d7bb738f4842b8a3ce5

memory/1632-1123-0x00000000002C0000-0x00000000002EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/1244-1140-0x0000000000D40000-0x0000000000D72000-memory.dmp

memory/1244-1150-0x0000000004F40000-0x0000000004F80000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/1704-1158-0x0000000000D10000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 e5e81f0ae5ba9a2ac3db0a17d3c9f810
SHA1 c2d6bdf002325094ff399b1e4c36df575b48ee4f
SHA256 a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3
SHA512 cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

memory/1704-1190-0x0000000000A40000-0x0000000000A80000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

memory/1632-1220-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1632-1219-0x00000000002F0000-0x000000000030C000-memory.dmp

memory/1632-1229-0x00000000002F0000-0x000000000030C000-memory.dmp
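
Grouping the dropped files by SHA-256 makes two relationships in this list explicit: ry67Ao56.exe and f22b669919\legenda.exe are byte-identical, so legenda.exe is the copy the scheduled task keeps relaunching, and the two 123ds.exe downloads under 1000070001 and 1000071001 are the same file fetched twice. The Python below is an added example by the editor, not part of the report: it validates the hashes, groups the report's (path, SHA-256) pairs, and flags a Windows system-binary name dropped outside C:\Windows, which is how the fake svchost.exe in Temp stands out. The pairs are copied from the Files section with each distinct path listed once; the list of system binary names is an assumption.

```python
import re
from collections import defaultdict

SHA256_RX = re.compile(r"^[0-9a-f]{64}$")

# (path, SHA-256) pairs copied from the report's Files section (constructed sample input).
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe", "5e7cde260b95b11e6a79bde58af0cb762ab92a5149e2ae267a9bb8852ec29a06"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe", "f4719cb7e1931f470de73e0ce2423120ce2aaa875b91eaa5c3e4cafba484f781"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe", "292217a119116ef95750f6cb18f3c2eefe7d457d26388c7b2bc6a90c5e020df6"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe", "850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe", "14a9649be92bc774a723a5721cdac3061d0095e5332b9d6defc5163c5b6e1fed"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe", "61a0fd355e0b70976431f0a011bf254edbc61ea2928f7a518bb8c3afe110b7fd"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe", "2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe", "42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4"),
    (r"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe", "42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe", "84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe", "1a3f1b82d83a7127ddc70816989aa82a6cac50d06895516e7435451f31284153"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe", "97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe", "97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9"),
    (r"C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot", "a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll", "48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll", "c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106"),
]

# Names that belong under C:\Windows; an assumption for this example, extend as needed.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "rundll32.exe"}


def validate(entries=DROPPED):
    """Reject anything that is not a lowercase 64-hex SHA-256 before it reaches a blocklist."""
    bad = [path for path, sha in entries if not SHA256_RX.match(sha)]
    if bad:
        raise ValueError(f"malformed SHA-256 for: {bad}")
    return True


def by_hash(entries=DROPPED):
    """Map each SHA-256 to every path it was written to."""
    validate(entries)
    groups = defaultdict(list)
    for path, sha in entries:
        groups[sha].append(path)
    return dict(groups)


def same_binary_multiple_paths(entries=DROPPED):
    """Groups of paths that hold the identical file (copies, persistence stubs, re-downloads)."""
    return sorted(sorted(paths) for paths in by_hash(entries).values() if len(paths) > 1)


def unique_hash_count(entries=DROPPED):
    """Number of distinct binaries to block, which is smaller than the number of paths."""
    return len(by_hash(entries))


def masquerading_names(entries=DROPPED):
    """Paths whose file name is a Windows system binary but which sit outside C:\\Windows\\."""
    hits = []
    for path, _ in entries:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and not path.lower().startswith("c:\\windows\\"):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(unique_hash_count(), "distinct binaries")
    for group in same_binary_multiple_paths():
        print("same file:", *group, sep="\n  ")
    print("masquerading:", masquerading_names())
```

Sixteen paths collapse to fourteen distinct hashes. When feeding these into a blocklist, block the hash rather than the path: the persistence copy under f22b669919 and the per-download folder names (1000066001 and so on) are the parts most likely to differ between victims.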

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-19 09:32

Reported

2023-03-19 09:34

Platform

win10v2004-20230221-en

Max time kernel

113s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe
PID 1420 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe
PID 1420 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe
PID 4368 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe
PID 4368 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe
PID 4368 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe
PID 1296 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe
PID 1296 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe
PID 1296 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe
PID 3428 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe
PID 3428 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe
PID 3428 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe
PID 3428 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe
PID 3428 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe
PID 1296 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe
PID 1296 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe
PID 1296 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe
PID 4368 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe
PID 4368 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe
PID 4368 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe
PID 1420 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe
PID 1420 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe
PID 1420 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe
PID 2564 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2564 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2564 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3512 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2568 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3512 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe

"C:\Users\Admin\AppData\Local\Temp\ebff635dc32332e97d81077f0c5e2726.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4256 -ip 4256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 1352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53            76.38.195.152.in-addr.arpa    udp
US       8.8.8.8:53            210.81.184.52.in-addr.arpa    udp
US       8.8.8.8:53            33.18.126.40.in-addr.arpa     udp
DE       193.233.20.30:4125                                  tcp
US       8.8.8.8:53            30.20.233.193.in-addr.arpa    udp
US       20.189.173.2:443                                    tcp
US       8.8.8.8:53            216.74.101.95.in-addr.arpa    udp
DE       193.233.20.30:4125                                  tcp
US       93.184.221.240:80                                   tcp
NL       173.223.113.164:443                                 tcp
NL       173.223.113.131:80                                  tcp
US       204.79.197.203:80                                   tcp
RU       62.204.41.87:80       62.204.41.87                  tcp
US       8.8.8.8:53            87.41.204.62.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

MD5 d8e4067a46ac4964b8defe3ae2b24f46
SHA1 bf52487f628e2022afee8d276471f79d8fd72fa9
SHA256 5e7cde260b95b11e6a79bde58af0cb762ab92a5149e2ae267a9bb8852ec29a06
SHA512 38df0343839782370a1fb8f1f573cf1833f48352cbc26798d926cc3ca1095b659b7a336e5e6009f0b013b3e431b599e12894c7f8a9096d3c59ce0c7faccbe902

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1157.exe

MD5 d8e4067a46ac4964b8defe3ae2b24f46
SHA1 bf52487f628e2022afee8d276471f79d8fd72fa9
SHA256 5e7cde260b95b11e6a79bde58af0cb762ab92a5149e2ae267a9bb8852ec29a06
SHA512 38df0343839782370a1fb8f1f573cf1833f48352cbc26798d926cc3ca1095b659b7a336e5e6009f0b013b3e431b599e12894c7f8a9096d3c59ce0c7faccbe902

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

MD5 3602fe731e3684fb26de63747ab9d651
SHA1 71cba68c9588cfe375a0ff1a46385fb850c4c611
SHA256 f4719cb7e1931f470de73e0ce2423120ce2aaa875b91eaa5c3e4cafba484f781
SHA512 348ad26484208f4ce7aed95b12383b5b6d7213d65309d887dd08b4405882b19cf9899754910ee1fedfb939945063eede87d625f08d09afe9d931b7d840f28613

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9780.exe

MD5 3602fe731e3684fb26de63747ab9d651
SHA1 71cba68c9588cfe375a0ff1a46385fb850c4c611
SHA256 f4719cb7e1931f470de73e0ce2423120ce2aaa875b91eaa5c3e4cafba484f781
SHA512 348ad26484208f4ce7aed95b12383b5b6d7213d65309d887dd08b4405882b19cf9899754910ee1fedfb939945063eede87d625f08d09afe9d931b7d840f28613

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

MD5 f79ddbc16e58be9233f10d1f21d54aa4
SHA1 2588fb73afbcaf3aee37b2b2eea1dfe2c6cdcba0
SHA256 292217a119116ef95750f6cb18f3c2eefe7d457d26388c7b2bc6a90c5e020df6
SHA512 3712a9d7228c73489deb506cd6ff11a150461e8a778a728780c7982d0d24e27271b0b13a4e30893256763c7c66c54aedb9bebe2a5f433b8844467b21c2e00888

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0823.exe

MD5 f79ddbc16e58be9233f10d1f21d54aa4
SHA1 2588fb73afbcaf3aee37b2b2eea1dfe2c6cdcba0
SHA256 292217a119116ef95750f6cb18f3c2eefe7d457d26388c7b2bc6a90c5e020df6
SHA512 3712a9d7228c73489deb506cd6ff11a150461e8a778a728780c7982d0d24e27271b0b13a4e30893256763c7c66c54aedb9bebe2a5f433b8844467b21c2e00888

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6989gi.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1020-161-0x0000000000940000-0x000000000094A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

MD5 d50e7ca3bcc7c18cb9a99b4d05d8bca8
SHA1 457459430e7949cd2ee096ba502088a23e2a41d3
SHA256 14a9649be92bc774a723a5721cdac3061d0095e5332b9d6defc5163c5b6e1fed
SHA512 44d2306b6407082a3ae3fd40b1a1e6fdb80651d0b43e69221d026b690a9f12339209a61aa28dd0cae314be26fe6e49e14b54fde401736a60391404ca9e66dfd6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8759rO.exe

MD5 d50e7ca3bcc7c18cb9a99b4d05d8bca8
SHA1 457459430e7949cd2ee096ba502088a23e2a41d3
SHA256 14a9649be92bc774a723a5721cdac3061d0095e5332b9d6defc5163c5b6e1fed
SHA512 44d2306b6407082a3ae3fd40b1a1e6fdb80651d0b43e69221d026b690a9f12339209a61aa28dd0cae314be26fe6e49e14b54fde401736a60391404ca9e66dfd6

memory/2496-167-0x00000000071C0000-0x0000000007764000-memory.dmp

memory/2496-168-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-169-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-171-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-174-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-175-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/2496-177-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/2496-178-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-173-0x0000000002B90000-0x0000000002BBD000-memory.dmp

memory/2496-179-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/2496-181-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-183-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-185-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-187-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-189-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-191-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-193-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-195-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-197-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-199-0x0000000004B10000-0x0000000004B22000-memory.dmp

memory/2496-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/2496-201-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/2496-202-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/2496-203-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/2496-205-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

MD5 78289d755de86f6f4b54240a4729e102
SHA1 1da7ab9dd684c4bfa359466800b61ccf04182206
SHA256 61a0fd355e0b70976431f0a011bf254edbc61ea2928f7a518bb8c3afe110b7fd
SHA512 72f07e4b890f78f78766de45a55df0d72cde3d951faf45b931e3ccd3652866f99a94c2e0282b4f5c6dcb22333a18c4d32a28940e50ea084745aac12b66379beb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py59Wf77.exe

MD5 78289d755de86f6f4b54240a4729e102
SHA1 1da7ab9dd684c4bfa359466800b61ccf04182206
SHA256 61a0fd355e0b70976431f0a011bf254edbc61ea2928f7a518bb8c3afe110b7fd
SHA512 72f07e4b890f78f78766de45a55df0d72cde3d951faf45b931e3ccd3652866f99a94c2e0282b4f5c6dcb22333a18c4d32a28940e50ea084745aac12b66379beb

memory/4256-210-0x0000000002C70000-0x0000000002CBB000-memory.dmp

memory/4256-211-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-212-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-213-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-215-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-217-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-219-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-221-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-223-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-225-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-227-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-229-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-231-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-233-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-235-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-237-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-239-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-243-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-242-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-241-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-245-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-247-0x0000000004B80000-0x0000000004BBE000-memory.dmp

memory/4256-1120-0x0000000007980000-0x0000000007F98000-memory.dmp

memory/4256-1121-0x00000000071F0000-0x00000000072FA000-memory.dmp

memory/4256-1122-0x0000000007320000-0x0000000007332000-memory.dmp

memory/4256-1123-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-1124-0x0000000007340000-0x000000000737C000-memory.dmp

memory/4256-1126-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-1127-0x0000000008210000-0x00000000082A2000-memory.dmp

memory/4256-1128-0x00000000082B0000-0x0000000008316000-memory.dmp

memory/4256-1129-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-1130-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/4256-1131-0x0000000008AD0000-0x0000000008B46000-memory.dmp

memory/4256-1132-0x0000000008B50000-0x0000000008BA0000-memory.dmp

memory/4256-1133-0x0000000008BE0000-0x0000000008DA2000-memory.dmp

memory/4256-1134-0x0000000008DB0000-0x00000000092DC000-memory.dmp

memory/4256-1135-0x00000000073C0000-0x00000000073D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs4454KK.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/4464-1141-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4464-1142-0x0000000004FF0000-0x0000000005000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67Ao56.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5