Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-nkeveaab8z
Target eb0734706587d9148fafb254af106bae.exe
SHA256 f2958f14dac131c5f0215e035bd7991c8e79e1b019cd344aa5a79eb24e0b3016
Tags
amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2958f14dac131c5f0215e035bd7991c8e79e1b019cd344aa5a79eb24e0b3016

Threat Level: Known bad

The file eb0734706587d9148fafb254af106bae.exe was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Rhadamanthys

Amadey

Aurora

RedLine payload

Detect rhadamanthys stealer shellcode

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Windows security modification

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 11:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 11:27

Reported

2023-03-19 11:29

Platform

win7-20230220-en

Max time kernel

122s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(21 matches; no description, indicator, process or target recorded)

Rhadamanthys

stealer rhadamanthys

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
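
Two caveats before reading the registry tables above as a successful defence bypass. The Real-Time Protection values are written under the Policies key and the TamperProtection value directly under Windows Defender\Features; the win7 platform this detonation ran on has no Tamper Protection at all, and on Windows 10/11 with Tamper Protection enabled Defender does not honour direct registry edits to these settings, and a direct write of the TamperProtection value does not switch it off. Separately, the RunOnce values named wextract_cleanupN are created by wextract.exe (the IExpress self-extractor stub) to delete its IXPnnn.TMP folder at next logon through advpack.dll DelNodeRunDLL32; they are a packaging artefact, not an autostart for the payload. The script below is an added example, not the sandbox's own logic: it parses rows copied from the tables above (a subset), normalises the key paths and maps each event to an ATT&CK technique, with those two caveats encoded as rules. The rule set and the technique mapping are assumptions of this example.

```python
"""Classify sandbox registry events into ATT&CK techniques (added example).

The rows are copied from this page's behavioral1 tables (a subset); the
parser, rule set and technique mapping are this example's own.
"""
import re
from collections import Counter

REGISTRY_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
'''

# Row layout on this page: <operation> <indicator> <process path> N/A.
# The indicator may contain spaces; the process path is the last C:\ token before N/A.
ROW_RE = re.compile(
    r'^(Key opened|Key created|Key queried|Key enumerated|Key value queried|'
    r'Set value \((?:int|str)\)) (.+?) (C:\\\S+) N/A$'
)


def parse_row(line):
    """(operation, key, data, process) for one row; data is '' unless a value was set."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    op, indicator, process = m.groups()
    key, sep, data = indicator.partition(' = ')
    return op, key, (data.strip('"') if sep else ''), process


def normalize(key):
    """\\REGISTRY\\MACHINE\\ -> HKLM\\, drop the Wow6432Node redirection, lower-case."""
    if key.upper().startswith('\\REGISTRY\\MACHINE\\'):
        key = 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    return key.replace('Wow6432Node\\', '').lower()


def classify(op, key, data):
    """(technique id, note) for one event, or None when no rule applies."""
    k = normalize(key)
    leaf = k.rsplit('\\', 1)[-1]
    if 'windows defender\\real-time protection' in k:
        if op.startswith('Set value') and data == '1':
            return 'T1562.001', f'Defender Real-Time Protection policy {leaf} set to 1'
        if op == 'Key created':
            return 'T1562.001', 'Defender Real-Time Protection policy key created'
        return None
    if k.endswith('windows defender\\features\\tamperprotection') and data == '0':
        return 'T1562.001', 'TamperProtection value written as 0 (not honoured where Tamper Protection is on)'
    if '\\currentversion\\runonce\\' in k or '\\currentversion\\run\\' in k:
        if leaf.startswith('wextract_cleanup') and 'advpack.dll,delnoderundll32' in data.lower():
            return 'info', f'IExpress self-extractor cleanup entry {leaf} (deletes its temp folder; not persistence)'
        return 'T1547.001', f'autostart entry {leaf}'
    if any(s in k for s in ('\\services\\vbox', '\\vbox__', 'virtualbox guest additions', 'vmware tools')):
        return 'T1497.001', f'VM artefact lookup: {leaf}'
    if any(s in k for s in ('hardware\\description\\system\\', 'control\\systeminformation\\', '\\enum\\scsi')):
        return 'T1082', f'hardware/system information: {leaf}'
    return None


def scan(text):
    """Run every row through classify(); returns one dict per classified event."""
    findings = []
    for line in text.strip().splitlines():
        parsed = parse_row(line)
        if not parsed:
            continue
        op, key, data, process = parsed
        hit = classify(op, key, data)
        if hit:
            findings.append({'technique': hit[0], 'note': hit[1], 'op': op,
                             'key': normalize(key), 'process': process.rsplit('\\', 1)[-1]})
    return findings


def by_technique(findings):
    return Counter(f['technique'] for f in findings)


def processes_for(findings, technique):
    return {f['process'] for f in findings if f['technique'] == technique}


if __name__ == '__main__':
    for f in scan(REGISTRY_ROWS):
        print(f"{f['technique']:10} {f['process']:14} {f['note']}")
```

Feeding the full tables through scan() attributes the Defender tampering to the two IXP003.TMP payloads and every anti-VM and hardware lookup to serv.exe, which is the split a triage note should report.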

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1136 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
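
The WriteProcessMemory rows above are the quickest place to recover the execution chain: every distinct (parent PID, child PID) pair is one process creation, and the IXP000.TMP, IXP001.TMP, IXP002.TMP and IXP003.TMP folders mark successive layers of wextract.exe, the self-extractor stub used by IExpress packages, so the sample is four nested extractors around the payloads. The script below is an added example, not part of the sandbox report: it parses rows copied from the table (one duplicate row kept to show that repeats collapse), rebuilds the tree and labels each process with its extractor stage. The row regex and the stage labelling are assumptions of this example.

```python
"""Rebuild the dropper's process tree from the WriteProcessMemory rows (added example).

The rows are copied from this page's behavioral1 table; the tree builder and
the stage labelling are this example's own, not sandbox output.
"""
import re
from collections import defaultdict

# Copied rows. The page repeats each parent/child pair seven times; one
# duplicate of the first row is kept here to show that repeats collapse.
WPM_ROWS = r'''
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1724 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 1648 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 1036 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 648 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 648 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 1036 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 1648 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 1724 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 1804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1136 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
'''

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
STAGE_RE = re.compile(r'\\IXP(\d{3})\.TMP\\')  # wextract extracts each layer into IXPnnn.TMP


def parse_rows(text):
    """One (parent_pid, child_pid, parent_path, child_path) per distinct parent/child pair."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        if (ppid, cpid) in seen:
            continue
        seen.add((ppid, cpid))
        edges.append((ppid, cpid, m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Return (pid -> image path, parent pid -> [child pids], root pids)."""
    names, children = {}, defaultdict(list)
    for ppid, cpid, ppath, cpath in edges:
        names.setdefault(ppid, ppath)
        names[cpid] = cpath
        children[ppid].append(cpid)
    child_pids = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in names if pid not in child_pids]
    return names, dict(children), roots


def render(names, children, pid, depth=0):
    """Indented view, one process per line, in the order the creations were recorded."""
    base = names[pid].rsplit('\\', 1)[-1]
    lines = ['  ' * depth + f'{pid} {base}']
    for child in children.get(pid, []):
        lines.extend(render(names, children, child, depth + 1))
    return lines


def depth_of(children, root, target):
    """Parent->child hops from root to target, or None if target is not below root."""
    stack = [(root, 0)]
    while stack:
        pid, d = stack.pop()
        if pid == target:
            return d
        stack.extend((c, d + 1) for c in children.get(pid, []))
    return None


def stages(names):
    """pid -> index of the IXPnnn.TMP layer the image was extracted into (None outside the stub chain)."""
    out = {}
    for pid, path in names.items():
        m = STAGE_RE.search(path)
        out[pid] = int(m.group(1)) if m else None
    return out


def leaves(names, children):
    """Processes that spawned nothing further: the candidate final payloads (plus tools such as schtasks)."""
    return sorted(pid for pid in names if pid not in children)


if __name__ == '__main__':
    edges = parse_rows(WPM_ROWS)
    names, children, roots = build_tree(edges)
    st = stages(names)
    for line in render(names, children, roots[0]):
        pid = int(line.split()[0])
        tag = f'  [wextract stage {st[pid]}]' if st[pid] is not None else ''
        print(line + tag)
```

Run stand-alone it prints the eleven processes as a tree with the extractor stages marked; the leaves (mx7584jg.exe, ns0042lZ.exe, py86Ff33.exe, qs6103QG.exe and the schtasks child of legenda.exe) are the processes worth pulling first from the sandbox for family identification.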

Processes

C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe

"C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {D1F78D9F-5E62-4ACB-887E-5B5A802C35D9} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
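The command lines above spell out the Amadey loader's persistence and self-protection chain: ry95Wg85.exe copies itself to %TEMP%\f22b669919\legenda.exe (the two files carry identical hashes in the Files section), registers a scheduled task that reruns it every minute, and then drives CACLS to replace the Admin user's rights on the binary and its directory with "none" before re-granting read-only, so the logged-on user cannot simply delete it. Later stages fingerprint the host with wmic (OS caption, GPU, CPU) and load clip64.dll from AppData\Roaming through rundll32. The following Python is an added example, not part of the sandbox report or the Triage tooling: it scans a list of process command lines for exactly those patterns. The sample lines are copied from the Processes list; the user-writable directory list, the one-to-five-minute threshold, and the category labels are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Directory fragments a standard user can write to. A task target or rundll32
# payload rooted here matches what this report shows; the list is an assumption
# to extend for your own environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# A task firing at least this often (minutes) is treated as loader-style
# persistence rather than a maintenance job (assumed threshold).
MAX_BENIGN_MINUTES = 5

# Sample input: command lines copied from the Processes list of this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit',
    r'CACLS "legenda.exe" /P "Admin:N"',
    r'CACLS "legenda.exe" /P "Admin:R" /E',
    r'wmic os get Caption',
    r'wmic path win32_VideoController get name',
    r'wmic cpu get name',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'taskeng.exe {D1F78D9F-5E62-4ACB-887E-5B5A802C35D9} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]',
]


@dataclass(frozen=True)
class Finding:
    category: str   # our own tactic.technique label, not an ATT&CK ID
    detail: str
    cmdline: str


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def _switch(cmd: str, name: str) -> Optional[str]:
    """Value following /NAME in a schtasks command line, quotes removed."""
    m = re.search(r'/' + name + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def check_schtasks(cmd: str) -> Optional[dict]:
    """schtasks /Create with a short MINUTE schedule whose /TR target is user-writable."""
    if not re.search(r'\bschtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    schedule = (_switch(cmd, "SC") or "").upper()
    target = _switch(cmd, "TR") or ""
    try:
        interval = int(_switch(cmd, "MO") or 1)   # /MO defaults to 1 when omitted
    except ValueError:
        interval = 1
    if schedule == "MINUTE" and interval <= MAX_BENIGN_MINUTES and in_user_writable(target):
        return {"task": _switch(cmd, "TN"), "interval_min": interval, "target": target}
    return None


# CACLS <file> /P <user>:N replaces <user>'s entry with "no access"; the loader
# applies it to its own dropped binary and directory, then re-adds read-only (/E).
CACLS_DENY_RE = re.compile(r'\bcacls(?:\.exe)?\s+"?([^"\s]+)"?\s+/p\s+"?([^":\s]+):n\b', re.I)
# Hardware/OS enumeration classes commonly queried for sandbox and victim fingerprinting.
WMIC_RECON_RE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?\b(cpu|os|bios|computersystem|diskdrive|path\s+win32_\w+)\b.*?\bget\b', re.I)
# rundll32 <dll>,<export>; flagged only when the DLL sits in a user-writable directory.
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*(?:,\s*(\w+))?', re.I)


def check_cacls_deny(cmd: str) -> list:
    return [{"target": t, "user": u} for t, u in CACLS_DENY_RE.findall(cmd)]


def check_wmic(cmd: str) -> Optional[str]:
    m = WMIC_RECON_RE.search(cmd)
    return m.group(1) if m else None


def check_rundll32(cmd: str) -> Optional[dict]:
    m = RUNDLL_RE.search(cmd)
    if not m or not in_user_writable(m.group(1)):
        return None
    return {"dll": m.group(1), "export": m.group(2)}


def scan(cmdlines) -> list:
    findings = []
    for cmd in cmdlines:
        task = check_schtasks(cmd)
        if task:
            findings.append(Finding("persistence.schtasks_minute_userdir",
                                    f"task {task['task']} every {task['interval_min']} min -> {task['target']}", cmd))
        for hit in check_cacls_deny(cmd):
            findings.append(Finding("defense_evasion.cacls_deny_self", f"{hit['user']} denied on {hit['target']}", cmd))
        cls = check_wmic(cmd)
        if cls:
            findings.append(Finding("discovery.wmic_hardware", f"wmic {cls}", cmd))
        dll = check_rundll32(cmd)
        if dll:
            findings.append(Finding("execution.rundll32_userdir", f"{dll['dll']}!{dll['export']}", cmd))
    return findings


def summarize(findings) -> dict:
    """Count of findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.category:36} {f.detail}")
```

The taskeng.exe line produces no finding on its own; it is the scheduled task firing, and only the schtasks /Create line that set it up carries the signal. The `/P "Admin:R" /E` re-grant is deliberately not flagged by itself, since a read-only ACE is unremarkable without the preceding `:N` replacement.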

Network

Country  Destination            Domain            Proto  Connections
DE       193.233.20.30:4125     -                 tcp    2
RU       62.204.41.87:80        62.204.41.87      tcp    1
US       8.8.8.8:53             transfer.sh       udp    1
DE       144.76.136.153:443     transfer.sh       tcp    12
NL       185.246.221.126:80     185.246.221.126   tcp    1
US       8.8.8.8:53             ebfertility.com   udp    1
US       89.190.157.61:80       ebfertility.com   tcp    1
NL       212.87.204.93:8081     -                 tcp    1
RU       62.204.41.88:80        62.204.41.88      tcp    1
US       66.42.108.195:40499    -                 tcp    2

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe

MD5 725c8b40b532d6e70a9c20607c3b61e4
SHA1 3897a755f84a8884c5097687f50c925224f08ffb
SHA256 d7125c66eb52f624d97f2e1948831c8a0d549bd575b16d7d14a4ebb141279470
SHA512 0a4befe9c8e89674e16efccb33999e0c0be9e88b635899fd73d910ce71701e7bed0280db5fe9bf9bd3e42fd68c58a4549aad63bf9c8adab4da70d2026021fade

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe

MD5 9f6894c24b35c5e5308f199b61e38f94
SHA1 03c65e919e525ea801c7e570ac8da0b53131ad35
SHA256 5552ae7be64ed79680665eb1c555d0603cffc6239eff799f5fecb4353b443c03
SHA512 8dbc61a60f66f2edd15da886aded56abdf593119cea82c0cc68e9dff67652459faa8bf689d7ea5ee5720f258eb2f7653dab443bf7a977a73b9566130ad614623

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe

MD5 3d6e5e5d4ba7330182afa604c501ba25
SHA1 a4bb7d12a8c9e08e848d9fdfcca7eb93fba9c11c
SHA256 534fa0dce825a05cd5cdbd9ea552ce9930d60bd87643161c2a228a6fbeb591cb
SHA512 fb2994d17742cb63c5ecc4e6ef9147e61cfd306d54c8864b0f86023b0909be65a3d4e3ef4aa81415512f0cfcbc52d671ca1ff4b6b7769d05fcff2b3f13ec7d06

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/668-92-0x0000000000A00000-0x0000000000A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe

MD5 27e97543d2943d4e3328eee4f379072a
SHA1 f777ff09e359096a65a784e013eddfcfa92fbffc
SHA256 76d2aa7ea443f961af1ee7ba293762da7b2bc763ad3a958569b14adca2d02c00
SHA512 b9086f19a5a3620b29636bb7edef9ea5f27caeecd6ccdac6c29e2d81f8f7b475ed84373d5d18b43936b8c60e4013279dfc42932c14dc496eb7921a4b2e711ba9

memory/1372-103-0x0000000000270000-0x000000000029D000-memory.dmp

memory/1372-104-0x0000000004740000-0x000000000475A000-memory.dmp

memory/1372-105-0x00000000047F0000-0x0000000004808000-memory.dmp

memory/1372-106-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-107-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-109-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-111-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-113-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-115-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-117-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-119-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-121-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-123-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-125-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-127-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-129-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-131-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-133-0x00000000047F0000-0x0000000004802000-memory.dmp

memory/1372-134-0x0000000007370000-0x00000000073B0000-memory.dmp

memory/1372-135-0x0000000007370000-0x00000000073B0000-memory.dmp

memory/1372-136-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/1372-137-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe

MD5 3c5764bc7303c3adde42c91c587543af
SHA1 84f55f7c8d1581bac4adb4ac073161bf0842a1f5
SHA256 d59de7b99f189271f6565234f545e3cf00271452638c8711747919f777527f2c
SHA512 dc5ce76bd5e97eae80f28a538b0dc71f5841e07ec280a46f44fc7e305d72c7201353a475393ed00e2852f361e4de2da9a5004bfdf2c06377d2eb8da184ea7eb2

memory/304-148-0x0000000002F20000-0x0000000002F66000-memory.dmp

memory/304-149-0x00000000046C0000-0x0000000004704000-memory.dmp

memory/304-153-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-150-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-151-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-155-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-157-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-159-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-161-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-163-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-165-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-167-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-169-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-171-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-173-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-175-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-177-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-179-0x0000000000250000-0x000000000029B000-memory.dmp

memory/304-180-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-184-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-182-0x00000000046C0000-0x00000000046FE000-memory.dmp

memory/304-1057-0x0000000007280000-0x00000000072C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/864-1066-0x0000000000310000-0x0000000000342000-memory.dmp

memory/864-1067-0x00000000008C0000-0x0000000000900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 99719531adaefc2c8544a65562aa8af8
SHA1 bf0bd1742a2589b5f5ac032a3efa81d95f961e09
SHA256 afd1d0be379b7b5a8a46a28e68f81e388f6875410f955e8ca09dde8e228b8935
SHA512 fa54827557d53568c4bc5c7479f86e9fd3f27634657e2b6381a7238ad214b2247afca5a56ee8966de96e9b02b4443514e37be94dd15f3c4b008efb8862130318

memory/480-1122-0x0000000000250000-0x000000000027E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/956-1139-0x00000000013E0000-0x0000000001412000-memory.dmp

memory/956-1140-0x00000000009E0000-0x0000000000A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/1880-1157-0x00000000011C0000-0x00000000011F2000-memory.dmp

memory/1880-1167-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 7634ebd082abbba35a8e6a300ec83c51
SHA1 953666e70fbed932e4bed446f1d1e432781972b7
SHA256 792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f
SHA512 6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

memory/956-1192-0x00000000009E0000-0x0000000000A20000-memory.dmp

memory/1880-1194-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

memory/480-1217-0x00000000002D0000-0x00000000002EC000-memory.dmp

memory/480-1218-0x0000000000280000-0x0000000000281000-memory.dmp

memory/480-1225-0x00000000002D0000-0x00000000002EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-19 11:27

Reported

2023-03-19 11:29

Platform

win10v2004-20230220-en

Max time kernel

79s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 3928 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 3928 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe
PID 3600 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 3600 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 3600 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe
PID 540 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 540 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 540 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe
PID 1852 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 1852 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe
PID 1852 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 1852 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 1852 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe
PID 540 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 540 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 540 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe
PID 3600 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 3600 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 3600 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe
PID 3928 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 3928 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 3928 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe
PID 3128 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3128 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3128 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2608 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2608 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2608 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2608 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 932 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe

"C:\Users\Admin\AppData\Local\Temp\eb0734706587d9148fafb254af106bae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2612 -ip 2612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1064

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2432 -ip 2432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 32.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6442.exe

MD5 725c8b40b532d6e70a9c20607c3b61e4
SHA1 3897a755f84a8884c5097687f50c925224f08ffb
SHA256 d7125c66eb52f624d97f2e1948831c8a0d549bd575b16d7d14a4ebb141279470
SHA512 0a4befe9c8e89674e16efccb33999e0c0be9e88b635899fd73d910ce71701e7bed0280db5fe9bf9bd3e42fd68c58a4549aad63bf9c8adab4da70d2026021fade

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6595.exe

MD5 9f6894c24b35c5e5308f199b61e38f94
SHA1 03c65e919e525ea801c7e570ac8da0b53131ad35
SHA256 5552ae7be64ed79680665eb1c555d0603cffc6239eff799f5fecb4353b443c03
SHA512 8dbc61a60f66f2edd15da886aded56abdf593119cea82c0cc68e9dff67652459faa8bf689d7ea5ee5720f258eb2f7653dab443bf7a977a73b9566130ad614623

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3879.exe

MD5 3d6e5e5d4ba7330182afa604c501ba25
SHA1 a4bb7d12a8c9e08e848d9fdfcca7eb93fba9c11c
SHA256 534fa0dce825a05cd5cdbd9ea552ce9930d60bd87643161c2a228a6fbeb591cb
SHA512 fb2994d17742cb63c5ecc4e6ef9147e61cfd306d54c8864b0f86023b0909be65a3d4e3ef4aa81415512f0cfcbc52d671ca1ff4b6b7769d05fcff2b3f13ec7d06

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7584jg.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4940-161-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0042lZ.exe

MD5 27e97543d2943d4e3328eee4f379072a
SHA1 f777ff09e359096a65a784e013eddfcfa92fbffc
SHA256 76d2aa7ea443f961af1ee7ba293762da7b2bc763ad3a958569b14adca2d02c00
SHA512 b9086f19a5a3620b29636bb7edef9ea5f27caeecd6ccdac6c29e2d81f8f7b475ed84373d5d18b43936b8c60e4013279dfc42932c14dc496eb7921a4b2e711ba9

memory/2612-167-0x00000000071F0000-0x0000000007794000-memory.dmp

memory/2612-168-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-169-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-171-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-175-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-173-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-183-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-181-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-186-0x0000000002B70000-0x0000000002B9D000-memory.dmp

memory/2612-185-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-187-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2612-179-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-190-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2612-191-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2612-189-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-193-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-177-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-195-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-197-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-199-0x0000000004B20000-0x0000000004B32000-memory.dmp

memory/2612-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/2612-202-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2612-203-0x00000000071E0000-0x00000000071F0000-memory.dmp

memory/2612-204-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86Ff33.exe

MD5 3c5764bc7303c3adde42c91c587543af
SHA1 84f55f7c8d1581bac4adb4ac073161bf0842a1f5
SHA256 d59de7b99f189271f6565234f545e3cf00271452638c8711747919f777527f2c
SHA512 dc5ce76bd5e97eae80f28a538b0dc71f5841e07ec280a46f44fc7e305d72c7201353a475393ed00e2852f361e4de2da9a5004bfdf2c06377d2eb8da184ea7eb2

memory/2432-209-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-210-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-212-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-215-0x0000000004790000-0x00000000047DB000-memory.dmp

memory/2432-214-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-218-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-220-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-217-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-222-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-221-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-224-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-226-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-228-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-230-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-232-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-234-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-236-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-238-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-240-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-242-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-244-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-246-0x0000000007690000-0x00000000076CE000-memory.dmp

memory/2432-1119-0x0000000007720000-0x0000000007D38000-memory.dmp

memory/2432-1120-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

memory/2432-1121-0x0000000007F00000-0x0000000007F12000-memory.dmp

memory/2432-1122-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-1123-0x0000000007F20000-0x0000000007F5C000-memory.dmp

memory/2432-1125-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-1126-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-1127-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/2432-1128-0x0000000008210000-0x0000000008276000-memory.dmp

memory/2432-1129-0x00000000088E0000-0x0000000008972000-memory.dmp

memory/2432-1130-0x00000000089B0000-0x0000000008A26000-memory.dmp

memory/2432-1131-0x0000000008A40000-0x0000000008A90000-memory.dmp

memory/2432-1132-0x0000000008BB0000-0x0000000008D72000-memory.dmp

memory/2432-1133-0x0000000008D90000-0x00000000092BC000-memory.dmp

memory/2432-1134-0x00000000070D0000-0x00000000070E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs6103QG.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/4936-1140-0x0000000000850000-0x0000000000882000-memory.dmp

memory/4936-1141-0x0000000005120000-0x0000000005130000-memory.dmp

memory/4936-1142-0x0000000005120000-0x0000000005130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry95Wg85.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
