Malware Analysis Report

2024-11-15 09:17

Sample ID 230319-q3h1wsaf6w
Target setup.exe
SHA256 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39
Tags: amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Amadey

Aurora

Detect rhadamanthys stealer shellcode

Rhadamanthys

RedLine payload

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Looks for VMWare Tools registry key

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 13:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 13:47

Reported

2023-03-19 13:49

Platform

win7-20230220-en

Max time kernel

119s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A

RedLine

infostealer redline

RedLine payload

Rhadamanthys

stealer rhadamanthys

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 1456 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 1268 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 1476 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe
PID 1476 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 1268 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 1456 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 1556 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 1740 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 560 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {2BC66047-80FF-4A97-9363-BF52DD28B7AC} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country  Destination            Domain             Proto
DE       193.233.20.30:4125                        tcp
DE       193.233.20.30:4125                        tcp
RU       62.204.41.87:80        62.204.41.87       tcp
US       8.8.8.8:53             transfer.sh        udp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
DE       144.76.136.153:443     transfer.sh        tcp
NL       185.246.221.126:80     185.246.221.126    tcp
US       8.8.8.8:53             ebfertility.com    udp
US       89.190.157.61:80       ebfertility.com    tcp
NL       212.87.204.93:8081                        tcp
RU       62.204.41.88:80        62.204.41.88       tcp
US       66.42.108.195:40499                       tcp
US       66.42.108.195:40499                       tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

MD5 782d216a4f582d45553683c01068736c
SHA1 541ae93ca19b07383015c653b9f3b52657ee30e3
SHA256 1a4bbc8eab77baec1fdc2d6830ca1d997ca6d4b9237a6f577a2f60876886e215
SHA512 25c55a01117fc8e85f2a2c9f9b188e33a6a1b8a767b18a11e487fe3efef950fea0bba12e571b8d6c996db263e0b79bdf5978f1b13693ae9c82ea4517588b226f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

MD5 782d216a4f582d45553683c01068736c
SHA1 541ae93ca19b07383015c653b9f3b52657ee30e3
SHA256 1a4bbc8eab77baec1fdc2d6830ca1d997ca6d4b9237a6f577a2f60876886e215
SHA512 25c55a01117fc8e85f2a2c9f9b188e33a6a1b8a767b18a11e487fe3efef950fea0bba12e571b8d6c996db263e0b79bdf5978f1b13693ae9c82ea4517588b226f

\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

MD5 782d216a4f582d45553683c01068736c
SHA1 541ae93ca19b07383015c653b9f3b52657ee30e3
SHA256 1a4bbc8eab77baec1fdc2d6830ca1d997ca6d4b9237a6f577a2f60876886e215
SHA512 25c55a01117fc8e85f2a2c9f9b188e33a6a1b8a767b18a11e487fe3efef950fea0bba12e571b8d6c996db263e0b79bdf5978f1b13693ae9c82ea4517588b226f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

MD5 782d216a4f582d45553683c01068736c
SHA1 541ae93ca19b07383015c653b9f3b52657ee30e3
SHA256 1a4bbc8eab77baec1fdc2d6830ca1d997ca6d4b9237a6f577a2f60876886e215
SHA512 25c55a01117fc8e85f2a2c9f9b188e33a6a1b8a767b18a11e487fe3efef950fea0bba12e571b8d6c996db263e0b79bdf5978f1b13693ae9c82ea4517588b226f

\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

MD5 78cab8fe13c9427f62d98627a56786a7
SHA1 e094b8be61514e9898af1ca040ef0f3a83065b65
SHA256 fe681a6f30337bfcecbde0b4a1f712131ec04d69e9ebf67245d50a8a14d24c41
SHA512 b426a78dcc97d64dcc02742834f314ea3ebfa8d170174a216ef05e64aa42fcf163f6b2308f60e78dc56d22b027d6cf806758889c27ab4e80ae4144f9f4d6eb6d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

MD5 78cab8fe13c9427f62d98627a56786a7
SHA1 e094b8be61514e9898af1ca040ef0f3a83065b65
SHA256 fe681a6f30337bfcecbde0b4a1f712131ec04d69e9ebf67245d50a8a14d24c41
SHA512 b426a78dcc97d64dcc02742834f314ea3ebfa8d170174a216ef05e64aa42fcf163f6b2308f60e78dc56d22b027d6cf806758889c27ab4e80ae4144f9f4d6eb6d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

MD5 78cab8fe13c9427f62d98627a56786a7
SHA1 e094b8be61514e9898af1ca040ef0f3a83065b65
SHA256 fe681a6f30337bfcecbde0b4a1f712131ec04d69e9ebf67245d50a8a14d24c41
SHA512 b426a78dcc97d64dcc02742834f314ea3ebfa8d170174a216ef05e64aa42fcf163f6b2308f60e78dc56d22b027d6cf806758889c27ab4e80ae4144f9f4d6eb6d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

MD5 78cab8fe13c9427f62d98627a56786a7
SHA1 e094b8be61514e9898af1ca040ef0f3a83065b65
SHA256 fe681a6f30337bfcecbde0b4a1f712131ec04d69e9ebf67245d50a8a14d24c41
SHA512 b426a78dcc97d64dcc02742834f314ea3ebfa8d170174a216ef05e64aa42fcf163f6b2308f60e78dc56d22b027d6cf806758889c27ab4e80ae4144f9f4d6eb6d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

MD5 ac867c4ad850585add83bd34d7da1c03
SHA1 c85503c1a347f84ff6d53952f7c79f177709a53f
SHA256 58b44ee6379b42d5e49275561f83ae959c24455c17a292c335a2e735970e8ba3
SHA512 5976b5e29f8c9cb92f8573d1e1e16896650170df32a3bdcedd42835cbf5d6a57fe77022364fef7087ed15981b5198a702692451ddbf226004319d84b45326fb6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

MD5 ac867c4ad850585add83bd34d7da1c03
SHA1 c85503c1a347f84ff6d53952f7c79f177709a53f
SHA256 58b44ee6379b42d5e49275561f83ae959c24455c17a292c335a2e735970e8ba3
SHA512 5976b5e29f8c9cb92f8573d1e1e16896650170df32a3bdcedd42835cbf5d6a57fe77022364fef7087ed15981b5198a702692451ddbf226004319d84b45326fb6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

MD5 ac867c4ad850585add83bd34d7da1c03
SHA1 c85503c1a347f84ff6d53952f7c79f177709a53f
SHA256 58b44ee6379b42d5e49275561f83ae959c24455c17a292c335a2e735970e8ba3
SHA512 5976b5e29f8c9cb92f8573d1e1e16896650170df32a3bdcedd42835cbf5d6a57fe77022364fef7087ed15981b5198a702692451ddbf226004319d84b45326fb6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

MD5 ac867c4ad850585add83bd34d7da1c03
SHA1 c85503c1a347f84ff6d53952f7c79f177709a53f
SHA256 58b44ee6379b42d5e49275561f83ae959c24455c17a292c335a2e735970e8ba3
SHA512 5976b5e29f8c9cb92f8573d1e1e16896650170df32a3bdcedd42835cbf5d6a57fe77022364fef7087ed15981b5198a702692451ddbf226004319d84b45326fb6

\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1772-92-0x0000000000A30000-0x0000000000A3A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

memory/892-103-0x0000000002D40000-0x0000000002D5A000-memory.dmp

memory/892-104-0x0000000002D60000-0x0000000002D78000-memory.dmp

memory/892-105-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-106-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-108-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-110-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-112-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-114-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-116-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-118-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-120-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-122-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-124-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-126-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-128-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-130-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-132-0x0000000002D60000-0x0000000002D72000-memory.dmp

memory/892-133-0x00000000002F0000-0x000000000031D000-memory.dmp

memory/892-134-0x0000000007480000-0x00000000074C0000-memory.dmp

memory/892-135-0x0000000007480000-0x00000000074C0000-memory.dmp

memory/892-136-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/892-137-0x0000000000400000-0x0000000002B03000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

memory/912-148-0x0000000004620000-0x0000000004666000-memory.dmp

memory/912-151-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/912-150-0x0000000004B90000-0x0000000004BD4000-memory.dmp

memory/912-149-0x0000000000260000-0x00000000002AB000-memory.dmp

memory/912-153-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-152-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-155-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-157-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-159-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-161-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-163-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-165-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-167-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-169-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-171-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-173-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-175-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-177-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-181-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-183-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-179-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-185-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/912-1058-0x0000000004B50000-0x0000000004B90000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/2032-1067-0x0000000000B60000-0x0000000000B92000-memory.dmp

memory/2032-1068-0x0000000004F20000-0x0000000004F60000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 a066e3ec415d829fdb9cafe585ddafd1
SHA1 d20bbd0a85d830258c6f49415b6aa047e154490c
SHA256 4f8035db83d6bb34bf4d2027f64c7995376a63c6353e2f46f67fd1b2875792b4
SHA512 1a98da4936ab1591020dc27d85cacbf3be27ea24670ef07fe8be036754e35fb6c895905d41f7bffac4b53e63362edf95fdc69fd7ddbf73ea7168669e06af8233

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 a066e3ec415d829fdb9cafe585ddafd1
SHA1 d20bbd0a85d830258c6f49415b6aa047e154490c
SHA256 4f8035db83d6bb34bf4d2027f64c7995376a63c6353e2f46f67fd1b2875792b4
SHA512 1a98da4936ab1591020dc27d85cacbf3be27ea24670ef07fe8be036754e35fb6c895905d41f7bffac4b53e63362edf95fdc69fd7ddbf73ea7168669e06af8233

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 a066e3ec415d829fdb9cafe585ddafd1
SHA1 d20bbd0a85d830258c6f49415b6aa047e154490c
SHA256 4f8035db83d6bb34bf4d2027f64c7995376a63c6353e2f46f67fd1b2875792b4
SHA512 1a98da4936ab1591020dc27d85cacbf3be27ea24670ef07fe8be036754e35fb6c895905d41f7bffac4b53e63362edf95fdc69fd7ddbf73ea7168669e06af8233

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 a066e3ec415d829fdb9cafe585ddafd1
SHA1 d20bbd0a85d830258c6f49415b6aa047e154490c
SHA256 4f8035db83d6bb34bf4d2027f64c7995376a63c6353e2f46f67fd1b2875792b4
SHA512 1a98da4936ab1591020dc27d85cacbf3be27ea24670ef07fe8be036754e35fb6c895905d41f7bffac4b53e63362edf95fdc69fd7ddbf73ea7168669e06af8233

\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 a066e3ec415d829fdb9cafe585ddafd1
SHA1 d20bbd0a85d830258c6f49415b6aa047e154490c
SHA256 4f8035db83d6bb34bf4d2027f64c7995376a63c6353e2f46f67fd1b2875792b4
SHA512 1a98da4936ab1591020dc27d85cacbf3be27ea24670ef07fe8be036754e35fb6c895905d41f7bffac4b53e63362edf95fdc69fd7ddbf73ea7168669e06af8233

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe

MD5 a066e3ec415d829fdb9cafe585ddafd1
SHA1 d20bbd0a85d830258c6f49415b6aa047e154490c
SHA256 4f8035db83d6bb34bf4d2027f64c7995376a63c6353e2f46f67fd1b2875792b4
SHA512 1a98da4936ab1591020dc27d85cacbf3be27ea24670ef07fe8be036754e35fb6c895905d41f7bffac4b53e63362edf95fdc69fd7ddbf73ea7168669e06af8233

memory/1552-1123-0x0000000000240000-0x000000000026E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/1204-1140-0x00000000000D0000-0x0000000000102000-memory.dmp

memory/1204-1141-0x0000000004E60000-0x0000000004EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe

MD5 20b01b94fec9143a2adf624945aa41c3
SHA1 3e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA256 97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA512 52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

memory/820-1158-0x0000000000D30000-0x0000000000D62000-memory.dmp

memory/820-1159-0x0000000004A80000-0x0000000004AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 6082dd13ad8102d17f9db9cd07600e97
SHA1 39becc88cea914d843b3c5521038907f2f2f4e71
SHA256 40a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a
SHA512 b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

memory/1552-1219-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1552-1218-0x0000000000280000-0x000000000029C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

memory/1552-1224-0x0000000000280000-0x000000000029C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-19 13:47

Reported

2023-03-19 13:49

Platform

win10v2004-20230220-en

Max time kernel

114s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 4324 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 4324 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe
PID 3932 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 3932 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 3932 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe
PID 3864 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 3864 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 3864 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe
PID 4764 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe
PID 4764 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe
PID 4764 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 4764 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 4764 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe
PID 3864 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 3864 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 3864 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe
PID 3932 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 3932 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 3932 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe
PID 4324 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 4324 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 4324 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe
PID 4388 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4388 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4388 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 648 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 648 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe
PID 648 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4220 -ip 4220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 209.197.3.8:80 tcp
GB 51.105.71.137:443 tcp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe

MD5 782d216a4f582d45553683c01068736c
SHA1 541ae93ca19b07383015c653b9f3b52657ee30e3
SHA256 1a4bbc8eab77baec1fdc2d6830ca1d997ca6d4b9237a6f577a2f60876886e215
SHA512 25c55a01117fc8e85f2a2c9f9b188e33a6a1b8a767b18a11e487fe3efef950fea0bba12e571b8d6c996db263e0b79bdf5978f1b13693ae9c82ea4517588b226f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe

MD5 78cab8fe13c9427f62d98627a56786a7
SHA1 e094b8be61514e9898af1ca040ef0f3a83065b65
SHA256 fe681a6f30337bfcecbde0b4a1f712131ec04d69e9ebf67245d50a8a14d24c41
SHA512 b426a78dcc97d64dcc02742834f314ea3ebfa8d170174a216ef05e64aa42fcf163f6b2308f60e78dc56d22b027d6cf806758889c27ab4e80ae4144f9f4d6eb6d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe

MD5 ac867c4ad850585add83bd34d7da1c03
SHA1 c85503c1a347f84ff6d53952f7c79f177709a53f
SHA256 58b44ee6379b42d5e49275561f83ae959c24455c17a292c335a2e735970e8ba3
SHA512 5976b5e29f8c9cb92f8573d1e1e16896650170df32a3bdcedd42835cbf5d6a57fe77022364fef7087ed15981b5198a702692451ddbf226004319d84b45326fb6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3868-161-0x00000000002B0000-0x00000000002BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe

MD5 a42942e66c568c2c7c9f9fe00d6cb8b9
SHA1 6a56fe2d6a86763f4f489b82656322426bd84481
SHA256 c0fe20ceed4977b651fb48d010d8c27d0a07b994bbcd806dc6afef4ba87b7726
SHA512 329d46e7ee215791dc8fafda09eb27d1310b43172ee50fa8b6399ad3518b95503ac590364677bc2dfca9d55a3e4901664e9d11ea9e30b64478a8b686107dd602

memory/4804-167-0x0000000007300000-0x00000000078A4000-memory.dmp

memory/4804-168-0x0000000002C80000-0x0000000002CAD000-memory.dmp

memory/4804-169-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/4804-170-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/4804-171-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-173-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/4804-172-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-175-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-177-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-179-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-181-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-183-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-185-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-187-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-189-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-191-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-193-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-195-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-197-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-199-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

memory/4804-200-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/4804-201-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/4804-202-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/4804-204-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe

MD5 54bf561258c9508f24ddaf2efa7d8d24
SHA1 35aae4010373f21fce9b5a6c7a6900b4d8d391db
SHA256 cec2d5782901bf673255045a8ce6aff2a7b881eae4ea320150db4312c0bc3c2f
SHA512 c6aa794ef5ad279ce64f3a55037a0a986067b76463286cb77f2ad5db0d31b55ff56729a6f8c9236309e8b337602b42052691e76e34c2523864394c236e43f3e2

memory/4220-209-0x0000000002DB0000-0x0000000002DFB000-memory.dmp

memory/4220-210-0x0000000007230000-0x0000000007240000-memory.dmp

memory/4220-211-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-212-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-214-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-216-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-218-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-220-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-222-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-224-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-226-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-228-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-230-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-232-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-234-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-236-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-239-0x0000000007230000-0x0000000007240000-memory.dmp

memory/4220-238-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-241-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-243-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-245-0x00000000070D0000-0x000000000710E000-memory.dmp

memory/4220-1118-0x00000000077F0000-0x0000000007E08000-memory.dmp

memory/4220-1119-0x0000000007E10000-0x0000000007F1A000-memory.dmp

memory/4220-1120-0x0000000007210000-0x0000000007222000-memory.dmp

memory/4220-1121-0x0000000007230000-0x0000000007240000-memory.dmp

memory/4220-1122-0x0000000007F20000-0x0000000007F5C000-memory.dmp

memory/4220-1124-0x0000000007230000-0x0000000007240000-memory.dmp

memory/4220-1125-0x0000000007230000-0x0000000007240000-memory.dmp

memory/4220-1126-0x0000000007230000-0x0000000007240000-memory.dmp

memory/4220-1127-0x0000000008210000-0x00000000082A2000-memory.dmp

memory/4220-1128-0x00000000082B0000-0x0000000008316000-memory.dmp

memory/4220-1129-0x0000000008AD0000-0x0000000008B46000-memory.dmp

memory/4220-1130-0x0000000008B70000-0x0000000008BC0000-memory.dmp

memory/4220-1131-0x0000000008BF0000-0x0000000008DB2000-memory.dmp

memory/4220-1132-0x0000000008DC0000-0x00000000092EC000-memory.dmp

memory/4220-1133-0x0000000007230000-0x0000000007240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/4780-1139-0x0000000000EC0000-0x0000000000EF2000-memory.dmp

memory/4780-1140-0x0000000005820000-0x0000000005830000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
