Malware Analysis Report

2024-11-13 17:11

Sample ID 230321-tmyyysdh5x
Target 8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97
SHA256 8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97
Tags
amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97

Threat Level: Known bad

The file 8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan

Amadey

RedLine payload

RedLine

Aurora

Rhadamanthys

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 16:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 16:11

Reported

2023-03-21 16:13

Platform

win10-20230220-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95cJ58.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzvTZ25.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe
PID 4624 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe
PID 4376 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe
PID 1608 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe
PID 1608 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe
PID 4376 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95cJ58.exe
PID 4624 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzvTZ25.exe
PID 4144 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81ev36.exe
PID 3512 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81ev36.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 5080 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 5080 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3404 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3404 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3404 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5080 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 5080 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 880 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe

"C:\Users\Admin\AppData\Local\Temp\8ac88ae271259846109827c9d51c495c6400e29df34fcb26693560ec6ebf2e97.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95cJ58.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95cJ58.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzvTZ25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzvTZ25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81ev36.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81ev36.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
DE 193.233.20.30:4125 tcp
GB 51.132.193.104:443 tcp
NL 8.238.21.126:80 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7009.exe

MD5 c1825a6d84364b8930a9555bcffbe3fa
SHA1 1755b5725ce2673a881ea22d7eb49b93b013e257
SHA256 d0e06835ccba4ff54406baaba7766f047d40f275712839dd3b88ba8b573fd7b4
SHA512 ad4d3bfa7dcc8b08b88786777b7b0b4f66667023c3995347ac1df78059603f4a8bd04b58f6f5c18fae5c1fa3886778cbad1247e072e22637e8cc8d7184769b45

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1669.exe

MD5 b38d654d62860dc514500f5885d0152e
SHA1 bba9de5a7b47a12442b5f338c512c347913bcc19
SHA256 23dea44b382ea1f5552f6e623341f32838bb6bdc222c2a3bf784018af93b2e96
SHA512 a199fec82898117a8dd3b6190023bcca094ce41f033b8c8afb8f2b5b2e17d1e258da8daa73c492abed8132264048cc82a5ec3be523d3be65d4e00e1715481cc9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2042.exe

MD5 e39c10fbf21bd0d89d23f07abf3643ac
SHA1 1013c61b6d4da2b453f8b0813157add4ee9aa646
SHA256 6fbef9ba7caae6514149d24b0a4294b8c87e86311ec55435d4daf1d3c3320bec
SHA512 61db540037b32319e5442e325c1ccae38e8e6710806231837089a34320fe6cef71adce5049546f466194689e1c658f93feb135577c8f2ed25f29339e6e8a7997

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1052.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7675cQ.exe

MD5 bccdc93fa6818977f9a080d7ff197c79
SHA1 ca7e355ef290fe9c07617e69e4873681b4a21e92
SHA256 fb49a92fc87cb9fe98b54afc34994fd2219a72cc36258e363de690f19e1d8181
SHA512 799354bd23dfb544f47259a9c69b9d3250550dd15886a1b06cae66a016105b1e25f57c3ec28fad5f4cbd07f08783c38abddcc6493f5064ecaf99243b39c5c512

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95cJ58.exe

MD5 4b5004beae0f188ade8547cb09c7ba92
SHA1 c002f7d95b2825aa9f7e7e967bff036d33b9f392
SHA256 48eca4b0f5fe4828d2f9d64d08344b5a4725e15766fc2755392bd9ab8634f6d1
SHA512 e2e67a427f434ac7d7bfe3cbefd6040f2a0afdd723c3fcf61153ef6799bb0344ab86aeb643961b76ba587ab2cdb5e3209c4b35c0b831e4bee5857ddf94459d5e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzvTZ25.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/4840-1130-0x00000000009B0000-0x00000000009E2000-memory.dmp

memory/4840-1131-0x00000000053F0000-0x000000000543B000-memory.dmp

memory/4840-1132-0x00000000055B0000-0x00000000055C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81ev36.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

MD5 166d22ed93c723326a6d5fead162fdd3
SHA1 17cfd9649a4f68ef90c72689820876dbe4ca22d1
SHA256 e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7
SHA512 c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

memory/3392-1168-0x00000000001D0000-0x00000000001FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 2b8e1b75b4d4fdf0c640838191ac3946
SHA1 dfac012ccaa015f6a9ec5bd1c55ffa7b8074fb7f
SHA256 17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e
SHA512 3c4de03250813dc78b772cc7e3246ac2726c37fae00844bfceda683e05506b53ba7ea95a06e2929e8ec736ccd50a9138e9f6e3c80980ebde5ed7ac66f06cc038

memory/3392-1209-0x0000000000800000-0x0000000000802000-memory.dmp

memory/3392-1208-0x00000000008F0000-0x000000000090C000-memory.dmp

memory/3392-1210-0x0000000000800000-0x0000000000803000-memory.dmp

memory/3392-1213-0x00000000008F0000-0x000000000090C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

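Two things in the file list above are worth pulling out when turning it into indicators. First, IXP000.TMP\y81ev36.exe and f22b669919\legenda.exe carry the same SHA256 (42873b0c...), so the loader copied itself to a fresh random-named Temp directory before the persistence entries (Run key, scheduled task) were created; a single hash therefore covers both paths. Second, a file named svchost.exe written under %TEMP%\1000118001 is a system-binary name outside \Windows, and cred64.dll / clip64.dll under AppData\Roaming\a091ec0a6e2227 are names consistent with the credential-stealer and clipper plugin modules Amadey fetches after install. The memory dump names also repeat one address range many times (e.g. 0x2560000-0x259E000 for PID 1528), which is the same region being re-dumped as it is rewritten, not many distinct regions.

The script below is an added example written for this page, not output of the sandbox or code from any of the malware families named; it embeds the report's path/SHA256 pairs as a constructed list (duplicate rows collapsed, the drive-less clip64.dll row kept to show path normalisation), flags self-copies and system-name masquerading, parses the memory dump names into PID/sequence/address ranges, and hashes a directory tree against the IOC set. The SYSTEM_BINARY_NAMES list is an assumption to extend for your environment.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed from the dropped-file entries in this report: (path, SHA256).
# Repeated rows the sandbox emits for one file are collapsed to one line;
# the drive-less clip64.dll variant is kept to exercise normalisation.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95cJ58.exe",
     "48eca4b0f5fe4828d2f9d64d08344b5a4725e15766fc2755392bd9ab8634f6d1"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzvTZ25.exe",
     "2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y81ev36.exe",
     "42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4"),
    (r"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe",
     "42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe",
     "e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe",
     "84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a"),
    (r"C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj",
     "17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll",
     "48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll",
     "c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106"),
    (r"\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll",
     "c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106"),
]

# Assumption: names that only belong under \Windows; extend for your estate.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                       "explorer.exe", "winlogon.exe"}


def normalise(path: str) -> str:
    """Lower-case and drop a leading drive letter so C:\\x and \\x compare equal."""
    return re.sub(r"^[a-z]:", "", path.lower())


def group_by_hash(entries):
    """Map SHA256 -> set of distinct normalised paths it was written to."""
    by_hash = defaultdict(set)
    for path, sha in entries:
        by_hash[sha.lower()].add(normalise(path))
    return by_hash


def self_copies(entries):
    """Hashes seen under more than one path: the payload copied itself."""
    return {sha: sorted(paths)
            for sha, paths in group_by_hash(entries).items() if len(paths) > 1}


def masquerading(entries):
    """Files named like core Windows binaries but dropped outside \\Windows."""
    hits = set()
    for path, sha in entries:
        norm = normalise(path)
        name = norm.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not norm.startswith("\\windows\\"):
            hits.add((norm, sha.lower()))
    return sorted(hits)


DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def parse_dump(name):
    """Split memory/<pid>-<seq>-<start>-<end>-memory.dmp into numbers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end,
            "size": end - start}


def unique_regions(names):
    """Per PID, the distinct address ranges dumped; repeats of a range collapse."""
    regions = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def scan_dir(root, known_sha256):
    """Hash every regular file under root; return those in the IOC set."""
    known = {h.lower() for h in known_sha256}
    matches = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if digest in known:
                matches.append((str(p), digest))
    return sorted(matches)


if __name__ == "__main__":
    print("distinct hashes:", len(group_by_hash(DROPPED)))
    print("self-copies:", self_copies(DROPPED))
    print("masquerading:", masquerading(DROPPED))
```

Run it as-is to get the eight distinct hashes, the one self-copy pair and the Temp-resident svchost.exe; point scan_dir at a suspect user profile with `{sha for _, sha in DROPPED}` to check a host for the same files. Treat the name-based masquerading check as a triage hint only: the hash set is the reliable indicator, and the random directory names (IXP00x.TMP, f22b669919, a091ec0a6e2227) will differ on other infections.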