Malware Analysis Report

2024-11-13 17:10

Sample ID 230321-vnzsbaeb4x
Target ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc
SHA256 ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc
Tags
amadey aurora redline gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc

Threat Level: Known bad

The file ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc was found to be: Known bad.

Malicious Activity Summary

Aurora

RedLine payload

RedLine

Amadey

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 17:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 17:08

Reported

2023-03-21 17:11

Platform

win10v2004-20230220-en

Max time kernel

126s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe
PID 1444 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe
PID 1444 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe
PID 988 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe
PID 988 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe
PID 988 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe
PID 2568 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe
PID 2568 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe
PID 2568 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe
PID 3400 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe
PID 3400 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe
PID 3400 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe
PID 3400 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe
PID 3400 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe
PID 2568 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe
PID 2568 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe
PID 2568 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe
PID 988 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe
PID 988 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe
PID 988 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe
PID 1444 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe
PID 1444 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe
PID 1444 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe
PID 1296 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1296 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1296 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4216 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4216 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4216 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4216 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4616 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4216 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 4216 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 4216 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 1244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1244 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2784 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2784 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1244 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe

"C:\Users\Admin\AppData\Local\Temp\ff536ca4a26e8707141eadce9b6fbec029d9f247866d9281dfd2a6a1de1077cc.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 52.152.110.14:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 52.152.110.14:443 tcp
DE 193.233.20.30:4125 tcp
US 8.8.8.8:53 30.20.233.193.in-addr.arpa udp
US 52.168.112.67:443 tcp
US 52.152.110.14:443 tcp
DE 193.233.20.30:4125 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7923.exe

MD5 1a704eed31c535af05e9cf594d7a6fb5
SHA1 2093abe99725d9586b43d2e944617137d329eaa7
SHA256 582466f8082f6d673d1fc89ac9da2f174b21c06090c6352c6d3e2d102e862045
SHA512 74439a4c11f62d035dc5548337985fa08c7bb1933bf6afc9047a38bb0724041533a567ff0d9311342a2bef3997f552014a93e20aa7870124fd4cf6c7f288d7e5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1552.exe

MD5 0da6f5e29fc6e1bcd34c636460d25f46
SHA1 33030fa9164cbae2b829caac87921a9a6b6b0303
SHA256 81edf6c31fea274f126f43b7b2df9bfd85b10bbff3276dcb327c97de86024701
SHA512 30df9d4f778615093b81aaad73e65d39490aa39b55760d79261cf4b4d99013ec5e721e3ea2f20f658307918fa3e4fbdc11a586ddc20b4821360cdcfeca45127a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6482.exe

MD5 da4224e40479c326ab3756ffc03ec2dd
SHA1 3cae5febaedf3e80afa5098d6384cb8e9e8f3fbd
SHA256 19ae19253bcc12a5bd19914e4a69558117687a76875a41002ae05b7678223d9f
SHA512 919e32609014504d9cd9f8fe1b905f04900b062d4c1e342a6513e34e3fd2c67ff446ba78b9383a7e3e68c2a13500968f5b3dfccec4271c7b760fcd7be6f4aced

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6299.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/952-161-0x0000000000B00000-0x0000000000B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7056ZK.exe

MD5 5e126c5e78683024780f4f991ea6ad44
SHA1 85a5540dbdcb1967fbb35976af049be1a55f3d9e
SHA256 403f76da1f7968d2c7af854e697b3a9d114e7c78406ca3c8536377b463892476
SHA512 5822389752788602ae2d60eac47d57cad958f8d340a750b51b824ee8fd770f147621a0431be147e2d229c96018606a900e120d9a4cfca2fad8aec2990611f531

memory/552-167-0x0000000000820000-0x000000000084D000-memory.dmp

memory/552-168-0x0000000004E60000-0x0000000005404000-memory.dmp

memory/552-169-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-170-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-172-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-174-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-176-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-178-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-180-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-182-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-184-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-186-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-188-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-190-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-192-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-194-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-196-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/552-197-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/552-198-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/552-199-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/552-200-0x0000000000400000-0x0000000000726000-memory.dmp

memory/552-202-0x0000000000400000-0x0000000000726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22NY54.exe

MD5 b5c7157a2a2e521b0bc9dd2de3fb810e
SHA1 2e3160ce72e5a67f11a65471ed346ace966e14b9
SHA256 58185af4ec3e8ebfbd77603cd494fa99d8dc4338fb6e70cd8720d8869365b292
SHA512 a6494b3aa1f81e19781f5128f87287f98ab8d07d05296a37db9bf18d8a1f034ea7ded09fcaed9bd13a81dd13baf5484c99236271f6badf062c6f16e8464b9d0a

memory/4800-207-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-208-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-210-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-212-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-214-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-216-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-218-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-220-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-222-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-224-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-226-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-228-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-230-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-232-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-234-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-236-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-238-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-240-0x00000000028A0000-0x00000000028DE000-memory.dmp

memory/4800-549-0x0000000000740000-0x000000000078B000-memory.dmp

memory/4800-553-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-551-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-554-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-1117-0x0000000005480000-0x0000000005A98000-memory.dmp

memory/4800-1118-0x0000000005B20000-0x0000000005C2A000-memory.dmp

memory/4800-1119-0x0000000005C60000-0x0000000005C72000-memory.dmp

memory/4800-1120-0x0000000005C80000-0x0000000005CBC000-memory.dmp

memory/4800-1121-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-1122-0x0000000005F70000-0x0000000005FD6000-memory.dmp

memory/4800-1123-0x0000000006630000-0x00000000066C2000-memory.dmp

memory/4800-1125-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-1126-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-1127-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-1128-0x0000000006830000-0x00000000068A6000-memory.dmp

memory/4800-1129-0x00000000068D0000-0x0000000006920000-memory.dmp

memory/4800-1130-0x0000000006950000-0x0000000006B12000-memory.dmp

memory/4800-1131-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/4800-1132-0x0000000006B20000-0x000000000704C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbqUH26.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/2012-1138-0x00000000009A0000-0x00000000009D2000-memory.dmp

memory/2012-1139-0x0000000005570000-0x0000000005580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 dc2b0f48d8f547d5ff7d67b371d850f0
SHA1 84d02ddbf478bf7cfe9ccb466362860ee18b3839
SHA256 0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890
SHA512 3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 dd7a4110e2dc0760efdd47ee918c0deb
SHA1 5ed5efe128e521023e0caf4fff9af747522c8166
SHA256 550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084
SHA512 c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

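The file inventory above is the sandbox's raw event list: the same path and hash set appears once per write, memory dumps of one region appear once per snapshot, and the same hash shows up under two names (y21EN96.exe in IXP000.TMP and legenda.exe in f22b669919). The Python below is an added triage helper, not part of this report and not the sandbox's own tooling. It parses the memory-dump names (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp) and the path/hash records, collapses repeated records by SHA256, computes the size of each dumped region, and flags the paths an analyst would look at first (a system-binary name such as svchost.exe outside C:\Windows, DLLs under %APPDATA%, extension-less or executable drops in %TEMP%). REPORT_EXCERPT is copied from the entries on this page with the SHA512 lines left out; the flagging rules, the reading of <n> as a dump sequence counter, and the DEFAULT_IMAGE_BASE note are the example's own assumptions.

```python
import re
from collections import defaultdict

# Excerpt of this report's "Files" entries (dump names, paths and hashes copied
# from the page; SHA512 lines omitted for brevity, the parser accepts them).
REPORT_EXCERPT = r"""
memory/552-200-0x0000000000400000-0x0000000000726000-memory.dmp
memory/4800-207-0x00000000028A0000-0x00000000028DE000-memory.dmp
memory/4800-208-0x00000000028A0000-0x00000000028DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y21EN96.exe
MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
MD5 dc2b0f48d8f547d5ff7d67b371d850f0
SHA1 84d02ddbf478bf7cfe9ccb466362860ee18b3839
SHA256 0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
"""

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; <n> is taken to be the sandbox's
# dump sequence counter (an assumption, the page does not document it).
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Default ImageBase of a 32-bit PE executable: a dump of the sample's own process
# that starts here is the first candidate to carve for an unpacked payload.
DEFAULT_IMAGE_BASE = 0x400000


def parse_report(text):
    """Return (dumps, files): one dict per dump name, one dict per path plus its hash lines."""
    dumps, files, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
            current = None  # hash lines never follow a dump name
        elif PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            current["hashes"][m[1]] = m[2].lower()
    return dumps, files


def dedupe_by_sha256(files):
    """SHA256 -> sorted distinct paths; exposes self-copies (same hash, two names)."""
    paths = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            paths[f["hashes"]["SHA256"]].add(f["path"])
    return {sha: sorted(p) for sha, p in paths.items()}


def flag_path(path):
    """Heuristic triage of a dropped-file path (this example's rules, not the sandbox's)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in {"svchost.exe", "explorer.exe", "lsass.exe"} and not low.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    if name.endswith(".dll") and "\\appdata\\roaming\\" in low:
        reasons.append("DLL dropped under %APPDATA%")
    if "\\temp\\" in low and "." not in name:
        reasons.append("extension-less file in %TEMP%")
    elif "\\temp\\" in low and name.endswith(".exe"):
        reasons.append("executable dropped in %TEMP%")
    return reasons


def unique_regions(dumps):
    """pid -> distinct (start, end, size, note) regions; repeated snapshots collapse."""
    regions = defaultdict(set)
    for d in dumps:
        regions[d["pid"]].add((d["start"], d["end"], d["size"]))
    return {pid: [(s, e, z, "image-base region" if s == DEFAULT_IMAGE_BASE else "")
                  for s, e, z in sorted(regs)] for pid, regs in regions.items()}


if __name__ == "__main__":
    dumps, files = parse_report(REPORT_EXCERPT)
    for sha, paths in dedupe_by_sha256(files).items():
        print(sha[:16], paths, [flag_path(p) for p in paths])
    for pid, regs in unique_regions(dumps).items():
        for s, e, z, note in regs:
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} {z:#x} bytes {note}")
```

Run against the full report text rather than the excerpt, the same functions reduce the repeated clip64.dll, svchost.exe and legenda.exe records to one line per hash, and show that PID 4800's many dumps of 0x028A0000-0x028DE000 are one 0x3E000-byte region snapshotted repeatedly, while PID 552's dump at 0x00400000-0x00726000 (0x326000 bytes) sits at the default image base and is the one to carve for an unpacked PE.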