Malware Analysis Report

2024-11-13 17:11

Sample ID 230321-vwjq3acb68
Target f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4
SHA256 f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4
Tags
amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4 was found to be: Known bad.

Malicious Activity Summary

Aurora

Rhadamanthys

RedLine payload

Amadey

RedLine

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 17:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 17:20

Reported

2023-03-21 17:22

Platform

win10v2004-20230220-en

Max time kernel

113s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A

RedLine

infostealer redline

RedLine payload

Rhadamanthys

stealer rhadamanthys

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
PID 1708 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
PID 1708 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
PID 2492 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
PID 2492 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
PID 2492 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
PID 3052 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
PID 3052 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
PID 3052 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
PID 1344 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
PID 1344 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
PID 1344 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
PID 1344 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
PID 1344 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
PID 3052 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
PID 3052 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
PID 3052 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
PID 2492 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
PID 2492 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
PID 2492 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
PID 1708 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
PID 1708 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
PID 1708 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
PID 5116 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 5116 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 5116 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 2144 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2144 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2144 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 2144 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2304 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2144 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 2144 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 2144 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 2144 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 2144 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 2144 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 3620 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3620 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3620 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2292 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe

"C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1104

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2796 -ip 2796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 348

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53             64.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53             199.176.139.52.in-addr.arpa    udp
US       8.8.8.8:53             76.38.195.152.in-addr.arpa     udp
DE       193.233.20.30:4125     -                              tcp
US       8.8.8.8:53             30.20.233.193.in-addr.arpa     udp
US       13.89.179.10:443       -                              tcp
US       93.184.221.240:80      -                              tcp
US       93.184.221.240:80      -                              tcp
DE       193.233.20.30:4125     -                              tcp
US       8.8.8.8:53             73.254.224.20.in-addr.arpa     udp
RU       62.204.41.87:80        62.204.41.87                   tcp
US       8.8.8.8:53             ebfertility.com                udp
US       89.190.157.61:80       ebfertility.com                tcp
US       8.8.8.8:53             87.41.204.62.in-addr.arpa      udp
US       93.184.221.240:80      -                              tcp
US       8.8.8.8:53             61.157.190.89.in-addr.arpa     udp
NL       185.246.221.126:80     185.246.221.126                tcp
NL       173.223.113.164:443    -                              tcp
NL       173.223.113.131:80     -                              tcp
US       204.79.197.203:80      -                              tcp
US       8.8.8.8:53             126.221.246.185.in-addr.arpa   udp
NL       212.87.204.93:8081     -                              tcp
US       8.8.8.8:53             93.204.87.212.in-addr.arpa     udp
US       8.8.8.8:53             202.74.101.95.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe

MD5 e1c5095f4a1354814b74d4b3233c982e
SHA1 466549a809237e1822871702416df4e2b0c22e31
SHA256 b93a981773363d635081f6eb1d9b7368fb65ef408146233d13c85c53d84156b7
SHA512 54f02169c015dff78f6ac9c7dd27afbe6e10e7b37932c1fe894f68e5cc4ba140429149c2757757f4c9775e01dde2bc52a1a85f8d6bf6c6234cac35ce3157d65d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe

MD5 7653f7488ea94889e089aa4878e487d1
SHA1 5373bf80109e483f849eaf96504d1bce3eb9369d
SHA256 52f4c2f9bc0706513f46d43a7a4632796a97cc6c14d36139029d38ae05e8dcb9
SHA512 ea5e351cd27a908ba33edbb397d56c33179fd7bb02b1247539b36656b03ea79350d3e65353bee9d1e50a639c8ff4ef954559fa0c04e04a44dcc29164c70b52cc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe

MD5 860a8ef0cbc6c563fe9a3389761bd2d5
SHA1 39aa6e1688fb12ac7ae109839844ca63e569d801
SHA256 904a83dbf02fe546c6ea88969bb07fdf74cd34a44247991287b1e7e4aaf58b4a
SHA512 20850384762158037c52b6191f2411f3455932d36a46162c1f3e518615f4024c82f6a3dd615b642186dc26248e03775d82852e02c749c9d92c1c07c0011b35f7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe

MD5 9f6a2aee7f5a0a2dfc233bdddc186ed3
SHA1 be670efc0da3fded3263e5e23c2daa68c5213df4
SHA256 d06f3062a13b95f39f046b9af1be52944bcc7591e476c687314bb20fd7e0bdb3
SHA512 068889e8eb298b34ea26698f44292523e588e19ea4fbfec8588bf78fb3097d73fb77755e80e86107804e8ea5598bc29ef5ff0882e3b230678ad29f1c7f1089d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe

MD5 b1b874bda45255c1918822acdee76b7a
SHA1 4d6447fdf8f78a5a01d9266d8b50df839e4068fa
SHA256 518b12541919c4d3a6d6f50a00b1e1fc0b4cea5c006033e49e291d4b0f5386d3
SHA512 b1bd9dfcdd2f006c165bd489628e2e2e226e75a31f0d5c7d1b6f5d9f6a9e89ec3968d1fc2cd4f41de67b9eb911a7375ef884f084eb9ff9522deabfd814f3612f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe

MD5 3389637c0d072121bf1b127629736d37
SHA1 300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

memory/3628-1141-0x0000000000BF0000-0x0000000000C22000-memory.dmp

memory/3628-1142-0x00000000057E0000-0x00000000057F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

MD5 166d22ed93c723326a6d5fead162fdd3
SHA1 17cfd9649a4f68ef90c72689820876dbe4ca22d1
SHA256 e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7
SHA512 c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

memory/2796-1192-0x0000000000800000-0x000000000082E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 53bf804f75123ed2339305be1d298398
SHA1 33a337e3e219da8ecd237b44fbcaf4864124a012
SHA256 7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8
SHA512 7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 b2446d155f77cf70a33bb0c25172fa3f
SHA1 c20d68dad9e872b4607a5677c4851f863c28daf7
SHA256 0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb
SHA512 5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654

memory/2796-1248-0x0000000000870000-0x000000000088C000-memory.dmp

memory/2796-1249-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2796-1252-0x00000000001F0000-0x00000000001F3000-memory.dmp

memory/2796-1255-0x0000000000870000-0x000000000088C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
