Malware Analysis Report

2024-11-13 17:11

Sample ID 230321-x3q5tscf92
Target 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9
SHA256 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9
Tags
amadey aurora redline down mix1 sint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9

Threat Level: Known bad

The file 991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9 was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline down mix1 sint discovery evasion infostealer persistence spyware stealer trojan

Amadey

Aurora

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender Real-time Protection settings

RedLine

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 19:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 19:22

Reported

2023-03-21 19:25

Platform

win10v2004-20230220-en

Max time kernel

116s

Max time network

153s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A

RedLine

infostealer redline

RedLine payload


Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1948 created 2904 N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe C:\Windows\system32\taskhostw.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17uL67.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1948 set thread context of 2804 N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\fontview.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76hR59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xjjHp89.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76hR59.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xjjHp89.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe
PID 648 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe
PID 2436 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe
PID 2972 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe
PID 2972 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe
PID 2436 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76hR59.exe
PID 648 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xjjHp89.exe
PID 4596 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17uL67.exe
PID 4972 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17uL67.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4844 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 4844 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3804 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3804 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3804 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4844 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 4844 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe
PID 1648 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1948 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9.exe

"C:\Users\Admin\AppData\Local\Temp\991122c6d54cdc6073df5725baed8b769dfbdb821043a99615e3a9227def36c9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76hR59.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76hR59.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1224 -ip 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xjjHp89.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xjjHp89.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17uL67.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17uL67.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe

"C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe"

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2964 -ip 2964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1848

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
DE 193.233.20.31:4125 tcp
US 8.8.8.8:53 31.20.233.193.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
DE 193.233.20.31:4125 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
ES 18.100.155.25:80 18.100.155.25 tcp
US 8.8.8.8:53 25.155.100.18.in-addr.arpa udp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 ckuauohuihgms1p7u00gflazwnzxizd.aeu8hjm3ltchpyqwsnx9enrqaud udp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
RU 80.85.156.168:20189 tcp
NL 8.238.177.126:80 tcp
US 8.8.8.8:53 168.156.85.80.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.203.141.215:80 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
FI 65.109.236.2:80 tcp
DE 157.90.161.227:80 157.90.161.227 tcp
US 8.8.8.8:53 227.161.90.157.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4248.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1484.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5539.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0713.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2702WQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76hR59.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xjjHp89.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17uL67.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe

C:\Users\Admin\AppData\Local\Temp\240618890.dll

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\ProgramData\10009388627719994203443650

C:\ProgramData\96536156473371220074632749

C:\ProgramData\66124836048392424759811977

C:\ProgramData\83497966192819000986803199
