Malware Analysis Report

2024-11-13 17:11

Sample ID 230322-bqnchsea94
Target setup.exe
SHA256 5e3b337f41ccbe39106b15ea3a07759c01ee41e7d18ed62395f277767634c768
Tags
amadey aurora redline rhadamanthys down sint discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e3b337f41ccbe39106b15ea3a07759c01ee41e7d18ed62395f277767634c768

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys down sint discovery evasion infostealer persistence spyware stealer trojan

Amadey

Rhadamanthys

RedLine payload

Detect rhadamanthys stealer shellcode

Modifies Windows Defender Real-time Protection settings

Aurora

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Downloads MZ/PE file

Looks for VMWare Tools registry key

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-22 01:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-22 01:21

Reported

2023-03-22 01:23

Platform

win7-20230220-en

Max time kernel

115s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1696 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1692 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 1544 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1544 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1692 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1696 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1448 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 1108 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe

"C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {C0EE1DA2-F301-44E8-83D3-5E89D61F7F85} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
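
The schtasks and CACLS command lines in this tree are the part a responder has to act on. Amadey copies itself to %TEMP%\f22b669919\legenda.exe, registers a task that re-launches that copy every minute (the taskeng.exe entry further down is that task firing), and then uses CACLS to replace the ACL of the file and of its directory so the Admin user has no access (/P Admin:N), before editing it back to read-only (/P Admin:R /E); an ordinary delete by that user then fails. The Python below is an added example, not part of the sandbox output. It parses those command lines (copied here as constructed input), returns one finding per technique together with the command that undoes it, and ignores the discovery commands (wmic). The regexes, the list of user-writable locations and the ATT&CK mappings are assumptions made for this example, not something the report states.

```python
"""Triage the legenda.exe command lines for persistence and self-protection.

Added example, not part of the sandbox output.  Two techniques are flagged,
both of which must be undone before the dropped file can simply be deleted:
  * a scheduled task re-launching a binary from a user-writable path every
    minute (schtasks /Create /SC MINUTE /MO 1 ... /F), ATT&CK T1053.005;
  * CACLS /P rewrites that strip the interactive user's access (Admin:N,
    whole ACL replaced) and then edit it back to read-only (Admin:R /E),
    ATT&CK T1222.001, so that user can no longer modify or delete the file.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str
    target: str
    detail: str
    remediation: str  # undo command; run as the file owner or elevated


# Constructed from the process list above, quotes exactly as the sandbox logged them.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"'
    r'&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"'
    r'&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit',
    r'wmic os get Caption',
]

# Locations an unprivileged user can write to (assumed list); a task action there is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\b', re.I)
CACLS_P = re.compile(
    r'\bcacls(?:\.exe)?"?\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<user>[^":\s]+):(?P<perm>[NRWCF])"?'
    r'(?P<edit>\s+/E\b)?', re.I)
PERM = {"N": "none", "R": "read", "W": "write", "C": "change", "F": "full control"}


def _switch(cmd, name):
    """Value of a schtasks /NAME switch, quoted or bare; None if absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_schtasks(cmd):
    """Flag a task creation that fires every minute or runs from a user-writable path."""
    if not SCHTASKS_CREATE.search(cmd):
        return None
    sc, mo, tn, tr = (_switch(cmd, s) for s in ("SC", "MO", "TN", "TR"))
    interval = int(mo) if mo and mo.isdigit() else 1  # schtasks defaults /MO to 1
    why = []
    if (sc or "").upper() == "MINUTE":
        why.append("runs every %d minute(s)" % interval)
    if tr and USER_WRITABLE.search(tr):
        why.append("action lives under a user-writable path")
    if not why:
        return None
    if re.search(r"\s/F\b", cmd, re.I):
        why.append("/F overwrites any existing task of that name without prompting")
    return Finding("T1053.005 scheduled task", tn or "?", "; ".join(why) + ": " + (tr or "?"),
                   'schtasks /Delete /TN "%s" /F' % (tn or "?"))


def check_cacls(cmdlines):
    """Follow every CACLS /P rewrite per (target, user); report targets whose access was cut."""
    history = {}
    for cmd in cmdlines:
        for part in re.split(r"&&|\|", cmd):  # cmd.exe chains: a&&b, echo Y|cacls ...
            m = CACLS_P.search(part)
            if m:
                key = (m["target"], m["user"].lower())
                history.setdefault(key, []).append((m["perm"].upper(), bool(m["edit"])))
    out = []
    for (target, user), steps in history.items():
        if not any(p == "N" for p, _ in steps):
            continue
        trail = " -> ".join("%s (%s)" % (PERM[p], "edit" if e else "replace ACL") for p, e in steps)
        out.append(Finding("T1222.001 ACL tampering", target,
                           "%s: %s; final %s, so %s cannot modify or delete it"
                           % (user, trail, PERM[steps[-1][0]], user),
                           'icacls "%s" /reset' % target))  # owner keeps WRITE_DAC, so /reset works
    return out


def triage(cmdlines):
    findings = [f for f in (check_schtasks(c) for c in cmdlines) if f]
    findings.extend(check_cacls(cmdlines))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print("[%s] %s: %s\n    undo: %s" % (f.technique, f.target, f.detail, f.remediation))
```

Order matters on a live host: delete the task first, otherwise the copy is re-launched within a minute. The sandbox logs each CACLS step twice (once inside the cmd.exe /k wrapper and once per spawned cacls.exe); the example feeds only the wrapper so every step is counted once. icacls /reset needs the caller to be the file's owner or elevated; if neither, run takeown /F on the target first.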

Network

Country Destination Domain Proto
DE 193.233.20.31:4125 tcp
DE 193.233.20.31:4125 tcp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
NL 185.246.221.126:80 185.246.221.126 tcp
ES 18.100.155.25:80 18.100.155.25 tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 ckuauohuihgms1p7u00gflazwnzxizd.aeu8hjm3ltchpyqwsnx9enrqaud udp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe

MD5 b474361e6d4c06b5b77d910eec6bcd7b
SHA1 61711104e8cf388c8cafc74375e9c420bcd73525
SHA256 a306874020ba6cc2b74d3c846210340b2beb096047dd1ec67656cd6c119f20a8
SHA512 9afc3e1a398450251ed88e22585d3ead185d6f0a4a63db3190f3255fbf841727c10bccc58f97af1e836fe5e296190ddca8a7f11616a8721752aba5c91a2af5f5

\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe

MD5 b4e5ba6e8dada93db400e75be9db1a77
SHA1 93f799d4b6215ed00d685050235df0d6665741f2
SHA256 cb9a19c8ca26734917f8543199d470b3ecd637a2333101894c3b4c94c60f6dcd
SHA512 e1a1e051d6c8069f76da3e6832f8451d531005fa1b9e22ace0d31585034b795916a82bd9cc2ffa71e822f81c18b26089b560dd7d6d2542889b4f1c0fedf35807

\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe

MD5 b1b5c38eea3dde7e578ff8d03f70b605
SHA1 1ab733019ff0ec00566f311812815df4c9b08a30
SHA256 e06453f0f82758d3abcd8b1e7b1aaa1ece9a2b10c6227d3b809bcf4629d8a896
SHA512 7366d9a4749c90f3e88e6e07707701ae8a0b932cca9406be104f455a6a341c2b19aeb835239c113e117d4aa0450f584b71b44e6d90d3e138abf26f43cf9c9289

\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/648-92-0x0000000001110000-0x000000000111A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe

MD5 3eb5681ab72f87531c2ccebf96499c19
SHA1 d22d0a1ad438bae7f3c33505976be2848e1209cd
SHA256 f035db1a38743adc459ff39f23b66005534110a2785760b73bb0209b4a8e799b
SHA512 1b858708befe94791064b7bb05232e7fe90ae1d3e2ff05b7e42642c4825d807834822248b2728ebbddd1b81644c4c0b6664093fc1eb6a92aa6b411a6a50fbbb8

memory/1796-103-0x00000000008C0000-0x00000000008DA000-memory.dmp

memory/1796-104-0x0000000000250000-0x000000000027D000-memory.dmp

memory/1796-105-0x00000000028B0000-0x00000000028F0000-memory.dmp

memory/1796-106-0x0000000000B30000-0x0000000000B48000-memory.dmp

memory/1796-108-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-107-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-110-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-112-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-114-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-116-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-118-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-120-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-122-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-124-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-126-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-128-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-130-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-134-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-132-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/1796-135-0x00000000028B0000-0x00000000028F0000-memory.dmp

memory/1796-136-0x00000000028B0000-0x00000000028F0000-memory.dmp

memory/1796-137-0x0000000000400000-0x0000000000726000-memory.dmp

memory/1796-138-0x0000000000400000-0x0000000000726000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe

MD5 7d758686e19a844146f89622e11e45eb
SHA1 fe00975a1c773b32e1fd18b3a00db5013524d6f5
SHA256 8438bc1b31a4b3bf1a0818995a502c4016345e26f89d53973d0a743ecb349df3
SHA512 eb68ec51dbaaab40f2d361039ea1d8f5fe2d7b98c3b51b68b4f8cb784a64226272ab733f08e3e5807ff52030bed775460dfa2a452bbdf7d1bb384b3196f422e4

memory/804-149-0x0000000002470000-0x00000000024B6000-memory.dmp

memory/804-150-0x00000000024B0000-0x00000000024F4000-memory.dmp

memory/804-151-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-152-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-156-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-154-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-158-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-162-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-160-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-164-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-170-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-168-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-166-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-172-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-174-0x0000000000280000-0x00000000002CB000-memory.dmp

memory/804-176-0x0000000004D70000-0x0000000004DB0000-memory.dmp

memory/804-175-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-178-0x0000000004D70000-0x0000000004DB0000-memory.dmp

memory/804-179-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-183-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-181-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-185-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-187-0x00000000024B0000-0x00000000024EE000-memory.dmp

memory/804-1060-0x0000000004D70000-0x0000000004DB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe

MD5 87d8308e8cda648f980eaded98c6dd64
SHA1 8e1213fea55c704c3d133c4b8675b99a66c08fc1
SHA256 dfb2378d9e691c98c02a4ebd3196a313185549e72cd0d770972ea47888889246
SHA512 04add36bd3e21f02b1fa836caddfbc0a0adfa480f18a369a5974bf98e093f17f36ab68251d5acdda4d8a94458451953b1fcf6ab7706b5e7125fc852c5dc71200

memory/892-1069-0x0000000000A30000-0x0000000000A62000-memory.dmp

memory/892-1070-0x00000000049D0000-0x0000000004A10000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

MD5 166d22ed93c723326a6d5fead162fdd3
SHA1 17cfd9649a4f68ef90c72689820876dbe4ca22d1
SHA256 e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7
SHA512 c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

MD5 a8a106555b9e1f92569d623c66ee8c12
SHA1 a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

memory/1724-1114-0x00000000002D0000-0x00000000002FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe

MD5 a631f66eb7c5e6e476ebac0baa5b0dbe
SHA1 3ec553f7caffff701451fad841a7b0d38f538895
SHA256 d3f3ea77ce48cf9b66dd2e067f8c7555b1b1ba5d8cb3f61a91ce68db5a8e8e7e
SHA512 57dfed65f52374400d1f3193442ed2244a6d9797f360a46ef5a998bc8c2a7b30a501f6a0ab080e60541c4f4dce8502e0992d67cb45f69324893c56832438eb45

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 7634ebd082abbba35a8e6a300ec83c51
SHA1 953666e70fbed932e4bed446f1d1e432781972b7
SHA256 792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f
SHA512 6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

memory/1724-1180-0x0000000000310000-0x000000000032C000-memory.dmp

memory/1724-1181-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1724-1185-0x0000000000310000-0x000000000032C000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-22 01:21

Reported

2023-03-22 01:23

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe
PID 1984 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe
PID 3600 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe
PID 3316 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe
PID 3316 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe
PID 3600 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe
PID 1984 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe
PID 4116 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe
PID 4228 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3324 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3392 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3392 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3392 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3324 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2732 -ip 2732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 135.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
IE 20.50.80.209:443 tcp
DE 193.233.20.31:4125 tcp
US 8.8.8.8:53 31.20.233.193.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
DE 193.233.20.31:4125 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6706.exe

MD5 b474361e6d4c06b5b77d910eec6bcd7b
SHA1 61711104e8cf388c8cafc74375e9c420bcd73525
SHA256 a306874020ba6cc2b74d3c846210340b2beb096047dd1ec67656cd6c119f20a8
SHA512 9afc3e1a398450251ed88e22585d3ead185d6f0a4a63db3190f3255fbf841727c10bccc58f97af1e836fe5e296190ddca8a7f11616a8721752aba5c91a2af5f5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1083.exe

MD5 b4e5ba6e8dada93db400e75be9db1a77
SHA1 93f799d4b6215ed00d685050235df0d6665741f2
SHA256 cb9a19c8ca26734917f8543199d470b3ecd637a2333101894c3b4c94c60f6dcd
SHA512 e1a1e051d6c8069f76da3e6832f8451d531005fa1b9e22ace0d31585034b795916a82bd9cc2ffa71e822f81c18b26089b560dd7d6d2542889b4f1c0fedf35807

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0037.exe

MD5 b1b5c38eea3dde7e578ff8d03f70b605
SHA1 1ab733019ff0ec00566f311812815df4c9b08a30
SHA256 e06453f0f82758d3abcd8b1e7b1aaa1ece9a2b10c6227d3b809bcf4629d8a896
SHA512 7366d9a4749c90f3e88e6e07707701ae8a0b932cca9406be104f455a6a341c2b19aeb835239c113e117d4aa0450f584b71b44e6d90d3e138abf26f43cf9c9289

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6332.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3392-161-0x0000000000540000-0x000000000054A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1584Cq.exe

MD5 3eb5681ab72f87531c2ccebf96499c19
SHA1 d22d0a1ad438bae7f3c33505976be2848e1209cd
SHA256 f035db1a38743adc459ff39f23b66005534110a2785760b73bb0209b4a8e799b
SHA512 1b858708befe94791064b7bb05232e7fe90ae1d3e2ff05b7e42642c4825d807834822248b2728ebbddd1b81644c4c0b6664093fc1eb6a92aa6b411a6a50fbbb8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71By41.exe

MD5 7d758686e19a844146f89622e11e45eb
SHA1 fe00975a1c773b32e1fd18b3a00db5013524d6f5
SHA256 8438bc1b31a4b3bf1a0818995a502c4016345e26f89d53973d0a743ecb349df3
SHA512 eb68ec51dbaaab40f2d361039ea1d8f5fe2d7b98c3b51b68b4f8cb784a64226272ab733f08e3e5807ff52030bed775460dfa2a452bbdf7d1bb384b3196f422e4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbsuQ12.exe

MD5 87d8308e8cda648f980eaded98c6dd64
SHA1 8e1213fea55c704c3d133c4b8675b99a66c08fc1
SHA256 dfb2378d9e691c98c02a4ebd3196a313185549e72cd0d770972ea47888889246
SHA512 04add36bd3e21f02b1fa836caddfbc0a0adfa480f18a369a5974bf98e093f17f36ab68251d5acdda4d8a94458451953b1fcf6ab7706b5e7125fc852c5dc71200

memory/2804-1139-0x00000000005E0000-0x0000000000612000-memory.dmp

memory/2804-1140-0x0000000005250000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73Vf37.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

MD5 5086db99de54fca268169a1c6cf26122
SHA1 003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 94cbeec5d4343918fd0e48760e40539c
SHA1 a049266c5c1131f692f306c8710d7e72586ae79d
SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 16cf28ebb6d37dbaba93f18320c6086e
SHA1 eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
