Malware Analysis Report

2024-11-13 17:10

Sample ID 230322-mdkawaab7v
Target 3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d
SHA256 3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d
Tags
amadey aurora redline rhadamanthys 0001 down mix1 sint discovery evasion infostealer persistence spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d

Threat Level: Known bad

The file 3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d was found to be: Known bad.

Malicious Activity Summary

amadey aurora redline rhadamanthys 0001 down mix1 sint discovery evasion infostealer persistence spyware stealer trojan upx

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender Real-time Protection settings

Aurora

Detect rhadamanthys stealer shellcode

RedLine

Rhadamanthys

Amadey

RedLine payload

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-22 10:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-22 10:20

Reported

2023-03-22 10:23

Platform

win10-20230220-en

Max time kernel

147s

Max time network

150s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Amadey

trojan amadey

Aurora

stealer aurora

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4356 created 3044 N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe c:\windows\system32\taskhostw.exe

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe" C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe" C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe" C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe N/A
Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe" C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\clip.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000123001\\clip.exe" C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4356 set thread context of 2924 N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SYSWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SYSWOW64\fontview.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe N/A
N/A N/A C:\Windows\SYSWOW64\fontview.exe N/A
N/A N/A C:\Windows\SYSWOW64\fontview.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe
PID 2572 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe
PID 2572 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe
PID 3260 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe
PID 3260 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe
PID 3260 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe
PID 4068 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe
PID 4068 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe
PID 4068 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe
PID 3448 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe
PID 3448 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe
PID 3448 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe
PID 3448 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe
PID 3448 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe
PID 4068 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe
PID 4068 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe
PID 4068 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe
PID 3260 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe
PID 3260 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe
PID 3260 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe
PID 2572 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe
PID 2572 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe
PID 2572 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe
PID 4764 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4764 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 4764 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
PID 3236 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3236 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3236 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\schtasks.exe
PID 3236 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3236 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 3236 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 3236 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
PID 3236 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 3236 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 3236 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
PID 3236 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe
PID 3236 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe
PID 3236 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe
PID 3236 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe
PID 3236 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe
PID 3236 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe
PID 3236 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe
PID 3236 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe

Processes

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe

"C:\Users\Admin\AppData\Local\Temp\3f5f56c11734ce4fc5d2bccc9253012435dbcab27e433c6442a9e660be89cf3d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1819.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3947.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2290.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5604.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8385DP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w95FP33.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyQwF63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11ge21.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legenda.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\f22b669919" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe

"C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe"

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe

"C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe"

C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe

"C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe"

C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe

"C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe" 0

C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe

"C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe" 0

C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe

"C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe" 0

C:\Users\Admin\AppData\Local\Temp\1000124001\clip.exe

"C:\Users\Admin\AppData\Local\Temp\1000124001\clip.exe" 0

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SYSWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\SysWOW64\fontview.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
DE 193.233.20.31:4125 tcp
US 8.8.8.8:53 31.20.233.193.in-addr.arpa udp
DE 193.233.20.31:4125 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
RU 62.204.41.87:80 62.204.41.87 tcp
US 8.8.8.8:53 ebfertility.com udp
US 89.190.157.61:80 ebfertility.com tcp
US 8.8.8.8:53 87.41.204.62.in-addr.arpa udp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
NL 185.246.221.126:80 185.246.221.126 tcp
US 8.8.8.8:53 126.221.246.185.in-addr.arpa udp
ES 18.100.155.25:80 18.100.155.25 tcp
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 25.155.100.18.in-addr.arpa udp
NL 193.42.33.216:80 193.42.33.216 tcp
US 8.8.8.8:53 ckuauohuihgms1p7u00gflazwnzxizd.aeu8hjm3ltchpyqwsnx9enrqaud udp
US 8.8.8.8:53 216.33.42.193.in-addr.arpa udp
NL 193.42.33.216:80 193.42.33.216 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 195.133.40.209:13527 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 209.40.133.195.in-addr.arpa udp
NL 195.133.40.209:13527 tcp
RU 80.85.156.168:20189 tcp
US 8.8.8.8:53 154.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.203.141.215:80 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
NL 212.87.204.93:8081 tcp
FI 65.109.236.2:80 tcp
RU 80.85.156.168:20189 tcp
NL 212.87.204.93:8081 tcp
DE 157.90.161.227:80 157.90.161.227 tcp
US 8.8.8.8:53 227.161.90.157.in-addr.arpa udp
RU 80.85.156.168:20189 tcp
NL 212.87.204.93:8081 tcp
RU 80.85.156.168:20189 tcp

Files
