Malware Analysis Report

2024-10-23 19:16

Sample ID: 230526-vej1hagd88
Target: 03812699.exe
SHA256: c7ecaec6a3807f7bb30c6a031931c4391f65c0f8b81901f2171448443bd7fab0
Tags: gurcu redline goga lisa discovery evasion infostealer persistence spyware stealer trojan collection
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c7ecaec6a3807f7bb30c6a031931c4391f65c0f8b81901f2171448443bd7fab0

Threat Level: Known bad

The file 03812699.exe was found to be: Known bad.

Malicious Activity Summary

Tags: gurcu redline goga lisa discovery evasion infostealer persistence spyware stealer trojan collection

Modifies Windows Defender Real-time Protection settings
RedLine
Gurcu, WhiteSnake
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
outlook_office_path
Suspicious use of FindShellTrayWindow
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Creates scheduled task(s)
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-26 16:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-26 16:54
Reported: 2023-05-26 16:56
Platform: win7-20230220-en
Max time kernel: 111s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03812699.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\03812699.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\03812699.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe
PID 1244 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe
PID 1040 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe
PID 1384 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe
PID 1244 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe
PID 1344 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1396 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1460 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03812699.exe
  "C:\Users\Admin\AppData\Local\Temp\03812699.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
  CACLS "legends.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
  CACLS "legends.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
  CACLS "..\41bde21dc7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
  CACLS "..\41bde21dc7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe
  "C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

C:\Windows\system32\taskeng.exe
  taskeng.exe {17B81FC3-E087-4CB5-AC18-44B42526C3B9} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe
  "C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Network

Country Destination Domain Proto
N/A 83.97.73.122:19062 N/A tcp
US 95.214.27.98:80 95.214.27.98 tcp
US 8.8.8.8:53 google.kz udp
US 8.8.8.8:53 cyware.com udp
NL 142.250.179.132:80 google.kz tcp
US 15.197.166.200:80 cyware.com tcp
US 3.33.180.61:80 cyware.com tcp
US 8.8.8.8:53 blog.cyble.com udp
US 192.0.78.183:80 blog.cyble.com tcp
US 192.0.78.183:443 blog.cyble.com tcp
US 3.33.180.61:443 cyware.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe

MD5 0c429676ca0d7ce51c3e04e02cd92f34
SHA1 d4e75bf33a8f3972266ed5a764c23db3525ce764
SHA256 0ff56a422e406d7e558f11d2af46afe146852fcc33ac762f00be298335ec2b6f
SHA512 2e17789b5ffa6abfb430191fedb114a70963e0345f7f724827814e8fc6f8e645b08d4379ddb0910a736a07d86728d2ac61e87ea43c339810b830b6069886365f

\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe

MD5 b49792d900d7cc4d9182393ab96f2562
SHA1 d21ebe00d2684813a53cdffb916a37797bd282e8
SHA256 eff05df83914666d28707e31a811f7177ece381e11804459c653833571e7c54c
SHA512 5e2b6ca22b6fc30ade3a06fff4de95f64a783650163c270d36909d0d388069be5cfe2704d28a8ca5e593f512ffd854f84997b6223a6c2dc0210d14f2e64cda63

\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe

MD5 386b1c6ccb4fba69cb07745ac9859466
SHA1 bffdeb47f586a38ebc43d87c266461f58955d056
SHA256 b293a92efd4fb435fccefd323abf8a0e3b8c17ba6c36494b3f0c634bed7ccc7b
SHA512 6d54831176e028e8bc462ada21327e115e1edc895ccb674dd91d6fba50871d1075d6b6e1db70014f6e1163867ef79893ba44b12ba919dbabecb991fad1728e6e

memory/556-85-0x0000000000400000-0x000000000040A000-memory.dmp

memory/556-86-0x0000000000400000-0x000000000040A000-memory.dmp

memory/556-90-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/556-92-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe

MD5 d7b177c2062d61469605d9ea1b30ad74
SHA1 c2196504596e7483821b93e3cd55fc8e08199974
SHA256 858a8e5c7970b665f5ee694ece8b67522b637e65b423eba82b17fb2f8eb85dbb
SHA512 9493e4896f027efe6f28627328a0f210481bb1235c28e8afaf0247e21a6f09560796e781f5d37a0d0db9d5c2bec86a1b49d96d88d6c691565db9c823364a985e

memory/556-95-0x0000000000400000-0x000000000040A000-memory.dmp

memory/860-100-0x0000000001330000-0x000000000135A000-memory.dmp

memory/860-101-0x0000000004FD0000-0x0000000005010000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

MD5 0632bb850de3c1b87f59b3c010fbdc51
SHA1 fd06bcedaf8e32a9553ce4d9380e95d1fabd1270
SHA256 86a25d79bb947f17f50e43e7a4b75b8c16c3f0e15fd18d47b1c79a523da071a4
SHA512 a544b4f10bbaefac07f27929868865b0b8455b2084edfd20580442c0c078404871aee1f650684de224aa9a678afa2633f11eaa87db65d7f774d5ad8be2f30b77

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

MD5 0632bb850de3c1b87f59b3c010fbdc51
SHA1 fd06bcedaf8e32a9553ce4d9380e95d1fabd1270
SHA256 86a25d79bb947f17f50e43e7a4b75b8c16c3f0e15fd18d47b1c79a523da071a4
SHA512 a544b4f10bbaefac07f27929868865b0b8455b2084edfd20580442c0c078404871aee1f650684de224aa9a678afa2633f11eaa87db65d7f774d5ad8be2f30b77

\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

MD5 0632bb850de3c1b87f59b3c010fbdc51
SHA1 fd06bcedaf8e32a9553ce4d9380e95d1fabd1270
SHA256 86a25d79bb947f17f50e43e7a4b75b8c16c3f0e15fd18d47b1c79a523da071a4
SHA512 a544b4f10bbaefac07f27929868865b0b8455b2084edfd20580442c0c078404871aee1f650684de224aa9a678afa2633f11eaa87db65d7f774d5ad8be2f30b77

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

MD5 0632bb850de3c1b87f59b3c010fbdc51
SHA1 fd06bcedaf8e32a9553ce4d9380e95d1fabd1270
SHA256 86a25d79bb947f17f50e43e7a4b75b8c16c3f0e15fd18d47b1c79a523da071a4
SHA512 a544b4f10bbaefac07f27929868865b0b8455b2084edfd20580442c0c078404871aee1f650684de224aa9a678afa2633f11eaa87db65d7f774d5ad8be2f30b77

memory/1392-110-0x0000000000090000-0x00000000000BA000-memory.dmp

memory/1392-109-0x0000000000090000-0x00000000000BA000-memory.dmp

memory/1392-116-0x0000000000090000-0x00000000000BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1392-117-0x0000000000090000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1460-127-0x00000000009F0000-0x0000000000AE8000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1392-128-0x0000000004E30000-0x0000000004E70000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1460-130-0x00000000070B0000-0x00000000070F0000-memory.dmp

memory/1948-131-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1948-134-0x0000000000400000-0x0000000000438000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1948-148-0x0000000000400000-0x0000000000438000-memory.dmp

memory/320-151-0x00000000012F0000-0x00000000013E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/320-153-0x0000000000680000-0x00000000006C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/836-162-0x0000000000400000-0x0000000000438000-memory.dmp

memory/836-163-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/836-174-0x0000000000400000-0x0000000000438000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/1840-183-0x0000000000DA0000-0x0000000000E76000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/836-179-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1840-184-0x0000000004E80000-0x0000000004EC0000-memory.dmp

memory/1840-185-0x00000000004A0000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/960-187-0x00000000012F0000-0x00000000013E8000-memory.dmp

memory/960-188-0x0000000007080000-0x00000000070C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1840-190-0x0000000004E80000-0x0000000004EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/892-195-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

memory/836-213-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

memory/1840-219-0x0000000000500000-0x000000000050A000-memory.dmp

memory/1840-220-0x0000000006010000-0x00000000060A0000-memory.dmp

memory/1840-221-0x00000000026F0000-0x000000000274C000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/884-223-0x0000000000400000-0x000000000045A000-memory.dmp

memory/884-224-0x0000000000400000-0x000000000045A000-memory.dmp

memory/884-225-0x0000000000400000-0x000000000045A000-memory.dmp

memory/884-226-0x0000000000400000-0x000000000045A000-memory.dmp

memory/884-227-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/884-228-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/884-231-0x0000000000400000-0x000000000045A000-memory.dmp

memory/884-233-0x0000000000400000-0x000000000045A000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/884-235-0x00000000027D0000-0x0000000002810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar55E3.tmp

MD5 73b4b714b42fc9a6aaefd0ae59adb009
SHA1 efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256 c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

C:\Users\Admin\AppData\Local\Temp\Cab55E2.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar56B4.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58dde73798714af3dc83d1def182a8f8
SHA1 296d26d62642d48741dd0838ba5588e51722c9fa
SHA256 6d621ba9b610d6abbdad1baf438cd90159f5dd83d6b6b882514145cae60d6438
SHA512 aa4e73e0ec48c0831231c200bae6ce9bcdbc10a98d1e2c89568cfa96b8a4681dce8f7a6ecde649c78d402d4e246737530c677bbedee9bd33a6845b0270e5da5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 dc2f5302719237bc64a1a0eb95f047a1
SHA1 1e44ab69586c4ec3dc052baeb7c424fb03bc2614
SHA256 c1e272d8596be30d93550ae1d961f80e1bd928974e22e635aedad0a6dd3f3bcf
SHA512 426e8751420b4c369b7662a5719ceb6cad00c2c07ddebada33b2b47f0b0ae7efc52f929251b8c55e8636d9ced5362ce6955a7a3ac703a3dfe4ec721d17db072a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d10dbf52315ea92e724f325b96ad426c
SHA1 b91fa0bfd54c583183122dcec68274eaf730f3e1
SHA256 56b03df307975239f5abaa1479dfad7d361d04117eb5055964b0c7cb881d87c5
SHA512 77e36014efd8a514afdb9b0346296d13b22aee8b410dbe58d17df52371ed30f5038bfb3078ad379f0cca2549f9395ad8f7a313315a9f78366fca3187fe596f04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09fe5fa9420b0dc43c89c09c880dd42b
SHA1 d9669d23bba2bd5bcdac9011597f5836883a846d
SHA256 422804cbec4ccf619e16dd9b4963fd623522c759ecb99b655359ff359f9cac92
SHA512 561310709c0bb58479201c1a0816ca4829689d06df86ac53d4980804e5d629a715d206d21fec15ae08170a7d45d81ce4e012c6e3b09c1cce742a2ca8e5b9a11e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4522c5b276cd027e148d9d0e1bd33fb
SHA1 a5c69d80839270c101508dca34da37d56d7bd652
SHA256 06f605d01da8c88175b62dda0f0d80c3a79e55ce83b99cb2f78237220545fab8
SHA512 000dba065927224470d4f972eba3c0f0a833fbe4e2512e2d9ac6b89488c4f5e0f85990f85854f0ba872b3fc90fa1fa5ac7f7e7375ea2e914644c34979fd99102

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75254c1f9ed9c2bc95ff73dde63d6389
SHA1 478ec2b5e5823ffcfa80ef439926011d6adc6e8f
SHA256 fa65482e4fee66bd7dffb4cb4531933a7bf0b9129d961ce83ef1d97b1e40e8c9
SHA512 1f2436ea23420a3ef8638da77833a2c11579e2bb552914c1a511e4ca738585975427911faa655f0efec6e6688be0d46ef6d55ae3d3630753c17a543800fdb5c7

memory/884-627-0x00000000027D0000-0x0000000002810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-26 16:54

Reported

2023-05-26 16:56

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03812699.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\03812699.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\03812699.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe
PID 5012 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe
PID 5012 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe
PID 1036 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe
PID 1036 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe
PID 1036 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe
PID 1164 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe
PID 1164 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe
PID 1164 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe
PID 2172 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2172 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2172 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2172 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2172 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1164 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe
PID 1164 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe
PID 1164 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe
PID 1036 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe
PID 1036 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe
PID 1036 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5012 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 5012 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 5012 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\03812699.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 4148 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 4148 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 4148 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 648 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
PID 4108 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
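
The table above logs one row per WriteProcessMemory call, so a source/target pair that appears five or ten times was written to that many times. The Python below is an added example and not part of the sandbox report: it folds the rows into one record per (source PID, target PID) with a write count and labels the pairs a triager cares about: writes into a fresh copy of the same image, writes into a .NET host such as AppLaunch.exe, and the handful of writes a parent makes into any child it launches. The rows embedded in it are a constructed subset copied from the table; the label text, the list of .NET host binaries and the launch-noise threshold are the example's own assumptions.

```python
"""Fold a sandbox 'wrote to memory of' table into an injection chain.

Added example, not part of the sandbox report.  Each input row is one logged
WriteProcessMemory call, formatted 'PID <src> wrote to memory of <dst> N/A
<source image> <target image>'.  Repeated rows are repeated calls, so the
count per (source, target) pair is itself a signal.
"""
import re
from collections import Counter

# Constructed input: a subset of rows copied from the report's table.
ROWS = r"""
PID 1036 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 1352 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe
PID 4108 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Both image paths end in .exe, so the greedy first group stops at the first
# path even if a path contained spaces.
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (.+\.exe) (.+\.exe)$')

# .NET Framework binaries commonly used as hosts for injected payloads
# (assumed list; AppLaunch.exe is the one seen in this report).
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

# A parent launching a child also writes into the new process a few times
# during CreateProcess.  At or below this many writes into a Windows binary
# the pair is treated as launch noise.  The threshold is an assumption.
LAUNCH_NOISE_MAX = 3


def parse_rows(text):
    """Return [(src_pid, dst_pid, src_image, dst_image)] for every well-formed row."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], m[4]))
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(src_image, dst_image, count):
    """Label one (source, target) pair from the image names and the write count."""
    if basename(src_image) == basename(dst_image):
        return "self-image write: fresh copy of its own image used as injection target (hollowing candidate)"
    if basename(dst_image) in DOTNET_HOSTS:
        return "write into .NET host binary: injection target"
    if dst_image.lower().startswith("c:\\windows\\") and count <= LAUNCH_NOISE_MAX:
        return "launch noise: few writes into a Windows child process"
    return "write into another dropped process: review"


def fold(rows):
    """Collapse repeated rows into one record per (src_pid, dst_pid) with count and label."""
    chain = []
    for (src_pid, dst_pid, src_image, dst_image), n in Counter(rows).items():
        chain.append({
            "src_pid": src_pid, "dst_pid": dst_pid,
            "src": basename(src_image), "dst": basename(dst_image),
            "writes": n, "label": classify(src_image, dst_image, n),
        })
    return sorted(chain, key=lambda r: (r["src_pid"], r["dst_pid"]))


if __name__ == "__main__":
    for r in fold(parse_rows(ROWS)):
        print(f'{r["src_pid"]:>5} {r["src"]:<14} -> {r["dst_pid"]:>5} {r["dst"]:<14} x{r["writes"]:<3} {r["label"]}')
```

Run against the full table, the same script shows the two self-image pairs (s1457388.exe into a second s1457388.exe, legends.exe into a second legends.exe) and the write into AppLaunch.exe as the injection steps, while the writes into schtasks.exe, cmd.exe and cacls.exe stay at the few calls a launch produces. The self-image label is a candidate only; the SetThreadContext signature listed for this sample is the corroborating evidence to check next.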

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03812699.exe

"C:\Users\Admin\AppData\Local\Temp\03812699.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legends.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legends.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\41bde21dc7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\41bde21dc7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1156

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
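
Three of the command lines above carry the persistence and self-protection of this sample: schtasks re-launches the dropped legends.exe every minute, CACLS strips the user's write and delete rights on that binary and its directory, and rundll32 proxy-loads clip64.dll from %APPDATA% through its Main export. The Python below is an added example, not part of the sandbox report: a set of command-line rules that pull exactly those findings out of a process list, plus the argument-less AppLaunch.exe start and the WerFault crash report for PID 1184. The command lines it contains are copied from the list above; the rule names, the user-writable path list and the set of .NET host binaries are the example's own assumptions.

```python
"""Command-line rules for the persistence and self-protection seen in the process list.

Added example, not part of the sandbox report.  Rule names, the user-writable
path list and the .NET host list are this example's own assumptions.
"""
import re

# Constructed input: command lines copied from the report's process list.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\03812699.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit',
    r'CACLS "legends.exe" /P "Admin:N"',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1184 -ip 1184',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
]

# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.I)
CACLS_RE = re.compile(r'\bCACLS(?:\.exe)?\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(\S+?\.dll)\s*,\s*(\w+)', re.I)
BARE_HOST_RE = re.compile(r'^"?[^"]*\\(AppLaunch|RegAsm|RegSvcs|InstallUtil)\.exe"?\s*$', re.I)
WERFAULT_RE = re.compile(r'WerFault\.exe.*\s-p\s+(\d+)', re.I)


def rule_schtasks(cmd):
    """Scheduled task whose action lives in a user-writable directory."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    sc = re.search(r'/SC\s+(\w+)', cmd, re.I)
    mo = re.search(r'/MO\s+(\d+)', cmd, re.I)
    tr = re.search(r'/TR\s+"([^"]+)"', cmd, re.I)
    target = tr[1] if tr else ""
    if not USER_WRITABLE.search(target):
        return None
    every = f"{mo[1] if mo else 1} {sc[1].lower()}" if sc else "unknown schedule"
    return f"persistence: scheduled task runs {target} every {every}"


def rule_cacls(cmd):
    """CACLS /P <user>:N replaces the object's ACL with a no-access entry for that user."""
    hits = CACLS_RE.findall(cmd)
    if not hits:
        return None
    objects = ", ".join(obj for obj, _ in hits)
    return f"self-protection: ACL of {objects} reset to deny {hits[0][1]} write/delete"


def rule_rundll32(cmd):
    """rundll32 loading a DLL export from a user-writable directory."""
    m = RUNDLL_RE.search(cmd)
    if m and USER_WRITABLE.search(m[1]):
        return f"proxy execution: rundll32 loads {m[1]} export {m[2]} from a user-writable path"
    return None


def rule_bare_dotnet_host(cmd):
    """A .NET host started with no arguments does nothing useful on its own."""
    m = BARE_HOST_RE.match(cmd.strip())
    return f"injection host: {m[1]}.exe started with no arguments" if m else None


def rule_werfault(cmd):
    """WerFault -p <pid> names the process whose crash is being reported."""
    m = WERFAULT_RE.search(cmd)
    return f"crash: WerFault handling PID {m[1]}" if m else None


RULES = [rule_schtasks, rule_cacls, rule_rundll32, rule_bare_dotnet_host, rule_werfault]


def triage(cmdlines):
    """Return [(cmdline, finding)] for every rule that fires on each command line."""
    findings = []
    for cmd in cmdlines:
        for rule in RULES:
            hit = rule(cmd)
            if hit:
                findings.append((cmd, hit))
    return findings


if __name__ == "__main__":
    for cmd, hit in triage(CMDLINES):
        print(hit, "<=", cmd[:70])
```

CACLS /P replaces the object's ACL with the single entry given, so "Admin:N" followed by "/P Admin:R /E" leaves the user with read access only on legends.exe and its directory; a cleanup that tries to delete the file as that user fails until the ACL is reset or ownership is taken. The scheduled task is named legends.exe (the /TN value) and must be deleted as well, or the binary is re-launched within a minute.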

Network

A "-" in the Domain column means the connection was made straight to the IP with no name observed.

Country  Destination           Domain                          Proto
US       8.8.8.8:53            217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53            254.21.238.8.in-addr.arpa       udp
US       8.8.8.8:53            8.3.197.209.in-addr.arpa        udp
N/A      83.97.73.122:19062    -                               tcp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            122.73.97.83.in-addr.arpa       udp
N/A      83.97.73.122:19062    -                               tcp
US       95.214.27.98:80       95.214.27.98                    tcp
US       8.8.8.8:53            98.27.214.95.in-addr.arpa       udp
US       40.125.122.176:443    -                               tcp
US       8.8.8.8:53            73.159.190.20.in-addr.arpa      udp
US       20.189.173.12:443     -                               tcp
US       40.125.122.176:443    -                               tcp
US       8.8.8.8:53            62.13.109.52.in-addr.arpa       udp
NL       8.238.177.126:80      -                               tcp
US       93.184.220.29:80      -                               tcp
US       8.8.8.8:53            cyware.com                      udp
US       8.8.8.8:53            twitter.com                     udp
US       15.197.166.200:80     cyware.com                      tcp
US       104.244.42.65:80      twitter.com                     tcp
US       104.244.42.65:80      twitter.com                     tcp
US       8.8.8.8:53            google.kz                       udp
NL       142.250.179.132:80    google.kz                       tcp
NL       142.250.179.132:80    google.kz                       tcp
US       104.244.42.65:443     twitter.com                     tcp
US       104.244.42.65:443     twitter.com                     tcp
US       15.197.166.200:80     cyware.com                      tcp
US       15.197.166.200:443    cyware.com                      tcp
US       15.197.166.200:443    cyware.com                      tcp
US       8.8.8.8:53            65.42.244.104.in-addr.arpa      udp
US       8.8.8.8:53            200.166.197.15.in-addr.arpa     udp
US       8.8.8.8:53            blog.cyble.com                  udp
US       192.0.78.183:80       blog.cyble.com                  tcp
US       192.0.78.183:443      blog.cyble.com                  tcp
US       8.8.8.8:53            132.179.250.142.in-addr.arpa    udp
US       40.125.122.176:443    -                               tcp
NL       8.238.177.126:80      -                               tcp
US       8.8.8.8:53            183.78.0.192.in-addr.arpa       udp
US       40.125.122.176:443    -                               tcp
US       40.125.122.176:443    -                               tcp
US       40.125.122.176:443    -                               tcp
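
Most of the table above is resolver traffic: reverse (in-addr.arpa) lookups of the addresses the VM touched, plus forward lookups of a few named hosts. The Python below is an added example and not part of the sandbox report: it parses the rows, decodes the reverse lookups back to addresses, and separates connections to named hosts from connections made straight to an IP, flagging the latter when the port is not 80 or 443. The rows in it are a constructed subset of the table; whether a flagged address is command-and-control is a judgement the script does not make.

```python
"""Split a sandbox network table into resolver noise and candidate contacts.

Added example, not part of the sandbox report.  Rows read
'<country> <ip>:<port> [<domain>] <proto>'; the domain column is empty (or '-')
when the connection was made straight to an IP.
"""
import re

# Constructed input: a subset of rows copied from the report's Network table.
TABLE = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 83.97.73.122:19062 tcp
US 8.8.8.8:53 122.73.97.83.in-addr.arpa udp
N/A 83.97.73.122:19062 - tcp
US 95.214.27.98:80 95.214.27.98 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.65:443 twitter.com tcp
US 104.244.42.65:443 twitter.com tcp
US 192.0.78.183:443 blog.cyble.com tcp
"""

ROW_RE = re.compile(r'^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$')
PTR_SUFFIX = ".in-addr.arpa"


def parse(text):
    """Return one dict per well-formed row; a missing or '-' domain becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        domain = None if m[4] in (None, "-") else m[4]
        rows.append({"country": m[1], "ip": m[2], "port": int(m[3]), "domain": domain, "proto": m[5]})
    return rows


def ptr_to_ip(name):
    """'122.73.97.83.in-addr.arpa' -> '83.97.73.122'; None for anything else."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def triage(rows, resolver="8.8.8.8"):
    """Separate DNS to the resolver from real contacts and flag direct-to-IP ones."""
    reverse, forward, counts = set(), set(), {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] == resolver:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse.add(ip)
            elif r["domain"]:
                forward.add(r["domain"])
            continue
        key = (r["ip"], r["port"], r["domain"])
        counts[key] = counts.get(key, 0) + 1
    contacts = []
    for (ip, port, domain), n in counts.items():
        if domain is None or domain == ip:
            note = "review: direct-to-IP" + ("" if port in (80, 443) else " on non-standard port")
        else:
            note = "named host"
        contacts.append({"ip": ip, "port": port, "domain": domain, "hits": n,
                         "ptr_seen": ip in reverse, "note": note})
    return {"reverse_lookups": sorted(reverse), "forward_lookups": sorted(forward), "contacts": contacts}


if __name__ == "__main__":
    result = triage(parse(TABLE))
    print("reverse lookups:", result["reverse_lookups"])
    print("forward lookups:", result["forward_lookups"])
    for c in result["contacts"]:
        print(f'{c["ip"]}:{c["port"]:<6} {c["domain"] or "-":<16} x{c["hits"]} ptr={c["ptr_seen"]} {c["note"]}')
```

On the full table the only contact that is both direct-to-IP and on a non-standard port is 83.97.73.122:19062, reached twice and also reverse-resolved (122.73.97.83.in-addr.arpa); 95.214.27.98:80 is plain HTTP by raw IP. The named hosts (twitter.com, cyware.com, google.kz, blog.cyble.com) and the remaining 443 endpoints need a separate decision on whether they are sample behaviour or VM background traffic.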

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2269754.exe

MD5 0c429676ca0d7ce51c3e04e02cd92f34
SHA1 d4e75bf33a8f3972266ed5a764c23db3525ce764
SHA256 0ff56a422e406d7e558f11d2af46afe146852fcc33ac762f00be298335ec2b6f
SHA512 2e17789b5ffa6abfb430191fedb114a70963e0345f7f724827814e8fc6f8e645b08d4379ddb0910a736a07d86728d2ac61e87ea43c339810b830b6069886365f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1886594.exe

MD5 b49792d900d7cc4d9182393ab96f2562
SHA1 d21ebe00d2684813a53cdffb916a37797bd282e8
SHA256 eff05df83914666d28707e31a811f7177ece381e11804459c653833571e7c54c
SHA512 5e2b6ca22b6fc30ade3a06fff4de95f64a783650163c270d36909d0d388069be5cfe2704d28a8ca5e593f512ffd854f84997b6223a6c2dc0210d14f2e64cda63

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7502698.exe

MD5 386b1c6ccb4fba69cb07745ac9859466
SHA1 bffdeb47f586a38ebc43d87c266461f58955d056
SHA256 b293a92efd4fb435fccefd323abf8a0e3b8c17ba6c36494b3f0c634bed7ccc7b
SHA512 6d54831176e028e8bc462ada21327e115e1edc895ccb674dd91d6fba50871d1075d6b6e1db70014f6e1163867ef79893ba44b12ba919dbabecb991fad1728e6e

memory/2332-155-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2012334.exe

MD5 d7b177c2062d61469605d9ea1b30ad74
SHA1 c2196504596e7483821b93e3cd55fc8e08199974
SHA256 858a8e5c7970b665f5ee694ece8b67522b637e65b423eba82b17fb2f8eb85dbb
SHA512 9493e4896f027efe6f28627328a0f210481bb1235c28e8afaf0247e21a6f09560796e781f5d37a0d0db9d5c2bec86a1b49d96d88d6c691565db9c823364a985e

memory/2216-163-0x0000000000AB0000-0x0000000000ADA000-memory.dmp

memory/2216-164-0x0000000005890000-0x0000000005EA8000-memory.dmp

memory/2216-165-0x0000000005410000-0x000000000551A000-memory.dmp

memory/2216-166-0x0000000005340000-0x0000000005352000-memory.dmp

memory/2216-167-0x00000000053A0000-0x00000000053DC000-memory.dmp

memory/2216-168-0x00000000056F0000-0x0000000005700000-memory.dmp

memory/2216-169-0x0000000005700000-0x0000000005792000-memory.dmp

memory/2216-170-0x0000000006460000-0x0000000006A04000-memory.dmp

memory/2216-171-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/2216-172-0x0000000006360000-0x00000000063D6000-memory.dmp

memory/2216-173-0x00000000063E0000-0x0000000006430000-memory.dmp

memory/2216-174-0x0000000006CE0000-0x0000000006EA2000-memory.dmp

memory/2216-175-0x00000000073E0000-0x000000000790C000-memory.dmp

memory/2216-177-0x00000000056F0000-0x0000000005700000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6282827.exe

MD5 0632bb850de3c1b87f59b3c010fbdc51
SHA1 fd06bcedaf8e32a9553ce4d9380e95d1fabd1270
SHA256 86a25d79bb947f17f50e43e7a4b75b8c16c3f0e15fd18d47b1c79a523da071a4
SHA512 a544b4f10bbaefac07f27929868865b0b8455b2084edfd20580442c0c078404871aee1f650684de224aa9a678afa2633f11eaa87db65d7f774d5ad8be2f30b77

memory/3596-183-0x0000000000590000-0x00000000005BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1352-192-0x0000000000330000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/1352-193-0x0000000002750000-0x0000000002760000-memory.dmp

memory/3596-194-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/4148-195-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/4148-198-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4148-199-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4148-201-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/4148-215-0x0000000000400000-0x0000000000438000-memory.dmp

memory/648-216-0x0000000006F20000-0x0000000006F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/4108-220-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4108-221-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4108-223-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4108-224-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/4108-235-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4108-244-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

memory/4168-247-0x0000000000E20000-0x0000000000EF6000-memory.dmp

memory/4168-248-0x00000000057D0000-0x00000000057DA000-memory.dmp

memory/4168-249-0x0000000005980000-0x0000000005990000-memory.dmp

memory/4168-250-0x0000000005980000-0x0000000005990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/2128-253-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/3692-256-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3692-257-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3692-258-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4168-259-0x0000000009BD0000-0x0000000009C6C000-memory.dmp

memory/1184-260-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe

MD5 a1ce7b26712e1db177d86fa87d09c354
SHA1 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512 e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1232.exe.log

MD5 7cad59aef5a93f093b6ba494f13f796f
SHA1 3cef97b77939bfc06dfd3946fc1a8cd159f67100
SHA256 1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55
SHA512 8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b

memory/1184-264-0x0000000004F30000-0x0000000004F40000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

memory/4108-282-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/4804-286-0x00000000078B0000-0x00000000078C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/2124-289-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2124-290-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2124-291-0x0000000000400000-0x0000000000438000-memory.dmp
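
The listing above repeats a file block once per observed write and interleaves memory dumps, which hides two facts a reader wants: s1457388.exe and legends.exe carry the same SHA256 (legends.exe is the copy the scheduled task points at), and the region 0x400000-0x438000 was dumped from several PIDs. The Python below is an added example and not part of the sandbox report: it parses the listing into distinct artifacts keyed by SHA256, records every path each one was seen under, and groups memory dumps by base address and size. The listing embedded in it is a constructed subset of the section; the note texts are the example's own.

```python
"""Collapse a sandbox file listing into distinct artifacts and memory regions.

Added example, not part of the sandbox report.  The listing repeats a file
block (path plus MD5/SHA1/SHA256/SHA512) once per observed write and lists
memory dumps as 'memory/<pid>-<seq>-<start>-<end>-memory.dmp'.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's Files section, including a repeat.
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1457388.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/4148-195-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

MD5 99bb0729d09a169657ea4c042ac08bc3
SHA1 55900f3f8ed78d590e1c53d22766ee311d45219d
SHA256 f37012f1943103e5757fcaad42c9a4d6e3e2585b8c8a9299a0ee23de5281c497
SHA512 6ff815ff71b57e95127a4fe4044e86a74f3c345dfca5f431b084c3c40b588ce4ce5821f78950984e1f4ba5c85a755d66eb12638be270b0c12f32a6ddd339ae8d

memory/4108-220-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73c0c85e39b9a63b42f6c4ff6d634f8b
SHA1 efb047b4177ad78268f6fc8bf959f58f1123eb51
SHA256 477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368
SHA512 ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643
"""

MEM_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$')


def parse(text):
    """Return (file_events, memory_regions).  Any other non-blank line starts a new file block."""
    files, regions, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": int(m[3], 16), "end": int(m[4], 16)})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current[h[1].lower()] = h[2]
            continue
        current = {"path": line}
        files.append(current)
    return files, regions


def distinct_artifacts(files):
    """One record per unique SHA256 with every path it was written under and the write count."""
    by_hash = defaultdict(lambda: {"paths": [], "events": 0})
    for f in files:
        sha = f.get("sha256")
        if not sha:
            continue
        rec = by_hash[sha]
        rec["events"] += 1
        if f["path"] not in rec["paths"]:
            rec["paths"].append(f["path"])
    out = []
    for sha, rec in by_hash.items():
        notes = []
        if len(rec["paths"]) > 1:
            notes.append("same content dropped under several paths")
        # The .NET Framework writes this log when a managed executable runs.
        if any("\\clr_v4.0_32\\usagelogs\\" in p.lower() and p.lower().endswith(".log") for p in rec["paths"]):
            notes.append(".NET CLR usage log: the named executable ran as managed code")
        out.append({"sha256": sha, **rec, "notes": notes})
    return out


def region_summary(regions):
    """Group dumped regions by (base, size) so the same mapping across PIDs stands out."""
    groups = defaultdict(list)
    for r in regions:
        groups[(r["start"], r["end"] - r["start"])].append(r["pid"])
    return {k: sorted(set(v)) for k, v in groups.items()}


if __name__ == "__main__":
    files, regions = parse(LISTING)
    for a in distinct_artifacts(files):
        print(a["sha256"][:16], f'x{a["events"]}', a["paths"], a["notes"])
    for (base, size), pids in region_summary(regions).items():
        print(f"region 0x{base:x} size 0x{size:x} dumped from PIDs {pids}")
```

Over the whole section the same grouping yields 0x400000 with size 0x38000 for PIDs 4148, 4108, 3692 and 2124 (all instances of the s1457388.exe/legends.exe image), and three CLR usage logs (AppLaunch.exe.log, legends.exe.log, 1232.exe.log) that show those three processes executed managed code under the 32-bit CLR.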