Analysis Overview
SHA256
f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2
Threat Level: Known bad
The file f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2 was found to be: Known bad.
Malicious Activity Summary
Amadey
Rhadamanthys
Detect rhadamanthys stealer shellcode
Modifies Windows Defender Real-time Protection settings
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine payload
Aurora
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Windows security modification
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-18 23:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-18 23:17
Reported
2023-03-18 23:19
Platform
win10-20230220-en
Max time kernel
98s
Max time network
145s
Command Line
Signatures
Amadey
Aurora
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5000 created 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | c:\windows\system32\taskhostw.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5000 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe
"C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SYSWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 784
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.30:4125 | | tcp |
| US | 8.8.8.8:53 | 30.20.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| DE | 193.233.20.30:4125 | | tcp |
| RU | 62.204.41.87:80 | 62.204.41.87 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.95.206.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.41.204.62.in-addr.arpa | udp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ebfertility.com | udp |
| US | 89.190.157.61:80 | ebfertility.com | tcp |
| US | 8.8.8.8:53 | 61.157.190.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh | udp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| RU | 80.85.156.168:20189 | | tcp |
| US | 8.8.8.8:53 | 168.156.85.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe
| MD5 | 9bf44609f0414e6c7aa8b4f52a598aa7 |
| SHA1 | 4756c4789573d29cdc5ea6cadf0a5791d8aa8e2f |
| SHA256 | 710192c3bc3a34eb8a2747edb269c3b1d1f582a0cfa1669dd999b1f7db7a345e |
| SHA512 | 509bd38f859be11aa943fbac8fb5ad14c0a669345a23ed5c4400fb5b7021c469d4a876e5c8d4eaba16e3b734e76a62a5766b9797cf3a0e9b338aabc241aa6af9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe
| MD5 | 33955a5bc1fbca0597b2e4b4f820f9d8 |
| SHA1 | a75913036cbe87d487aea38024870dd23aca05a9 |
| SHA256 | 179ef0e1ee99de42d894eb2ccb480ef0de66ef086c9a93afee91e38de9b737b6 |
| SHA512 | 64ceedd75360d9d9390bf83e15a981eefc9bb20ccb5bf688ee0f320d12307d8f531258a00d537883af0c74849232416b67adfb278a5f588bbf6d7349c19ad450 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe
| MD5 | 051a8750c51c7462f8a75cd57fc1e521 |
| SHA1 | e000ad99634dcdf9baf253a9ad55da7f75076e7e |
| SHA256 | 00b8924ef8445b6b3cbd60beeda1800d1c5ee2484b744e8e8e3a6eb1bece5e60 |
| SHA512 | 2b31ff98626785ef787987a4d58adfa05030407649ec6e8b196dbe114477e94e194f9ae2c143c4bc0e006ff33bbff00e5225900bc68798bcb04d30d6cfb02211 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4176-149-0x0000000000030000-0x000000000003A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe
| MD5 | a0694e7a23b2a99990cdb744270fc2d9 |
| SHA1 | dcdde2a8ddcb505e3574db8df03db3c9c96b2308 |
| SHA256 | 83b1502f49b347cc0176b888e8dac30a711583a2ad20610497dd1c9592e498b9 |
| SHA512 | 8991a650f6bb02f5f8921de212269e74a79ea322b796d40b3c7ceb8fb54cadcd8c7a716235c3020b0ee9f1ecb067c489af032c41762d3064f26834bca6b3d7f8 |
memory/1536-155-0x00000000001D0000-0x00000000001FD000-memory.dmp
memory/1536-156-0x00000000046E0000-0x00000000046FA000-memory.dmp
memory/1536-157-0x0000000007170000-0x000000000766E000-memory.dmp
memory/1536-158-0x0000000007040000-0x0000000007058000-memory.dmp
memory/1536-159-0x0000000007160000-0x0000000007170000-memory.dmp
memory/1536-160-0x0000000007160000-0x0000000007170000-memory.dmp
memory/1536-161-0x0000000007160000-0x0000000007170000-memory.dmp
memory/1536-162-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-163-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-165-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-167-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-169-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-171-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-173-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-175-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-177-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-179-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-181-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-183-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-185-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-187-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-189-0x0000000007040000-0x0000000007052000-memory.dmp
memory/1536-190-0x0000000000400000-0x0000000002B03000-memory.dmp
memory/1536-191-0x0000000007160000-0x0000000007170000-memory.dmp
memory/1536-192-0x0000000007160000-0x0000000007170000-memory.dmp
memory/1536-194-0x0000000000400000-0x0000000002B03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe
| MD5 | 39b2b07d9b232d2169440fcba5867c98 |
| SHA1 | bcc08e9f5bd45436990b2e0b9ecb7408859f3a16 |
| SHA256 | bd093a3c9afd5f0db449a55ff9cdc5634a33f69db82a6de068ab276f6b461c94 |
| SHA512 | 88cedd60a530d046a31fa07f103bb30d674214adbf22ee731e3b1abbf55fab65b499555336732916dbefe9e221f244e0a201aaec5ada99e6a560565ba44cad03 |
memory/4672-200-0x00000000046A0000-0x00000000046E6000-memory.dmp
memory/4672-199-0x0000000002B20000-0x0000000002B6B000-memory.dmp
memory/4672-201-0x00000000075F0000-0x0000000007634000-memory.dmp
memory/4672-202-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-203-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-205-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-207-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-209-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-211-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-213-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-215-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-217-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-219-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-221-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-220-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-224-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-222-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-226-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-228-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-230-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-232-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-234-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-236-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-238-0x00000000075F0000-0x000000000762E000-memory.dmp
memory/4672-1111-0x0000000007630000-0x0000000007C36000-memory.dmp
memory/4672-1112-0x0000000007CC0000-0x0000000007DCA000-memory.dmp
memory/4672-1113-0x0000000007E00000-0x0000000007E12000-memory.dmp
memory/4672-1114-0x0000000007E20000-0x0000000007E5E000-memory.dmp
memory/4672-1115-0x0000000007F70000-0x0000000007FBB000-memory.dmp
memory/4672-1116-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-1118-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-1119-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-1120-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-1121-0x0000000008100000-0x0000000008192000-memory.dmp
memory/4672-1122-0x00000000081A0000-0x0000000008206000-memory.dmp
memory/4672-1123-0x00000000088B0000-0x0000000008A72000-memory.dmp
memory/4672-1124-0x00000000070E0000-0x00000000070F0000-memory.dmp
memory/4672-1125-0x0000000008A80000-0x0000000008FAC000-memory.dmp
memory/4672-1126-0x00000000090E0000-0x0000000009156000-memory.dmp
memory/4672-1127-0x0000000009160000-0x00000000091B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe
| MD5 | 3389637c0d072121bf1b127629736d37 |
| SHA1 | 300e915efdf2479bfd0d3699c0a6bc51260f9655 |
| SHA256 | 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153 |
| SHA512 | a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4 |
memory/4968-1134-0x0000000000030000-0x0000000000062000-memory.dmp
memory/4968-1135-0x0000000004960000-0x00000000049AB000-memory.dmp
memory/4968-1136-0x0000000002280000-0x0000000002290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
| MD5 | 103f1dc5270469cf9414ee95dee9561f |
| SHA1 | f44b74ac4e35943c1b9f85ca560595bb64a8c918 |
| SHA256 | 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac |
| SHA512 | a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88 |
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
| MD5 | a8a106555b9e1f92569d623c66ee8c12 |
| SHA1 | a5080c26b5f5911c10d80654c84239a226fc75d1 |
| SHA256 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a |
| SHA512 | 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26 |
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
| MD5 | 6d81d19b6e02e1dc86b1bd2eb40e1507 |
| SHA1 | 645e362eb27610601c57b9ca78d80ee84a5c0640 |
| SHA256 | 178f26c99326101da77ce0620eb9fe584833d6ea8442913fe7ede38b72316db1 |
| SHA512 | 9fa181b27f826b494a72d6498c83fe7cb7f31a98f28c5f50c4ed97a2d505ae7d032bbfcb5d0ca67864206ff72e487129749b64074003d0f33a5f4b2aefe060bc |
memory/4308-1196-0x00000000001D0000-0x00000000001FE000-memory.dmp
memory/5040-1200-0x0000000000400000-0x0000000000432000-memory.dmp
memory/5040-1202-0x0000000006130000-0x000000000617B000-memory.dmp
\Users\Admin\AppData\Local\Temp\240636500.dll
| MD5 | 098a4aa93e275de54bbc35ae4b981301 |
| SHA1 | d03646dc7c63e0784393f74085405c794b8555af |
| SHA256 | 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b |
| SHA512 | 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46 |
memory/5040-1208-0x0000000005820000-0x0000000005830000-memory.dmp
memory/5040-1211-0x0000000005820000-0x0000000005830000-memory.dmp
memory/4308-1217-0x0000000002C60000-0x0000000002C7C000-memory.dmp
memory/4308-1218-0x0000000002C80000-0x0000000002C82000-memory.dmp
memory/4308-1219-0x0000000002C80000-0x0000000002C83000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 37d3ac31e4c461ff9653acc7dd3b84f4 |
| SHA1 | 25eb0affe01e06afc46a66fa183fe33e02c62975 |
| SHA256 | 2e9f14bd648e3a8e98f8a5fbc1d9290d46420a3c15b16a78f8e9e7cbaa8ab073 |
| SHA512 | 2c1aede1b467729fd8f00eedd863c8d8226b582af658f42aad7ffe79dab3e14c6e55d0426dc997ac73e6d8cd78511bc37da5a211bb5e2c1faed372bc4674ecf4 |
memory/416-1236-0x00000000008B0000-0x00000000008CC000-memory.dmp
memory/4308-1238-0x0000000002C60000-0x0000000002C7C000-memory.dmp
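Listings like the one above repeat identical entries and record the same payload under several paths (here ry08Ra02.exe and legenda.exe carry the same digests, i.e. the staged dropper was copied to its persistence directory). The following Python parser is an added example, not part of the sandbox report: it turns the listing into a deduplicated IOC table keyed by SHA256, flags payloads written to more than one path, flags paths that were overwritten with different content, and rejects digests of the wrong length as extraction errors. The SAMPLE string is constructed from paths and digests copied from this page; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a slice of this report's dropped-file listing (paths and
# digests copied from the page; the repeated legenda.exe entry mirrors the listing).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
| MD5 | 103f1dc5270469cf9414ee95dee9561f |
| SHA1 | f44b74ac4e35943c1b9f85ca560595bb64a8c918 |
| SHA256 | 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac |
| SHA512 | a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88 |
memory/5040-1202-0x0000000006130000-0x000000000617B000-memory.dmp
\Users\Admin\AppData\Local\Temp\240636500.dll
| MD5 | 098a4aa93e275de54bbc35ae4b981301 |
| SHA1 | d03646dc7c63e0784393f74085405c794b8555af |
| SHA256 | 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b |
| SHA512 | 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_dropped_files(text):
    """Parse the listing into [(path, {algo: hexdigest}), ...] in page order.
    Any line that is neither a hash row nor a 'memory/' dump entry starts a new
    file; a digest of the wrong length for its algorithm is an extraction error."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current[0]}")
            current[1][algo] = digest
        elif line.startswith("memory/"):
            current = None  # memory dumps carry no digests
        else:
            current = (line, {})
            entries.append(current)
    return entries


def paths_by_sha256(entries):
    """Collapse repeated entries: sha256 -> set of paths the same content was written to."""
    by_hash = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            by_hash[hashes["SHA256"]].add(path)
    return dict(by_hash)


def copies(by_hash):
    """Payloads present under more than one path (staged file copied or renamed)."""
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def conflicts(entries):
    """Paths listed with different SHA256 values, i.e. overwritten during the run."""
    seen = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    ents = parse_dropped_files(SAMPLE)
    by_hash = paths_by_sha256(ents)
    print(f"{len(ents)} entries, {len(by_hash)} unique files")
    for sha, paths in sorted(by_hash.items()):
        print(sha, "<-", "; ".join(sorted(paths)))
    for sha, paths in copies(by_hash).items():
        print("same content at several paths:", sha, paths)
    for path, shas in conflicts(ents).items():
        print("overwritten path:", path, shas)
```

Run against the full listing, the SHA256 keys are the hashes worth blocking; the `copies` output tells you which path is the staging copy and which is the persisted one, and a non-empty `conflicts` result means a single path was reused for different payloads, so a hash of that path alone is not a stable indicator.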