Analysis Overview
SHA256
bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d
Threat Level: Known bad
The file bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Detect rhadamanthys stealer shellcode
RedLine payload
Aurora
RedLine
Amadey
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Windows security modification
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-18 22:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-18 22:32
Reported
2023-03-18 22:35
Platform
win10v2004-20230220-en
Max time kernel
148s
Max time network
129s
Command Line
Signatures
Amadey
Aurora
Detect rhadamanthys stealer shellcode
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
RedLine
RedLine payload
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4988 created 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | C:\Windows\system32\taskhostw.exe |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4988 set thread context of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe
"C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2728 -ip 2728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1952
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2712 -ip 2712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 692
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
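The registry writes, the schtasks command line and the CACLS sequence above are the parts of this report that survive a reboot and can be checked on a suspect host without process telemetry. The following PowerShell triage script is an added example, not part of the sandbox output or of any of the samples; it takes the Defender policy values, the TamperProtection flag, the task name legenda.exe and the drop directory f22b669919 from the tables and process list above, and assumes it is run elevated on the host with the user's Temp under %LOCALAPPDATA%. Two caveats: the wextract_cleanupN RunOnce entries under IXP00N.TMP are the standard self-cleanup of the wextract/IExpress self-extractor that wraps the droppers, so they are packaging residue rather than attacker persistence and are deliberately not checked; and the Real-Time Protection policy values can also be set legitimately by Group Policy, so a hit there is something to corroborate with the other findings, not a verdict on its own.

```powershell
# Host triage for the indicators in this report: Defender policy tampering, the
# TamperProtection flag, the per-minute scheduled task and the cacls-locked drop
# directory. Added example, not part of the sandbox output. Run elevated.
# Registry paths, value names, task name and directory name come from the report;
# the Temp location is assumed to be the current user's %LOCALAPPDATA%\Temp.

function Get-ReportIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Real-Time Protection policy values that mx6026Th.exe / ns0448EK.exe set to 1.
    #    Both the native and the WOW6432Node policy paths were written, so check both.
    $rtpValues = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                 'DisableIOAVProtection', 'DisableOnAccessProtection',
                 'DisableScanOnRealtimeEnable'
    $rtpKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
               'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
    foreach ($key in $rtpKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $rtpValues) {
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $findings.Add("Defender policy $name = 1 under $key")
            }
        }
    }

    # 2. TamperProtection = 0 under Windows Defender\Features (native and WOW6432Node).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features') {
        if (-not (Test-Path $key)) { continue }
        $tp = (Get-ItemProperty -Path $key).TamperProtection
        if ($tp -eq 0) { $findings.Add("TamperProtection = 0 under $key") }
    }

    # Registry values can be stale or overridden, so ask the Defender service as well.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        if (-not $status.RealTimeProtectionEnabled) {
            $findings.Add('Defender reports real-time protection disabled')
        }
        if ($status.PSObject.Properties['IsTamperProtected'] -and -not $status.IsTamperProtected) {
            $findings.Add('Defender reports tamper protection off')
        }
    }

    # 3. Persistence: schtasks /SC MINUTE /MO 1 /TN legenda.exe /TR <Temp>\f22b669919\legenda.exe.
    #    Flag that exact task name and, more generally, any task whose action lives under Temp.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            if ($task.TaskName -eq 'legenda.exe' -or $exe -match '\\AppData\\Local\\Temp\\') {
                $findings.Add("Scheduled task '$($task.TaskName)' in $($task.TaskPath) runs $exe")
            }
        }
    }

    # 4. The CACLS sequence (/P Admin:N, then /P Admin:R /E) leaves legenda.exe and its
    #    directory with a DACL that grants the user Read only, so the user who ran the
    #    sample can no longer modify or delete them. A drop directory that exists but
    #    has no Allow ACE carrying Write or Delete rights is the tell.
    $dropDir = Join-Path $env:LOCALAPPDATA 'Temp\f22b669919'
    if (Test-Path $dropDir) {
        $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
        $canWrite = (Get-Acl $dropDir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0)
        }
        $note = if ($canWrite) { 'directory present' }
                else { 'directory present and no Allow ACE grants Write/Delete (cacls lock)' }
        $findings.Add("$dropDir exists: $note")
    }

    return $findings
}

$result = Get-ReportIndicators
if ($result.Count -eq 0) { 'None of the report indicators found on this host.' } else { $result }
```

The script only covers on-disk and registry state. The in-memory behaviours in this report, SetThreadContext from KMuffPQJRlr6.exe into ngentask.exe, the parent-process spoofing toward taskhostw.exe, and the NtSetInformationThread anti-debug calls from serv.exe, leave nothing behind that a registry or ACL check can see; those need process-creation and thread-injection telemetry from an EDR or Sysmon.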
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 193.233.20.30:4125 | | tcp |
| US | 8.8.8.8:53 | 30.20.233.193.in-addr.arpa | udp |
| US | 20.189.173.4:443 | | tcp |
| DE | 193.233.20.30:4125 | | tcp |
| US | 117.18.237.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| RU | 62.204.41.87:80 | 62.204.41.87 | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 87.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.95.206.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh | udp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ebfertility.com | udp |
| US | 89.190.157.61:80 | ebfertility.com | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 61.157.190.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| RU | 80.85.156.168:20189 | | tcp |
| US | 8.8.8.8:53 | 168.156.85.80.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe
| MD5 | 5f964c2fa494030bd675007fea7a340a |
| SHA1 | 1e2d50ca003c04165f09a6d04dab8e20b73e688f |
| SHA256 | ea909381b9a73697f4278a7cbba9b6ddd98f2822a228389d046f0a54a40df8d9 |
| SHA512 | 81d327bc80088b4a7499ed185743c82cc28fa3940d1f722bf9d3a91aa8e61dc203eb4d109d2622cda16143a202040155f094ff59540fa3e8b4ced9a232bf0321 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe
| MD5 | cb61c0fd640171298eaff3bb7b096591 |
| SHA1 | 19dc47bc150c090cac0bbd11e8cad26c89f6f3a2 |
| SHA256 | a1c172d051708b428f8d064e994aa7aceb031e817008648da7c49541e1e5610b |
| SHA512 | 360da9cad5dc60f1439b4a567f5d1a2f50530e9e98260d42f4d908321033cfcedae9b676748c6aa5410a4e66e52c28663a54d9ec855ffec1ad3bba7e0f69eee4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe
| MD5 | dae37348bb5a160cc1e011b011654178 |
| SHA1 | f7b8491cb68cc2aa1989ecb38c72130879ff9b2d |
| SHA256 | cb459dd0dbf0cc23615ab13b8ff459f5349bd05fc81ad089bff1a869d742fbd6 |
| SHA512 | d1bff775cff9fd369e92bb989a25c62b7349dc172f662645e819099f12772eeb6c6c5e4299064e1a6d902a61f5bb9b731fc1d52666a42ab55c1080e7a9ab1a16 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3804-161-0x0000000000440000-0x000000000044A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe
| MD5 | 0d788ff51f171840cebd933821d299c7 |
| SHA1 | 826846204120eb248b9e64fc2898a461099d3f57 |
| SHA256 | 5b125ab9166a213a34694e085eee5a08dc4984b56afa6011a1b6f8ac2ba3b14b |
| SHA512 | 46c923a6548a2ee09b2a7100ef9ecd39f5ec4b804386e6b2fc877165b869c5dd58eab6827397ac3b455ba92f7dcb32ff57710c01bcc92817afbd160057c6e975 |
memory/3584-167-0x0000000002C90000-0x0000000002CBD000-memory.dmp
memory/3584-168-0x0000000007290000-0x0000000007834000-memory.dmp
memory/3584-169-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-170-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-172-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-176-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-174-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-178-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-180-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-182-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-184-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-186-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-188-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-190-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-195-0x0000000007280000-0x0000000007290000-memory.dmp
memory/3584-197-0x0000000007280000-0x0000000007290000-memory.dmp
memory/3584-193-0x0000000007280000-0x0000000007290000-memory.dmp
memory/3584-196-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-192-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-199-0x0000000004C20000-0x0000000004C32000-memory.dmp
memory/3584-200-0x0000000000400000-0x0000000002B03000-memory.dmp
memory/3584-202-0x0000000007280000-0x0000000007290000-memory.dmp
memory/3584-203-0x0000000007280000-0x0000000007290000-memory.dmp
memory/3584-204-0x0000000007280000-0x0000000007290000-memory.dmp
memory/3584-205-0x0000000000400000-0x0000000002B03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe
| MD5 | 6f556cb991c66123db790dc867974aac |
| SHA1 | 7c2276b09e48a3e809f4b6695ad558f116c516e6 |
| SHA256 | 66de5a29b8802ad91ea116be0b6fd3c7974655d0f7b2308d5f96e36a13b470db |
| SHA512 | ff8e059b12ebdd9dd7d1375eafe5c778e996d343705c2092b8479610a822073076f5f33afca13fadcf303caec0c70707ca58928a70199b488dfe56d0d247982b |
memory/2728-210-0x00000000047C0000-0x000000000480B000-memory.dmp
memory/2728-214-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-213-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-212-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-211-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-215-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-217-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-219-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-221-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-223-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-225-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-227-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-229-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-231-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-233-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-235-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-237-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-239-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-241-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-243-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-247-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-245-0x0000000007100000-0x000000000713E000-memory.dmp
memory/2728-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp
memory/2728-1121-0x0000000007F00000-0x000000000800A000-memory.dmp
memory/2728-1122-0x0000000008040000-0x0000000008052000-memory.dmp
memory/2728-1123-0x0000000008060000-0x000000000809C000-memory.dmp
memory/2728-1124-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-1126-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-1127-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-1128-0x0000000007210000-0x0000000007220000-memory.dmp
memory/2728-1129-0x0000000008350000-0x00000000083E2000-memory.dmp
memory/2728-1130-0x00000000083F0000-0x0000000008456000-memory.dmp
memory/2728-1131-0x0000000008B10000-0x0000000008CD2000-memory.dmp
memory/2728-1132-0x0000000008CE0000-0x000000000920C000-memory.dmp
memory/2728-1133-0x00000000096E0000-0x0000000009756000-memory.dmp
memory/2728-1134-0x0000000009760000-0x00000000097B0000-memory.dmp
memory/2728-1136-0x0000000007210000-0x0000000007220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe
| MD5 | 3389637c0d072121bf1b127629736d37 |
| SHA1 | 300e915efdf2479bfd0d3699c0a6bc51260f9655 |
| SHA256 | 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153 |
| SHA512 | a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4 |
memory/1816-1141-0x00000000002B0000-0x00000000002E2000-memory.dmp
memory/1816-1142-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
| MD5 | 103f1dc5270469cf9414ee95dee9561f |
| SHA1 | f44b74ac4e35943c1b9f85ca560595bb64a8c918 |
| SHA256 | 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac |
| SHA512 | a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88 |
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
| MD5 | a8a106555b9e1f92569d623c66ee8c12 |
| SHA1 | a5080c26b5f5911c10d80654c84239a226fc75d1 |
| SHA256 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a |
| SHA512 | 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26 |
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
| MD5 | 6d81d19b6e02e1dc86b1bd2eb40e1507 |
| SHA1 | 645e362eb27610601c57b9ca78d80ee84a5c0640 |
| SHA256 | 178f26c99326101da77ce0620eb9fe584833d6ea8442913fe7ede38b72316db1 |
| SHA512 | 9fa181b27f826b494a72d6498c83fe7cb7f31a98f28c5f50c4ed97a2d505ae7d032bbfcb5d0ca67864206ff72e487129749b64074003d0f33a5f4b2aefe060bc |
memory/2712-1221-0x0000000004760000-0x000000000478E000-memory.dmp
memory/4548-1222-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240618281.dll
| MD5 | 098a4aa93e275de54bbc35ae4b981301 |
| SHA1 | d03646dc7c63e0784393f74085405c794b8555af |
| SHA256 | 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b |
| SHA512 | 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46 |
memory/4548-1229-0x0000000005770000-0x0000000005780000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 92d24961d2ebaacf1ace5463dfc9930d |
| SHA1 | 99ffaf6904ab616c33a37ce01d383e4a493df335 |
| SHA256 | 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3 |
| SHA512 | 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7 |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | dce9b749d38fdc247ab517e8a76e6102 |
| SHA1 | d6c5b6548e1a3da3326bd097c50c49fc7906be3f |
| SHA256 | 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7 |
| SHA512 | 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446 |
memory/4548-1283-0x0000000005770000-0x0000000005780000-memory.dmp
memory/2712-1290-0x0000000004790000-0x00000000047AC000-memory.dmp
memory/2712-1291-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2712-1292-0x00000000001F0000-0x00000000001F3000-memory.dmp
memory/4260-1294-0x0000000000C20000-0x0000000000C3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
memory/2712-1299-0x0000000004790000-0x00000000047AC000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 94cbeec5d4343918fd0e48760e40539c |
| SHA1 | a049266c5c1131f692f306c8710d7e72586ae79d |
| SHA256 | 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279 |
| SHA512 | 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 16cf28ebb6d37dbaba93f18320c6086e |
| SHA1 | eae7d4b7a9636329065877aabe8d4f721a26ab25 |
| SHA256 | c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106 |
| SHA512 | f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
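Added example, not part of this report or of the sandbox's own tooling: a small Python parser that turns the dropped-file listing above and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names into a deduplicated IOC set. The listing repeats the same binary under several paths (the `ry21sk83.exe` and `legenda.exe` entries share one SHA256), so grouping by SHA256 and keeping every path is what a triage analyst wants before feeding hashes to blocklists. The sample input below is a handful of lines copied from the listing; the digest-length check, the region-size computation and the "region starts at 0x400000, the default image base of a 32-bit EXE" heuristic for picking which dump to examine first are this example's own assumptions, not claims the report makes.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the dropped-file listing and memory-dump list above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
memory/2712-1221-0x0000000004760000-0x000000000478E000-memory.dmp
memory/4548-1222-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240618281.dll
| MD5 | 098a4aa93e275de54bbc35ae4b981301 |
| SHA1 | d03646dc7c63e0784393f74085405c794b8555af |
| SHA256 | 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b |
| SHA512 | 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46 |
memory/4548-1229-0x0000000005770000-0x0000000005780000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # a Windows file path starts an entry
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per algorithm


def parse_report(text):
    """Parse the listing into (files, regions).

    files:   one dict per listed entry {path, MD5, SHA1, SHA256, SHA512}; repeats are kept
             so the caller can count how many times a path was written.
    regions: one dict per memory dump {pid, seq, start, end, size}.
    """
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:      # assumption: a truncated digest is a parse error, not an IOC
                raise ValueError(f"{algo} on {current['path']} has {len(digest)} hex digits")
            current[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
    return files, regions


def dedupe_by_sha256(files):
    """Group entries by SHA256, keeping every path the same bytes were written to
    and how many times the listing repeats them."""
    by_hash = defaultdict(lambda: {"paths": [], "writes": 0})
    for f in files:
        sha = f.get("SHA256")
        if not sha:
            continue
        entry = by_hash[sha]
        entry["writes"] += 1
        entry["MD5"], entry["SHA1"] = f.get("MD5"), f.get("SHA1")
        if f["path"] not in entry["paths"]:
            entry["paths"].append(f["path"])
    return dict(by_hash)


def default_image_base_regions(regions, base=0x400000):
    """Heuristic (example's own): dumps whose region starts at 0x400000, the default
    image base of a 32-bit EXE, are the first candidates for an injected payload."""
    return [r for r in regions if r["start"] == base]


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for sha, e in dedupe_by_sha256(files).items():
        print(f"{sha}  writes={e['writes']}  paths={e['paths']}")
    for r in default_image_base_regions(regions):
        print(f"pid {r['pid']} seq {r['seq']}: 0x{r['start']:x}-0x{r['end']:x} ({r['size']} bytes)")
```

Running it on the full listing rather than the sample gives one line per unique sample, which is the set to block, plus the paths to hunt for on other hosts; the `writes` count shows which samples the chain re-dropped or copied, and the 0x400000 filter narrows dozens of dump names to the few worth opening first.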