Analysis Overview
SHA256
67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067
Threat Level: Known bad
The file 67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Amadey
Aurora
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine
Modifies Windows Defender Real-time Protection settings
Detect rhadamanthys stealer shellcode
Downloads MZ/PE file
Windows security modification
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-19 00:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-19 00:08
Reported
2023-03-19 00:11
Platform
win10-20230220-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Amadey
Aurora
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3364 created 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | c:\windows\system32\taskhostw.exe |
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3364 set thread context of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| c:\windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe | "C:\Users\Admin\AppData\Local\Temp\67628faef9a814ab02d6284eef3ec4faf472a0e7535cc7c20c8e106dd2acd067.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe |
| C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "legenda.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "legenda.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\f22b669919" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\f22b669919" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe | "C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe | "C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic os get Caption |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic path win32_VideoController get name" |
| C:\Windows\SYSWOW64\fontview.exe | "C:\Windows\SYSWOW64\fontview.exe" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic cpu get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic cpu get name |
| C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 456 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.30:4125 | | tcp |
| US | 8.8.8.8:53 | 30.20.233.193.in-addr.arpa | udp |
| FR | 40.79.141.152:443 | | tcp |
| DE | 193.233.20.30:4125 | | tcp |
| NL | 88.221.25.155:80 | | tcp |
| RU | 62.204.41.87:80 | 62.204.41.87 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 87.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.95.206.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fvflet2jcfcpacdzgqqforuvnzciwmz.2qjasnqlru9tyjcnp0t0lxh | udp |
| US | 8.8.8.8:53 | ebfertility.com | udp |
| US | 89.190.157.61:80 | ebfertility.com | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 61.157.190.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| RU | 80.85.156.168:20189 | | tcp |
| US | 8.8.8.8:53 | 168.156.85.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will0157.exe
| MD5 | ef5889763c11ca181c56e65b2f5b2a0e |
| SHA1 | 23d60bfbffeacb9958fa55dbe80d88fbd2d96a7e |
| SHA256 | b2234873cd79f834d388fcea9ab543d6a884f5e4e5dcadf50056a556bab7e68d |
| SHA512 | fb51ba58e24fb73ba5dfc50cf3afafbd076cc4380aa48a2719860245d1a77f37325ebb82bfb4ad8e8d52782b64b2b00a04061f5ac8b140a05987917fb55b910b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0432.exe
| MD5 | 63a2649ae317c013c51c5b875b96c7e0 |
| SHA1 | 18c8397a3b61c5db1d38dcbf10cd1871941563e3 |
| SHA256 | 83343d77de6bdd56694309bc4af0906418c0266227e3f531145d6edd0cbe1042 |
| SHA512 | ae98fb451158c82cafa85ae7fb3e9f776bce4d6cfd0a491851c909964fe83a82a308030e4cec34ff67b71c7f157f75d92a009464535ad0b81d9130052edd20a9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0507.exe
| MD5 | 2c1d2d8088f4064e1fb0ef5d6c4cbb91 |
| SHA1 | 7824674546f86e63db81ca7c6f33990154f81493 |
| SHA256 | c18dd165b2688f9afb6e723a4da90d42a85943471aacfd4b1c84d3742166d178 |
| SHA512 | c281ae614fc85753e736804d1dfdeae91a880b8e8e56216a3082a7c1ca0c46d16618bea992796b28da171fe9be4cca91c82061c52ec40f5d8029a5c4e1bc8a48 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7407xs.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8993bN.exe
| MD5 | ac0c7b7b2f53a198c9a3ce08ad47d2ae |
| SHA1 | 2636d0f8bfe5cdac7977f55f51b19d87a4e901fa |
| SHA256 | 6bebaf5dbdcaebca0bf98f08b0a2da800c22010f51b647c2014c865f66cabbfd |
| SHA512 | 91080422faa7119ed7777e3f66ff2c5a489481abeb18792d1b2b9e30c69f085df6bdf7dd59befac5d286db1037c070dacf9504b7cadd0d3e8df725dfc103287f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py07ck14.exe
| MD5 | 324d31bcb4e62eea8a833e89ac9bd158 |
| SHA1 | 9910f4606c492dbaa071321b3e69ee7d53e7836e |
| SHA256 | f1f4076aa99a72dba7c5e722d018217ae8463176b6292157229ba4e0977dbc12 |
| SHA512 | d9a16348a2d870790f962bdcb0dc5f57ce882f62ac5749e95e76073b3eb6f840ac4ddc1fd8fcaf323f88ec77fdb9e8c441597d3d6a30f39133b581be8075c5c7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1679oq.exe
| MD5 | 3389637c0d072121bf1b127629736d37 |
| SHA1 | 300e915efdf2479bfd0d3699c0a6bc51260f9655 |
| SHA256 | 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153 |
| SHA512 | a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry67eJ11.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
| MD5 | 103f1dc5270469cf9414ee95dee9561f |
| SHA1 | f44b74ac4e35943c1b9f85ca560595bb64a8c918 |
| SHA256 | 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac |
| SHA512 | a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88 |
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
| MD5 | a8a106555b9e1f92569d623c66ee8c12 |
| SHA1 | a5080c26b5f5911c10d80654c84239a226fc75d1 |
| SHA256 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a |
| SHA512 | 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26 |
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
| MD5 | 8ad47f6bd62975254ede9b4737429715 |
| SHA1 | f772c8b56828c4c5dffb1c87ac3116de3c8bbc29 |
| SHA256 | 7f5a1d9a81c8e16ed8e5fff72f8685f529235753bd3ebfabeb947c589774179d |
| SHA512 | dd1cbe5302771a312afae4052c8f186bd04fdc313aaa89d4fcad899bfb31a55120f1d71c13799840be28c1d5b501c4a9b6d2e645f04b5af81a2966f3e06228b7 |
\Users\Admin\AppData\Local\Temp\240603796.dll
| MD5 | 098a4aa93e275de54bbc35ae4b981301 |
| SHA1 | d03646dc7c63e0784393f74085405c794b8555af |
| SHA256 | 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b |
| SHA512 | 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46 |
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | a3eb5f22bc8e7f4060e3ff18c4ac70b9 |
| SHA1 | 8480869a34c9723063dba9cc8279cf4e7c2bc4cd |
| SHA256 | 0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6 |
| SHA512 | 3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 94cbeec5d4343918fd0e48760e40539c |
| SHA1 | a049266c5c1131f692f306c8710d7e72586ae79d |
| SHA256 | 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279 |
| SHA512 | 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 16cf28ebb6d37dbaba93f18320c6086e |
| SHA1 | eae7d4b7a9636329065877aabe8d4f721a26ab25 |
| SHA256 | c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106 |
| SHA512 | f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2 |