Analysis Overview
SHA256
f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4
Threat Level: Known bad
The file f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4 was found to be: Known bad.
Malicious Activity Summary
Aurora
Rhadamanthys
RedLine payload
Amadey
RedLine
Detect rhadamanthys stealer shellcode
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-21 17:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 17:20
Reported
2023-03-21 17:22
Platform
win10v2004-20230220-en
Max time kernel
113s
Max time network
154s
Command Line
Signatures
Amadey
Aurora
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe
"C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 320 -ip 320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 320 -ip 320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1104
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 348
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| DE | 193.233.20.30:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 30.20.233.193.in-addr.arpa | udp |
| US | 13.89.179.10:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| DE | 193.233.20.30:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| RU | 62.204.41.87:80 | 62.204.41.87 | tcp |
| US | 8.8.8.8:53 | ebfertility.com | udp |
| US | 89.190.157.61:80 | ebfertility.com | tcp |
| US | 8.8.8.8:53 | 87.41.204.62.in-addr.arpa | udp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | 61.157.190.89.in-addr.arpa | udp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| NL | 212.87.204.93:8081 | N/A | tcp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
| MD5 | e1c5095f4a1354814b74d4b3233c982e |
| SHA1 | 466549a809237e1822871702416df4e2b0c22e31 |
| SHA256 | b93a981773363d635081f6eb1d9b7368fb65ef408146233d13c85c53d84156b7 |
| SHA512 | 54f02169c015dff78f6ac9c7dd27afbe6e10e7b37932c1fe894f68e5cc4ba140429149c2757757f4c9775e01dde2bc52a1a85f8d6bf6c6234cac35ce3157d65d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
| MD5 | 7653f7488ea94889e089aa4878e487d1 |
| SHA1 | 5373bf80109e483f849eaf96504d1bce3eb9369d |
| SHA256 | 52f4c2f9bc0706513f46d43a7a4632796a97cc6c14d36139029d38ae05e8dcb9 |
| SHA512 | ea5e351cd27a908ba33edbb397d56c33179fd7bb02b1247539b36656b03ea79350d3e65353bee9d1e50a639c8ff4ef954559fa0c04e04a44dcc29164c70b52cc |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
| MD5 | 860a8ef0cbc6c563fe9a3389761bd2d5 |
| SHA1 | 39aa6e1688fb12ac7ae109839844ca63e569d801 |
| SHA256 | 904a83dbf02fe546c6ea88969bb07fdf74cd34a44247991287b1e7e4aaf58b4a |
| SHA512 | 20850384762158037c52b6191f2411f3455932d36a46162c1f3e518615f4024c82f6a3dd615b642186dc26248e03775d82852e02c749c9d92c1c07c0011b35f7 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3364-161-0x0000000000BF0000-0x0000000000BFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
| MD5 | 9f6a2aee7f5a0a2dfc233bdddc186ed3 |
| SHA1 | be670efc0da3fded3263e5e23c2daa68c5213df4 |
| SHA256 | d06f3062a13b95f39f046b9af1be52944bcc7591e476c687314bb20fd7e0bdb3 |
| SHA512 | 068889e8eb298b34ea26698f44292523e588e19ea4fbfec8588bf78fb3097d73fb77755e80e86107804e8ea5598bc29ef5ff0882e3b230678ad29f1c7f1089d3 |
memory/3132-167-0x0000000000810000-0x000000000083D000-memory.dmp
memory/3132-168-0x0000000004EE0000-0x0000000005484000-memory.dmp
memory/3132-169-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/3132-170-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/3132-171-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-172-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-174-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-176-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-178-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-180-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-182-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-184-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-186-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-188-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-190-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-192-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-194-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-196-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-198-0x0000000002940000-0x0000000002952000-memory.dmp
memory/3132-199-0x0000000000400000-0x0000000000726000-memory.dmp
memory/3132-200-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/3132-201-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/3132-202-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/3132-204-0x0000000000400000-0x0000000000726000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
| MD5 | b1b874bda45255c1918822acdee76b7a |
| SHA1 | 4d6447fdf8f78a5a01d9266d8b50df839e4068fa |
| SHA256 | 518b12541919c4d3a6d6f50a00b1e1fc0b4cea5c006033e49e291d4b0f5386d3 |
| SHA512 | b1bd9dfcdd2f006c165bd489628e2e2e226e75a31f0d5c7d1b6f5d9f6a9e89ec3968d1fc2cd4f41de67b9eb911a7375ef884f084eb9ff9522deabfd814f3612f |
memory/320-209-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-210-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-212-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-214-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-216-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-218-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-220-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-222-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-224-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-226-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-228-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-230-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-232-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-234-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-236-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-238-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-240-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-242-0x00000000028B0000-0x00000000028EE000-memory.dmp
memory/320-381-0x0000000000740000-0x000000000078B000-memory.dmp
memory/320-383-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-384-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-386-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-1119-0x0000000005360000-0x0000000005978000-memory.dmp
memory/320-1120-0x00000000059E0000-0x0000000005AEA000-memory.dmp
memory/320-1121-0x0000000005B20000-0x0000000005B32000-memory.dmp
memory/320-1122-0x0000000005B40000-0x0000000005B7C000-memory.dmp
memory/320-1123-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-1125-0x0000000005E30000-0x0000000005EC2000-memory.dmp
memory/320-1126-0x0000000005ED0000-0x0000000005F36000-memory.dmp
memory/320-1127-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-1128-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-1129-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-1130-0x0000000007890000-0x0000000007A52000-memory.dmp
memory/320-1131-0x0000000007A70000-0x0000000007F9C000-memory.dmp
memory/320-1132-0x00000000028F0000-0x0000000002900000-memory.dmp
memory/320-1133-0x00000000082C0000-0x0000000008336000-memory.dmp
memory/320-1134-0x0000000008340000-0x0000000008390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
| MD5 | 3389637c0d072121bf1b127629736d37 |
| SHA1 | 300e915efdf2479bfd0d3699c0a6bc51260f9655 |
| SHA256 | 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153 |
| SHA512 | a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4 |
memory/3628-1141-0x0000000000BF0000-0x0000000000C22000-memory.dmp
memory/3628-1142-0x00000000057E0000-0x00000000057F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
| MD5 | 5086db99de54fca268169a1c6cf26122 |
| SHA1 | 003f768ffcc99bda5cda1fb966fda8625a8fdc3e |
| SHA256 | 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4 |
| SHA512 | 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5 |
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
| MD5 | 166d22ed93c723326a6d5fead162fdd3 |
| SHA1 | 17cfd9649a4f68ef90c72689820876dbe4ca22d1 |
| SHA256 | e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7 |
| SHA512 | c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4 |
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
| MD5 | a8a106555b9e1f92569d623c66ee8c12 |
| SHA1 | a5080c26b5f5911c10d80654c84239a226fc75d1 |
| SHA256 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a |
| SHA512 | 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26 |
memory/2796-1192-0x0000000000800000-0x000000000082E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 53bf804f75123ed2339305be1d298398 |
| SHA1 | 33a337e3e219da8ecd237b44fbcaf4864124a012 |
| SHA256 | 7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8 |
| SHA512 | 7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | b2446d155f77cf70a33bb0c25172fa3f |
| SHA1 | c20d68dad9e872b4607a5677c4851f863c28daf7 |
| SHA256 | 0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb |
| SHA512 | 5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654 |
memory/2796-1248-0x0000000000870000-0x000000000088C000-memory.dmp
memory/2796-1249-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2796-1252-0x00000000001F0000-0x00000000001F3000-memory.dmp
memory/2796-1255-0x0000000000870000-0x000000000088C000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 94cbeec5d4343918fd0e48760e40539c |
| SHA1 | a049266c5c1131f692f306c8710d7e72586ae79d |
| SHA256 | 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279 |
| SHA512 | 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 16cf28ebb6d37dbaba93f18320c6086e |
| SHA1 | eae7d4b7a9636329065877aabe8d4f721a26ab25 |
| SHA256 | c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106 |
| SHA512 | f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2 |