Analysis Overview
SHA256: efcbc7d46f779e61dd6e5356661178191397d0b35576563150490e4f25a95465
Threat Level: Known bad
The file efcbc7d46f779e61dd6e5356661178191397d0b35576563150490e4f25a95465 was found to be: Known bad.
Malicious Activity Summary
Gurcu, WhiteSnake
RedLine
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2023-05-26 17:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-05-26 17:34
Reported: 2023-05-26 17:37
Platform: win10v2004-20230221-en
Max time kernel: 148s
Max time network: 144s
Signatures
Gurcu, WhiteSnake
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\efcbc7d46f779e61dd6e5356661178191397d0b35576563150490e4f25a95465.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\efcbc7d46f779e61dd6e5356661178191397d0b35576563150490e4f25a95465.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7933836.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7933836.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9264880.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9264880.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0992742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0992742.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0992742.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\efcbc7d46f779e61dd6e5356661178191397d0b35576563150490e4f25a95465.exe | "C:\Users\Admin\AppData\Local\Temp\efcbc7d46f779e61dd6e5356661178191397d0b35576563150490e4f25a95465.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7933836.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7933836.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9264880.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9264880.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5287642.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5287642.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0992742.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0992742.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6049103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6049103.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5820320.exe |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "legends.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "legends.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\41bde21dc7" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\41bde21dc7" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe | "C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe" |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |
| C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe | "C:\Users\Admin\AppData\Local\Temp\1000039001\1232.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 864 -ip 864 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2464 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |
| C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe | C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe |