amadey | cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189

Analysis

max time kernel
147s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe
Size

1013KB
MD5

d58e25c40259805c7dc0ae21f52febb1
SHA1

e7e1875f6e2e3231efb464bbd44146a367a96da1
SHA256

cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189
SHA512

523e7e7560b4b7e5243359156d20caed6c1388b2f034137be6d38a08bd87cec76902bf2075f0d13756e290336480fed9590a3397d297fd53976d415b3dd05991
SSDEEP

24576:4yeq20kAPq5G9oH+lgS1xPtZI0Jn228NsQ:/M0oQE+lgS1xkm228N

Score

10^/10

amadey eternity redline build_main gena vint collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

build_main

80.85.156.168:20189

Attributes

auth_value
5e5c9cacc6d168f8ade7fb6419edb114

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9888Xf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9888Xf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9888Xf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9888Xf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9888Xf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9888Xf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7056.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/4956-210-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-215-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-217-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-213-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-211-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-219-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-221-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-223-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-225-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-227-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-229-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-231-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-235-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-233-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-237-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-239-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-241-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-243-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral1/memory/4956-259-0x0000000007210000-0x0000000007220000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y99gA92.exe

Executes dropped EXE 15 IoCs

pid	Process
3396	zap4158.exe
3164	zap1755.exe
2488	zap9095.exe
5080	tz7056.exe
4808	v9888Xf.exe
4956	w99IX77.exe
4460	xsTdL92.exe
5036	y99gA92.exe
4112	legenda.exe
3092	KMuffPQJRlr6.exe
4780	LowesDistillery.exe
3364	Player3.exe
1564	nbveek.exe
1172	legenda.exe
1816	nbveek.exe

Loads dropped DLL 4 IoCs

pid	Process
232	rundll32.exe
4696	rundll32.exe
4936	rundll32.exe
620	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9888Xf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9888Xf.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9095.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4158.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1755.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3092 set thread context of 2020	3092	KMuffPQJRlr6.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2144	4808	WerFault.exe	92
4908	4956	WerFault.exe	99
4628	4936	WerFault.exe	153

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	LowesDistillery.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LowesDistillery.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2884	schtasks.exe
4460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5080	tz7056.exe
5080	tz7056.exe
4808	v9888Xf.exe
4808	v9888Xf.exe
4956	w99IX77.exe
4956	w99IX77.exe
4460	xsTdL92.exe
4460	xsTdL92.exe
2020	AppLaunch.exe
2020	AppLaunch.exe
4780	LowesDistillery.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	tz7056.exe
Token: SeDebugPrivilege	4808	v9888Xf.exe
Token: SeDebugPrivilege	4956	w99IX77.exe
Token: SeDebugPrivilege	4460	xsTdL92.exe
Token: SeDebugPrivilege	4780	LowesDistillery.exe
Token: SeDebugPrivilege	2020	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 3396	3236	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe	83
PID 3236 wrote to memory of 3396	3236	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe	83
PID 3236 wrote to memory of 3396	3236	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe	83
PID 3396 wrote to memory of 3164	3396	zap4158.exe	84
PID 3396 wrote to memory of 3164	3396	zap4158.exe	84
PID 3396 wrote to memory of 3164	3396	zap4158.exe	84
PID 3164 wrote to memory of 2488	3164	zap1755.exe	85
PID 3164 wrote to memory of 2488	3164	zap1755.exe	85
PID 3164 wrote to memory of 2488	3164	zap1755.exe	85
PID 2488 wrote to memory of 5080	2488	zap9095.exe	86
PID 2488 wrote to memory of 5080	2488	zap9095.exe	86
PID 2488 wrote to memory of 4808	2488	zap9095.exe	92
PID 2488 wrote to memory of 4808	2488	zap9095.exe	92
PID 2488 wrote to memory of 4808	2488	zap9095.exe	92
PID 3164 wrote to memory of 4956	3164	zap1755.exe	99
PID 3164 wrote to memory of 4956	3164	zap1755.exe	99
PID 3164 wrote to memory of 4956	3164	zap1755.exe	99
PID 3396 wrote to memory of 4460	3396	zap4158.exe	104
PID 3396 wrote to memory of 4460	3396	zap4158.exe	104
PID 3396 wrote to memory of 4460	3396	zap4158.exe	104
PID 3236 wrote to memory of 5036	3236	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe	105
PID 3236 wrote to memory of 5036	3236	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe	105
PID 3236 wrote to memory of 5036	3236	cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe	105
PID 5036 wrote to memory of 4112	5036	y99gA92.exe	106
PID 5036 wrote to memory of 4112	5036	y99gA92.exe	106
PID 5036 wrote to memory of 4112	5036	y99gA92.exe	106
PID 4112 wrote to memory of 2884	4112	legenda.exe	107
PID 4112 wrote to memory of 2884	4112	legenda.exe	107
PID 4112 wrote to memory of 2884	4112	legenda.exe	107
PID 4112 wrote to memory of 1128	4112	legenda.exe	109
PID 4112 wrote to memory of 1128	4112	legenda.exe	109
PID 4112 wrote to memory of 1128	4112	legenda.exe	109
PID 1128 wrote to memory of 3376	1128	cmd.exe	111
PID 1128 wrote to memory of 3376	1128	cmd.exe	111
PID 1128 wrote to memory of 3376	1128	cmd.exe	111
PID 1128 wrote to memory of 4980	1128	cmd.exe	112
PID 1128 wrote to memory of 4980	1128	cmd.exe	112
PID 1128 wrote to memory of 4980	1128	cmd.exe	112
PID 1128 wrote to memory of 4868	1128	cmd.exe	113
PID 1128 wrote to memory of 4868	1128	cmd.exe	113
PID 1128 wrote to memory of 4868	1128	cmd.exe	113
PID 1128 wrote to memory of 960	1128	cmd.exe	114
PID 1128 wrote to memory of 960	1128	cmd.exe	114
PID 1128 wrote to memory of 960	1128	cmd.exe	114
PID 1128 wrote to memory of 1224	1128	cmd.exe	115
PID 1128 wrote to memory of 1224	1128	cmd.exe	115
PID 1128 wrote to memory of 1224	1128	cmd.exe	115
PID 1128 wrote to memory of 1216	1128	cmd.exe	116
PID 1128 wrote to memory of 1216	1128	cmd.exe	116
PID 1128 wrote to memory of 1216	1128	cmd.exe	116
PID 4112 wrote to memory of 3092	4112	legenda.exe	117
PID 4112 wrote to memory of 3092	4112	legenda.exe	117
PID 4112 wrote to memory of 3092	4112	legenda.exe	117
PID 3092 wrote to memory of 2020	3092	KMuffPQJRlr6.exe	119
PID 3092 wrote to memory of 2020	3092	KMuffPQJRlr6.exe	119
PID 3092 wrote to memory of 2020	3092	KMuffPQJRlr6.exe	119
PID 3092 wrote to memory of 2020	3092	KMuffPQJRlr6.exe	119
PID 3092 wrote to memory of 2020	3092	KMuffPQJRlr6.exe	119
PID 4112 wrote to memory of 4780	4112	legenda.exe	120
PID 4112 wrote to memory of 4780	4112	legenda.exe	120
PID 4112 wrote to memory of 4780	4112	legenda.exe	120
PID 4112 wrote to memory of 3364	4112	legenda.exe	121
PID 4112 wrote to memory of 3364	4112	legenda.exe	121
PID 4112 wrote to memory of 3364	4112	legenda.exe	121

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe

C:\Users\Admin\AppData\Local\Temp\cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe
"C:\Users\Admin\AppData\Local\Temp\cac54bbf96da5e5cceb31f15f7af5175af14882db8019bb6591d6479746b3189.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4158.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4158.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1755.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1755.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9095.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9095.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7056.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7056.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9888Xf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9888Xf.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1084
        6⤵
        Program crash
        
        PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99IX77.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99IX77.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1328
        5⤵
        Program crash
        
        PID:4908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsTdL92.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsTdL92.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99gA92.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99gA92.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3376
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:960
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:1224
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:1216
  - - C:\Users\Admin\AppData\Roaming\1000075000\KMuffPQJRlr6.exe
      "C:\Users\Admin\AppData\Roaming\1000075000\KMuffPQJRlr6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe
      "C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        
        PID:3248
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5028
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:680
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        5⤵
        
        PID:3484
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1536
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        6⤵
        
        PID:2708
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        6⤵
        
        PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe
      "C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3364
    - - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
        
        "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1564
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4460
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        7⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        7⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        7⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        7⤵
        
        PID:4792
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4696
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4936
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4936 -s 644
        8⤵
        Program crash
        
        PID:4628
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:620
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4808 -ip 4808
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4956 -ip 4956
1⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 196 -p 4936 -ip 4936
1⤵
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe

Filesize
537KB

MD5
f0a2d9e0876b2de2d5f5b7936a299e9f

SHA1
1b55b7a5c97e180d29dd884650ce7b54db1f2ab7

SHA256
b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c

SHA512
2a654178b30c5976dce0ee0272f289a526fb30cd2a2d6276ec0acfcc20c61771618ae4058914dce81863bfae0b0e87a1a310ec95c0d64aa6960dfad39a55c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe

Filesize
537KB

MD5
f0a2d9e0876b2de2d5f5b7936a299e9f

SHA1
1b55b7a5c97e180d29dd884650ce7b54db1f2ab7

SHA256
b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c

SHA512
2a654178b30c5976dce0ee0272f289a526fb30cd2a2d6276ec0acfcc20c61771618ae4058914dce81863bfae0b0e87a1a310ec95c0d64aa6960dfad39a55c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe

Filesize
537KB

MD5
f0a2d9e0876b2de2d5f5b7936a299e9f

SHA1
1b55b7a5c97e180d29dd884650ce7b54db1f2ab7

SHA256
b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c

SHA512
2a654178b30c5976dce0ee0272f289a526fb30cd2a2d6276ec0acfcc20c61771618ae4058914dce81863bfae0b0e87a1a310ec95c0d64aa6960dfad39a55c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\529757233348

Filesize
81KB

MD5
a12ec9e9eee81be7a32f1c22d2d1e104

SHA1
c98d1610b0260239bf3dc17a2c5327905c5153bc

SHA256
ee096bba3644cb7f9605af6ae57ff9719e0c72a054621ed2938606243cab3fca

SHA512
2fb979c3776b8f339db00eab9ce7f3ccc5433b59175dfca63e82a6ae044aac30cf8ddf811f139da8a7f8d115d257b58f1f21071b6d84e2ccdf1a4ea042af60b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99gA92.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99gA92.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4158.exe

Filesize
836KB

MD5
8c71d713108ee4497c9155d4332f8030

SHA1
dd41216c021335ea875d9056a8e6a6d8328e7ba6

SHA256
5614783cde705afc772af7770d332132a2ace6a349e8af8dbfcc2e82ace1fc25

SHA512
d3f446d56c2f79dcc10a85a3f15e3ec3ed53b5297ffc529eec3517597816a3b1d94fa5f3f56519ed6b97a72c5dfaf43885b1be17ee88dcf27d770e0dd3cdd623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4158.exe

Filesize
836KB

MD5
8c71d713108ee4497c9155d4332f8030

SHA1
dd41216c021335ea875d9056a8e6a6d8328e7ba6

SHA256
5614783cde705afc772af7770d332132a2ace6a349e8af8dbfcc2e82ace1fc25

SHA512
d3f446d56c2f79dcc10a85a3f15e3ec3ed53b5297ffc529eec3517597816a3b1d94fa5f3f56519ed6b97a72c5dfaf43885b1be17ee88dcf27d770e0dd3cdd623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsTdL92.exe

Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsTdL92.exe

Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1755.exe

Filesize
694KB

MD5
8ca11f1739685bea97ae1aaad217249e

SHA1
213d88802b6fc5d6f058c2897675b6164a94eac4

SHA256
b869398a7c4113766c4a33b5bbbacd6ede6c16a2ce7431c029235b55b41efeeb

SHA512
f6fa219adfeca239009d61347ebaca8ae7ff6e44a39573c21b3a83dcd2c88af48fdfb3f593325c8d270220963512f12698bf89eee8042b8abd7ad51273a173f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1755.exe

Filesize
694KB

MD5
8ca11f1739685bea97ae1aaad217249e

SHA1
213d88802b6fc5d6f058c2897675b6164a94eac4

SHA256
b869398a7c4113766c4a33b5bbbacd6ede6c16a2ce7431c029235b55b41efeeb

SHA512
f6fa219adfeca239009d61347ebaca8ae7ff6e44a39573c21b3a83dcd2c88af48fdfb3f593325c8d270220963512f12698bf89eee8042b8abd7ad51273a173f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99IX77.exe

Filesize
391KB

MD5
c9d1c8c48dafdc4ec013c2629ae94349

SHA1
18b65d7de0b9859f824ace570998a371be700f2b

SHA256
953d6c39a09b6469312064e944f51ac36724d7df93f74c01f71699d9a87a0607

SHA512
69a603b4948cb6e689094cadec5ba3d2a340a11d45cdabf07ec04233b1a7e3407c49157abc057444054648828a4177d742f9e79ec7804ea5a279e29a93e15aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99IX77.exe

Filesize
391KB

MD5
c9d1c8c48dafdc4ec013c2629ae94349

SHA1
18b65d7de0b9859f824ace570998a371be700f2b

SHA256
953d6c39a09b6469312064e944f51ac36724d7df93f74c01f71699d9a87a0607

SHA512
69a603b4948cb6e689094cadec5ba3d2a340a11d45cdabf07ec04233b1a7e3407c49157abc057444054648828a4177d742f9e79ec7804ea5a279e29a93e15aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9095.exe

Filesize
344KB

MD5
f7b97223427364eb7983ab530fad09af

SHA1
11386ba45000e0f31bab1de1b22ac0d816f824c6

SHA256
828571d7fb5c680d5a793b8cc5d862b9ad0231ca80b306be5d39709fae43d460

SHA512
18c23bc54da791f341a5ef2a5c0359a1ad3c050c8cb2faca82a1011d1bf7ded98683543292172499d32b4b9b78827c65b03b77b3c76abde7af0b05263632e339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9095.exe

Filesize
344KB

MD5
f7b97223427364eb7983ab530fad09af

SHA1
11386ba45000e0f31bab1de1b22ac0d816f824c6

SHA256
828571d7fb5c680d5a793b8cc5d862b9ad0231ca80b306be5d39709fae43d460

SHA512
18c23bc54da791f341a5ef2a5c0359a1ad3c050c8cb2faca82a1011d1bf7ded98683543292172499d32b4b9b78827c65b03b77b3c76abde7af0b05263632e339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7056.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7056.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9888Xf.exe

Filesize
334KB

MD5
a9d07c658118537a5fd42147dc47f378

SHA1
ef536d13bb8c44c753937d16ef30b4d4f7da0857

SHA256
54cfccca1cc11ac3e5cd89d847ec5731d82058a266a4414a5131f7c17893ece0

SHA512
6940e80c0749d0ca234f61e02c1c665fcea2e707f37287731ba4eb95ee2c5dd1d9b5afa2134a785f5ef52ecc9c96d86ff54fd1376755fa2343e822c62b564e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9888Xf.exe

Filesize
334KB

MD5
a9d07c658118537a5fd42147dc47f378

SHA1
ef536d13bb8c44c753937d16ef30b4d4f7da0857

SHA256
54cfccca1cc11ac3e5cd89d847ec5731d82058a266a4414a5131f7c17893ece0

SHA512
6940e80c0749d0ca234f61e02c1c665fcea2e707f37287731ba4eb95ee2c5dd1d9b5afa2134a785f5ef52ecc9c96d86ff54fd1376755fa2343e822c62b564e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\1000075000\KMuffPQJRlr6.exe

Filesize
261KB

MD5
d4dc65ad800c813f2620480ea13465c8

SHA1
706b23422f53bf4b77145621d537084686b1a84a

SHA256
6fda74eb6edbc572002d77d77ce0818d03faedd0be77367ffd02e44ff0e595c8

SHA512
a9500576f848ef86a522f19ac9b7b3cdacc2e03b38a188ef13afa11b48cd12af9f23dc838f1cfed2bf1e7b3d82a7cfdcf6e83add97191ede5a8a8011424f5608

Download Submit
C:\Users\Admin\AppData\Roaming\1000075000\KMuffPQJRlr6.exe

Filesize
261KB

MD5
d4dc65ad800c813f2620480ea13465c8

SHA1
706b23422f53bf4b77145621d537084686b1a84a

SHA256
6fda74eb6edbc572002d77d77ce0818d03faedd0be77367ffd02e44ff0e595c8

SHA512
a9500576f848ef86a522f19ac9b7b3cdacc2e03b38a188ef13afa11b48cd12af9f23dc838f1cfed2bf1e7b3d82a7cfdcf6e83add97191ede5a8a8011424f5608

Download Submit
C:\Users\Admin\AppData\Roaming\1000075000\KMuffPQJRlr6.exe

Filesize
261KB

MD5
d4dc65ad800c813f2620480ea13465c8

SHA1
706b23422f53bf4b77145621d537084686b1a84a

SHA256
6fda74eb6edbc572002d77d77ce0818d03faedd0be77367ffd02e44ff0e595c8

SHA512
a9500576f848ef86a522f19ac9b7b3cdacc2e03b38a188ef13afa11b48cd12af9f23dc838f1cfed2bf1e7b3d82a7cfdcf6e83add97191ede5a8a8011424f5608

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/2020-1180-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2020-1179-0x0000000000700000-0x0000000000732000-memory.dmp

Filesize
200KB

Download
memory/4460-1141-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4460-1140-0x00000000000C0000-0x00000000000F2000-memory.dmp

Filesize
200KB

Download
memory/4780-1342-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-5989-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-1340-0x0000000002C90000-0x0000000002CF0000-memory.dmp

Filesize
384KB

Download
memory/4780-3757-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-1353-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-1355-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-3758-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-5990-0x0000000009010000-0x00000000090AC000-memory.dmp

Filesize
624KB

Download
memory/4780-5992-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4780-3761-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4808-198-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4808-205-0x0000000000400000-0x0000000002B03000-memory.dmp

Filesize
39.0MB

Download
memory/4808-167-0x0000000007160000-0x0000000007704000-memory.dmp

Filesize
5.6MB

Download
memory/4808-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-169-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-171-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-175-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-173-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-181-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-179-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-183-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-177-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-185-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-187-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-195-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-193-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-191-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-189-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4808-196-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/4808-197-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4808-199-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4808-200-0x0000000000400000-0x0000000002B03000-memory.dmp

Filesize
39.0MB

Download
memory/4808-202-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4808-203-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4808-204-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4956-259-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-255-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/4956-227-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-225-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-223-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-221-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-219-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-211-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-213-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-217-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-215-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-210-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-231-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-235-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-233-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-237-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-239-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-241-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-243-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-229-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/4956-257-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-260-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-1134-0x0000000009630000-0x0000000009680000-memory.dmp

Filesize
320KB

Download
memory/4956-1133-0x00000000095A0000-0x0000000009616000-memory.dmp

Filesize
472KB

Download
memory/4956-1132-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-1131-0x0000000008DF0000-0x000000000931C000-memory.dmp

Filesize
5.2MB

Download
memory/4956-1130-0x0000000008C10000-0x0000000008DD2000-memory.dmp

Filesize
1.8MB

Download
memory/4956-1127-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-1129-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-1128-0x0000000008A20000-0x0000000008AB2000-memory.dmp

Filesize
584KB

Download
memory/4956-1126-0x0000000008350000-0x00000000083B6000-memory.dmp

Filesize
408KB

Download
memory/4956-1124-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/4956-1123-0x0000000008060000-0x000000000809C000-memory.dmp

Filesize
240KB

Download
memory/4956-1122-0x0000000008040000-0x0000000008052000-memory.dmp

Filesize
72KB

Download
memory/4956-1121-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/4956-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/5080-161-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download