amadey | f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0

Analysis

max time kernel
134s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe
Size

1.0MB
MD5

5d4b106083d1eb645eb5d9ee2e2fd620
SHA1

d9be6ca5f5c02f8c717a8b8da63b5a2ae4bc9eae
SHA256

f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0
SHA512

f6088bd673fae416a96a382a49388016d9b3cffd3537396f16b0cf1385270cabd2abc0ca3e6e8d82837b3faf65e7004ce079a06ff48c6fb7d20320540789daf4
SSDEEP

24576:6y/7VtQyRKQ64wTS+xOzyEZI/4aG7kUHGFZ:BTN+xxOz3W43dH

Score

10^/10

amadey aurora redline rhadamanthys build_main gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Extracted

Family

redline

Botnet

build_main

80.85.156.168:20189

Attributes

auth_value
5e5c9cacc6d168f8ade7fb6419edb114

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect rhadamanthys stealer shellcode 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-1286-0x0000000002CB0000-0x0000000002CCC000-memory.dmp	family_rhadamanthys
behavioral1/memory/4792-1290-0x0000000002B90000-0x0000000002BAC000-memory.dmp	family_rhadamanthys
behavioral1/memory/2044-1294-0x0000000002CB0000-0x0000000002CCC000-memory.dmp	family_rhadamanthys

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

mx7910Ut.exens0466GY.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mx7910Ut.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ns0466GY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ns0466GY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ns0466GY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ns0466GY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ns0466GY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ns0466GY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	mx7910Ut.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mx7910Ut.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mx7910Ut.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mx7910Ut.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mx7910Ut.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4572-213-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-216-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-214-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-218-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-220-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-222-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-224-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-226-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-228-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-230-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-232-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-234-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-236-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-238-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-240-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-242-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-244-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline
behavioral1/memory/4572-246-0x0000000004DF0000-0x0000000004E2E000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

KMuffPQJRlr6.exe

description pid process target process

PID 544 created 2924 544 KMuffPQJRlr6.exe taskhostw.exe
Downloads MZ/PE file

description	pid	process	target process
PID 544 created 2924	544	KMuffPQJRlr6.exe	taskhostw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ry73LT02.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ry73LT02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 14 IoCs

Processes:

will1435.exewill0318.exewill4593.exemx7910Ut.exens0466GY.exepy40WO30.exeqs0638Uo.exery73LT02.exelegenda.exeKMuffPQJRlr6.exesvchost.exeserv.exelegenda.exelegenda.exe

pid	process
4948	will1435.exe
3044	will0318.exe
4980	will4593.exe
1440	mx7910Ut.exe
1820	ns0466GY.exe
4572	py40WO30.exe
4400	qs0638Uo.exe
4500	ry73LT02.exe
60	legenda.exe
544	KMuffPQJRlr6.exe
3120	svchost.exe
2044	serv.exe
4628	legenda.exe
4920	legenda.exe

Loads dropped DLL 2 IoCs

Processes:

KMuffPQJRlr6.exerundll32.exe

pid process

544 KMuffPQJRlr6.exe
1960 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
544	KMuffPQJRlr6.exe
1960	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

mx7910Ut.exens0466GY.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	mx7910Ut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ns0466GY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ns0466GY.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exewill1435.exewill0318.exewill4593.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will1435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	will1435.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will0318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	will0318.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will4593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	will4593.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

serv.exe

pid process

2044 serv.exe
2044 serv.exe
2044 serv.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

KMuffPQJRlr6.exe

description pid process target process

PID 544 set thread context of 2736 544 KMuffPQJRlr6.exe ngentask.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2044	serv.exe
2044	serv.exe
2044	serv.exe

description	pid	process	target process
PID 544 set thread context of 2736	544	KMuffPQJRlr6.exe	ngentask.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
212	4572	WerFault.exe	py40WO30.exe
1488	544	WerFault.exe	KMuffPQJRlr6.exe
2088	544	WerFault.exe	KMuffPQJRlr6.exe
1232	2044	WerFault.exe	serv.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	serv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	serv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3892 schtasks.exe

pid	process
3892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

mx7910Ut.exens0466GY.exepy40WO30.exeqs0638Uo.exeKMuffPQJRlr6.exengentask.exe

pid	process
1440	mx7910Ut.exe
1440	mx7910Ut.exe
1820	ns0466GY.exe
1820	ns0466GY.exe
4572	py40WO30.exe
4572	py40WO30.exe
4400	qs0638Uo.exe
4400	qs0638Uo.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
544	KMuffPQJRlr6.exe
2736	ngentask.exe
2736	ngentask.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mx7910Ut.exens0466GY.exepy40WO30.exeqs0638Uo.exewmic.exengentask.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1440	mx7910Ut.exe
Token: SeDebugPrivilege	1820	ns0466GY.exe
Token: SeDebugPrivilege	4572	py40WO30.exe
Token: SeDebugPrivilege	4400	qs0638Uo.exe
Token: SeIncreaseQuotaPrivilege	3376	wmic.exe
Token: SeSecurityPrivilege	3376	wmic.exe
Token: SeTakeOwnershipPrivilege	3376	wmic.exe
Token: SeLoadDriverPrivilege	3376	wmic.exe
Token: SeSystemProfilePrivilege	3376	wmic.exe
Token: SeSystemtimePrivilege	3376	wmic.exe
Token: SeProfSingleProcessPrivilege	3376	wmic.exe
Token: SeIncBasePriorityPrivilege	3376	wmic.exe
Token: SeCreatePagefilePrivilege	3376	wmic.exe
Token: SeBackupPrivilege	3376	wmic.exe
Token: SeRestorePrivilege	3376	wmic.exe
Token: SeShutdownPrivilege	3376	wmic.exe
Token: SeDebugPrivilege	3376	wmic.exe
Token: SeSystemEnvironmentPrivilege	3376	wmic.exe
Token: SeRemoteShutdownPrivilege	3376	wmic.exe
Token: SeUndockPrivilege	3376	wmic.exe
Token: SeManageVolumePrivilege	3376	wmic.exe
Token: 33	3376	wmic.exe
Token: 34	3376	wmic.exe
Token: 35	3376	wmic.exe
Token: 36	3376	wmic.exe
Token: SeIncreaseQuotaPrivilege	3376	wmic.exe
Token: SeSecurityPrivilege	3376	wmic.exe
Token: SeTakeOwnershipPrivilege	3376	wmic.exe
Token: SeLoadDriverPrivilege	3376	wmic.exe
Token: SeSystemProfilePrivilege	3376	wmic.exe
Token: SeSystemtimePrivilege	3376	wmic.exe
Token: SeProfSingleProcessPrivilege	3376	wmic.exe
Token: SeIncBasePriorityPrivilege	3376	wmic.exe
Token: SeCreatePagefilePrivilege	3376	wmic.exe
Token: SeBackupPrivilege	3376	wmic.exe
Token: SeRestorePrivilege	3376	wmic.exe
Token: SeShutdownPrivilege	3376	wmic.exe
Token: SeDebugPrivilege	3376	wmic.exe
Token: SeSystemEnvironmentPrivilege	3376	wmic.exe
Token: SeRemoteShutdownPrivilege	3376	wmic.exe
Token: SeUndockPrivilege	3376	wmic.exe
Token: SeManageVolumePrivilege	3376	wmic.exe
Token: 33	3376	wmic.exe
Token: 34	3376	wmic.exe
Token: 35	3376	wmic.exe
Token: 36	3376	wmic.exe
Token: SeDebugPrivilege	2736	ngentask.exe
Token: SeIncreaseQuotaPrivilege	4444	WMIC.exe
Token: SeSecurityPrivilege	4444	WMIC.exe
Token: SeTakeOwnershipPrivilege	4444	WMIC.exe
Token: SeLoadDriverPrivilege	4444	WMIC.exe
Token: SeSystemProfilePrivilege	4444	WMIC.exe
Token: SeSystemtimePrivilege	4444	WMIC.exe
Token: SeProfSingleProcessPrivilege	4444	WMIC.exe
Token: SeIncBasePriorityPrivilege	4444	WMIC.exe
Token: SeCreatePagefilePrivilege	4444	WMIC.exe
Token: SeBackupPrivilege	4444	WMIC.exe
Token: SeRestorePrivilege	4444	WMIC.exe
Token: SeShutdownPrivilege	4444	WMIC.exe
Token: SeDebugPrivilege	4444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4444	WMIC.exe
Token: SeRemoteShutdownPrivilege	4444	WMIC.exe
Token: SeUndockPrivilege	4444	WMIC.exe
Token: SeManageVolumePrivilege	4444	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exewill1435.exewill0318.exewill4593.exery73LT02.exelegenda.execmd.exeKMuffPQJRlr6.exe

description	pid	process	target process
PID 1232 wrote to memory of 4948	1232	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe	will1435.exe
PID 1232 wrote to memory of 4948	1232	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe	will1435.exe
PID 1232 wrote to memory of 4948	1232	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe	will1435.exe
PID 4948 wrote to memory of 3044	4948	will1435.exe	will0318.exe
PID 4948 wrote to memory of 3044	4948	will1435.exe	will0318.exe
PID 4948 wrote to memory of 3044	4948	will1435.exe	will0318.exe
PID 3044 wrote to memory of 4980	3044	will0318.exe	will4593.exe
PID 3044 wrote to memory of 4980	3044	will0318.exe	will4593.exe
PID 3044 wrote to memory of 4980	3044	will0318.exe	will4593.exe
PID 4980 wrote to memory of 1440	4980	will4593.exe	mx7910Ut.exe
PID 4980 wrote to memory of 1440	4980	will4593.exe	mx7910Ut.exe
PID 4980 wrote to memory of 1820	4980	will4593.exe	ns0466GY.exe
PID 4980 wrote to memory of 1820	4980	will4593.exe	ns0466GY.exe
PID 4980 wrote to memory of 1820	4980	will4593.exe	ns0466GY.exe
PID 3044 wrote to memory of 4572	3044	will0318.exe	py40WO30.exe
PID 3044 wrote to memory of 4572	3044	will0318.exe	py40WO30.exe
PID 3044 wrote to memory of 4572	3044	will0318.exe	py40WO30.exe
PID 4948 wrote to memory of 4400	4948	will1435.exe	qs0638Uo.exe
PID 4948 wrote to memory of 4400	4948	will1435.exe	qs0638Uo.exe
PID 4948 wrote to memory of 4400	4948	will1435.exe	qs0638Uo.exe
PID 1232 wrote to memory of 4500	1232	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe	ry73LT02.exe
PID 1232 wrote to memory of 4500	1232	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe	ry73LT02.exe
PID 1232 wrote to memory of 4500	1232	f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe	ry73LT02.exe
PID 4500 wrote to memory of 60	4500	ry73LT02.exe	legenda.exe
PID 4500 wrote to memory of 60	4500	ry73LT02.exe	legenda.exe
PID 4500 wrote to memory of 60	4500	ry73LT02.exe	legenda.exe
PID 60 wrote to memory of 3892	60	legenda.exe	schtasks.exe
PID 60 wrote to memory of 3892	60	legenda.exe	schtasks.exe
PID 60 wrote to memory of 3892	60	legenda.exe	schtasks.exe
PID 60 wrote to memory of 2180	60	legenda.exe	cmd.exe
PID 60 wrote to memory of 2180	60	legenda.exe	cmd.exe
PID 60 wrote to memory of 2180	60	legenda.exe	cmd.exe
PID 2180 wrote to memory of 1500	2180	cmd.exe	cmd.exe
PID 2180 wrote to memory of 1500	2180	cmd.exe	cmd.exe
PID 2180 wrote to memory of 1500	2180	cmd.exe	cmd.exe
PID 2180 wrote to memory of 3380	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 3380	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 3380	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 4636	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 4636	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 4636	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 628	2180	cmd.exe	cmd.exe
PID 2180 wrote to memory of 628	2180	cmd.exe	cmd.exe
PID 2180 wrote to memory of 628	2180	cmd.exe	cmd.exe
PID 2180 wrote to memory of 1740	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 1740	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 1740	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 1312	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 1312	2180	cmd.exe	cacls.exe
PID 2180 wrote to memory of 1312	2180	cmd.exe	cacls.exe
PID 60 wrote to memory of 544	60	legenda.exe	KMuffPQJRlr6.exe
PID 60 wrote to memory of 544	60	legenda.exe	KMuffPQJRlr6.exe
PID 60 wrote to memory of 544	60	legenda.exe	KMuffPQJRlr6.exe
PID 60 wrote to memory of 3120	60	legenda.exe	svchost.exe
PID 60 wrote to memory of 3120	60	legenda.exe	svchost.exe
PID 60 wrote to memory of 3120	60	legenda.exe	svchost.exe
PID 60 wrote to memory of 2044	60	legenda.exe	serv.exe
PID 60 wrote to memory of 2044	60	legenda.exe	serv.exe
PID 60 wrote to memory of 2044	60	legenda.exe	serv.exe
PID 544 wrote to memory of 2736	544	KMuffPQJRlr6.exe	ngentask.exe
PID 544 wrote to memory of 2736	544	KMuffPQJRlr6.exe	ngentask.exe
PID 544 wrote to memory of 2736	544	KMuffPQJRlr6.exe	ngentask.exe
PID 544 wrote to memory of 2736	544	KMuffPQJRlr6.exe	ngentask.exe
PID 544 wrote to memory of 2736	544	KMuffPQJRlr6.exe	ngentask.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2924

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe
"C:\Users\Admin\AppData\Local\Temp\f0057c810a32617e94ecbc42aafd7c41b023c1c17783e5c58db6b37d0e98a5b0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1435.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1435.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0318.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0318.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will4593.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will4593.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7910Ut.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7910Ut.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0466GY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0466GY.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py40WO30.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py40WO30.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1344
5⤵
- Program crash
PID:212

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0638Uo.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0638Uo.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry73LT02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry73LT02.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3380

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1740

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1380
5⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1388
5⤵
- Program crash
PID:2088

C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
4⤵
- Executes dropped EXE
PID:3120

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1572

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1344

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 780
5⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4572 -ip 4572
1⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 544 -ip 544
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 544 -ip 544
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2044 -ip 2044
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
Filesize
1.5MB

MD5
103f1dc5270469cf9414ee95dee9561f

SHA1
f44b74ac4e35943c1b9f85ca560595bb64a8c918

SHA256
5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

SHA512
a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
Filesize
1.5MB

MD5
103f1dc5270469cf9414ee95dee9561f

SHA1
f44b74ac4e35943c1b9f85ca560595bb64a8c918

SHA256
5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

SHA512
a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
Filesize
1.5MB

MD5
103f1dc5270469cf9414ee95dee9561f

SHA1
f44b74ac4e35943c1b9f85ca560595bb64a8c918

SHA256
5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

SHA512
a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
Filesize
3.0MB

MD5
a8a106555b9e1f92569d623c66ee8c12

SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1

SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
Filesize
3.0MB

MD5
a8a106555b9e1f92569d623c66ee8c12

SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1

SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
Filesize
3.0MB

MD5
a8a106555b9e1f92569d623c66ee8c12

SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1

SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
Filesize
354KB

MD5
029df110444ab7746911e96d1febee72

SHA1
26e77a415e8daea0008f8fc48de5591ed69e5a8c

SHA256
4248d58d86cfd2a671e4323f57993f95e193c94d8c33ccb7219800bacefa95a6

SHA512
38b91ecd85efd99f7d45ed46fb6a8c310ed3e4468ebf2ec406025921fba82005a646c9ff04b3ef759ba089ad0e855deaf6950c5a02c82b95fceb4945d40904e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
Filesize
354KB

MD5
029df110444ab7746911e96d1febee72

SHA1
26e77a415e8daea0008f8fc48de5591ed69e5a8c

SHA256
4248d58d86cfd2a671e4323f57993f95e193c94d8c33ccb7219800bacefa95a6

SHA512
38b91ecd85efd99f7d45ed46fb6a8c310ed3e4468ebf2ec406025921fba82005a646c9ff04b3ef759ba089ad0e855deaf6950c5a02c82b95fceb4945d40904e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
Filesize
354KB

MD5
029df110444ab7746911e96d1febee72

SHA1
26e77a415e8daea0008f8fc48de5591ed69e5a8c

SHA256
4248d58d86cfd2a671e4323f57993f95e193c94d8c33ccb7219800bacefa95a6

SHA512
38b91ecd85efd99f7d45ed46fb6a8c310ed3e4468ebf2ec406025921fba82005a646c9ff04b3ef759ba089ad0e855deaf6950c5a02c82b95fceb4945d40904e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\240616468.dll
Filesize
334KB

MD5
098a4aa93e275de54bbc35ae4b981301

SHA1
d03646dc7c63e0784393f74085405c794b8555af

SHA256
5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b

SHA512
2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry73LT02.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry73LT02.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1435.exe
Filesize
866KB

MD5
fa68b36b226c6136887d87e9bf159d51

SHA1
45c73b3d531e5c9c62681981e99efe3fe853789c

SHA256
ac900741026d541f964bf0e15564f3d0350a96211993fde21ebed1b671144f64

SHA512
5af9a27863ff8e80fb2f219952d447e05713f11afda9bf80e70caef369f02fc7a236492283c5e30269b63f1c0a920c54504b1eedbab7947059fb5bbba01850ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1435.exe
Filesize
866KB

MD5
fa68b36b226c6136887d87e9bf159d51

SHA1
45c73b3d531e5c9c62681981e99efe3fe853789c

SHA256
ac900741026d541f964bf0e15564f3d0350a96211993fde21ebed1b671144f64

SHA512
5af9a27863ff8e80fb2f219952d447e05713f11afda9bf80e70caef369f02fc7a236492283c5e30269b63f1c0a920c54504b1eedbab7947059fb5bbba01850ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0638Uo.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0638Uo.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0318.exe
Filesize
721KB

MD5
e7271439bf08d287727db7cc24b8db66

SHA1
aacdb876956a6354c6a6f1c60f9d1fda97c639a6

SHA256
1148b43010aeef3873ca1883af727e6911f9e512d1bf766a4e05f1a838a383ed

SHA512
14bccd2bf413f4d52f3668507fa476e6d6b7f381705d4b8c02ef292f886f22dd6910f19751378ec93c7e256156e4e8059c541dbe8ca3103d11bc820de3d0dfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0318.exe
Filesize
721KB

MD5
e7271439bf08d287727db7cc24b8db66

SHA1
aacdb876956a6354c6a6f1c60f9d1fda97c639a6

SHA256
1148b43010aeef3873ca1883af727e6911f9e512d1bf766a4e05f1a838a383ed

SHA512
14bccd2bf413f4d52f3668507fa476e6d6b7f381705d4b8c02ef292f886f22dd6910f19751378ec93c7e256156e4e8059c541dbe8ca3103d11bc820de3d0dfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py40WO30.exe
Filesize
391KB

MD5
3f41111896e99d8378e6081b8fe4383c

SHA1
3f8ab32bd89f2a81d99fafdc12724b21af418926

SHA256
3c33f775b3899aafafc9aa043303a1b40ef2eceb66c4367f5145225a9150a644

SHA512
42eb0c26acd94d107813f4d43ac7b90ecc73c516c2639dd207cd8ae9cc8890d360181bfa23a0cfe468f6f916226b6c0e81eaf88eae8e9f5eedbc8bb0522bb71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py40WO30.exe
Filesize
391KB

MD5
3f41111896e99d8378e6081b8fe4383c

SHA1
3f8ab32bd89f2a81d99fafdc12724b21af418926

SHA256
3c33f775b3899aafafc9aa043303a1b40ef2eceb66c4367f5145225a9150a644

SHA512
42eb0c26acd94d107813f4d43ac7b90ecc73c516c2639dd207cd8ae9cc8890d360181bfa23a0cfe468f6f916226b6c0e81eaf88eae8e9f5eedbc8bb0522bb71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will4593.exe
Filesize
368KB

MD5
e0a64db4c889606c356105bce15441e3

SHA1
a3f54e5b2ce6352f192a82aa065578cc7741f9e7

SHA256
60d755475d8608038d6625b1a507125bb3e9edc382a4f9d39a5ad72287de34cf

SHA512
6a6f09ffe2d99071dc77d9534dc8b5e7cadf936221fbd908e36b361371d0cc68af7aefc1dc974b8af47a8cd5eeb2384a39be2098ba98d388a450ded138b9e35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will4593.exe
Filesize
368KB

MD5
e0a64db4c889606c356105bce15441e3

SHA1
a3f54e5b2ce6352f192a82aa065578cc7741f9e7

SHA256
60d755475d8608038d6625b1a507125bb3e9edc382a4f9d39a5ad72287de34cf

SHA512
6a6f09ffe2d99071dc77d9534dc8b5e7cadf936221fbd908e36b361371d0cc68af7aefc1dc974b8af47a8cd5eeb2384a39be2098ba98d388a450ded138b9e35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7910Ut.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx7910Ut.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0466GY.exe
Filesize
371KB

MD5
66097b615ef7238f25c616a168cc4145

SHA1
977a0cf6ad35aaff8474f7baf383360375de536a

SHA256
05aeff9546a3e28368642278b9db21652653ed8d0209a669e02d089878a56709

SHA512
2f63c0cd85ae2b0d93bec839e11ab7121e7bd85c09aecd4c072e01be1c11b0cfe0626f333b1d60c205aa4b1608a20f6c91955c266d20018be7131999934d21a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0466GY.exe
Filesize
371KB

MD5
66097b615ef7238f25c616a168cc4145

SHA1
977a0cf6ad35aaff8474f7baf383360375de536a

SHA256
05aeff9546a3e28368642278b9db21652653ed8d0209a669e02d089878a56709

SHA512
2f63c0cd85ae2b0d93bec839e11ab7121e7bd85c09aecd4c072e01be1c11b0cfe0626f333b1d60c205aa4b1608a20f6c91955c266d20018be7131999934d21a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dd7a4110e2dc0760efdd47ee918c0deb

SHA1
5ed5efe128e521023e0caf4fff9af747522c8166

SHA256
550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084

SHA512
c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
dc2b0f48d8f547d5ff7d67b371d850f0

SHA1
84d02ddbf478bf7cfe9ccb466362860ee18b3839

SHA256
0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890

SHA512
3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1440-161-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/1820-196-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/1820-195-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-167-0x00000000072A0000-0x0000000007844000-memory.dmp

Filesize
5.6MB

Download
memory/1820-168-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-169-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-171-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-173-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-202-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1820-203-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1820-204-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1820-200-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1820-175-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-199-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1820-177-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-179-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-197-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1820-198-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1820-181-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-183-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-185-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-187-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-189-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1820-191-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2044-1223-0x0000000002C80000-0x0000000002CAE000-memory.dmp

Filesize
184KB

Download
memory/2044-1286-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/2044-1287-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2044-1288-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2044-1294-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/2736-1216-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2736-1224-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2736-1240-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4400-1139-0x00000000006E0000-0x0000000000712000-memory.dmp

Filesize
200KB

Download
memory/4400-1140-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4572-242-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-212-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-209-0x0000000004690000-0x00000000046DB000-memory.dmp

Filesize
300KB

Download
memory/4572-1133-0x000000000CC10000-0x000000000CC60000-memory.dmp

Filesize
320KB

Download
memory/4572-1132-0x000000000CB80000-0x000000000CBF6000-memory.dmp

Filesize
472KB

Download
memory/4572-1131-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-1130-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-1129-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-1128-0x0000000008CF0000-0x000000000921C000-memory.dmp

Filesize
5.2MB

Download
memory/4572-1127-0x0000000008B10000-0x0000000008CD2000-memory.dmp

Filesize
1.8MB

Download
memory/4572-1125-0x00000000083F0000-0x0000000008456000-memory.dmp

Filesize
408KB

Download
memory/4572-1124-0x0000000008350000-0x00000000083E2000-memory.dmp

Filesize
584KB

Download
memory/4572-1123-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-1122-0x0000000008060000-0x000000000809C000-memory.dmp

Filesize
240KB

Download
memory/4572-1121-0x0000000008040000-0x0000000008052000-memory.dmp

Filesize
72KB

Download
memory/4572-1120-0x0000000007F00000-0x000000000800A000-memory.dmp

Filesize
1.0MB

Download
memory/4572-1119-0x00000000078A0000-0x0000000007EB8000-memory.dmp

Filesize
6.1MB

Download
memory/4572-246-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-244-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-210-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-240-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-238-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-236-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-234-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-232-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-230-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-228-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-226-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-224-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-222-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-211-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4572-220-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-218-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-214-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-216-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4572-213-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4792-1290-0x0000000002B90000-0x0000000002BAC000-memory.dmp

Filesize
112KB

Download