amadey | e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe

Analysis

max time kernel
140s
max time network
141s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19/03/2023, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe
Size

1019KB
MD5

9ef8685c101a0dfef4b9dc67233156a6
SHA1

bcb3f97c43c88aa7e193b1cb0a2a761ad4f91339
SHA256

e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe
SHA512

00ff56f50e6c4bdbadb4acbb5fc854efaa0c49f1d1ff3aa5bb6009a8b8b7c22e1f4f317370207fec8c5f5479cafc241abd0d8f968455f18de01e17e1b29a07df
SSDEEP

24576:DyRoBUc7Bb1pliiaJ7nGO47FRxZPS/eOUF0VzgOS:WBcB1pdyr47hZUeOE0zn

Score

10^/10

amadey eternity redline gena vint collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6191zJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6191zJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6191zJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6191zJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6191zJ.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/1568-194-0x0000000004A80000-0x0000000004AC6000-memory.dmp	family_redline
behavioral1/memory/1568-195-0x00000000075A0000-0x00000000075E4000-memory.dmp	family_redline
behavioral1/memory/1568-199-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-200-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-203-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-205-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-207-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-209-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-211-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-213-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-215-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-217-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-219-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-221-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-223-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-225-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-227-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-229-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-231-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline
behavioral1/memory/1568-233-0x00000000075A0000-0x00000000075DE000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
4012	zap7529.exe
2080	zap5993.exe
3888	zap9711.exe
4204	tz3623.exe
4496	v6191zJ.exe
1568	w57rn01.exe
4508	xbmaA93.exe
3412	y39st79.exe
4400	legenda.exe
540	v4cRIUet5I.exe
732	LowesDistillery.exe
2336	Player3.exe
2120	nbveek.exe
1096	legenda.exe
3804	nbveek.exe

Loads dropped DLL 4 IoCs

pid	Process
1240	rundll32.exe
4116	rundll32.exe
4464	rundll32.exe
1220	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3623.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6191zJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6191zJ.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7529.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5993.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5993.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9711.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 1108	540	v4cRIUet5I.exe	88
PID 1108 set thread context of 5088	1108	InstallUtil.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3852	5088	WerFault.exe	92
4708	4464	WerFault.exe	122

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	LowesDistillery.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LowesDistillery.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3236	schtasks.exe
4740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4204	tz3623.exe
4204	tz3623.exe
4496	v6191zJ.exe
4496	v6191zJ.exe
1568	w57rn01.exe
1568	w57rn01.exe
4508	xbmaA93.exe
4508	xbmaA93.exe
732	LowesDistillery.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	tz3623.exe
Token: SeDebugPrivilege	4496	v6191zJ.exe
Token: SeDebugPrivilege	1568	w57rn01.exe
Token: SeDebugPrivilege	4508	xbmaA93.exe
Token: SeDebugPrivilege	732	LowesDistillery.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4012	8	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe	66
PID 8 wrote to memory of 4012	8	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe	66
PID 8 wrote to memory of 4012	8	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe	66
PID 4012 wrote to memory of 2080	4012	zap7529.exe	67
PID 4012 wrote to memory of 2080	4012	zap7529.exe	67
PID 4012 wrote to memory of 2080	4012	zap7529.exe	67
PID 2080 wrote to memory of 3888	2080	zap5993.exe	68
PID 2080 wrote to memory of 3888	2080	zap5993.exe	68
PID 2080 wrote to memory of 3888	2080	zap5993.exe	68
PID 3888 wrote to memory of 4204	3888	zap9711.exe	69
PID 3888 wrote to memory of 4204	3888	zap9711.exe	69
PID 3888 wrote to memory of 4496	3888	zap9711.exe	70
PID 3888 wrote to memory of 4496	3888	zap9711.exe	70
PID 3888 wrote to memory of 4496	3888	zap9711.exe	70
PID 2080 wrote to memory of 1568	2080	zap5993.exe	71
PID 2080 wrote to memory of 1568	2080	zap5993.exe	71
PID 2080 wrote to memory of 1568	2080	zap5993.exe	71
PID 4012 wrote to memory of 4508	4012	zap7529.exe	73
PID 4012 wrote to memory of 4508	4012	zap7529.exe	73
PID 4012 wrote to memory of 4508	4012	zap7529.exe	73
PID 8 wrote to memory of 3412	8	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe	74
PID 8 wrote to memory of 3412	8	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe	74
PID 8 wrote to memory of 3412	8	e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe	74
PID 3412 wrote to memory of 4400	3412	y39st79.exe	75
PID 3412 wrote to memory of 4400	3412	y39st79.exe	75
PID 3412 wrote to memory of 4400	3412	y39st79.exe	75
PID 4400 wrote to memory of 3236	4400	legenda.exe	76
PID 4400 wrote to memory of 3236	4400	legenda.exe	76
PID 4400 wrote to memory of 3236	4400	legenda.exe	76
PID 4400 wrote to memory of 3980	4400	legenda.exe	78
PID 4400 wrote to memory of 3980	4400	legenda.exe	78
PID 4400 wrote to memory of 3980	4400	legenda.exe	78
PID 3980 wrote to memory of 2840	3980	cmd.exe	80
PID 3980 wrote to memory of 2840	3980	cmd.exe	80
PID 3980 wrote to memory of 2840	3980	cmd.exe	80
PID 3980 wrote to memory of 2848	3980	cmd.exe	81
PID 3980 wrote to memory of 2848	3980	cmd.exe	81
PID 3980 wrote to memory of 2848	3980	cmd.exe	81
PID 3980 wrote to memory of 5056	3980	cmd.exe	82
PID 3980 wrote to memory of 5056	3980	cmd.exe	82
PID 3980 wrote to memory of 5056	3980	cmd.exe	82
PID 3980 wrote to memory of 4384	3980	cmd.exe	83
PID 3980 wrote to memory of 4384	3980	cmd.exe	83
PID 3980 wrote to memory of 4384	3980	cmd.exe	83
PID 3980 wrote to memory of 5100	3980	cmd.exe	84
PID 3980 wrote to memory of 5100	3980	cmd.exe	84
PID 3980 wrote to memory of 5100	3980	cmd.exe	84
PID 3980 wrote to memory of 3364	3980	cmd.exe	85
PID 3980 wrote to memory of 3364	3980	cmd.exe	85
PID 3980 wrote to memory of 3364	3980	cmd.exe	85
PID 4400 wrote to memory of 540	4400	legenda.exe	86
PID 4400 wrote to memory of 540	4400	legenda.exe	86
PID 4400 wrote to memory of 732	4400	legenda.exe	87
PID 4400 wrote to memory of 732	4400	legenda.exe	87
PID 4400 wrote to memory of 732	4400	legenda.exe	87
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88
PID 540 wrote to memory of 1108	540	v4cRIUet5I.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LowesDistillery.exe

C:\Users\Admin\AppData\Local\Temp\e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe
"C:\Users\Admin\AppData\Local\Temp\e16ec39697f2324bc55b8fa07461a4f586c53435892a2ff6a825c5afc55b43fe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7529.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7529.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5993.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5993.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9711.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9711.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3623.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6191zJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6191zJ.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57rn01.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57rn01.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmaA93.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmaA93.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y39st79.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y39st79.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3236
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:3364
  - - C:\Users\Admin\AppData\Roaming\1000075000\v4cRIUet5I.exe
      "C:\Users\Admin\AppData\Roaming\1000075000\v4cRIUet5I.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        
        PID:1448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        
        PID:1708
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 624
        7⤵
        Program crash
        
        PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe
      "C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        
        PID:4420
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4764
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:4208
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:5028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        5⤵
        
        PID:3736
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3104
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        6⤵
        
        PID:1940
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        6⤵
        
        PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe
      "C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe"
      4⤵
      Executes dropped EXE
      PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
        
        "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
        5⤵
        Executes dropped EXE
        
        PID:2120
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        7⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        7⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        7⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        7⤵
        
        PID:4012
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4116
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4464
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4464 -s 600
        8⤵
        Program crash
        
        PID:4708
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1220
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1240

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe

Filesize
537KB

MD5
f0a2d9e0876b2de2d5f5b7936a299e9f

SHA1
1b55b7a5c97e180d29dd884650ce7b54db1f2ab7

SHA256
b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c

SHA512
2a654178b30c5976dce0ee0272f289a526fb30cd2a2d6276ec0acfcc20c61771618ae4058914dce81863bfae0b0e87a1a310ec95c0d64aa6960dfad39a55c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe

Filesize
537KB

MD5
f0a2d9e0876b2de2d5f5b7936a299e9f

SHA1
1b55b7a5c97e180d29dd884650ce7b54db1f2ab7

SHA256
b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c

SHA512
2a654178b30c5976dce0ee0272f289a526fb30cd2a2d6276ec0acfcc20c61771618ae4058914dce81863bfae0b0e87a1a310ec95c0d64aa6960dfad39a55c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000076001\LowesDistillery.exe

Filesize
537KB

MD5
f0a2d9e0876b2de2d5f5b7936a299e9f

SHA1
1b55b7a5c97e180d29dd884650ce7b54db1f2ab7

SHA256
b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c

SHA512
2a654178b30c5976dce0ee0272f289a526fb30cd2a2d6276ec0acfcc20c61771618ae4058914dce81863bfae0b0e87a1a310ec95c0d64aa6960dfad39a55c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\346939869283

Filesize
67KB

MD5
b437d2b12eb6906a14c597f27baecf5b

SHA1
c99b8c334c7a52be6d977fbf3c618e2a698bc577

SHA256
0c3e9e58bceddbbb53c357024650598f2f408d89d5c51c26508e0ceba36bac24

SHA512
5b98fcc42911f90154cbc54286f478099636fd56239e4467e7c9f7bf4680616d2cc6e9b7062693edd90e22f418acc8b95e0cd91b449d5730816f32b30a3dea80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y39st79.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y39st79.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7529.exe

Filesize
835KB

MD5
fdc5609585e197f70184316e80011745

SHA1
6b7826e5cbc1b48665f668363ecf6fa8874f6066

SHA256
7be60c7475907e5a8c3c90382cfb618d8e205fe81246d611223ac08bb60aabd6

SHA512
149a2e2567ea4825ef78c36879eab186da7b856d8edd8c9cfd654ebfcde37ad371cbafd23a8e4645d20483ae358925dcb29a43e7d8b7329c568a98248932b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7529.exe

Filesize
835KB

MD5
fdc5609585e197f70184316e80011745

SHA1
6b7826e5cbc1b48665f668363ecf6fa8874f6066

SHA256
7be60c7475907e5a8c3c90382cfb618d8e205fe81246d611223ac08bb60aabd6

SHA512
149a2e2567ea4825ef78c36879eab186da7b856d8edd8c9cfd654ebfcde37ad371cbafd23a8e4645d20483ae358925dcb29a43e7d8b7329c568a98248932b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmaA93.exe

Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xbmaA93.exe

Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5993.exe

Filesize
693KB

MD5
33c732530a8dd1f00028b28adfb1db76

SHA1
1669dd5044ce156a344e9bc839ad1ddce077547a

SHA256
6c00c985458301aa1e35e320e75f90c3ba7bbcb93a47a52db3d83c1c9bc36630

SHA512
b831d3a29ea4115810d859e4cda6aab0a8380b5b2eaf0434f9f3e4be15e62c0efc60b3c2f8f266bfa5498c65e26d785aaa56de258a9a6e234f7fd38cb7b4277e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5993.exe

Filesize
693KB

MD5
33c732530a8dd1f00028b28adfb1db76

SHA1
1669dd5044ce156a344e9bc839ad1ddce077547a

SHA256
6c00c985458301aa1e35e320e75f90c3ba7bbcb93a47a52db3d83c1c9bc36630

SHA512
b831d3a29ea4115810d859e4cda6aab0a8380b5b2eaf0434f9f3e4be15e62c0efc60b3c2f8f266bfa5498c65e26d785aaa56de258a9a6e234f7fd38cb7b4277e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57rn01.exe

Filesize
391KB

MD5
350517cf5628598c67f2daeabac0df7a

SHA1
6536c8c2caa747b8e103e21fa7db5437e630548d

SHA256
397e632e67685288bb51b54088b7602abb9aa60727820c524a56eebfbac0cc3b

SHA512
21b8b7e63cee6484ec1b42032a4401f2be6c1097d3161aa751eacf05deb7457e5c61dca4e8ff03628cec1a95f511ac470d992cd6464a21d5f65d44b796b51cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57rn01.exe

Filesize
391KB

MD5
350517cf5628598c67f2daeabac0df7a

SHA1
6536c8c2caa747b8e103e21fa7db5437e630548d

SHA256
397e632e67685288bb51b54088b7602abb9aa60727820c524a56eebfbac0cc3b

SHA512
21b8b7e63cee6484ec1b42032a4401f2be6c1097d3161aa751eacf05deb7457e5c61dca4e8ff03628cec1a95f511ac470d992cd6464a21d5f65d44b796b51cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9711.exe

Filesize
344KB

MD5
fe3ea797e5b805356d0320a0c42d085f

SHA1
31bc47e24ede267adaaf57405ce7765fb317db68

SHA256
179c0002413aae04ecac8dfb405dedaa32aef369c1a339dabbd880f2d8a0008a

SHA512
045f6c314b50a9d4162eafefee2667bf2bcd223678e01a5bd0a62b20148a55fbb910f53f1245e74a23d5c7e50815cf609076b4bcd1d4757617d04eb35921b9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9711.exe

Filesize
344KB

MD5
fe3ea797e5b805356d0320a0c42d085f

SHA1
31bc47e24ede267adaaf57405ce7765fb317db68

SHA256
179c0002413aae04ecac8dfb405dedaa32aef369c1a339dabbd880f2d8a0008a

SHA512
045f6c314b50a9d4162eafefee2667bf2bcd223678e01a5bd0a62b20148a55fbb910f53f1245e74a23d5c7e50815cf609076b4bcd1d4757617d04eb35921b9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3623.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3623.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6191zJ.exe

Filesize
334KB

MD5
c743e4a6cdbbb01cfc14536354eeb968

SHA1
fd4df2a4c6de5c270d9388f1c58b12bd21a1e5c3

SHA256
99692cf2d3e2d8e23e7578eb8f8671f181ab139dc4e208f3669d96d20148ab90

SHA512
982e42a7afab4eb543b9402261b197ab9b29ba570475f5eb5e702005992e6a8801db6b58f3ed4356567ba627402b6e1e42b61f7f19a7ddf1d9788d122d8ccc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6191zJ.exe

Filesize
334KB

MD5
c743e4a6cdbbb01cfc14536354eeb968

SHA1
fd4df2a4c6de5c270d9388f1c58b12bd21a1e5c3

SHA256
99692cf2d3e2d8e23e7578eb8f8671f181ab139dc4e208f3669d96d20148ab90

SHA512
982e42a7afab4eb543b9402261b197ab9b29ba570475f5eb5e702005992e6a8801db6b58f3ed4356567ba627402b6e1e42b61f7f19a7ddf1d9788d122d8ccc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\1000075000\v4cRIUet5I.exe

Filesize
1.4MB

MD5
3a56b65d474fc5a09e0fcf4f84eb2f06

SHA1
e8955fda40bc79085e1cb941844959a4fa443f8d

SHA256
9a7d4384137e35b1b6ae802649f3cd3187bcc891ea516d95647e2f4818029633

SHA512
017da5949b066fd3033690bf2827726c39d9eddbeac4a0f7d1826dfae5c3c10fb8ed9e7c84fda449f9191902ba3f66b86b440596bf909d9b2ce1ebe51e613c61

Download Submit
C:\Users\Admin\AppData\Roaming\1000075000\v4cRIUet5I.exe

Filesize
1.4MB

MD5
3a56b65d474fc5a09e0fcf4f84eb2f06

SHA1
e8955fda40bc79085e1cb941844959a4fa443f8d

SHA256
9a7d4384137e35b1b6ae802649f3cd3187bcc891ea516d95647e2f4818029633

SHA512
017da5949b066fd3033690bf2827726c39d9eddbeac4a0f7d1826dfae5c3c10fb8ed9e7c84fda449f9191902ba3f66b86b440596bf909d9b2ce1ebe51e613c61

Download Submit
C:\Users\Admin\AppData\Roaming\1000075000\v4cRIUet5I.exe

Filesize
1.4MB

MD5
3a56b65d474fc5a09e0fcf4f84eb2f06

SHA1
e8955fda40bc79085e1cb941844959a4fa443f8d

SHA256
9a7d4384137e35b1b6ae802649f3cd3187bcc891ea516d95647e2f4818029633

SHA512
017da5949b066fd3033690bf2827726c39d9eddbeac4a0f7d1826dfae5c3c10fb8ed9e7c84fda449f9191902ba3f66b86b440596bf909d9b2ce1ebe51e613c61

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/540-1177-0x0000027A800B0000-0x0000027A800C0000-memory.dmp

Filesize
64KB

Download
memory/540-1162-0x0000027A98B10000-0x0000027A98C10000-memory.dmp

Filesize
1024KB

Download
memory/540-1161-0x0000027AFDA20000-0x0000027AFDB80000-memory.dmp

Filesize
1.4MB

Download
memory/732-1249-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-1181-0x0000000007730000-0x00000000077AA000-memory.dmp

Filesize
488KB

Download
memory/732-1179-0x0000000006EF0000-0x0000000006F6C000-memory.dmp

Filesize
496KB

Download
memory/732-3734-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-1246-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/732-5979-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-5977-0x0000000008E10000-0x0000000008EAC000-memory.dmp

Filesize
624KB

Download
memory/732-1253-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-1250-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-5976-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-3738-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/732-3736-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/1108-1216-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1568-1108-0x00000000077F0000-0x0000000007802000-memory.dmp

Filesize
72KB

Download
memory/1568-198-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-1106-0x0000000007C40000-0x0000000008246000-memory.dmp

Filesize
6.0MB

Download
memory/1568-1107-0x00000000076B0000-0x00000000077BA000-memory.dmp

Filesize
1.0MB

Download
memory/1568-231-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-1109-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-1110-0x0000000007810000-0x000000000784E000-memory.dmp

Filesize
248KB

Download
memory/1568-1111-0x0000000007960000-0x00000000079AB000-memory.dmp

Filesize
300KB

Download
memory/1568-1113-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/1568-1114-0x0000000007B90000-0x0000000007BF6000-memory.dmp

Filesize
408KB

Download
memory/1568-1115-0x00000000088A0000-0x0000000008A62000-memory.dmp

Filesize
1.8MB

Download
memory/1568-1116-0x0000000008A70000-0x0000000008F9C000-memory.dmp

Filesize
5.2MB

Download
memory/1568-1117-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-1118-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-1119-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-1120-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-1121-0x0000000009320000-0x0000000009396000-memory.dmp

Filesize
472KB

Download
memory/1568-1122-0x00000000093A0000-0x00000000093F0000-memory.dmp

Filesize
320KB

Download
memory/1568-229-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-227-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-194-0x0000000004A80000-0x0000000004AC6000-memory.dmp

Filesize
280KB

Download
memory/1568-195-0x00000000075A0000-0x00000000075E4000-memory.dmp

Filesize
272KB

Download
memory/1568-196-0x0000000002BF0000-0x0000000002C3B000-memory.dmp

Filesize
300KB

Download
memory/1568-225-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-223-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-221-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-219-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-217-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-215-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-213-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-211-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-209-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-207-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-205-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-203-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-233-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-200-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-201-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1568-199-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/1568-197-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/4204-145-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/4496-172-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-154-0x0000000007550000-0x0000000007568000-memory.dmp

Filesize
96KB

Download
memory/4496-189-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/4496-188-0x0000000000400000-0x0000000002B03000-memory.dmp

Filesize
39.0MB

Download
memory/4496-170-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-185-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/4496-184-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/4496-183-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/4496-182-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-180-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-178-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-176-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-151-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/4496-174-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-186-0x0000000000400000-0x0000000002B03000-memory.dmp

Filesize
39.0MB

Download
memory/4496-168-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-166-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-164-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-162-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-160-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-158-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-156-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-155-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/4496-152-0x0000000004790000-0x00000000047AA000-memory.dmp

Filesize
104KB

Download
memory/4496-153-0x0000000007050000-0x000000000754E000-memory.dmp

Filesize
5.0MB

Download
memory/4508-1130-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4508-1128-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/4508-1129-0x0000000004B60000-0x0000000004BAB000-memory.dmp

Filesize
300KB

Download