amadey | 5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21

Analysis

max time kernel
149s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-03-2023 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe
Size

1021KB
MD5

8a4ea12a3c94084279d7137efffbec6a
SHA1

80ea6e1680cbf7cceb2ca47eceee1d05e4d46ad7
SHA256

5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21
SHA512

58bebfb074c81bdbbd07cccd9c2ac290a9af7079decdbf6dc0ed45df9cb0e93d84689d7a74b1c69593914f6df352e4ebc70fa955daad3f77df033b31dea5f507
SSDEEP

24576:Fy+pwMjD/ziBlISLVpFo6bowjqbyGN/JKS/wxsCdU:gSrixJpuCo1+GN/Jlwxs

Score

10^/10

amadey redline down lown discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

193.233.20.31:4125

Attributes

auth_value
4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v9430EE.exetz3576.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9430EE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9430EE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9430EE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9430EE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3576.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9430EE.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3964-197-0x0000000004C50000-0x0000000004C96000-memory.dmp	family_redline
behavioral1/memory/3964-198-0x0000000005200000-0x0000000005244000-memory.dmp	family_redline
behavioral1/memory/3964-199-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-200-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-202-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-204-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-206-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-208-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-210-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-212-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-214-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-216-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-218-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-220-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-222-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-224-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-226-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-228-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-232-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-230-0x0000000005200000-0x000000000523E000-memory.dmp	family_redline
behavioral1/memory/3964-392-0x0000000004CF0000-0x0000000004D00000-memory.dmp	family_redline
behavioral1/memory/3964-1119-0x0000000004CF0000-0x0000000004D00000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

zap1265.exezap8608.exezap1588.exetz3576.exev9430EE.exew44gG03.exexzYLI49.exey27ba32.exelegenda.exerc.exelegenda.exelegenda.exe

pid	process
3332	zap1265.exe
4216	zap8608.exe
4116	zap1588.exe
4752	tz3576.exe
4176	v9430EE.exe
3964	w44gG03.exe
512	xzYLI49.exe
4860	y27ba32.exe
5044	legenda.exe
5036	rc.exe
3744	legenda.exe
2736	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4008 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4008	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3576.exev9430EE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3576.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9430EE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9430EE.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8608.exechrome.exe5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exezap1265.exezap1588.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8608.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1265.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8608.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1588.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1265.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1588.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5068 schtasks.exe

pid	process
5068	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1796 taskkill.exe

pid	process
1796	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240764040389494"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1568 PING.EXE

pid	process
1568	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz3576.exev9430EE.exew44gG03.exexzYLI49.exechrome.exe

pid	process
4752	tz3576.exe
4752	tz3576.exe
4176	v9430EE.exe
4176	v9430EE.exe
3964	w44gG03.exe
3964	w44gG03.exe
512	xzYLI49.exe
512	xzYLI49.exe
436	chrome.exe
436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

436 chrome.exe
436 chrome.exe
436 chrome.exe
436 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz3576.exev9430EE.exew44gG03.exexzYLI49.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4752	tz3576.exe
Token: SeDebugPrivilege	4176	v9430EE.exe
Token: SeDebugPrivilege	3964	w44gG03.exe
Token: SeDebugPrivilege	512	xzYLI49.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exezap1265.exezap8608.exezap1588.exey27ba32.exelegenda.execmd.exerc.execmd.exechrome.exe

description	pid	process	target process
PID 4080 wrote to memory of 3332	4080	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe	zap1265.exe
PID 4080 wrote to memory of 3332	4080	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe	zap1265.exe
PID 4080 wrote to memory of 3332	4080	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe	zap1265.exe
PID 3332 wrote to memory of 4216	3332	zap1265.exe	zap8608.exe
PID 3332 wrote to memory of 4216	3332	zap1265.exe	zap8608.exe
PID 3332 wrote to memory of 4216	3332	zap1265.exe	zap8608.exe
PID 4216 wrote to memory of 4116	4216	zap8608.exe	zap1588.exe
PID 4216 wrote to memory of 4116	4216	zap8608.exe	zap1588.exe
PID 4216 wrote to memory of 4116	4216	zap8608.exe	zap1588.exe
PID 4116 wrote to memory of 4752	4116	zap1588.exe	tz3576.exe
PID 4116 wrote to memory of 4752	4116	zap1588.exe	tz3576.exe
PID 4116 wrote to memory of 4176	4116	zap1588.exe	v9430EE.exe
PID 4116 wrote to memory of 4176	4116	zap1588.exe	v9430EE.exe
PID 4116 wrote to memory of 4176	4116	zap1588.exe	v9430EE.exe
PID 4216 wrote to memory of 3964	4216	zap8608.exe	w44gG03.exe
PID 4216 wrote to memory of 3964	4216	zap8608.exe	w44gG03.exe
PID 4216 wrote to memory of 3964	4216	zap8608.exe	w44gG03.exe
PID 3332 wrote to memory of 512	3332	zap1265.exe	xzYLI49.exe
PID 3332 wrote to memory of 512	3332	zap1265.exe	xzYLI49.exe
PID 3332 wrote to memory of 512	3332	zap1265.exe	xzYLI49.exe
PID 4080 wrote to memory of 4860	4080	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe	y27ba32.exe
PID 4080 wrote to memory of 4860	4080	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe	y27ba32.exe
PID 4080 wrote to memory of 4860	4080	5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe	y27ba32.exe
PID 4860 wrote to memory of 5044	4860	y27ba32.exe	legenda.exe
PID 4860 wrote to memory of 5044	4860	y27ba32.exe	legenda.exe
PID 4860 wrote to memory of 5044	4860	y27ba32.exe	legenda.exe
PID 5044 wrote to memory of 5068	5044	legenda.exe	schtasks.exe
PID 5044 wrote to memory of 5068	5044	legenda.exe	schtasks.exe
PID 5044 wrote to memory of 5068	5044	legenda.exe	schtasks.exe
PID 5044 wrote to memory of 5032	5044	legenda.exe	cmd.exe
PID 5044 wrote to memory of 5032	5044	legenda.exe	cmd.exe
PID 5044 wrote to memory of 5032	5044	legenda.exe	cmd.exe
PID 5032 wrote to memory of 2132	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 2132	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 2132	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 4136	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 4136	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 4136	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 5024	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 5024	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 5024	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 1004	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 1004	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 1004	5032	cmd.exe	cmd.exe
PID 5032 wrote to memory of 5100	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 5100	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 5100	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 4404	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 4404	5032	cmd.exe	cacls.exe
PID 5032 wrote to memory of 4404	5032	cmd.exe	cacls.exe
PID 5044 wrote to memory of 5036	5044	legenda.exe	rc.exe
PID 5044 wrote to memory of 5036	5044	legenda.exe	rc.exe
PID 5044 wrote to memory of 5036	5044	legenda.exe	rc.exe
PID 5036 wrote to memory of 4256	5036	rc.exe	cmd.exe
PID 5036 wrote to memory of 4256	5036	rc.exe	cmd.exe
PID 5036 wrote to memory of 4256	5036	rc.exe	cmd.exe
PID 4256 wrote to memory of 1796	4256	cmd.exe	taskkill.exe
PID 4256 wrote to memory of 1796	4256	cmd.exe	taskkill.exe
PID 4256 wrote to memory of 1796	4256	cmd.exe	taskkill.exe
PID 5036 wrote to memory of 436	5036	rc.exe	chrome.exe
PID 5036 wrote to memory of 436	5036	rc.exe	chrome.exe
PID 436 wrote to memory of 524	436	chrome.exe	chrome.exe
PID 436 wrote to memory of 524	436	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1280	5036	rc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe
"C:\Users\Admin\AppData\Local\Temp\5f59f41a429da5d3043478ae5d8747fd1dab5f00cfef332b28bfc7b26bd7dd21.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1265.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1265.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8608.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8608.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1588.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1588.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3576.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3576.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9430EE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9430EE.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44gG03.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44gG03.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzYLI49.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzYLI49.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y27ba32.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y27ba32.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2132

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4136

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1004

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5100

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ff8bb999758,0x7ff8bb999768,0x7ff8bb999778
6⤵
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:8
6⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:2
6⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:8
6⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:1
6⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:1
6⤵
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3812 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:1
6⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4624 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:1
6⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:8
6⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:8
6⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:8
6⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1688,i,6127329308593950025,18076490947296020797,131072 /prefetch:8
6⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:1280

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:1568

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1015B

MD5
ddae26b8abc3972f912f7b4425761b29

SHA1
5cb97b6a95a63b8f7ba666a5bdae0bc4df07be58

SHA256
b88e180087d40c28d50e8cd8079d9a12e3e92b0a167667fa9188841617f23114

SHA512
a0795890dfbc7c17fe4eed7b719845ad6f55b36d330f81ad23eedb5e40e4700302995b86d84e40c015dc6155a8a6c321760d206871a2f914a7b27aca375e60c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
c3f85fdc7eaba45b5825f9a534148479

SHA1
bfa68911c323c269acc801889ed201590d756790

SHA256
d25ff5a841c3ee6b14824308acceeb17e966bccd885167352e5f4b77add35341

SHA512
90f45547f0aaefff7f8a6bceb6ab4a731343fdfc2d5c4fd31e5127f0558954bbe7b6c71b86bfdaf021c3018bd2db8f5039da57b14e1608d4219ee0ae84553e21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d86f4898f9be337f3723433ccf7cf486

SHA1
e111ccdc69cde0d3fe7b8890a6991ffa923435c6

SHA256
2645ad32bad1d337d08a7f4cbc52c2dfbbf20214595a25c2cb19781573091763

SHA512
79f2d335f114ab52b77e7766a9a43309a0b5d7bf0cfb50d7255e6ec3392f22d23417a9b49da4a11b9d1696cf6eeaa0964ce1714f660a5c28d420131a5c5214ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5f340f5f5787aec2d020cf7615fe1815

SHA1
bfe381e0996bc60ad4044a6e9630eb21d80a2724

SHA256
42eeaa74848141c65d416f51868b8d76912c7eb79e51eb0faa86679e441beee9

SHA512
0ffcd602d2dd47956a62333f7a122a2b8e9d1ae9042709d86a83d20845c39ebc2a9370c75dd34c4ca921c514991e87d6bd3b697717e1b4cab97b7bf3c2e0479e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
e121bc93be8e5ce1ea9d0769ce0aafd3

SHA1
e447918c87463aa2a42081be081d3909515d2e58

SHA256
4c8d2133ecf609b68ce9e7516e25d6cbfe3997aacf0789797ea5276818331011

SHA512
195400fdcee6808ad3859a2ce293481e031075294dda061fea8aabe03ae0fe9fba7719f96293cbf6b72f250d9b373b8150a09df4680b9298ab4583e5568ee1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a6b9c97b-6de4-4cd6-a7a8-3de8abdb5548.tmp
Filesize
5KB

MD5
12dbc78e5ab4341fdb5ecc5390dc65bf

SHA1
40ac240a46920151671651252605ba8604250800

SHA256
a1dc1697b8e00227517021aeba831cc93ac27c558f712b8d7a7ab3165f287d50

SHA512
aa704688a60898c13ab9a6a7f4c55b52ddc8edc4fe51834ddf6108fa7724af1139c3d183607501888d9379193eb6554948eddca92a725eb1e8eb1dab19fdce33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
bd89c4804895b8a1df15cf93f975a799

SHA1
677105113f3c4f797a9afdb4cdf09be2e12d755c

SHA256
51fff2a1063f2b59055d5bdf69f585fd5e5f558a1080947062caa201177efb79

SHA512
f94ef08edd8aa40028437f3f406770897636f723387c7605dc2532a8d9c346cb971fc85591b2aadae6a7698cd5085c6932b82c4216c3b932e437dbc309346363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y27ba32.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y27ba32.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1265.exe
Filesize
837KB

MD5
01e300e821ea8d956756086692dcfb3e

SHA1
41f9d6ecd602f3a596904ccce5b7770cace4f6c4

SHA256
d935222c03cce6ff73dc0e621a9f3a4da999c37310b3ce3ea226329410cb83be

SHA512
fcd5bf35731117fdd34cfe8e3a53461b97af41a2f990f35c15ba9e20124687ade7b109c70bb1cb0bd47b6646cea007f4631864a741faad14cd82ac0bf5011d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1265.exe
Filesize
837KB

MD5
01e300e821ea8d956756086692dcfb3e

SHA1
41f9d6ecd602f3a596904ccce5b7770cace4f6c4

SHA256
d935222c03cce6ff73dc0e621a9f3a4da999c37310b3ce3ea226329410cb83be

SHA512
fcd5bf35731117fdd34cfe8e3a53461b97af41a2f990f35c15ba9e20124687ade7b109c70bb1cb0bd47b6646cea007f4631864a741faad14cd82ac0bf5011d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzYLI49.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xzYLI49.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8608.exe
Filesize
695KB

MD5
22ac784657a28df368102e99ddb9be88

SHA1
11ae8e18f7bc1a6a0ac626684a03deaff48f4b9a

SHA256
02b4f4525dd0dfbba09438f595cbd7507e724b130a07d7f2f37f055650c47851

SHA512
ae039dc381417f851e0f3c197f73a3b0e1baa5119b24f4e750e461e9777b96aabd1d216d551ecbe46d364c8b778f3257be298818dc858bfcf596f176130c980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8608.exe
Filesize
695KB

MD5
22ac784657a28df368102e99ddb9be88

SHA1
11ae8e18f7bc1a6a0ac626684a03deaff48f4b9a

SHA256
02b4f4525dd0dfbba09438f595cbd7507e724b130a07d7f2f37f055650c47851

SHA512
ae039dc381417f851e0f3c197f73a3b0e1baa5119b24f4e750e461e9777b96aabd1d216d551ecbe46d364c8b778f3257be298818dc858bfcf596f176130c980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44gG03.exe
Filesize
349KB

MD5
51fffb6f4cb2b74e92f66830e1bdf51c

SHA1
fc2b661d8223bc4484c907bed92ef684652eb304

SHA256
b389177646e177eb4304a07f8219fadbed54eea8213409943ed5f565ad477800

SHA512
fbf66c3d5b35b700426a0aca2cc27e3b8d7ad90ab1941a3d1e039b9af90ac8c33c8282317630dac969b66624bd772d570b91b943dc1128b3bf67cf1ac1c79423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44gG03.exe
Filesize
349KB

MD5
51fffb6f4cb2b74e92f66830e1bdf51c

SHA1
fc2b661d8223bc4484c907bed92ef684652eb304

SHA256
b389177646e177eb4304a07f8219fadbed54eea8213409943ed5f565ad477800

SHA512
fbf66c3d5b35b700426a0aca2cc27e3b8d7ad90ab1941a3d1e039b9af90ac8c33c8282317630dac969b66624bd772d570b91b943dc1128b3bf67cf1ac1c79423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1588.exe
Filesize
344KB

MD5
b946fd1c17accef0f6d7bd324ad6ea80

SHA1
c1b7efc37be5990f3d73a6d49e2520697211e7df

SHA256
b81b3af2960db39925d4c3f61f4072161d2c9d0760406ee359f55dd6df6b3327

SHA512
6757d5c013253f5160c49e7808e4d58d7d32d532998d451d63cf0457ef493e8f20b97cb02f4cc59898f42b88455a8c958717d1bd5d9f9110e3014cc57192c923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1588.exe
Filesize
344KB

MD5
b946fd1c17accef0f6d7bd324ad6ea80

SHA1
c1b7efc37be5990f3d73a6d49e2520697211e7df

SHA256
b81b3af2960db39925d4c3f61f4072161d2c9d0760406ee359f55dd6df6b3327

SHA512
6757d5c013253f5160c49e7808e4d58d7d32d532998d451d63cf0457ef493e8f20b97cb02f4cc59898f42b88455a8c958717d1bd5d9f9110e3014cc57192c923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3576.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3576.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9430EE.exe
Filesize
291KB

MD5
514370c632a209a6e4c997e8ebe20a67

SHA1
be99b86a26ff9b3e75558f8614de382782f17778

SHA256
1b239a9ff41bf709e20763fc70918118b519f3436247a65a62415c2c645982ef

SHA512
f211f31649a026df033f5ee41c257aacc32b85f3f04c61f5f5f4fd9ad0f5270a170a483335b4d843363ed7efad6907eb8bfb3c3119a7aa913de9576e3030a452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9430EE.exe
Filesize
291KB

MD5
514370c632a209a6e4c997e8ebe20a67

SHA1
be99b86a26ff9b3e75558f8614de382782f17778

SHA256
1b239a9ff41bf709e20763fc70918118b519f3436247a65a62415c2c645982ef

SHA512
f211f31649a026df033f5ee41c257aacc32b85f3f04c61f5f5f4fd9ad0f5270a170a483335b4d843363ed7efad6907eb8bfb3c3119a7aa913de9576e3030a452

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\background.js
Filesize
2KB

MD5
6200ca0889334cfb6aec68e0d16ec1ae

SHA1
484b2db1bccfcd5a683faf4d4fe9bc4a26b669fd

SHA256
a7929366648541bdbc0770e2e46c396c1febabab88fb6f9399706f7faceef18a

SHA512
84f906a51c9c3e04acff4dd8e3a3e54994d435dcc1ea925b61bed6ed6ca82719d070332126ec901d906d475835532a03c2516e5c524940c1144ea2a8fc17a567

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\main.js
Filesize
174B

MD5
101da414c759e49091ed4c7c393e4b88

SHA1
ca66105564379ea52890b55364f61d6d967facce

SHA256
a36f1ac32942455f7f16f3ac4ce90b91c504a82c22f9d529e0ba7bf64a24b757

SHA512
504b7b35a83b135aec79322cf9e8b296f42552040ec6d630e008fff395e5120af88e8b2118641b58fb3de7d6ac7466f621f604d2824c2d688a4aefb444ce7f44

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\manifest.json
Filesize
614B

MD5
0688a45c7472ba90c4acbd8a4fbc928a

SHA1
0f6f86ebac77f35cf2b8f3bb2595597bc786de6b

SHA256
52e7a136a4f39bb826f30f5c89c6fa28ca9945acefc775068a39d21328e47275

SHA512
d8c32b1fe52060ffa020ab640dd78afda51ab1ea86a467ffbc308bf1c540f93485c73a71a1226b48835b2eb9e073d508c93ba94a3d571ba84af5d2a1784b951d

Download Submit
\??\pipe\crashpad_436_IGZLCGPYZVPYEZHB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/512-1133-0x0000000004A80000-0x0000000004ACB000-memory.dmp

Filesize
300KB

Download
memory/512-1132-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/512-1131-0x0000000000040000-0x0000000000072000-memory.dmp

Filesize
200KB

Download
memory/3964-222-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-1122-0x0000000006770000-0x0000000006C9C000-memory.dmp

Filesize
5.2MB

Download
memory/3964-204-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-206-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-208-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-210-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-212-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-214-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-216-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-218-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-220-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-200-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-224-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-226-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-228-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-232-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-230-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-388-0x0000000000810000-0x000000000085B000-memory.dmp

Filesize
300KB

Download
memory/3964-392-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-389-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-393-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-1109-0x0000000005850000-0x0000000005E56000-memory.dmp

Filesize
6.0MB

Download
memory/3964-1110-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/3964-1111-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/3964-1112-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-1113-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/3964-1114-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/3964-1116-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3964-1117-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-1118-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-1119-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-1120-0x00000000063F0000-0x0000000006482000-memory.dmp

Filesize
584KB

Download
memory/3964-1121-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/3964-202-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-1123-0x0000000006F40000-0x0000000006FB6000-memory.dmp

Filesize
472KB

Download
memory/3964-1124-0x0000000006FC0000-0x0000000007010000-memory.dmp

Filesize
320KB

Download
memory/3964-1125-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3964-199-0x0000000005200000-0x000000000523E000-memory.dmp

Filesize
248KB

Download
memory/3964-198-0x0000000005200000-0x0000000005244000-memory.dmp

Filesize
272KB

Download
memory/3964-197-0x0000000004C50000-0x0000000004C96000-memory.dmp

Filesize
280KB

Download
memory/4176-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-153-0x0000000004BD0000-0x0000000004BEA000-memory.dmp

Filesize
104KB

Download
memory/4176-189-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4176-188-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4176-187-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4176-186-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-184-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-182-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-180-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-178-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-176-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-174-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-172-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-190-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4176-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-192-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4176-159-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-157-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4176-158-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/4176-156-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4176-155-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4176-154-0x0000000004CB0000-0x00000000051AE000-memory.dmp

Filesize
5.0MB

Download
memory/4176-170-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4176-152-0x0000000000900000-0x000000000092D000-memory.dmp

Filesize
180KB

Download
memory/4752-146-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download