amadey | 4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe
Size

1021KB
MD5

cf1bd76ab5288797ea2408704afc7db3
SHA1

4b8bce56926444c9758dc3f3c60b53a44f7691e9
SHA256

4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100
SHA512

f9c280c711f03fae75e4ab52bcff57e5308256477866a52451ee880d7fb2a6f6165b71188628ec0535d5413fe063e956083b63a502b5dd1f64454cc59a95ee8c
SSDEEP

24576:GydXFb/ObTr/mEkX4822CwUOLX2xkN/DS42J56zAOe:VRh6d2452PUgmmN/+42izAO

Score

10^/10

amadey redline down lown discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

193.233.20.31:4125

Attributes

auth_value
4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2763.exev1234JE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2763.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2763.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2763.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2763.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v1234JE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v1234JE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v1234JE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v1234JE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2763.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2763.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v1234JE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v1234JE.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2564-207-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-208-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-210-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-212-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-214-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-216-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-218-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-220-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-222-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-224-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-226-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-228-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-230-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-232-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-234-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-236-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-238-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-240-0x0000000002980000-0x00000000029BE000-memory.dmp	family_redline
behavioral1/memory/2564-1127-0x00000000029E0000-0x00000000029F0000-memory.dmp	family_redline
behavioral1/memory/2564-1128-0x00000000029E0000-0x00000000029F0000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exerc.exey53Bp38.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	rc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y53Bp38.exe

Executes dropped EXE 12 IoCs

Processes:

zap9594.exezap0597.exezap8172.exetz2763.exev1234JE.exew86IG68.exexXLzE90.exey53Bp38.exelegenda.exerc.exelegenda.exelegenda.exe

pid	process
1508	zap9594.exe
4348	zap0597.exe
4408	zap8172.exe
2644	tz2763.exe
1828	v1234JE.exe
2564	w86IG68.exe
3440	xXLzE90.exe
4124	y53Bp38.exe
4412	legenda.exe
3824	rc.exe
3368	legenda.exe
3668	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1324 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1324	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v1234JE.exetz2763.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v1234JE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2763.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v1234JE.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exezap0597.exechrome.exezap8172.exezap9594.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0597.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8172.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8172.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9594.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0597.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4408 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3848 schtasks.exe

pid	process
4408	sc.exe

pid	process
3848	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5012 taskkill.exe

pid	process
5012	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240770059098970"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1276 PING.EXE

pid	process
1276	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz2763.exev1234JE.exew86IG68.exexXLzE90.exechrome.exe

pid	process
2644	tz2763.exe
2644	tz2763.exe
1828	v1234JE.exe
1828	v1234JE.exe
2564	w86IG68.exe
2564	w86IG68.exe
3440	xXLzE90.exe
3440	xXLzE90.exe
2008	chrome.exe
2008	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2008 chrome.exe
2008 chrome.exe
2008 chrome.exe
2008 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz2763.exev1234JE.exew86IG68.exexXLzE90.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2644	tz2763.exe
Token: SeDebugPrivilege	1828	v1234JE.exe
Token: SeDebugPrivilege	2564	w86IG68.exe
Token: SeDebugPrivilege	3440	xXLzE90.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exezap9594.exezap0597.exezap8172.exey53Bp38.exelegenda.execmd.exerc.execmd.exechrome.exe

description	pid	process	target process
PID 3488 wrote to memory of 1508	3488	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe	zap9594.exe
PID 3488 wrote to memory of 1508	3488	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe	zap9594.exe
PID 3488 wrote to memory of 1508	3488	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe	zap9594.exe
PID 1508 wrote to memory of 4348	1508	zap9594.exe	zap0597.exe
PID 1508 wrote to memory of 4348	1508	zap9594.exe	zap0597.exe
PID 1508 wrote to memory of 4348	1508	zap9594.exe	zap0597.exe
PID 4348 wrote to memory of 4408	4348	zap0597.exe	zap8172.exe
PID 4348 wrote to memory of 4408	4348	zap0597.exe	zap8172.exe
PID 4348 wrote to memory of 4408	4348	zap0597.exe	zap8172.exe
PID 4408 wrote to memory of 2644	4408	zap8172.exe	tz2763.exe
PID 4408 wrote to memory of 2644	4408	zap8172.exe	tz2763.exe
PID 4408 wrote to memory of 1828	4408	zap8172.exe	v1234JE.exe
PID 4408 wrote to memory of 1828	4408	zap8172.exe	v1234JE.exe
PID 4408 wrote to memory of 1828	4408	zap8172.exe	v1234JE.exe
PID 4348 wrote to memory of 2564	4348	zap0597.exe	w86IG68.exe
PID 4348 wrote to memory of 2564	4348	zap0597.exe	w86IG68.exe
PID 4348 wrote to memory of 2564	4348	zap0597.exe	w86IG68.exe
PID 1508 wrote to memory of 3440	1508	zap9594.exe	xXLzE90.exe
PID 1508 wrote to memory of 3440	1508	zap9594.exe	xXLzE90.exe
PID 1508 wrote to memory of 3440	1508	zap9594.exe	xXLzE90.exe
PID 3488 wrote to memory of 4124	3488	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe	y53Bp38.exe
PID 3488 wrote to memory of 4124	3488	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe	y53Bp38.exe
PID 3488 wrote to memory of 4124	3488	4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe	y53Bp38.exe
PID 4124 wrote to memory of 4412	4124	y53Bp38.exe	legenda.exe
PID 4124 wrote to memory of 4412	4124	y53Bp38.exe	legenda.exe
PID 4124 wrote to memory of 4412	4124	y53Bp38.exe	legenda.exe
PID 4412 wrote to memory of 3848	4412	legenda.exe	schtasks.exe
PID 4412 wrote to memory of 3848	4412	legenda.exe	schtasks.exe
PID 4412 wrote to memory of 3848	4412	legenda.exe	schtasks.exe
PID 4412 wrote to memory of 4236	4412	legenda.exe	cmd.exe
PID 4412 wrote to memory of 4236	4412	legenda.exe	cmd.exe
PID 4412 wrote to memory of 4236	4412	legenda.exe	cmd.exe
PID 4236 wrote to memory of 4484	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 4484	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 4484	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 1632	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 1632	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 1632	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 5028	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 5028	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 5028	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 768	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 768	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 768	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 3288	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 3288	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 3288	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 2244	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 2244	4236	cmd.exe	cacls.exe
PID 4236 wrote to memory of 2244	4236	cmd.exe	cacls.exe
PID 4412 wrote to memory of 3824	4412	legenda.exe	rc.exe
PID 4412 wrote to memory of 3824	4412	legenda.exe	rc.exe
PID 4412 wrote to memory of 3824	4412	legenda.exe	rc.exe
PID 3824 wrote to memory of 3760	3824	rc.exe	cmd.exe
PID 3824 wrote to memory of 3760	3824	rc.exe	cmd.exe
PID 3824 wrote to memory of 3760	3824	rc.exe	cmd.exe
PID 3760 wrote to memory of 5012	3760	cmd.exe	taskkill.exe
PID 3760 wrote to memory of 5012	3760	cmd.exe	taskkill.exe
PID 3760 wrote to memory of 5012	3760	cmd.exe	taskkill.exe
PID 3824 wrote to memory of 2008	3824	rc.exe	chrome.exe
PID 3824 wrote to memory of 2008	3824	rc.exe	chrome.exe
PID 2008 wrote to memory of 5020	2008	chrome.exe	chrome.exe
PID 2008 wrote to memory of 5020	2008	chrome.exe	chrome.exe
PID 3824 wrote to memory of 5076	3824	rc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe
"C:\Users\Admin\AppData\Local\Temp\4c470cef5f470dc8aaa4753018140ab84380fc5b218afc8a724bf50706a5b100.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9594.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9594.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0597.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0597.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8172.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8172.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2763.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2763.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1234JE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1234JE.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w86IG68.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w86IG68.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXLzE90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXLzE90.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Bp38.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Bp38.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4484

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1632

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:768

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3288

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdabe59758,0x7ffdabe59768,0x7ffdabe59778
6⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:2
6⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:1
6⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3344 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:1
6⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4024 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:1
6⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4772 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:1
6⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1812,i,9470362519910786712,13646834362157781420,131072 /prefetch:8
6⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:5076

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:1276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1324

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
Filesize
2KB

MD5
a80684cd65dc4a62121b8db031da7e7d

SHA1
25dba3cbf213339e4ae4182ba1dcdfbdf3665b20

SHA256
f76ee14009ef28bc04bbcfb4ac44999b196e9840f95494baf5475563b2512172

SHA512
0cf39d3504e0bcb16df3d0f5088cc50510f2fe811cf4702954b87b81f085408055c0694de6a5ee15737801d269ee3ed5cef51c96765d38c56cf7ac947beec92d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0447c400019b326e25ccbc53e3c8fd78

SHA1
de0232d883db02bedee4d81a0865a45afea21a6c

SHA256
041a920651b17e90378ae39ec12dd5d8523c08723e183e92280eaab7b01b7c28

SHA512
4b3bbdd070398b1c5dffa81fe8c9c7483cec7b008f73bc968663ea18e41a7599867ba34b2da53aad34a0120daf6a62adb738dbdb2ad46dd7c03732f4f059e139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
2e19bc1b4776a1b02de55721365ef64f

SHA1
40b395147bc3252a5946e03cae7c3e7020da96ac

SHA256
1d7aad752053fb9ced5bb38392eb12361dbce15bbe9b9b4be7a05c558ba9da49

SHA512
bb149c996ea6c219aa0016c26629be029048853ca05d1127aabca86281c7f555eb209d886e89f09743cd8571fd09fa290581f9bad4df3ea20572616a7047687a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
664b805998299862dd9d2d2eabb2c385

SHA1
28cbd94204b6672f257d7d1ed5a1c033717cf765

SHA256
c000fc1ef1872eca5aa32a6a681c8f9bdd58754e77f5382a069490f1cb0b3642

SHA512
85b3b78c21b24d1ae7a62482b3615a85c5b0c30b336fb9601260294658b1be34f5dfb9190a18fe0190c01ffef8b61172b40362f8d8da6acbc52ea20a355ae7ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9ea804a46232088a4294e3ff69a0e9c1

SHA1
91b375d45f8a9f6d75e505ec2719b7efc6056fdc

SHA256
89deb350d9c19a6af77c375b25b0b55ae2203f3bd7285d7d18879d0216ace757

SHA512
9a5f450104e8a1d508a4ddcc0543cd8661fad1add7f25707d2d16edb16d5882df5b55c17e37d9d954abff6f7d04791a04f6579720e4124b6264fdd9ed860f2c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
a0672e1bee0e9d6bb65e4e1113f90079

SHA1
8af2b91077482c80e420a3d506745fa2ad69e580

SHA256
539889bc437b68bbda3e664bcce4d2a0d562226c19be3b3128ec9d3f7b33135a

SHA512
04bd1496298ce46d03fc39d5bdd2629248f443463571ad388604d5d8f0b3b40ce1dd83ab9d43f5357e77db5124d60fba6af5f9b185ac96ee28f5021c016515b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
895b26981f84b363cbb8f9b9003f7893

SHA1
b1ac4ca0740034bad18533c46f4d81bf2610a585

SHA256
7bf4b01325be3109dc989c7a35ab84f5de2c6df853839af2f2a361a0aefc9c10

SHA512
1929f21e12cdffdf7ae82447b3266702f2c0ef5a916d7be8defb0086cc8d7788851420cec06a6813f29a141325f9ebfc063e3c4511d6a23dd25861962285979e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Bp38.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Bp38.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9594.exe
Filesize
837KB

MD5
3774ecea8cfce0a13f7a66b40dcde3aa

SHA1
65524f2255b1aaaf2c8102f40713494d4a02edcc

SHA256
10fbe20e01019821d2a65f07a57b9a352d31a01ce597f720db65b838b5bd6aeb

SHA512
465c8f50f497a6962d60272c9a5be9a7d461e28619d4689d13751f741d87b8a6327e68afc83f91c2f61c064f7c374589214c1ac7f1ca118795b5f51c7ae7ab8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9594.exe
Filesize
837KB

MD5
3774ecea8cfce0a13f7a66b40dcde3aa

SHA1
65524f2255b1aaaf2c8102f40713494d4a02edcc

SHA256
10fbe20e01019821d2a65f07a57b9a352d31a01ce597f720db65b838b5bd6aeb

SHA512
465c8f50f497a6962d60272c9a5be9a7d461e28619d4689d13751f741d87b8a6327e68afc83f91c2f61c064f7c374589214c1ac7f1ca118795b5f51c7ae7ab8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXLzE90.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXLzE90.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0597.exe
Filesize
695KB

MD5
69ffb7e5311fc338f2f83624c3705ad1

SHA1
e7949cf9c47a5cf05d6e2f172e8dfe91bc32946a

SHA256
6cfdb1f65e059f6cf03569392b7278f3f15cd9e28a4802c3d3fa0838b2f2b421

SHA512
b875010346e94ad054cb218021cada5148cd2833da05992bde22c6fc19786aada4a1ce85d074a909ceb61b17e83de3970a749756248589c95a9f0a3087b27711

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0597.exe
Filesize
695KB

MD5
69ffb7e5311fc338f2f83624c3705ad1

SHA1
e7949cf9c47a5cf05d6e2f172e8dfe91bc32946a

SHA256
6cfdb1f65e059f6cf03569392b7278f3f15cd9e28a4802c3d3fa0838b2f2b421

SHA512
b875010346e94ad054cb218021cada5148cd2833da05992bde22c6fc19786aada4a1ce85d074a909ceb61b17e83de3970a749756248589c95a9f0a3087b27711

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w86IG68.exe
Filesize
349KB

MD5
6662d1c973ba1b018608e1a7c49bdc3b

SHA1
6a4833145f1497cc39a17d781f0f5d93778910f4

SHA256
30c8b91ab03f0b6a8967c371fc23c2bdf9ef50cee9cf18e657528170a1189d0a

SHA512
7b9c1d919b60eb89ee204ec547035440744a755a5702ae884dd4d3183e0a71f8972ac0bcbc2a98558caee12eefcd626be77bc586c7e4a7a47da451d1a0591d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w86IG68.exe
Filesize
349KB

MD5
6662d1c973ba1b018608e1a7c49bdc3b

SHA1
6a4833145f1497cc39a17d781f0f5d93778910f4

SHA256
30c8b91ab03f0b6a8967c371fc23c2bdf9ef50cee9cf18e657528170a1189d0a

SHA512
7b9c1d919b60eb89ee204ec547035440744a755a5702ae884dd4d3183e0a71f8972ac0bcbc2a98558caee12eefcd626be77bc586c7e4a7a47da451d1a0591d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8172.exe
Filesize
344KB

MD5
cff5831a7d0c9ffdab5f27f677c7f9de

SHA1
29391f8e26a69f021d6f90cd15099700d455322f

SHA256
9e02c6f0485d3560e5a858c94b58b0131edfd4aa7711da31a88ad04bda9d0dd1

SHA512
dc77c14b49f458ffc92b57aba1fca9c32bc1bd6f10c4ed1e3e30679bce5ed4661c6b32a1f966d9a9b86aef5fb2698709e165b5c838a3fbc1cfd6cf7327566f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8172.exe
Filesize
344KB

MD5
cff5831a7d0c9ffdab5f27f677c7f9de

SHA1
29391f8e26a69f021d6f90cd15099700d455322f

SHA256
9e02c6f0485d3560e5a858c94b58b0131edfd4aa7711da31a88ad04bda9d0dd1

SHA512
dc77c14b49f458ffc92b57aba1fca9c32bc1bd6f10c4ed1e3e30679bce5ed4661c6b32a1f966d9a9b86aef5fb2698709e165b5c838a3fbc1cfd6cf7327566f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2763.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2763.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1234JE.exe
Filesize
291KB

MD5
d7675819f5f3475c1af4bb76369a8a34

SHA1
69b7d75694e18f26afbb7364f51ab5e7f45ff1a1

SHA256
7515ecb40300fe185116abe97f492779e4d4ccefbfb1e2974fe552f7b17f418a

SHA512
18786b057b9ab82979a858a4bf4d28e4c4f073f018489fcfefa95861e0121da1c6016b06ce81c58aeea38e4113e1d8fc591e32925be20674def10b30164cd811

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1234JE.exe
Filesize
291KB

MD5
d7675819f5f3475c1af4bb76369a8a34

SHA1
69b7d75694e18f26afbb7364f51ab5e7f45ff1a1

SHA256
7515ecb40300fe185116abe97f492779e4d4ccefbfb1e2974fe552f7b17f418a

SHA512
18786b057b9ab82979a858a4bf4d28e4c4f073f018489fcfefa95861e0121da1c6016b06ce81c58aeea38e4113e1d8fc591e32925be20674def10b30164cd811

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\background.js
Filesize
2KB

MD5
6200ca0889334cfb6aec68e0d16ec1ae

SHA1
484b2db1bccfcd5a683faf4d4fe9bc4a26b669fd

SHA256
a7929366648541bdbc0770e2e46c396c1febabab88fb6f9399706f7faceef18a

SHA512
84f906a51c9c3e04acff4dd8e3a3e54994d435dcc1ea925b61bed6ed6ca82719d070332126ec901d906d475835532a03c2516e5c524940c1144ea2a8fc17a567

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\main.js
Filesize
174B

MD5
101da414c759e49091ed4c7c393e4b88

SHA1
ca66105564379ea52890b55364f61d6d967facce

SHA256
a36f1ac32942455f7f16f3ac4ce90b91c504a82c22f9d529e0ba7bf64a24b757

SHA512
504b7b35a83b135aec79322cf9e8b296f42552040ec6d630e008fff395e5120af88e8b2118641b58fb3de7d6ac7466f621f604d2824c2d688a4aefb444ce7f44

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\manifest.json
Filesize
614B

MD5
0688a45c7472ba90c4acbd8a4fbc928a

SHA1
0f6f86ebac77f35cf2b8f3bb2595597bc786de6b

SHA256
52e7a136a4f39bb826f30f5c89c6fa28ca9945acefc775068a39d21328e47275

SHA512
d8c32b1fe52060ffa020ab640dd78afda51ab1ea86a467ffbc308bf1c540f93485c73a71a1226b48835b2eb9e073d508c93ba94a3d571ba84af5d2a1784b951d

Download Submit
\??\pipe\crashpad_2008_DXQNUBHAUBPBSEUL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1828-172-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-202-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1828-200-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1828-199-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/1828-198-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/1828-197-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/1828-196-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-194-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-192-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-190-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-188-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-186-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-184-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-182-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-180-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-178-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-176-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-174-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-170-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-169-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/1828-168-0x0000000004CF0000-0x0000000005294000-memory.dmp

Filesize
5.6MB

Download
memory/1828-167-0x0000000002350000-0x000000000237D000-memory.dmp

Filesize
180KB

Download
memory/2564-236-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-458-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1124-0x0000000006820000-0x00000000069E2000-memory.dmp

Filesize
1.8MB

Download
memory/2564-1125-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/2564-1127-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1128-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1129-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1130-0x0000000007060000-0x00000000070D6000-memory.dmp

Filesize
472KB

Download
memory/2564-1131-0x00000000070F0000-0x0000000007140000-memory.dmp

Filesize
320KB

Download
memory/2564-1132-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1122-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/2564-1121-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/2564-207-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-208-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-1120-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1119-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/2564-1118-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/2564-1117-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/2564-456-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-1123-0x0000000006620000-0x00000000066B2000-memory.dmp

Filesize
584KB

Download
memory/2564-453-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2564-452-0x0000000002390000-0x00000000023DB000-memory.dmp

Filesize
300KB

Download
memory/2564-240-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-238-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-234-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-232-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-230-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-228-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-226-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-224-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-222-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-220-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-218-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-216-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-214-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-212-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2564-210-0x0000000002980000-0x00000000029BE000-memory.dmp

Filesize
248KB

Download
memory/2644-161-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/3440-1139-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3440-1138-0x0000000000510000-0x0000000000542000-memory.dmp

Filesize
200KB

Download