amadey | 561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841

Analysis

max time kernel
154s
max time network
140s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-03-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe
Size

1020KB
MD5

1130ac29baa9062eaafef8fb00945744
SHA1

886a27a00f21b1d3c505eefcaea89b48658ba527
SHA256

561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841
SHA512

bb50506f44c51f154e27d4266572fe157f4db2d6e9525959bce3c3afcb184df5509a8fb4af6c2a9022717bab1394e1504a12e4e16f2bdd65bef70feec218a808
SSDEEP

24576:uy9sO9ED+GHq4/e9InMOuqTI/b8lx1ebMd+d:99sO9EBHqweGMuTI/o/1eQd

Score

10^/10

amadey redline down lown discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

193.233.20.31:4125

Attributes

auth_value
4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v4430XJ.exetz1718.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4430XJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4430XJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4430XJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4430XJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4430XJ.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4528-198-0x00000000027C0000-0x0000000002806000-memory.dmp	family_redline
behavioral1/memory/4528-199-0x0000000004CC0000-0x0000000004D04000-memory.dmp	family_redline
behavioral1/memory/4528-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-207-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-209-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-211-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-213-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-215-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-217-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-219-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-221-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-223-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-225-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-227-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-229-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-231-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-233-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-235-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4528-237-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

zap2639.exezap7680.exezap7154.exetz1718.exev4430XJ.exew22MY30.exexldVR90.exey94Su56.exelegenda.exerc.exelegenda.exelegenda.exe

pid	process
2772	zap2639.exe
2148	zap7680.exe
4704	zap7154.exe
4880	tz1718.exe
4964	v4430XJ.exe
4528	w22MY30.exe
3712	xldVR90.exe
704	y94Su56.exe
3596	legenda.exe
400	rc.exe
4316	legenda.exe
5088	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5020 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5020	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1718.exev4430XJ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1718.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4430XJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4430XJ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exezap7680.exezap7154.exechrome.exezap2639.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7680.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7154.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7154.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4304 schtasks.exe

pid	process
4304	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1660 taskkill.exe

pid	process
1660	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240769396241201"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2300 PING.EXE

pid	process
2300	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz1718.exev4430XJ.exew22MY30.exexldVR90.exechrome.exe

pid	process
4880	tz1718.exe
4880	tz1718.exe
4964	v4430XJ.exe
4964	v4430XJ.exe
4528	w22MY30.exe
4528	w22MY30.exe
3712	xldVR90.exe
3712	xldVR90.exe
1028	chrome.exe
1028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1028 chrome.exe
1028 chrome.exe
1028 chrome.exe
1028 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz1718.exev4430XJ.exew22MY30.exexldVR90.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4880	tz1718.exe
Token: SeDebugPrivilege	4964	v4430XJ.exe
Token: SeDebugPrivilege	4528	w22MY30.exe
Token: SeDebugPrivilege	3712	xldVR90.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exezap2639.exezap7680.exezap7154.exey94Su56.exelegenda.execmd.exerc.execmd.exechrome.exe

description	pid	process	target process
PID 4604 wrote to memory of 2772	4604	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe	zap2639.exe
PID 4604 wrote to memory of 2772	4604	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe	zap2639.exe
PID 4604 wrote to memory of 2772	4604	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe	zap2639.exe
PID 2772 wrote to memory of 2148	2772	zap2639.exe	zap7680.exe
PID 2772 wrote to memory of 2148	2772	zap2639.exe	zap7680.exe
PID 2772 wrote to memory of 2148	2772	zap2639.exe	zap7680.exe
PID 2148 wrote to memory of 4704	2148	zap7680.exe	zap7154.exe
PID 2148 wrote to memory of 4704	2148	zap7680.exe	zap7154.exe
PID 2148 wrote to memory of 4704	2148	zap7680.exe	zap7154.exe
PID 4704 wrote to memory of 4880	4704	zap7154.exe	tz1718.exe
PID 4704 wrote to memory of 4880	4704	zap7154.exe	tz1718.exe
PID 4704 wrote to memory of 4964	4704	zap7154.exe	v4430XJ.exe
PID 4704 wrote to memory of 4964	4704	zap7154.exe	v4430XJ.exe
PID 4704 wrote to memory of 4964	4704	zap7154.exe	v4430XJ.exe
PID 2148 wrote to memory of 4528	2148	zap7680.exe	w22MY30.exe
PID 2148 wrote to memory of 4528	2148	zap7680.exe	w22MY30.exe
PID 2148 wrote to memory of 4528	2148	zap7680.exe	w22MY30.exe
PID 2772 wrote to memory of 3712	2772	zap2639.exe	xldVR90.exe
PID 2772 wrote to memory of 3712	2772	zap2639.exe	xldVR90.exe
PID 2772 wrote to memory of 3712	2772	zap2639.exe	xldVR90.exe
PID 4604 wrote to memory of 704	4604	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe	y94Su56.exe
PID 4604 wrote to memory of 704	4604	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe	y94Su56.exe
PID 4604 wrote to memory of 704	4604	561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe	y94Su56.exe
PID 704 wrote to memory of 3596	704	y94Su56.exe	legenda.exe
PID 704 wrote to memory of 3596	704	y94Su56.exe	legenda.exe
PID 704 wrote to memory of 3596	704	y94Su56.exe	legenda.exe
PID 3596 wrote to memory of 4304	3596	legenda.exe	schtasks.exe
PID 3596 wrote to memory of 4304	3596	legenda.exe	schtasks.exe
PID 3596 wrote to memory of 4304	3596	legenda.exe	schtasks.exe
PID 3596 wrote to memory of 3584	3596	legenda.exe	cmd.exe
PID 3596 wrote to memory of 3584	3596	legenda.exe	cmd.exe
PID 3596 wrote to memory of 3584	3596	legenda.exe	cmd.exe
PID 3584 wrote to memory of 3972	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 3972	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 3972	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 5076	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5076	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5076	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5060	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5060	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5060	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5092	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 5092	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 5092	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 5100	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5100	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 5100	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 4996	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 4996	3584	cmd.exe	cacls.exe
PID 3584 wrote to memory of 4996	3584	cmd.exe	cacls.exe
PID 3596 wrote to memory of 400	3596	legenda.exe	rc.exe
PID 3596 wrote to memory of 400	3596	legenda.exe	rc.exe
PID 3596 wrote to memory of 400	3596	legenda.exe	rc.exe
PID 400 wrote to memory of 788	400	rc.exe	cmd.exe
PID 400 wrote to memory of 788	400	rc.exe	cmd.exe
PID 400 wrote to memory of 788	400	rc.exe	cmd.exe
PID 788 wrote to memory of 1660	788	cmd.exe	taskkill.exe
PID 788 wrote to memory of 1660	788	cmd.exe	taskkill.exe
PID 788 wrote to memory of 1660	788	cmd.exe	taskkill.exe
PID 400 wrote to memory of 1028	400	rc.exe	chrome.exe
PID 400 wrote to memory of 1028	400	rc.exe	chrome.exe
PID 1028 wrote to memory of 700	1028	chrome.exe	chrome.exe
PID 1028 wrote to memory of 700	1028	chrome.exe	chrome.exe
PID 400 wrote to memory of 1040	400	rc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe
"C:\Users\Admin\AppData\Local\Temp\561069b08f94fc513487594a808d323bd884829b52a343cf3a2d963699a50841.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2639.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2639.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7680.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7680.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7154.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7154.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1718.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1718.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4430XJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4430XJ.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22MY30.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22MY30.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xldVR90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xldVR90.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y94Su56.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y94Su56.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3972

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:5076

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5092

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5100

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7fffb7b09758,0x7fffb7b09768,0x7fffb7b09778
6⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:2
6⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:1
6⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:1
6⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3768 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:1
6⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3816 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:1
6⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1784,i,7359652136384446547,4875517555669481151,131072 /prefetch:8
6⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:1040

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:2300

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:5020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ae7bb94d5ffb898e41e277595623910a

SHA1
4aa1c386b06c7b8f0fd756a4c1e9ecd35c59f2bb

SHA256
20c1e830d6841244120c2ddd1c6520bdca4208ed5abc540b452a5800100f3908

SHA512
a630959b9cf966f9493fed56bdcd33bf5a7a23deca2694ca635689619a738565b13c5a0d3360bde15c359df5fbc45263fa4a0a0c8e198a5d04c3056474f05b38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
7654ff8782ac3ebe9fc55c5717b947b0

SHA1
fe44a18f85d883bb7f985356c8fc829bdcf835c1

SHA256
0b34048c32fe978707a94fe5a25c0604a5f5cc3b267e346494b641691bfdc7a2

SHA512
8e9718a9319d919f960d22068be32cca728e3058ed4a30448870f3848483c78a91003acb858bf7f7329138a00502503fd21091a42935f0c011ecc925070e82f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
fdc49d041f03237ddc19e9f41a333fcd

SHA1
e1bd1f2f2729b92b1168673b533970234a84e8bc

SHA256
360e864ac424a73f086befd5cdc866b920c55de44126ed562f4cad45eca39b6b

SHA512
e6227ce2f08e669a97028a0bb5ded01d7d1d4a19b0b40f6bc67d9feb9b91ee17b8c0239b3c7096f01be79ce37b761403fe0aa5dd2f1fdbd31771d26111fe19ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
675d937e2d16ee71ff9a91856a1cdb13

SHA1
f27d758ae4dc1c74b483432be33e84a5076ad278

SHA256
8df25ff65116fdab14d4f80c395d27d90c93e3663a9656b29abd02dd404c21e3

SHA512
e35688f275f486ab51834c4d710b6335a33cd4c7818c5ff3576ccac71d29158c81ce3e003bc854bd958fd492f49ec261e1832ea3108803769a5c1b03bcecfb88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
acd1f7078181aa48c81f397a6bf695e2

SHA1
91982495effdbfb0ba08bf728b1fbe309bddfd7f

SHA256
07ba2a3675b577001e73000d69c7fdf0ac38fa6250ca0587b4f7e8319901f8d1

SHA512
00b537e1232827edbea04dc0f9079765c9f02c849a5677e3e5a6b38005431b7c51237bfa377c6b41b3e830ec487a5ee8b03bfd25902faa6642e5f48c600c937e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
7d867c822787fb69238d044934e8ca43

SHA1
5bf166c2805fdf7aa9dd8dfe7535849d1a6d642c

SHA256
0b9b76a21f6fe7b8f89ce611b2719717ec77f7f82ed1172c4c285e0cbd73e80f

SHA512
017176e2ada92bcb23a0a5a453e994da58e56e6230ff36f7d56c3e9f051b01d5e42dccb9f6770c66683754925a69b147d029da40f20bb3000c5b49cd9351d01b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
90a19d2ad9b9bca8ea1be1d5b5335439

SHA1
ae08e9a93374eeacecad055ced266d85bca1f90b

SHA256
395d0c1a0b8acd63dacbd298a28a3d1bf6fa2bb9a22e352c46c26f75eeac48ca

SHA512
066227e6ce97b9ccff8d7e0e09404f59f639af3bc56deb2c6ff36c22374dd12c01550ca8de6b9aa5a65727bcb9562e6a88d9e55e74f37cb3f9aa9c58407d7741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y94Su56.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y94Su56.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2639.exe
Filesize
836KB

MD5
e0f6920c17ad243ea666079aae078304

SHA1
d3f288373b9c66408fed45ca337ec39c55c54d03

SHA256
60284191bcecca4ebba5f430092487b9c1e9c342c600ed0d2f2c96b3c99e2f7f

SHA512
4af7aa47ef3dcc75b7f020ad3206e0ffc59434eecfcbe252662ecfda93f4143f4f9bed59fa1ae9e20a62a90b5a53257c3fc98bccb6dbdd80b1091a4864e94def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2639.exe
Filesize
836KB

MD5
e0f6920c17ad243ea666079aae078304

SHA1
d3f288373b9c66408fed45ca337ec39c55c54d03

SHA256
60284191bcecca4ebba5f430092487b9c1e9c342c600ed0d2f2c96b3c99e2f7f

SHA512
4af7aa47ef3dcc75b7f020ad3206e0ffc59434eecfcbe252662ecfda93f4143f4f9bed59fa1ae9e20a62a90b5a53257c3fc98bccb6dbdd80b1091a4864e94def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xldVR90.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xldVR90.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7680.exe
Filesize
694KB

MD5
5fb05a54603ebf2e1bd1681d62e3d468

SHA1
89a91e40d526e109bb4e942e66f103838143a9b5

SHA256
660fadb6de4d5a2a2aaa80c52023595c5bdd1aeb3e93b1ea82445e2fa150bd5d

SHA512
4018f73046e8c41a5677f062ae1d792cb6301b09ae100d24bfff09245e7169fe62097553fc3758518c8975b661633099d2776b77d865715ddef5f23815e40049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7680.exe
Filesize
694KB

MD5
5fb05a54603ebf2e1bd1681d62e3d468

SHA1
89a91e40d526e109bb4e942e66f103838143a9b5

SHA256
660fadb6de4d5a2a2aaa80c52023595c5bdd1aeb3e93b1ea82445e2fa150bd5d

SHA512
4018f73046e8c41a5677f062ae1d792cb6301b09ae100d24bfff09245e7169fe62097553fc3758518c8975b661633099d2776b77d865715ddef5f23815e40049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22MY30.exe
Filesize
349KB

MD5
60b3b3b5082339901e4c708e3b239fa2

SHA1
1115e685a27ced460e9a17652ac07c9a78ecc3fb

SHA256
5f0f0c76499d87aaee179bedbc97859fd21f1eb11ec9af9553c34b3ba1477040

SHA512
34aad1fbdf1ae4692c67dfae319827d53c858b881acabfe249d347f2f6707e25414fcde5b2b6dc7ad88b0869d20e60fec3645936c704ee4e4da969dc615ffadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w22MY30.exe
Filesize
349KB

MD5
60b3b3b5082339901e4c708e3b239fa2

SHA1
1115e685a27ced460e9a17652ac07c9a78ecc3fb

SHA256
5f0f0c76499d87aaee179bedbc97859fd21f1eb11ec9af9553c34b3ba1477040

SHA512
34aad1fbdf1ae4692c67dfae319827d53c858b881acabfe249d347f2f6707e25414fcde5b2b6dc7ad88b0869d20e60fec3645936c704ee4e4da969dc615ffadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7154.exe
Filesize
344KB

MD5
ff45f99dab23ef49e8bb10c8dcb15b4a

SHA1
ac550b7fc6a89df1780ebe9c05913eb0f431c76b

SHA256
d32fb8eb8562320e61b4c5bdf535860b1656aeb68404773e017eeb87dae78f34

SHA512
6bdb3747f05bbc9048f38551315810f25f400ffbed663c8bed892d1743481352f5e53630950941a28f8bcfa95e4f5d7633c7ac82f3106370609bbde44e99e0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7154.exe
Filesize
344KB

MD5
ff45f99dab23ef49e8bb10c8dcb15b4a

SHA1
ac550b7fc6a89df1780ebe9c05913eb0f431c76b

SHA256
d32fb8eb8562320e61b4c5bdf535860b1656aeb68404773e017eeb87dae78f34

SHA512
6bdb3747f05bbc9048f38551315810f25f400ffbed663c8bed892d1743481352f5e53630950941a28f8bcfa95e4f5d7633c7ac82f3106370609bbde44e99e0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1718.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1718.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4430XJ.exe
Filesize
291KB

MD5
9ee7175f5df35570fac0035fd7903862

SHA1
8cce85621a7f3cba89a1f6d86fa7fd4be9bb3442

SHA256
4d3599469779ada22e096256c91d14a1bc43dd217359a262614dc7c5753a2e5f

SHA512
621f01cebf6085ef16eef75b927bc558ae72aae20be5c0cc080b9af14a949a20b505f569e037528eeade6e2e69d8f94a3ecbf87df1735c349a762c6ba01e4505

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4430XJ.exe
Filesize
291KB

MD5
9ee7175f5df35570fac0035fd7903862

SHA1
8cce85621a7f3cba89a1f6d86fa7fd4be9bb3442

SHA256
4d3599469779ada22e096256c91d14a1bc43dd217359a262614dc7c5753a2e5f

SHA512
621f01cebf6085ef16eef75b927bc558ae72aae20be5c0cc080b9af14a949a20b505f569e037528eeade6e2e69d8f94a3ecbf87df1735c349a762c6ba01e4505

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\background.js
Filesize
2KB

MD5
6200ca0889334cfb6aec68e0d16ec1ae

SHA1
484b2db1bccfcd5a683faf4d4fe9bc4a26b669fd

SHA256
a7929366648541bdbc0770e2e46c396c1febabab88fb6f9399706f7faceef18a

SHA512
84f906a51c9c3e04acff4dd8e3a3e54994d435dcc1ea925b61bed6ed6ca82719d070332126ec901d906d475835532a03c2516e5c524940c1144ea2a8fc17a567

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\main.js
Filesize
174B

MD5
101da414c759e49091ed4c7c393e4b88

SHA1
ca66105564379ea52890b55364f61d6d967facce

SHA256
a36f1ac32942455f7f16f3ac4ce90b91c504a82c22f9d529e0ba7bf64a24b757

SHA512
504b7b35a83b135aec79322cf9e8b296f42552040ec6d630e008fff395e5120af88e8b2118641b58fb3de7d6ac7466f621f604d2824c2d688a4aefb444ce7f44

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\manifest.json
Filesize
614B

MD5
0688a45c7472ba90c4acbd8a4fbc928a

SHA1
0f6f86ebac77f35cf2b8f3bb2595597bc786de6b

SHA256
52e7a136a4f39bb826f30f5c89c6fa28ca9945acefc775068a39d21328e47275

SHA512
d8c32b1fe52060ffa020ab640dd78afda51ab1ea86a467ffbc308bf1c540f93485c73a71a1226b48835b2eb9e073d508c93ba94a3d571ba84af5d2a1784b951d

Download Submit
\??\pipe\crashpad_1028_LAMOVSCVDECXSGED
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/3712-1133-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3712-1132-0x0000000005080000-0x00000000050CB000-memory.dmp

Filesize
300KB

Download
memory/3712-1131-0x0000000000780000-0x00000000007B2000-memory.dmp

Filesize
200KB

Download
memory/4528-219-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-1123-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-203-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-207-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-206-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-209-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-211-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-213-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-215-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-217-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-221-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-223-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-225-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-227-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-229-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-231-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-233-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-235-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-237-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4528-1110-0x0000000005290000-0x0000000005896000-memory.dmp

Filesize
6.0MB

Download
memory/4528-1111-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/4528-1112-0x0000000005A00000-0x0000000005A12000-memory.dmp

Filesize
72KB

Download
memory/4528-1113-0x0000000005A20000-0x0000000005A5E000-memory.dmp

Filesize
248KB

Download
memory/4528-1114-0x0000000005B70000-0x0000000005BBB000-memory.dmp

Filesize
300KB

Download
memory/4528-1115-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/4528-1116-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/4528-1118-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-1119-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-1120-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-1121-0x00000000065B0000-0x0000000006772000-memory.dmp

Filesize
1.8MB

Download
memory/4528-1122-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4528-204-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4528-1124-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/4528-1125-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download
memory/4528-201-0x0000000000860000-0x00000000008AB000-memory.dmp

Filesize
300KB

Download
memory/4528-199-0x0000000004CC0000-0x0000000004D04000-memory.dmp

Filesize
272KB

Download
memory/4528-198-0x00000000027C0000-0x0000000002806000-memory.dmp

Filesize
280KB

Download
memory/4880-147-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/4964-169-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-191-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4964-171-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-188-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4964-187-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-185-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-183-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-181-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-179-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-177-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-175-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-173-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-189-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4964-190-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4964-156-0x00000000026D0000-0x00000000026E8000-memory.dmp

Filesize
96KB

Download
memory/4964-165-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-163-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-161-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-160-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-158-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4964-159-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4964-167-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4964-157-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4964-155-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4964-154-0x0000000004D70000-0x000000000526E000-memory.dmp

Filesize
5.0MB

Download
memory/4964-153-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/4964-193-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download