amadey | 9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe
Size

1021KB
MD5

f1036434272af8ada6964d71cb760cdf
SHA1

aad3841690f7ee02b23ce9da3c07fb3b58dbd5ce
SHA256

9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5
SHA512

c38608fb9e5eb25e6315a6c0c964d2ca93ac6b4b9bee9a36974e532738cb8ab702dfe46e9f44f3ac693add6dcf3150b028fe72def3f39b97dd43375844920979
SSDEEP

24576:6yKt3VRLhfBsQMv39ajEnQwiSs/Z/+/f8RoT3Vw/X2:B8T/TwowQwil+/0IV4X

Score

10^/10

amadey redline down lown discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

193.233.20.31:4125

Attributes

auth_value
4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz4549.exev3288zu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3288zu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3288zu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3288zu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4549.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3288zu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3288zu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3288zu.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3184-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-211-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-208-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-217-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-213-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-218-0x0000000004DB0000-0x0000000004DC0000-memory.dmp	family_redline
behavioral1/memory/3184-220-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-222-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-226-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-228-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-230-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-232-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-234-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-236-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-238-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-240-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-242-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3184-244-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y74bQ33.exelegenda.exerc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y74bQ33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rc.exe

Executes dropped EXE 12 IoCs

Processes:

zap1725.exezap1365.exezap1875.exetz4549.exev3288zu.exew46Re30.exexGHSv42.exey74bQ33.exelegenda.exerc.exelegenda.exelegenda.exe

pid	process
1784	zap1725.exe
2532	zap1365.exe
1284	zap1875.exe
5056	tz4549.exe
2256	v3288zu.exe
3184	w46Re30.exe
4940	xGHSv42.exe
2376	y74bQ33.exe
3616	legenda.exe
1280	rc.exe
180	legenda.exe
656	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4832 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4832	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4549.exev3288zu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4549.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3288zu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3288zu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exezap1875.exe9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exezap1725.exezap1365.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1875.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1725.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1365.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1365.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

224 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3988 schtasks.exe

pid	process
224	sc.exe

pid	process
3988	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1340 taskkill.exe

pid	process
1340	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240758361752637"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4948 PING.EXE

pid	process
4948	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz4549.exev3288zu.exew46Re30.exexGHSv42.exechrome.exe

pid	process
5056	tz4549.exe
5056	tz4549.exe
2256	v3288zu.exe
2256	v3288zu.exe
3184	w46Re30.exe
3184	w46Re30.exe
4940	xGHSv42.exe
4940	xGHSv42.exe
3228	chrome.exe
3228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3228 chrome.exe
3228 chrome.exe
3228 chrome.exe
3228 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz4549.exev3288zu.exew46Re30.exexGHSv42.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5056	tz4549.exe
Token: SeDebugPrivilege	2256	v3288zu.exe
Token: SeDebugPrivilege	3184	w46Re30.exe
Token: SeDebugPrivilege	4940	xGHSv42.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe
Token: SeCreatePagefilePrivilege	3228	chrome.exe
Token: SeShutdownPrivilege	3228	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exezap1725.exezap1365.exezap1875.exey74bQ33.exelegenda.execmd.exerc.execmd.exechrome.exe

description	pid	process	target process
PID 1268 wrote to memory of 1784	1268	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe	zap1725.exe
PID 1268 wrote to memory of 1784	1268	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe	zap1725.exe
PID 1268 wrote to memory of 1784	1268	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe	zap1725.exe
PID 1784 wrote to memory of 2532	1784	zap1725.exe	zap1365.exe
PID 1784 wrote to memory of 2532	1784	zap1725.exe	zap1365.exe
PID 1784 wrote to memory of 2532	1784	zap1725.exe	zap1365.exe
PID 2532 wrote to memory of 1284	2532	zap1365.exe	zap1875.exe
PID 2532 wrote to memory of 1284	2532	zap1365.exe	zap1875.exe
PID 2532 wrote to memory of 1284	2532	zap1365.exe	zap1875.exe
PID 1284 wrote to memory of 5056	1284	zap1875.exe	tz4549.exe
PID 1284 wrote to memory of 5056	1284	zap1875.exe	tz4549.exe
PID 1284 wrote to memory of 2256	1284	zap1875.exe	v3288zu.exe
PID 1284 wrote to memory of 2256	1284	zap1875.exe	v3288zu.exe
PID 1284 wrote to memory of 2256	1284	zap1875.exe	v3288zu.exe
PID 2532 wrote to memory of 3184	2532	zap1365.exe	w46Re30.exe
PID 2532 wrote to memory of 3184	2532	zap1365.exe	w46Re30.exe
PID 2532 wrote to memory of 3184	2532	zap1365.exe	w46Re30.exe
PID 1784 wrote to memory of 4940	1784	zap1725.exe	xGHSv42.exe
PID 1784 wrote to memory of 4940	1784	zap1725.exe	xGHSv42.exe
PID 1784 wrote to memory of 4940	1784	zap1725.exe	xGHSv42.exe
PID 1268 wrote to memory of 2376	1268	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe	y74bQ33.exe
PID 1268 wrote to memory of 2376	1268	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe	y74bQ33.exe
PID 1268 wrote to memory of 2376	1268	9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe	y74bQ33.exe
PID 2376 wrote to memory of 3616	2376	y74bQ33.exe	legenda.exe
PID 2376 wrote to memory of 3616	2376	y74bQ33.exe	legenda.exe
PID 2376 wrote to memory of 3616	2376	y74bQ33.exe	legenda.exe
PID 3616 wrote to memory of 3988	3616	legenda.exe	schtasks.exe
PID 3616 wrote to memory of 3988	3616	legenda.exe	schtasks.exe
PID 3616 wrote to memory of 3988	3616	legenda.exe	schtasks.exe
PID 3616 wrote to memory of 4604	3616	legenda.exe	cmd.exe
PID 3616 wrote to memory of 4604	3616	legenda.exe	cmd.exe
PID 3616 wrote to memory of 4604	3616	legenda.exe	cmd.exe
PID 4604 wrote to memory of 5116	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 5116	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 5116	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 4932	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4932	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4932	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 2384	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 2384	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 2384	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 748	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 748	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 748	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 432	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 432	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 432	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4008	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4008	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4008	4604	cmd.exe	cacls.exe
PID 3616 wrote to memory of 1280	3616	legenda.exe	rc.exe
PID 3616 wrote to memory of 1280	3616	legenda.exe	rc.exe
PID 3616 wrote to memory of 1280	3616	legenda.exe	rc.exe
PID 1280 wrote to memory of 1300	1280	rc.exe	cmd.exe
PID 1280 wrote to memory of 1300	1280	rc.exe	cmd.exe
PID 1280 wrote to memory of 1300	1280	rc.exe	cmd.exe
PID 1300 wrote to memory of 1340	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1340	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1340	1300	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 3228	1280	rc.exe	chrome.exe
PID 1280 wrote to memory of 3228	1280	rc.exe	chrome.exe
PID 3228 wrote to memory of 2692	3228	chrome.exe	chrome.exe
PID 3228 wrote to memory of 2692	3228	chrome.exe	chrome.exe
PID 1280 wrote to memory of 1460	1280	rc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe
"C:\Users\Admin\AppData\Local\Temp\9624eea72919dcdac14896f71d8004a138e02820999b3a8cc2724bcd997123d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1725.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1725.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1365.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1365.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1875.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1875.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4549.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4549.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3288zu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3288zu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Re30.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Re30.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGHSv42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGHSv42.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y74bQ33.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y74bQ33.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5116

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4932

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:748

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff81ce69758,0x7ff81ce69768,0x7ff81ce69778
6⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:2
6⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:1
6⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3300 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:1
6⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3996 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:1
6⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4736 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:1
6⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1892,i,2339147569127936874,2704588448993037271,131072 /prefetch:8
6⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:1460

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:4948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:180

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:224

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
Filesize
2KB

MD5
57742051b9b5e637bfb8b9034f428121

SHA1
60c2d8a0138411384b20dd2fbd353feb22520837

SHA256
055438aca1755e730ea1d71136a3e978a4c90748a4a68ff4858ca99050b94e07

SHA512
5ccfa7fd385ffe24fbe2908c94788c42646a3a190fd03c78c524d884dba5f7e31faf9c47214b2f08bf91bf35aa53abf0ab0d38ec726279fcb21528a364967577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c25ae5f09ab8aa02d29129ec55920841

SHA1
d528643b240422d63815130370ce93ac09d9c70a

SHA256
21f24693d7da27ecb516ed427d1298c43e0f8e4acbf0a066275445aa7efd888c

SHA512
9c5fd132e65b2d69f8af2958315d726e74d7d6bf11b2af2cdbff2fbd48e0a309d4a33e38a7474563d56729d675b066cec34ce4c5baf11afe0ac28d9fdcab7bec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
6e3c5da0fcfcbc228caa6a0bfca3f73f

SHA1
da3da012438a405299ee88625a6c1a191e9b14d1

SHA256
afd3cd2e4a4cc1ebf519ceec39605ffd8332cbb3ead4f642889774dec0a781ba

SHA512
73e12215861af388df66934a8bee56acc4713943b2e38f5c6a695221ef6b1f4afa6cda2ee489385f7d6570a987683250af3fd00c5ba8499b13076f9a7aaefeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
34cf114d5355ded6bc165ea3f46be240

SHA1
9f81ed05118d02daf623dbaf81ac4ec439241217

SHA256
9d8cdeaeedde52b551eed4abaf6b67bb0a3577897e9f6e9acbd65196a048386f

SHA512
fa85790c181e31217b45065dfbb0c024d5f83336b2984eff50b78c6ef082b8421e5d7fe4f505c35bf2c03a89ba68feb91fd79df4246637a9f564555899de3af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d4bfbfe5289513f642a058dda0ddba29

SHA1
52bca4debf3bed1d6aa2abb6316217b11e940796

SHA256
2bca38fe1586680e837b8c94a82b6fc42673ac36a67200bb3b030334a07927b1

SHA512
4cb8c6831ce1873542ec251a6bd811422a6eb5316fa66e7ab11d020eb007c20bb283210480a91a2270d857baf10a693a17721d804e50a386ecfaac6a30c3aa22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
bf16e778bab82b2f61014125ee2cc533

SHA1
57477084022ad9dccf92347e7fe2f5bc6b296775

SHA256
1b89deb09dae4ea7d17d34068a94e48489701ccd7d098a23c0fbf4ff22cc7761

SHA512
cd1b7174032e3768ebda2a3ddf070ca7a81f5daa76471b925f3c2c796f4e2cc391f32868c55f8674d772d13314dddd6b009c7067c83bdc335c0d108f1dfafcf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
2ae4a581d7b1b1177675ea2f9ed88d2e

SHA1
cbbe5a2a57aeba1b81b5d79d03097ccbd9422b34

SHA256
9187ba53194fdef0aeb43068966350db3199c25a43a43feb4f3c1e256d6631f0

SHA512
79b4d9a8018ed9861173caa386f0ff5a1ee1bc3d50a5e95ef76227f9e69c33d3ed2ec6ffa2e93fa0217f55f9ba38f8642fef19ce68e9e1992102084171187fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y74bQ33.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y74bQ33.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1725.exe
Filesize
836KB

MD5
6c85c3508ecf4acb157941294829fac0

SHA1
b393bf58b0d452ac0c97322bdb3bf1d102b59da2

SHA256
c858d7162aa32ba4ad674b975bfc5e242c323591fdc38386db3a2e4ae9da0c33

SHA512
34f131423352110291f4d686f335fe96385f44f52cefcb41f942bfc669fbd17f8d94570ff3cfcc9c7074755c86b67f8f80857c26bc6f2605bde772e01542d400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1725.exe
Filesize
836KB

MD5
6c85c3508ecf4acb157941294829fac0

SHA1
b393bf58b0d452ac0c97322bdb3bf1d102b59da2

SHA256
c858d7162aa32ba4ad674b975bfc5e242c323591fdc38386db3a2e4ae9da0c33

SHA512
34f131423352110291f4d686f335fe96385f44f52cefcb41f942bfc669fbd17f8d94570ff3cfcc9c7074755c86b67f8f80857c26bc6f2605bde772e01542d400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGHSv42.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xGHSv42.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1365.exe
Filesize
694KB

MD5
2d5b7a3e290460ddd5b80d3b7f347345

SHA1
e737eaee23ad7c4fbd57f9deab4566f113c0f47c

SHA256
4fef3c3c5580e7dce4e68aa69c32779a25d1e3f7007e60333595d13e5106dc05

SHA512
9902d3b3b1ac00f9c02dc28bf56aa7e09c1b98e2475d31ab846ddef0fa97f22a10cd3dfa5cdea1182412b0599af329f33c7f80b55f02d25d1ab31cbaa1df5fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1365.exe
Filesize
694KB

MD5
2d5b7a3e290460ddd5b80d3b7f347345

SHA1
e737eaee23ad7c4fbd57f9deab4566f113c0f47c

SHA256
4fef3c3c5580e7dce4e68aa69c32779a25d1e3f7007e60333595d13e5106dc05

SHA512
9902d3b3b1ac00f9c02dc28bf56aa7e09c1b98e2475d31ab846ddef0fa97f22a10cd3dfa5cdea1182412b0599af329f33c7f80b55f02d25d1ab31cbaa1df5fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Re30.exe
Filesize
349KB

MD5
2b4faef5efa061a3fca2fd17c3b2d36b

SHA1
0a7a61407ebd7499daf3b66db2c704076aec3726

SHA256
e5aeea6fac2bcb8c5204d805e2af5120a1f7f35d3c571bc20b38acf2ea7753ed

SHA512
d4b6c7b2c2f0bc0858636cee9424f43468357667c80f83a37d228aa889af9c47b796e6573ffa3aeb37739c999112548af548eeb042ca94f27c8f3f3cffa86a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w46Re30.exe
Filesize
349KB

MD5
2b4faef5efa061a3fca2fd17c3b2d36b

SHA1
0a7a61407ebd7499daf3b66db2c704076aec3726

SHA256
e5aeea6fac2bcb8c5204d805e2af5120a1f7f35d3c571bc20b38acf2ea7753ed

SHA512
d4b6c7b2c2f0bc0858636cee9424f43468357667c80f83a37d228aa889af9c47b796e6573ffa3aeb37739c999112548af548eeb042ca94f27c8f3f3cffa86a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1875.exe
Filesize
344KB

MD5
1642284eef9c223156ca5796388d3efb

SHA1
5fa9f8751b58bf2460daea6c2afa6477b9a0bbe7

SHA256
21baa64872bce6f7123c16a2c5719e0fd3cd21f7f117e0fa8d14057c8a65732b

SHA512
b062d7c89821531bf3961e84623665394b4c7a5307ea0fcdb682e19f1c5283f7adc3ca3c27c2d47ed12050a1c251f13f29517f0a8a5b85fcdcd5cdc6222af6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1875.exe
Filesize
344KB

MD5
1642284eef9c223156ca5796388d3efb

SHA1
5fa9f8751b58bf2460daea6c2afa6477b9a0bbe7

SHA256
21baa64872bce6f7123c16a2c5719e0fd3cd21f7f117e0fa8d14057c8a65732b

SHA512
b062d7c89821531bf3961e84623665394b4c7a5307ea0fcdb682e19f1c5283f7adc3ca3c27c2d47ed12050a1c251f13f29517f0a8a5b85fcdcd5cdc6222af6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4549.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4549.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3288zu.exe
Filesize
291KB

MD5
b435cc50c6190f5bc692be9ad4763968

SHA1
407fa70aa181fda93483b172439d148945f11129

SHA256
b44e58e5bfb34a19fccaf49a2f996ea374881f091c684524b867ee85fb1b703d

SHA512
dfbcec834484629557dfb8e493768ee7ce43be77ded603b25bda7fa704b0e226623715e90e1e372e9497d3511e99a4b99f0480d239517a657df41ad5ef8767df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3288zu.exe
Filesize
291KB

MD5
b435cc50c6190f5bc692be9ad4763968

SHA1
407fa70aa181fda93483b172439d148945f11129

SHA256
b44e58e5bfb34a19fccaf49a2f996ea374881f091c684524b867ee85fb1b703d

SHA512
dfbcec834484629557dfb8e493768ee7ce43be77ded603b25bda7fa704b0e226623715e90e1e372e9497d3511e99a4b99f0480d239517a657df41ad5ef8767df

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\background.js
Filesize
2KB

MD5
6200ca0889334cfb6aec68e0d16ec1ae

SHA1
484b2db1bccfcd5a683faf4d4fe9bc4a26b669fd

SHA256
a7929366648541bdbc0770e2e46c396c1febabab88fb6f9399706f7faceef18a

SHA512
84f906a51c9c3e04acff4dd8e3a3e54994d435dcc1ea925b61bed6ed6ca82719d070332126ec901d906d475835532a03c2516e5c524940c1144ea2a8fc17a567

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\main.js
Filesize
174B

MD5
101da414c759e49091ed4c7c393e4b88

SHA1
ca66105564379ea52890b55364f61d6d967facce

SHA256
a36f1ac32942455f7f16f3ac4ce90b91c504a82c22f9d529e0ba7bf64a24b757

SHA512
504b7b35a83b135aec79322cf9e8b296f42552040ec6d630e008fff395e5120af88e8b2118641b58fb3de7d6ac7466f621f604d2824c2d688a4aefb444ce7f44

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\manifest.json
Filesize
614B

MD5
0688a45c7472ba90c4acbd8a4fbc928a

SHA1
0f6f86ebac77f35cf2b8f3bb2595597bc786de6b

SHA256
52e7a136a4f39bb826f30f5c89c6fa28ca9945acefc775068a39d21328e47275

SHA512
d8c32b1fe52060ffa020ab640dd78afda51ab1ea86a467ffbc308bf1c540f93485c73a71a1226b48835b2eb9e073d508c93ba94a3d571ba84af5d2a1784b951d

Download Submit
\??\pipe\crashpad_3228_SFBBINSGGJRJWWXD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2256-191-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-203-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2256-167-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/2256-168-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/2256-169-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2256-170-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-171-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-173-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-175-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-177-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-179-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-181-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-183-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-185-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-187-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-189-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-193-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-195-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-197-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2256-198-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2256-199-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2256-200-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2256-201-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/3184-244-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-232-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-1126-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3184-1127-0x00000000079C0000-0x0000000007B82000-memory.dmp

Filesize
1.8MB

Download
memory/3184-1128-0x0000000007B90000-0x00000000080BC000-memory.dmp

Filesize
5.2MB

Download
memory/3184-1129-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3184-1130-0x0000000008270000-0x00000000082E6000-memory.dmp

Filesize
472KB

Download
memory/3184-1131-0x0000000008300000-0x0000000008350000-memory.dmp

Filesize
320KB

Download
memory/3184-216-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3184-214-0x0000000002390000-0x00000000023DB000-memory.dmp

Filesize
300KB

Download
memory/3184-213-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-218-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3184-208-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-211-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-1123-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3184-1122-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/3184-1121-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3184-1120-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3184-1119-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3184-1118-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3184-1117-0x0000000005470000-0x0000000005A88000-memory.dmp

Filesize
6.1MB

Download
memory/3184-217-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-242-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-240-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-238-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-236-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-234-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-1125-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3184-230-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-228-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-226-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-222-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3184-220-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4940-1138-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4940-1137-0x0000000000DA0000-0x0000000000DD2000-memory.dmp

Filesize
200KB

Download
memory/5056-161-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download