amadey | 14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-03-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe
Size

1017KB
MD5

eddafdda32d7b5939bf8be8ab30f417d
SHA1

58d5aa16e278e51eb593316f396899e7020700c4
SHA256

14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9
SHA512

949e555d727ab8ccc7b3c2cad2e6bfc5e2b17d5d1a3a8a5bb445b034a09f5e1db7a97486489d9fa8b0fc04112b14940a09be550593bd8d74ed8b7fca8ebad90e
SSDEEP

24576:oyqNT36ApHMks7w5KQzZHwODi/mlCz2BPzu:vqNTTHMkkwtdQYi//2Nz

Score

10^/10

amadey redline down lown discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

193.233.20.31:4125

Attributes

auth_value
4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz5596.exev3817ti.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5596.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1436-198-0x00000000028A0000-0x00000000028E6000-memory.dmp	family_redline
behavioral1/memory/1436-199-0x0000000004C90000-0x0000000004CD4000-memory.dmp	family_redline
behavioral1/memory/1436-200-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-201-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-203-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-205-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-207-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-209-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-211-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-213-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-215-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-217-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-219-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-221-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-223-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-225-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-227-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-229-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-231-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-233-0x0000000004C90000-0x0000000004CCE000-memory.dmp	family_redline
behavioral1/memory/1436-1121-0x0000000004D80000-0x0000000004D90000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

zap1758.exezap5295.exezap4324.exetz5596.exev3817ti.exew48pY96.exexJaCO86.exey15BL29.exelegenda.exerc.exelegenda.exe

pid	process
2572	zap1758.exe
3196	zap5295.exe
4872	zap4324.exe
4304	tz5596.exe
3576	v3817ti.exe
1436	w48pY96.exe
3016	xJaCO86.exe
4736	y15BL29.exe
4416	legenda.exe
3228	rc.exe
4468	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4868 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4868	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v3817ti.exetz5596.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3817ti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5596.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4324.exechrome.exe14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exezap1758.exezap5295.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4324.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1758.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5295.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4324.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5295.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3428 schtasks.exe

pid	process
3428	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5004 taskkill.exe

pid	process
5004	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240745591481214"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

624 PING.EXE

pid	process
624	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz5596.exev3817ti.exew48pY96.exexJaCO86.exechrome.exe

pid	process
4304	tz5596.exe
4304	tz5596.exe
3576	v3817ti.exe
3576	v3817ti.exe
1436	w48pY96.exe
1436	w48pY96.exe
3016	xJaCO86.exe
3016	xJaCO86.exe
4996	chrome.exe
4996	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4996 chrome.exe
4996 chrome.exe
4996 chrome.exe
4996 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz5596.exev3817ti.exew48pY96.exexJaCO86.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4304	tz5596.exe
Token: SeDebugPrivilege	3576	v3817ti.exe
Token: SeDebugPrivilege	1436	w48pY96.exe
Token: SeDebugPrivilege	3016	xJaCO86.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exezap1758.exezap5295.exezap4324.exey15BL29.exelegenda.execmd.exerc.execmd.exechrome.exe

description	pid	process	target process
PID 2496 wrote to memory of 2572	2496	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe	zap1758.exe
PID 2496 wrote to memory of 2572	2496	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe	zap1758.exe
PID 2496 wrote to memory of 2572	2496	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe	zap1758.exe
PID 2572 wrote to memory of 3196	2572	zap1758.exe	zap5295.exe
PID 2572 wrote to memory of 3196	2572	zap1758.exe	zap5295.exe
PID 2572 wrote to memory of 3196	2572	zap1758.exe	zap5295.exe
PID 3196 wrote to memory of 4872	3196	zap5295.exe	zap4324.exe
PID 3196 wrote to memory of 4872	3196	zap5295.exe	zap4324.exe
PID 3196 wrote to memory of 4872	3196	zap5295.exe	zap4324.exe
PID 4872 wrote to memory of 4304	4872	zap4324.exe	tz5596.exe
PID 4872 wrote to memory of 4304	4872	zap4324.exe	tz5596.exe
PID 4872 wrote to memory of 3576	4872	zap4324.exe	v3817ti.exe
PID 4872 wrote to memory of 3576	4872	zap4324.exe	v3817ti.exe
PID 4872 wrote to memory of 3576	4872	zap4324.exe	v3817ti.exe
PID 3196 wrote to memory of 1436	3196	zap5295.exe	w48pY96.exe
PID 3196 wrote to memory of 1436	3196	zap5295.exe	w48pY96.exe
PID 3196 wrote to memory of 1436	3196	zap5295.exe	w48pY96.exe
PID 2572 wrote to memory of 3016	2572	zap1758.exe	xJaCO86.exe
PID 2572 wrote to memory of 3016	2572	zap1758.exe	xJaCO86.exe
PID 2572 wrote to memory of 3016	2572	zap1758.exe	xJaCO86.exe
PID 2496 wrote to memory of 4736	2496	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe	y15BL29.exe
PID 2496 wrote to memory of 4736	2496	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe	y15BL29.exe
PID 2496 wrote to memory of 4736	2496	14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe	y15BL29.exe
PID 4736 wrote to memory of 4416	4736	y15BL29.exe	legenda.exe
PID 4736 wrote to memory of 4416	4736	y15BL29.exe	legenda.exe
PID 4736 wrote to memory of 4416	4736	y15BL29.exe	legenda.exe
PID 4416 wrote to memory of 3428	4416	legenda.exe	schtasks.exe
PID 4416 wrote to memory of 3428	4416	legenda.exe	schtasks.exe
PID 4416 wrote to memory of 3428	4416	legenda.exe	schtasks.exe
PID 4416 wrote to memory of 3372	4416	legenda.exe	cmd.exe
PID 4416 wrote to memory of 3372	4416	legenda.exe	cmd.exe
PID 4416 wrote to memory of 3372	4416	legenda.exe	cmd.exe
PID 3372 wrote to memory of 4748	3372	cmd.exe	cmd.exe
PID 3372 wrote to memory of 4748	3372	cmd.exe	cmd.exe
PID 3372 wrote to memory of 4748	3372	cmd.exe	cmd.exe
PID 3372 wrote to memory of 4756	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4756	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4756	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4980	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4980	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4980	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4880	3372	cmd.exe	cmd.exe
PID 3372 wrote to memory of 4880	3372	cmd.exe	cmd.exe
PID 3372 wrote to memory of 4880	3372	cmd.exe	cmd.exe
PID 3372 wrote to memory of 4964	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4964	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 4964	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 5072	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 5072	3372	cmd.exe	cacls.exe
PID 3372 wrote to memory of 5072	3372	cmd.exe	cacls.exe
PID 4416 wrote to memory of 3228	4416	legenda.exe	rc.exe
PID 4416 wrote to memory of 3228	4416	legenda.exe	rc.exe
PID 4416 wrote to memory of 3228	4416	legenda.exe	rc.exe
PID 3228 wrote to memory of 4816	3228	rc.exe	cmd.exe
PID 3228 wrote to memory of 4816	3228	rc.exe	cmd.exe
PID 3228 wrote to memory of 4816	3228	rc.exe	cmd.exe
PID 4816 wrote to memory of 5004	4816	cmd.exe	taskkill.exe
PID 4816 wrote to memory of 5004	4816	cmd.exe	taskkill.exe
PID 4816 wrote to memory of 5004	4816	cmd.exe	taskkill.exe
PID 3228 wrote to memory of 4996	3228	rc.exe	chrome.exe
PID 3228 wrote to memory of 4996	3228	rc.exe	chrome.exe
PID 4996 wrote to memory of 4144	4996	chrome.exe	chrome.exe
PID 4996 wrote to memory of 4144	4996	chrome.exe	chrome.exe
PID 3228 wrote to memory of 2100	3228	rc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe
"C:\Users\Admin\AppData\Local\Temp\14c7e02c269de982bca0eacb8dfceaf4fdf4324019d6f140522e6a0baa33fbb9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1758.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1758.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5295.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5295.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4324.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4324.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5596.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5596.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3817ti.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3817ti.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48pY96.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48pY96.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJaCO86.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJaCO86.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15BL29.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15BL29.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4748

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4756

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4880

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4964

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ffd704a9758,0x7ffd704a9768,0x7ffd704a9778
6⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:8
6⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:2
6⤵
PID:168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:8
6⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:1
6⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:1
6⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:1
6⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3756 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:1
6⤵
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:8
6⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:8
6⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:8
6⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1748,i,9625513410090117160,99103355037080970,131072 /prefetch:8
6⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:2100

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:624

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1014B

MD5
30577e8a43da47533c167f5842741b0b

SHA1
cf5eed7df38cafd0d9b195ebb6e26f900e965508

SHA256
6e65fcf3e363b4b69ad9f07332e7d45602569426b04c0b869ceb9014dff6149d

SHA512
dc0c1c558c44d09b31b9cad9e956f8b28a689e11115b65e6800880aba72f60ce5aac1888414dc72444a06920ef314f35faa291a4fb37e5e26a7602e628051578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
189ce6d94f92bf4096a451d7acb4b4d6

SHA1
d9d104a07c1bb2496b9753109db6b349be39ebf5

SHA256
ac80b88d4bd64f4418e25e55c498b48142da26db37f2531c8709dbc9af36ecf6

SHA512
ee83f7238917bde9c9da49e2a5ebf488a409f9c93dbca7dc472219b9a4d16233d543841b57a4e65b51c4411769cf9e9abbe5b686c2d3000d80eace7ac244c085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c71f4815fc22f6280574064da75dfe6d

SHA1
474fc0c2f07c5b720092a8d297b9ddc4b5040178

SHA256
7b5cf0285b81658a864a0e38738c1b1f0343adb1fe9eed8dc6f5cf7fe9e6620f

SHA512
894e954d09bf6ef04fb108f0f1e7c041180721f5bee078a3c283e1794dcac45dbe23cce3d6428f33c8cb57a4ae99561c6523c59ecd7a69b1bfccb946d920bbbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
de39b64f6415f0f0900f9668bb3dd935

SHA1
71b09279924ab517742cc752f4349e7e50262fe4

SHA256
0df2b454838afaccefd34bbe74d6e1bc8deced649dadbe43b9209f93c189d308

SHA512
051a1c4addecd9f2516354d556bccdc3793808858fce13458552ddd742dc58a4722d60a873d3fa760ab6e01731e6ee3004588dca0ca6b01ce3ec061b9a048b07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
557e4ec4fe17d774408710ecc25085eb

SHA1
abb0de4e2efebb09c19000ac050fcabc3d8155d4

SHA256
e4c1a7e131a28523ab4983af322f81b2f0a3b53c515ad77912c52a2831c5e90c

SHA512
abfac4805f871d6515d74508f619e3e08f5c4a873c368e250564053a468f1779355d392a92e805d3a1324f11ecc2b394930076baa2902ce06227940f6bc3bfea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
c9d1280a149607b81b35647d7469e253

SHA1
98daaca0cbf2eddcaf71c0326252065728ed78a8

SHA256
0b29b9ec734d75d5a61e3d6c16bdde25b38801674204fc8e3edbb9c6e35f891b

SHA512
bb1b20b66805c000ba4673f7822df26f55966122cf140bd76ee587bc3f0d54b22c3568121ff53080d279f7acceaae07af138765e9d706650d96a78a3ccfe6695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
31c44291b7a77beed74077c5a5b735b0

SHA1
1e663dd740d98d4edb07c8e5e037647b99c872bc

SHA256
3312a29793a74eed51f9c501d8776edf7d1cb232a6dbb0af3064317770e1d5e9

SHA512
94ce72b1fb464f55ff79affc9a21215fc51167f45d8a0ec3d9ecc515d1b6162665fc291daa36293ba45fa1063dd68603606ddb5b157ac870b578ad768a935d8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
Filesize
141KB

MD5
50e9958bb2a5b6ae6ed8da1b1d97a5bb

SHA1
afd7485b1313cc54c321cc18c4b1c19e5ae415af

SHA256
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

SHA512
49d079459c3f6f40b62fe60e599f0cc85624a1f9151320811f12bd8bc84378571e23b98144289c6ff61625d939cfec627223b0fa9299159803df486d98feba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15BL29.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15BL29.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1758.exe
Filesize
837KB

MD5
72f7da6aec77d44c1e68c2db8ad4524e

SHA1
94c107cb681ff1a615b1ae36f033ef13aa6c7496

SHA256
9390dfdcb258413446b9a9afa2ebbd3456f0cf56a8f64e92d5c4ccc7e19b5b52

SHA512
5522d0a30b6d10fbdfc5e6221a27b5ce1bf9fb69c1cf9b6a9382684e457478701c84d963e22ce9931e0fdc8e7c71f7351d731fa9ce4ad5992dc5305a97a03af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1758.exe
Filesize
837KB

MD5
72f7da6aec77d44c1e68c2db8ad4524e

SHA1
94c107cb681ff1a615b1ae36f033ef13aa6c7496

SHA256
9390dfdcb258413446b9a9afa2ebbd3456f0cf56a8f64e92d5c4ccc7e19b5b52

SHA512
5522d0a30b6d10fbdfc5e6221a27b5ce1bf9fb69c1cf9b6a9382684e457478701c84d963e22ce9931e0fdc8e7c71f7351d731fa9ce4ad5992dc5305a97a03af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJaCO86.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJaCO86.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5295.exe
Filesize
695KB

MD5
e9d5db6a32f98b2242b8d2a95b89902b

SHA1
888ace84b23dbf50efab256263e0e8975d83bcbd

SHA256
0742a99dde8ca0aa70ec9a705e38d0452bf92a11c03fc9d3e48c43300c68ebf8

SHA512
a94916bdf4ab8ca1e453b0e64e2d9863355e66950dfaf2a2102f007f2201774e4a36d0b63c8d7db86d7c351a657b3bc7299f736bb857ea563197680cd0f671e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5295.exe
Filesize
695KB

MD5
e9d5db6a32f98b2242b8d2a95b89902b

SHA1
888ace84b23dbf50efab256263e0e8975d83bcbd

SHA256
0742a99dde8ca0aa70ec9a705e38d0452bf92a11c03fc9d3e48c43300c68ebf8

SHA512
a94916bdf4ab8ca1e453b0e64e2d9863355e66950dfaf2a2102f007f2201774e4a36d0b63c8d7db86d7c351a657b3bc7299f736bb857ea563197680cd0f671e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48pY96.exe
Filesize
349KB

MD5
b572d9b2ce9592bd8c47d125d01ffdfb

SHA1
5fc9e0ffbc2b0a54685f2249c920864fddbf4a0f

SHA256
9f90b56985998c1de7176a1de51d2ec4cdbcd05824dbbd08c26682fdfede354c

SHA512
c09d780647139416e031968ddedb2b486210de5facf7bab01c61ee36af84a34554d806fb650c897611efd0439242f1da28811d98de1f5e40eff8d52eded8cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48pY96.exe
Filesize
349KB

MD5
b572d9b2ce9592bd8c47d125d01ffdfb

SHA1
5fc9e0ffbc2b0a54685f2249c920864fddbf4a0f

SHA256
9f90b56985998c1de7176a1de51d2ec4cdbcd05824dbbd08c26682fdfede354c

SHA512
c09d780647139416e031968ddedb2b486210de5facf7bab01c61ee36af84a34554d806fb650c897611efd0439242f1da28811d98de1f5e40eff8d52eded8cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4324.exe
Filesize
344KB

MD5
e244376af94473c3a75914b49d919d11

SHA1
665070bdb4a2b9be16880e1e6aec64f74759636d

SHA256
d48f4018b3dbc24911326a233284ca5e3132a8e3e45c48b31c8fc23f4e73f088

SHA512
bab19ac7126bfde4304a245061f905dbed98cd406a869e4617d9012fa8e90e36c91483eff5f3422790e30f335b4d728b42b24a9e9b0c80b1fb8e17bc46cadb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4324.exe
Filesize
344KB

MD5
e244376af94473c3a75914b49d919d11

SHA1
665070bdb4a2b9be16880e1e6aec64f74759636d

SHA256
d48f4018b3dbc24911326a233284ca5e3132a8e3e45c48b31c8fc23f4e73f088

SHA512
bab19ac7126bfde4304a245061f905dbed98cd406a869e4617d9012fa8e90e36c91483eff5f3422790e30f335b4d728b42b24a9e9b0c80b1fb8e17bc46cadb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5596.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5596.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3817ti.exe
Filesize
291KB

MD5
b5f434483a5eadbf0f623910ce649fc9

SHA1
144dfe0744c6dc21a6a5b438691dcba22fd50849

SHA256
af89b716a0c51cb66b6fd253be3d7850214b4cf2bc81ad8d9aaedf3a0af785cc

SHA512
6adc87a125585eb48d9e745d76c9f7c0d02eb540de8f31d0bbae03617347becae05ca988509442cb3c9b156543cd3452ec36d9a6b19abdbfbb13784a1ec001bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3817ti.exe
Filesize
291KB

MD5
b5f434483a5eadbf0f623910ce649fc9

SHA1
144dfe0744c6dc21a6a5b438691dcba22fd50849

SHA256
af89b716a0c51cb66b6fd253be3d7850214b4cf2bc81ad8d9aaedf3a0af785cc

SHA512
6adc87a125585eb48d9e745d76c9f7c0d02eb540de8f31d0bbae03617347becae05ca988509442cb3c9b156543cd3452ec36d9a6b19abdbfbb13784a1ec001bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\background.js
Filesize
2KB

MD5
6200ca0889334cfb6aec68e0d16ec1ae

SHA1
484b2db1bccfcd5a683faf4d4fe9bc4a26b669fd

SHA256
a7929366648541bdbc0770e2e46c396c1febabab88fb6f9399706f7faceef18a

SHA512
84f906a51c9c3e04acff4dd8e3a3e54994d435dcc1ea925b61bed6ed6ca82719d070332126ec901d906d475835532a03c2516e5c524940c1144ea2a8fc17a567

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\main.js
Filesize
174B

MD5
101da414c759e49091ed4c7c393e4b88

SHA1
ca66105564379ea52890b55364f61d6d967facce

SHA256
a36f1ac32942455f7f16f3ac4ce90b91c504a82c22f9d529e0ba7bf64a24b757

SHA512
504b7b35a83b135aec79322cf9e8b296f42552040ec6d630e008fff395e5120af88e8b2118641b58fb3de7d6ac7466f621f604d2824c2d688a4aefb444ce7f44

Download Submit
C:\Users\Admin\AppData\Roaming\extension_chrome\manifest.json
Filesize
614B

MD5
0688a45c7472ba90c4acbd8a4fbc928a

SHA1
0f6f86ebac77f35cf2b8f3bb2595597bc786de6b

SHA256
52e7a136a4f39bb826f30f5c89c6fa28ca9945acefc775068a39d21328e47275

SHA512
d8c32b1fe52060ffa020ab640dd78afda51ab1ea86a467ffbc308bf1c540f93485c73a71a1226b48835b2eb9e073d508c93ba94a3d571ba84af5d2a1784b951d

Download Submit
\??\pipe\crashpad_4996_NIDYVIKBFFCSPKJI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/1436-223-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-1122-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-201-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-203-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-205-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-207-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-209-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-211-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-213-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-215-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-217-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-219-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-221-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-199-0x0000000004C90000-0x0000000004CD4000-memory.dmp

Filesize
272KB

Download
memory/1436-225-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-227-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-229-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-231-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-233-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-262-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/1436-266-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-263-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-267-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-1110-0x0000000005290000-0x0000000005896000-memory.dmp

Filesize
6.0MB

Download
memory/1436-1111-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/1436-1112-0x0000000005A00000-0x0000000005A12000-memory.dmp

Filesize
72KB

Download
memory/1436-1113-0x0000000005A60000-0x0000000005A9E000-memory.dmp

Filesize
248KB

Download
memory/1436-1114-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-1115-0x0000000005BA0000-0x0000000005BEB000-memory.dmp

Filesize
300KB

Download
memory/1436-1116-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/1436-1117-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/1436-1119-0x00000000064A0000-0x0000000006662000-memory.dmp

Filesize
1.8MB

Download
memory/1436-1120-0x0000000006670000-0x0000000006B9C000-memory.dmp

Filesize
5.2MB

Download
memory/1436-200-0x0000000004C90000-0x0000000004CCE000-memory.dmp

Filesize
248KB

Download
memory/1436-1121-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-1123-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1436-1124-0x0000000006E10000-0x0000000006E86000-memory.dmp

Filesize
472KB

Download
memory/1436-1125-0x0000000006EA0000-0x0000000006EF0000-memory.dmp

Filesize
320KB

Download
memory/1436-198-0x00000000028A0000-0x00000000028E6000-memory.dmp

Filesize
280KB

Download
memory/3016-1133-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3016-1131-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/3016-1132-0x0000000005570000-0x00000000055BB000-memory.dmp

Filesize
300KB

Download
memory/3576-174-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-191-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3576-190-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3576-189-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3576-188-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-186-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-184-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-182-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-180-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-178-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-176-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-193-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3576-172-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-170-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-168-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-166-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-164-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-162-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-161-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/3576-160-0x0000000002560000-0x0000000002578000-memory.dmp

Filesize
96KB

Download
memory/3576-159-0x0000000004E50000-0x000000000534E000-memory.dmp

Filesize
5.0MB

Download
memory/3576-158-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3576-157-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3576-156-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3576-155-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/4304-149-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download