amadey | ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683

Analysis

max time kernel
111s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe
Size

1.0MB
MD5

77c45c0debb608b80b97ad7a6bf2a645
SHA1

a6060a05095ec32126651112b005a1499f2fea0c
SHA256

ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683
SHA512

82d201e3659d9971cc9d92dd0d8e256cfa579c16e352bd63627cbe070ff40cc52422b83567397d7b82f18af8f3b6619f5e4dbd4d6ad40ffdc11a2d5cabb3333f
SSDEEP

24576:hyhqTTy4gz6Xwuj1cuiYKMYB4Y6aoG5okpNcQeY:UhqTl3NsujaoGiW

Score

10^/10

amadey aurora redline bolt down usa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

bolt

193.233.20.31:4125

Attributes

auth_value
29540c7bf0277243e2faf6601e15a754

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

USA

65.108.152.34:37345

Attributes

auth_value
01ecb56953469aaed8efad25c0f68a64

Extracted

Family

aurora

212.87.204.93:8081

94.142.138.215:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8984.exev2789YR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2789YR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2789YR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2789YR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2789YR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2789YR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2789YR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8984.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5040-213-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-214-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-216-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-218-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-220-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-222-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-224-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-226-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-228-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-230-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-232-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-234-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-236-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-238-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-240-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-242-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-244-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline
behavioral1/memory/5040-246-0x00000000027D0000-0x000000000280E000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y56WQ15.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y56WQ15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 13 IoCs

Processes:

zap0895.exezap3848.exezap1842.exetz8984.exev2789YR.exew60iZ18.exexEInb90.exey56WQ15.exelegenda.exeusa.exevpn-go.exe1.exelegenda.exe

pid	process
2108	zap0895.exe
2892	zap3848.exe
4176	zap1842.exe
400	tz8984.exe
4704	v2789YR.exe
5040	w60iZ18.exe
4932	xEInb90.exe
4364	y56WQ15.exe
3508	legenda.exe
2688	usa.exe
5012	vpn-go.exe
4728	1.exe
4448	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4368 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4368	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8984.exev2789YR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2789YR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2789YR.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exezap0895.exezap3848.exezap1842.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap0895.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3848.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3848.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1842.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

vpn-go.exe

description pid process target process

PID 5012 set thread context of 1328 5012 vpn-go.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3292 4704 WerFault.exe v2789YR.exe
1520 5040 WerFault.exe w60iZ18.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4080 schtasks.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

4364 systeminfo.exe
1272 systeminfo.exe

description	pid	process	target process
PID 5012 set thread context of 1328	5012	vpn-go.exe	InstallUtil.exe

pid	pid_target	process	target process
3292	4704	WerFault.exe	v2789YR.exe
1520	5040	WerFault.exe	w60iZ18.exe

pid	process
4080	schtasks.exe

pid	process
4364	systeminfo.exe
1272	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

tz8984.exev2789YR.exew60iZ18.exexEInb90.exeusa.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
400	tz8984.exe
400	tz8984.exe
4704	v2789YR.exe
4704	v2789YR.exe
5040	w60iZ18.exe
5040	w60iZ18.exe
4932	xEInb90.exe
4932	xEInb90.exe
2688	usa.exe
2688	usa.exe
372	powershell.exe
372	powershell.exe
3924	powershell.exe
3924	powershell.exe
5008	powershell.exe
5008	powershell.exe
2064	powershell.exe
2064	powershell.exe
2352	powershell.exe
2352	powershell.exe
1832	powershell.exe
1832	powershell.exe
4160	powershell.exe
4160	powershell.exe
4116	powershell.exe
4116	powershell.exe
1776	powershell.exe
1776	powershell.exe
1668	powershell.exe
1668	powershell.exe
4100	powershell.exe
4100	powershell.exe
3180	powershell.exe
3180	powershell.exe
1420	powershell.exe
1420	powershell.exe
4312	powershell.exe
4312	powershell.exe
1532	powershell.exe
1532	powershell.exe
2064	powershell.exe
2064	powershell.exe
4892	powershell.exe
4892	powershell.exe
4424	powershell.exe
4424	powershell.exe
232	powershell.exe
232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz8984.exev2789YR.exew60iZ18.exexEInb90.exevpn-go.exeusa.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	400	tz8984.exe
Token: SeDebugPrivilege	4704	v2789YR.exe
Token: SeDebugPrivilege	5040	w60iZ18.exe
Token: SeDebugPrivilege	4932	xEInb90.exe
Token: SeDebugPrivilege	5012	vpn-go.exe
Token: SeDebugPrivilege	2688	usa.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: 36	636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: 36	636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2364	wmic.exe
Token: SeSecurityPrivilege	2364	wmic.exe
Token: SeTakeOwnershipPrivilege	2364	wmic.exe
Token: SeLoadDriverPrivilege	2364	wmic.exe
Token: SeSystemProfilePrivilege	2364	wmic.exe
Token: SeSystemtimePrivilege	2364	wmic.exe
Token: SeProfSingleProcessPrivilege	2364	wmic.exe
Token: SeIncBasePriorityPrivilege	2364	wmic.exe
Token: SeCreatePagefilePrivilege	2364	wmic.exe
Token: SeBackupPrivilege	2364	wmic.exe
Token: SeRestorePrivilege	2364	wmic.exe
Token: SeShutdownPrivilege	2364	wmic.exe
Token: SeDebugPrivilege	2364	wmic.exe
Token: SeSystemEnvironmentPrivilege	2364	wmic.exe
Token: SeRemoteShutdownPrivilege	2364	wmic.exe
Token: SeUndockPrivilege	2364	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exezap0895.exezap3848.exezap1842.exey56WQ15.exelegenda.execmd.exevpn-go.exe

description	pid	process	target process
PID 4776 wrote to memory of 2108	4776	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe	zap0895.exe
PID 4776 wrote to memory of 2108	4776	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe	zap0895.exe
PID 4776 wrote to memory of 2108	4776	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe	zap0895.exe
PID 2108 wrote to memory of 2892	2108	zap0895.exe	zap3848.exe
PID 2108 wrote to memory of 2892	2108	zap0895.exe	zap3848.exe
PID 2108 wrote to memory of 2892	2108	zap0895.exe	zap3848.exe
PID 2892 wrote to memory of 4176	2892	zap3848.exe	zap1842.exe
PID 2892 wrote to memory of 4176	2892	zap3848.exe	zap1842.exe
PID 2892 wrote to memory of 4176	2892	zap3848.exe	zap1842.exe
PID 4176 wrote to memory of 400	4176	zap1842.exe	tz8984.exe
PID 4176 wrote to memory of 400	4176	zap1842.exe	tz8984.exe
PID 4176 wrote to memory of 4704	4176	zap1842.exe	v2789YR.exe
PID 4176 wrote to memory of 4704	4176	zap1842.exe	v2789YR.exe
PID 4176 wrote to memory of 4704	4176	zap1842.exe	v2789YR.exe
PID 2892 wrote to memory of 5040	2892	zap3848.exe	w60iZ18.exe
PID 2892 wrote to memory of 5040	2892	zap3848.exe	w60iZ18.exe
PID 2892 wrote to memory of 5040	2892	zap3848.exe	w60iZ18.exe
PID 2108 wrote to memory of 4932	2108	zap0895.exe	xEInb90.exe
PID 2108 wrote to memory of 4932	2108	zap0895.exe	xEInb90.exe
PID 2108 wrote to memory of 4932	2108	zap0895.exe	xEInb90.exe
PID 4776 wrote to memory of 4364	4776	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe	y56WQ15.exe
PID 4776 wrote to memory of 4364	4776	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe	y56WQ15.exe
PID 4776 wrote to memory of 4364	4776	ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe	y56WQ15.exe
PID 4364 wrote to memory of 3508	4364	y56WQ15.exe	legenda.exe
PID 4364 wrote to memory of 3508	4364	y56WQ15.exe	legenda.exe
PID 4364 wrote to memory of 3508	4364	y56WQ15.exe	legenda.exe
PID 3508 wrote to memory of 4080	3508	legenda.exe	schtasks.exe
PID 3508 wrote to memory of 4080	3508	legenda.exe	schtasks.exe
PID 3508 wrote to memory of 4080	3508	legenda.exe	schtasks.exe
PID 3508 wrote to memory of 2756	3508	legenda.exe	cmd.exe
PID 3508 wrote to memory of 2756	3508	legenda.exe	cmd.exe
PID 3508 wrote to memory of 2756	3508	legenda.exe	cmd.exe
PID 2756 wrote to memory of 4424	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 4424	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 4424	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 4460	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4460	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4460	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4532	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4532	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4532	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 232	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 232	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 232	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 216	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 216	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 216	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 2256	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 2256	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 2256	2756	cmd.exe	cacls.exe
PID 3508 wrote to memory of 2688	3508	legenda.exe	usa.exe
PID 3508 wrote to memory of 2688	3508	legenda.exe	usa.exe
PID 3508 wrote to memory of 2688	3508	legenda.exe	usa.exe
PID 3508 wrote to memory of 5012	3508	legenda.exe	vpn-go.exe
PID 3508 wrote to memory of 5012	3508	legenda.exe	vpn-go.exe
PID 3508 wrote to memory of 4728	3508	legenda.exe	1.exe
PID 3508 wrote to memory of 4728	3508	legenda.exe	1.exe
PID 3508 wrote to memory of 4728	3508	legenda.exe	1.exe
PID 5012 wrote to memory of 1328	5012	vpn-go.exe	InstallUtil.exe
PID 5012 wrote to memory of 1328	5012	vpn-go.exe	InstallUtil.exe
PID 5012 wrote to memory of 1328	5012	vpn-go.exe	InstallUtil.exe
PID 5012 wrote to memory of 1328	5012	vpn-go.exe	InstallUtil.exe
PID 5012 wrote to memory of 1328	5012	vpn-go.exe	InstallUtil.exe
PID 5012 wrote to memory of 1328	5012	vpn-go.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe
"C:\Users\Admin\AppData\Local\Temp\ee5ee2a9243637464456f11764de58c3895ab3e3a5e0c284bbcd8128d9c72683.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0895.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0895.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3848.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3848.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1842.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1842.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8984.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8984.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2789YR.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2789YR.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1084
6⤵
- Program crash
PID:3292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60iZ18.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60iZ18.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1096
5⤵
- Program crash
PID:1520

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xEInb90.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xEInb90.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y56WQ15.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y56WQ15.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4424

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4460

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:232

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:216

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
5⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:460

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
PID:2184

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
6⤵
PID:2040

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
6⤵
PID:3344

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:4364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQleQYh\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\YzRyWJjPjz\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\pfRFEgmotaFetHs\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\krBEmfdzdcEkXBA\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\kjQZLCtTMt\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\TCoaNatyyiNKARe\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\KJyiXJrscc\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\tNswYNsGRussVma\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\ozFZBsbOJi\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\FQGZsnwTKSmVoiG\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\LOpbUOpEdK\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\updOMeRVjaRzLNT\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\" \"C:\Users\Admin\AppData\Local\Temp\XYeUCWKsXb\""
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Users\Admin\AppData\Roaming\1000150000\1.exe
"C:\Users\Admin\AppData\Roaming\1000150000\1.exe"
4⤵
- Executes dropped EXE
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:4612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:2960

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:3076

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:3952

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
5⤵
PID:2992

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:1272

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4704 -ip 4704
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5040 -ip 5040
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
03b04eff415e60fec7567f5f05706c12

SHA1
6d8a25a5db62d19c20ad3954e9b2ca06ed97d0a5

SHA256
675a0fad99354264e36178be602a0efe9846d535be60eb5479a56c986b02648c

SHA512
36be7818d4b23da9b98aca01d79315be7459ac6b0c4373657fadfbe07fd46012a42ccf9fed6dd1b61cf6b5c91b0767465149e1cc41dc2f65d1f05f8da6f8b95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
3080d6d76c21a0b2af73d5bf91df7255

SHA1
82b192acb17aa504608762a6186bccf05446fae7

SHA256
62e1dbad7ca5402f51bee97be53eb6329ce4ee968b66ec538f699504d8bb93b4

SHA512
a24f6589c82d931e61709f3f2fdfcd0ea78a3a7936c1c42d456da1e62eb2afc0292ad4a1f270a2db7cbabeec72b518024c68196c72f4b4ebe19de4c312b187ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
012e6da37d40df78b6ec9ea6d917c115

SHA1
bb06206605487446d6071ba6f812c2287ce9c701

SHA256
848f1ed600b86ffd8232994e50e1aeceb79d75d8b5e60ab64554ace74d409139

SHA512
c91f2895597a01606b897ce017e63f8b40671c7ad07e20a67a26a8d78d41c487bd09710e7a7566790f413be6b0d09d242c8e363ed8b4e65ef518767f69f4ad53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
48ccc44c8ae2a4be99e61d8a1348eb79

SHA1
109c893e73798c7ff80c2feab1294f76a0820e9e

SHA256
882b0c1b29d5575ac8bc596c961a348ee5a628e4225b98cf74da886a1c670d04

SHA512
b00b12c5eb70decfdf6a699437f7352c19f6b20cd7d4ea29a54e4fad6b3da2ec6160b4f611833fc667aeecc6a7add2d199be8f9384571bf929f819bdd22b759a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
a2e6eaea44e8d55ecb5582535c281ea2

SHA1
754732a74cadabafed2f6f63225f8a1bee3c3b67

SHA256
1db906593338e24ab3a81a37b78ab612d894700e10ff234178c129dff8601342

SHA512
bc130fa41086ca042b763130a13fd265f6cee1a39b61ba116c6f9fed504bb0d4abbdcf1a309365bbfeacea75e9eef727bca80be7a24bd38a048e778d6571f870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
5a667be70ce4b375518a32b1b313c2b8

SHA1
cc0d0b20b5e2f6cb2d6d16744e19f794e4279e40

SHA256
981d4aacd5a2f012168973acadabc57062e6adc8534223035bca23eed6577a4a

SHA512
db93c9f6582fa5a6e2f7be54309d7f10683195ea4b66a2a848db105bfbe89df97801617882bf5aa2279b2e89654d1415fdf7798752476e0bc650a29f99792e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
fa09522bc735d9afa04a4603cc0c7349

SHA1
422c823c4df80c3bf2bf73ad2351670b5a4b3870

SHA256
36401348ec35b92d939ad43e565085cfd74b008f093159556f632e581fcdf612

SHA512
7e29c9845ea68637846b164157c10f6767afd31d0fc77c600711e692e16ce080879206b6313c3a2a4573c093d26bb9ae56b22dde401502ad17c87fd7f0712d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
366011706adaef95670350bd818156fd

SHA1
7291eb18b51bd511f52eb7adfdc01ca74c23f422

SHA256
f23c4a507740b14a5459f256ab068091ac9b30731072c326a2ab3668ea1bb2c8

SHA512
eb501c50bde74601fff612709efebc58b3fc4a296fc62479a072daf318cb5ea73dffb1958066431475e3a60ef892cf19797a12798fb48705907aa5ff223afde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
12bf55bfcff646f1160b0a2c2dcd0630

SHA1
f0f20514377ebaebb3b212afb72875ffeb9e86dd

SHA256
0486130ca8588c9027876f44af0257b95c04241dcf9c83ea9b894471b310a9b2

SHA512
30d01a93e8319604facd17099a96c9ff4cce9a379092062e0d2de7268abe3a17f449770e96acdf01f985771b65cf3a8d2744377c5eb1310d0d861fd7f6085747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9d01806b9503c2b0964c6b23f8650ef8

SHA1
f060f76d5ebc1cf63a30e5452a6622fe8b0c6260

SHA256
ffafd8419e940cdc4e8c1ab088ff8c2457414745dfece5d0fca89b971eafdbc7

SHA512
c6ea434f3d547bc7d809278758c5c4502c81e741da78008fefeb8cb580796a3d42eef3efc5eb8a2c31c735f4c3a4e70fef49772a11ab5b591ea37741bb9b65a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9c63173f4462073b1293a2e948583c7a

SHA1
790129620aee0fde6fd17a7641bf0590982560b7

SHA256
9d26a06cf5f5dcc8556fce309258ab4936158e2d946848f150ab35299be00e5d

SHA512
630857c14baf3f960b86efb0c60e180d3e854ccbd0387522d8a8e8a05e3262ef1bacbb1998a16b43ed3c37cd684cfec611826b4abfc91394c6c32da5ce69d8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e5402c58df2371a841cacb326104fafa

SHA1
510a7d7c871c5da6ef349b625488efd1cd86626d

SHA256
03c24ec483401c15d3e3f1c7619a6c22ced290050644f8e41a87bbfaf9f83565

SHA512
d64058b6c27290c48f1b028c44ec9234e436ce1a26fe6b9286b09712ac98fd573e9ab59b4ade0d16b3c05bcf062d476506c34633f43d5d098b62ee9092caeceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
f4748d52dbc5d158e49219eafdaa65f0

SHA1
eb8fb3d03cee6b887d8c4d5faf5c1977eae6b62c

SHA256
8b7bc6374171917af0932b115b48fa42b63fdd5479ac66fd72fd776df3d559a0

SHA512
55d25001e376c48e241723cded946907e3a10167d9b6401a806569adf726416a29738a29c02341288d5cb423705b43bdd31ccce38429c3ba7f08d56f7810469a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9efd41e3c8792832d58d15681c56f315

SHA1
a6d6fa8f40b58ecb5133be34ebb2c4ecaa3d9631

SHA256
d1ea844a969472a4642354d116a1784ee173f42b1b1e92e0f100fc0b50810e73

SHA512
28b6de3a870d251d61dc295f52d84f746029a6ffb5875bd0b1ea71320b1f95c6b5791cc0eee87b7efd12de07a0108e61c29463667cdedaea80fe56418ff32103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ede4ff1d4bb1bd65b38138ec97f2ae01

SHA1
3f09767f0c5a22a38f0511b2877cfcc6d895fa4e

SHA256
340ae33d8d1162f0c25b533d5e5ba81cc34fd12abc6da91f4c15381f09c0e063

SHA512
0e7b23bbd8dfcb05b3eb20266246e895e460c0e89a0331df0c8b1203151e6dd70d40910cbc87a92fbc4f3ea5b7eea0409ed42e4165cb420a47b1c08716a39e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
b29d5bd679bf9b578d4426e0e0a29272

SHA1
49702a6687e79b7e5b17883577a9e65e30512dbf

SHA256
979f67b3794e21859c14352e1d6afff7dad95127f0a7df5da5657ee3e5f92da5

SHA512
973a192cda8200e508aa82364ebfbe85413b9d2d4f31a066b5f6c4e24d93f1244fc4147ee254665ea6fac247c24efaf461975d888c3482c162cff560bce33368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
bfe13e68cf08d9be4cbf02d6b361bc73

SHA1
b4374acb695b7fa1d67efe6b36233a26f985f628

SHA256
770c9310c2f27ff30e244dc42c269d048da8ba2270564c3a5576956c5e4b4d14

SHA512
769db724c45654a7754d2b3a7a13d441e50dd6a4354d6e6a29a37f286d1ff77f9ff46e7a3c1b61498ea89d68835cb07b394c4a0f7f8c05c6353c1697a9be7ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c71e87f3fac4f702fd6f3709945dfe38

SHA1
a63a4ef6c6429aae1b3ef5597f6e87236f9a02a2

SHA256
9a7576256aa5bf3c243bcd6e121aa6b698f466aca5272dc94edef1db88cf4152

SHA512
4c0f36cc31ab8c36680562b49e1312693f3bdd836faf701c466e92fb487967e80c6a69ebfc6d1abf05cb6cd69ebb81e4372d8b50e3d596f656c79eac37b3720a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
Filesize
335KB

MD5
f00f6596f6bf65d01cb390aebc5326f5

SHA1
8e8d257bd51d2213ed871c4b8b88a0238036e313

SHA256
2e54e59e1fabb5accbef4a42a2cf7af640c57ac0fa7e3542c160662fb327caa7

SHA512
74bde8fd32b51b42c6cc70790f86ae4bc1b83f37aa6e246d147469220c46b5d789d9349fef961491917a773dca061665cc09ab858df449f5119e96e59fbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
Filesize
335KB

MD5
f00f6596f6bf65d01cb390aebc5326f5

SHA1
8e8d257bd51d2213ed871c4b8b88a0238036e313

SHA256
2e54e59e1fabb5accbef4a42a2cf7af640c57ac0fa7e3542c160662fb327caa7

SHA512
74bde8fd32b51b42c6cc70790f86ae4bc1b83f37aa6e246d147469220c46b5d789d9349fef961491917a773dca061665cc09ab858df449f5119e96e59fbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
Filesize
335KB

MD5
f00f6596f6bf65d01cb390aebc5326f5

SHA1
8e8d257bd51d2213ed871c4b8b88a0238036e313

SHA256
2e54e59e1fabb5accbef4a42a2cf7af640c57ac0fa7e3542c160662fb327caa7

SHA512
74bde8fd32b51b42c6cc70790f86ae4bc1b83f37aa6e246d147469220c46b5d789d9349fef961491917a773dca061665cc09ab858df449f5119e96e59fbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
Filesize
9.6MB

MD5
e38edcf41b7b13dc8837e030774cf083

SHA1
1ed5f18fbc105fd177129f594d63e3297654acff

SHA256
9e83c3a822bc5253e9b5047fd2ee19abce885852db7afcb70d9b76fc470f69bc

SHA512
17021db0c40c5068c1df61e3682cd967fec74a76e661d5967b3950d2a0f2a3a64ea15abcfd21b89223fb541d3561172a0dbdcc2a63694996518e0fde8ced1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
Filesize
9.6MB

MD5
e38edcf41b7b13dc8837e030774cf083

SHA1
1ed5f18fbc105fd177129f594d63e3297654acff

SHA256
9e83c3a822bc5253e9b5047fd2ee19abce885852db7afcb70d9b76fc470f69bc

SHA512
17021db0c40c5068c1df61e3682cd967fec74a76e661d5967b3950d2a0f2a3a64ea15abcfd21b89223fb541d3561172a0dbdcc2a63694996518e0fde8ced1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
Filesize
9.6MB

MD5
e38edcf41b7b13dc8837e030774cf083

SHA1
1ed5f18fbc105fd177129f594d63e3297654acff

SHA256
9e83c3a822bc5253e9b5047fd2ee19abce885852db7afcb70d9b76fc470f69bc

SHA512
17021db0c40c5068c1df61e3682cd967fec74a76e661d5967b3950d2a0f2a3a64ea15abcfd21b89223fb541d3561172a0dbdcc2a63694996518e0fde8ced1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQGZsnwTKSmVoiG
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y56WQ15.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y56WQ15.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0895.exe
Filesize
841KB

MD5
f95314a1c73bddfa847a2a6b59dc0c9b

SHA1
0a3e7e2ab9ba16f95ae754fef30abb457300839c

SHA256
71359a0d1c5785230cad6f06dbb15829d347279778b2d615a75e56c2b6b766c5

SHA512
f0ff39bf0f824e5348393d7957529448e568d6b7e5ee747be0a1e881d6813ac802c0c1e96a9d845ece55788285aa077f668e617c6f2fbe1fdc7c29ded62e4a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0895.exe
Filesize
841KB

MD5
f95314a1c73bddfa847a2a6b59dc0c9b

SHA1
0a3e7e2ab9ba16f95ae754fef30abb457300839c

SHA256
71359a0d1c5785230cad6f06dbb15829d347279778b2d615a75e56c2b6b766c5

SHA512
f0ff39bf0f824e5348393d7957529448e568d6b7e5ee747be0a1e881d6813ac802c0c1e96a9d845ece55788285aa077f668e617c6f2fbe1fdc7c29ded62e4a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xEInb90.exe
Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xEInb90.exe
Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3848.exe
Filesize
699KB

MD5
ba0dd21a44ffe96c6e6ad9089c131581

SHA1
910f7632e8f11c33a929db6d02913c38e3b608f2

SHA256
3905625017f08775630fa3b1be611d8d7053089eff0a0f3df8c58407d434eb39

SHA512
68911d03d9de4fa26a87e88732e927bbafdbe6f3110fd8476cf29b902bdf217647af8c1b0fb6b765e3d84be957112494320929500e4d152e2dda626e54852035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3848.exe
Filesize
699KB

MD5
ba0dd21a44ffe96c6e6ad9089c131581

SHA1
910f7632e8f11c33a929db6d02913c38e3b608f2

SHA256
3905625017f08775630fa3b1be611d8d7053089eff0a0f3df8c58407d434eb39

SHA512
68911d03d9de4fa26a87e88732e927bbafdbe6f3110fd8476cf29b902bdf217647af8c1b0fb6b765e3d84be957112494320929500e4d152e2dda626e54852035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60iZ18.exe
Filesize
358KB

MD5
4a58d533493787362e55d7d32c2554ee

SHA1
c1d95e44e22b83e94834d3bebe15b1d4f4b9afc7

SHA256
49832ccf2eaa733ffc744c3d1520323551cfa4ebf40e9cc54d13f77b001916b0

SHA512
4fda343bc09920639e59f39834d7a5b12ad910304a80ce9c21fd68e60d234635ae81ec19a8e9afeea59fb84a8d42db22906f48b6e27f1c8e1330bb5a8687a350

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60iZ18.exe
Filesize
358KB

MD5
4a58d533493787362e55d7d32c2554ee

SHA1
c1d95e44e22b83e94834d3bebe15b1d4f4b9afc7

SHA256
49832ccf2eaa733ffc744c3d1520323551cfa4ebf40e9cc54d13f77b001916b0

SHA512
4fda343bc09920639e59f39834d7a5b12ad910304a80ce9c21fd68e60d234635ae81ec19a8e9afeea59fb84a8d42db22906f48b6e27f1c8e1330bb5a8687a350

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1842.exe
Filesize
346KB

MD5
0e6f38cc74928de1aafbc11dcfa5d6aa

SHA1
9879f6ba9a782f29596cb6b65cdcffb3704ccdbe

SHA256
fa5ed5bfe928a6a3f6d3af3fafe0f568c13220a41e68c4533e9fe5cec81502ff

SHA512
63eb388ed282f566d64e69c79c25e567fea2c626f5c4b80e956806e96122cd63281ae61f8221338574ade132c3e2c8811fef76f3a7212c117cf6b6a27029d2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1842.exe
Filesize
346KB

MD5
0e6f38cc74928de1aafbc11dcfa5d6aa

SHA1
9879f6ba9a782f29596cb6b65cdcffb3704ccdbe

SHA256
fa5ed5bfe928a6a3f6d3af3fafe0f568c13220a41e68c4533e9fe5cec81502ff

SHA512
63eb388ed282f566d64e69c79c25e567fea2c626f5c4b80e956806e96122cd63281ae61f8221338574ade132c3e2c8811fef76f3a7212c117cf6b6a27029d2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8984.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8984.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2789YR.exe
Filesize
300KB

MD5
7576d0f160fda37f7603ab8a2c40a299

SHA1
1a136f2f4a3a6ae9d151b9d0ee04f01b7d92b699

SHA256
276870989fac1ec7ccc9556503fbaf3fef1dbe356685a88fa8048833467b7d7c

SHA512
2ba5d1a4822081762d81a2f49516b2335879e2272c7b91ff25fce7ffc539d606bfb8fcd1a56089d676c33ff22c267e475e282e5ef7783148af75d6a77962eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2789YR.exe
Filesize
300KB

MD5
7576d0f160fda37f7603ab8a2c40a299

SHA1
1a136f2f4a3a6ae9d151b9d0ee04f01b7d92b699

SHA256
276870989fac1ec7ccc9556503fbaf3fef1dbe356685a88fa8048833467b7d7c

SHA512
2ba5d1a4822081762d81a2f49516b2335879e2272c7b91ff25fce7ffc539d606bfb8fcd1a56089d676c33ff22c267e475e282e5ef7783148af75d6a77962eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\KJyiXJrscc
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOpbUOpEdK
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCoaNatyyiNKARe
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzRyWJjPjz
Filesize
92KB

MD5
651d855bcf44adceccfd3fffcd32956d

SHA1
45ac6cb8bd69976f45a37bf86193bd4c8e03fce9

SHA256
4ada554163d26c8a3385d4fe372fc132971c867e23927a35d72a98aadb25b57b

SHA512
67b4683a4e780093e5b3e73ea906a42c74f96a9234845114e0ea6e61ab0308c2e5b7f12d3428ce5bf48928863c102f57c011f9cdc4589d2d82c078b3db70c31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lj1eamil.gpk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjQZLCtTMt
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\krBEmfdzdcEkXBA
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQleQYh
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozFZBsbOJi
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfRFEgmotaFetHs
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tNswYNsGRussVma
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\updOMeRVjaRzLNT
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\updOMeRVjaRzLNT
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Roaming\1000150000\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Roaming\1000150000\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Roaming\1000150000\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/372-1247-0x0000000006560000-0x0000000006582000-memory.dmp

Filesize
136KB

Download
memory/372-1228-0x00000000049D0000-0x0000000004A06000-memory.dmp

Filesize
216KB

Download
memory/372-1243-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/372-1231-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/372-1238-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/372-1229-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/372-1237-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/372-1245-0x0000000006590000-0x0000000006626000-memory.dmp

Filesize
600KB

Download
memory/372-1230-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/372-1246-0x0000000006510000-0x000000000652A000-memory.dmp

Filesize
104KB

Download
memory/400-161-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1328-1223-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1328-1244-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1668-1383-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1668-1382-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1776-1368-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/1832-1323-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/1832-1324-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/2064-1293-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2064-1294-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2352-1308-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/2352-1307-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/2688-1174-0x00000000009B0000-0x0000000000A0A000-memory.dmp

Filesize
360KB

Download
memory/2688-1226-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/2688-1175-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3924-1253-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3924-1254-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4116-1354-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4116-1353-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4160-1339-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/4160-1338-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/4704-198-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-184-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-167-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/4704-168-0x0000000002330000-0x000000000235D000-memory.dmp

Filesize
180KB

Download
memory/4704-169-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/4704-170-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/4704-171-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-172-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-174-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-176-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-178-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-180-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-182-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-201-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/4704-200-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/4704-202-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/4704-186-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-188-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-190-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-192-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-194-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-196-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/4704-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4704-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4932-1141-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/4932-1140-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/5008-1279-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/5008-1278-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/5012-1211-0x0000000000AD0000-0x000000000147A000-memory.dmp

Filesize
9.7MB

Download
memory/5012-1213-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/5012-1212-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/5040-1119-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/5040-240-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/5040-234-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-224-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-218-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-216-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-214-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-213-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-222-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-210-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-211-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-209-0x0000000000870000-0x00000000008BB000-memory.dmp

Filesize
300KB

Download
memory/5040-226-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-228-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-230-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-232-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-236-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-238-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-212-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-242-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-244-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-246-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-1132-0x0000000006940000-0x0000000006B02000-memory.dmp

Filesize
1.8MB

Download
memory/5040-1120-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/5040-220-0x00000000027D0000-0x000000000280E000-memory.dmp

Filesize
248KB

Download
memory/5040-1122-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/5040-1123-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-1134-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-1133-0x0000000006B10000-0x000000000703C000-memory.dmp

Filesize
5.2MB

Download
memory/5040-1124-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/5040-1125-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/5040-1127-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-1128-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-1129-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/5040-1130-0x0000000006850000-0x00000000068C6000-memory.dmp

Filesize
472KB

Download
memory/5040-1131-0x00000000068E0000-0x0000000006930000-memory.dmp

Filesize
320KB

Download