amadey | 74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a

Analysis

max time kernel
113s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935c8459f31edb0ec9be0e6ce3cb53ab.exe
Size

1013KB
MD5

935c8459f31edb0ec9be0e6ce3cb53ab
SHA1

ea766a0431c3dc91336432d0ff7b26e45d5bacf9
SHA256

74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a
SHA512

969c42a0f20c7d68dd5dc52cdedeaedca5783e650bfee43e823b049b85e1c47885cc655cc5cf58abafdad9a23c388f016c0552fc7e30a74a2ca19a52faff9c5b
SSDEEP

24576:2yyuQU6oDHu7pQLRBOrFPkVfovB1NcwWVM:FyuQkHforhkRoJ1NcL

Score

10^/10

amadey redline boris lida whitedoc discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

whitedoc

81.161.229.143:45156

Attributes

auth_value
2020d22aaa2ecafa1b12e00dfcffae03

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v6855WI.exetz4768.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6855WI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6855WI.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4776-210-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-211-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-215-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-213-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-217-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-219-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-221-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-223-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-230-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-226-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-233-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-235-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-237-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-239-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-241-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-243-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-245-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4776-247-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exe76783.exey86tu48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	76783.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y86tu48.exe

Executes dropped EXE 12 IoCs

Processes:

zap5766.exezap4075.exezap2174.exetz4768.exev6855WI.exew05AV57.exexAPed82.exey86tu48.exelegenda.exe76783.exebuild.exelegenda.exe

pid	process
436	zap5766.exe
4352	zap4075.exe
2512	zap2174.exe
3520	tz4768.exe
2732	v6855WI.exe
4776	w05AV57.exe
4264	xAPed82.exe
4668	y86tu48.exe
4624	legenda.exe
4600	76783.exe
3100	build.exe
644	legenda.exe

Loads dropped DLL 2 IoCs

Processes:

build.exerundll32.exe

pid process

3100 build.exe
2036 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3100	build.exe
2036	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v6855WI.exetz4768.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4768.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6855WI.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2174.exebuild.exe935c8459f31edb0ec9be0e6ce3cb53ab.exezap4075.exezap5766.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2174.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build = "C:\\Users\\Admin\\AppData\\Local\\11bdd1c8eaa189b3bb5a9a359c17957f\\build.exe"	build.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	935c8459f31edb0ec9be0e6ce3cb53ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	935c8459f31edb0ec9be0e6ce3cb53ab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap5766.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2174.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

76783.exe

description pid process target process

PID 4600 set thread context of 116 4600 76783.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4568 2732 WerFault.exe v6855WI.exe
3976 4776 WerFault.exe w05AV57.exe

flow	ioc
92	icanhazip.com

description	pid	process	target process
PID 4600 set thread context of 116	4600	76783.exe	InstallUtil.exe

pid	pid_target	process	target process
4568	2732	WerFault.exe	v6855WI.exe
3976	4776	WerFault.exe	w05AV57.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	build.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

532 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

build.exe

pid process

3100 build.exe

pid	process
532	schtasks.exe

pid	process
3100	build.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tz4768.exev6855WI.exew05AV57.exexAPed82.exe76783.exe

pid	process
3520	tz4768.exe
3520	tz4768.exe
2732	v6855WI.exe
2732	v6855WI.exe
4776	w05AV57.exe
4776	w05AV57.exe
4264	xAPed82.exe
4264	xAPed82.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe
4600	76783.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

tz4768.exev6855WI.exew05AV57.exexAPed82.exe76783.exebuild.exemsiexec.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3520	tz4768.exe
Token: SeDebugPrivilege	2732	v6855WI.exe
Token: SeDebugPrivilege	4776	w05AV57.exe
Token: SeDebugPrivilege	4264	xAPed82.exe
Token: SeDebugPrivilege	4600	76783.exe
Token: SeDebugPrivilege	3100	build.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeDebugPrivilege	116	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

build.exe

pid process

3100 build.exe

pid	process
3100	build.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

935c8459f31edb0ec9be0e6ce3cb53ab.exezap5766.exezap4075.exezap2174.exey86tu48.exelegenda.execmd.exe76783.exebuild.exe

description	pid	process	target process
PID 2108 wrote to memory of 436	2108	935c8459f31edb0ec9be0e6ce3cb53ab.exe	zap5766.exe
PID 2108 wrote to memory of 436	2108	935c8459f31edb0ec9be0e6ce3cb53ab.exe	zap5766.exe
PID 2108 wrote to memory of 436	2108	935c8459f31edb0ec9be0e6ce3cb53ab.exe	zap5766.exe
PID 436 wrote to memory of 4352	436	zap5766.exe	zap4075.exe
PID 436 wrote to memory of 4352	436	zap5766.exe	zap4075.exe
PID 436 wrote to memory of 4352	436	zap5766.exe	zap4075.exe
PID 4352 wrote to memory of 2512	4352	zap4075.exe	zap2174.exe
PID 4352 wrote to memory of 2512	4352	zap4075.exe	zap2174.exe
PID 4352 wrote to memory of 2512	4352	zap4075.exe	zap2174.exe
PID 2512 wrote to memory of 3520	2512	zap2174.exe	tz4768.exe
PID 2512 wrote to memory of 3520	2512	zap2174.exe	tz4768.exe
PID 2512 wrote to memory of 2732	2512	zap2174.exe	v6855WI.exe
PID 2512 wrote to memory of 2732	2512	zap2174.exe	v6855WI.exe
PID 2512 wrote to memory of 2732	2512	zap2174.exe	v6855WI.exe
PID 4352 wrote to memory of 4776	4352	zap4075.exe	w05AV57.exe
PID 4352 wrote to memory of 4776	4352	zap4075.exe	w05AV57.exe
PID 4352 wrote to memory of 4776	4352	zap4075.exe	w05AV57.exe
PID 436 wrote to memory of 4264	436	zap5766.exe	xAPed82.exe
PID 436 wrote to memory of 4264	436	zap5766.exe	xAPed82.exe
PID 436 wrote to memory of 4264	436	zap5766.exe	xAPed82.exe
PID 2108 wrote to memory of 4668	2108	935c8459f31edb0ec9be0e6ce3cb53ab.exe	y86tu48.exe
PID 2108 wrote to memory of 4668	2108	935c8459f31edb0ec9be0e6ce3cb53ab.exe	y86tu48.exe
PID 2108 wrote to memory of 4668	2108	935c8459f31edb0ec9be0e6ce3cb53ab.exe	y86tu48.exe
PID 4668 wrote to memory of 4624	4668	y86tu48.exe	legenda.exe
PID 4668 wrote to memory of 4624	4668	y86tu48.exe	legenda.exe
PID 4668 wrote to memory of 4624	4668	y86tu48.exe	legenda.exe
PID 4624 wrote to memory of 532	4624	legenda.exe	schtasks.exe
PID 4624 wrote to memory of 532	4624	legenda.exe	schtasks.exe
PID 4624 wrote to memory of 532	4624	legenda.exe	schtasks.exe
PID 4624 wrote to memory of 3188	4624	legenda.exe	cmd.exe
PID 4624 wrote to memory of 3188	4624	legenda.exe	cmd.exe
PID 4624 wrote to memory of 3188	4624	legenda.exe	cmd.exe
PID 3188 wrote to memory of 3196	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3196	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3196	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3228	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 3228	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 3228	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 3232	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 3232	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 3232	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 820	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 820	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 820	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 4760	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 4760	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 4760	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 1312	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 1312	3188	cmd.exe	cacls.exe
PID 3188 wrote to memory of 1312	3188	cmd.exe	cacls.exe
PID 4624 wrote to memory of 4600	4624	legenda.exe	76783.exe
PID 4624 wrote to memory of 4600	4624	legenda.exe	76783.exe
PID 4624 wrote to memory of 4600	4624	legenda.exe	76783.exe
PID 4600 wrote to memory of 3100	4600	76783.exe	build.exe
PID 4600 wrote to memory of 3100	4600	76783.exe	build.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 4600 wrote to memory of 116	4600	76783.exe	InstallUtil.exe
PID 3100 wrote to memory of 4240	3100	build.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\935c8459f31edb0ec9be0e6ce3cb53ab.exe
"C:\Users\Admin\AppData\Local\Temp\935c8459f31edb0ec9be0e6ce3cb53ab.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1084
6⤵
- Program crash
PID:4568

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1356
5⤵
- Program crash
PID:3976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3196

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3228

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:820

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4760

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\1000156001\76783.exe
"C:\Users\Admin\AppData\Local\Temp\1000156001\76783.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
6⤵
PID:4240

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4800

C:\Windows\system32\netsh.exe
netsh wlan show profile
7⤵
PID:3596

C:\Windows\system32\findstr.exe
findstr All
7⤵
PID:4132

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
6⤵
PID:4288

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:3308

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
7⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2732 -ip 2732
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4776 -ip 4776
1⤵
PID:1616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000156001\76783.exe
Filesize
1.3MB

MD5
1782e83ab6ad4f8b4b24dc03ee802100

SHA1
fcc9e4d3a0b8bc205339f878f83775939acb93e6

SHA256
e5d6c6b7449ea4f9931eed975d0fbf40ded3c637bafee5adb4bd4bd7a703f7dd

SHA512
ada7fa28dd6a60a5bef1b63ac07e697e14091fe8bd0d569b0b9cb9e5483acf4c650b25d64ec35027a1ec14ef2fb028c7cf7dd2bdb36f1da7acdddb51d4580e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000156001\76783.exe
Filesize
1.3MB

MD5
1782e83ab6ad4f8b4b24dc03ee802100

SHA1
fcc9e4d3a0b8bc205339f878f83775939acb93e6

SHA256
e5d6c6b7449ea4f9931eed975d0fbf40ded3c637bafee5adb4bd4bd7a703f7dd

SHA512
ada7fa28dd6a60a5bef1b63ac07e697e14091fe8bd0d569b0b9cb9e5483acf4c650b25d64ec35027a1ec14ef2fb028c7cf7dd2bdb36f1da7acdddb51d4580e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000156001\76783.exe
Filesize
1.3MB

MD5
1782e83ab6ad4f8b4b24dc03ee802100

SHA1
fcc9e4d3a0b8bc205339f878f83775939acb93e6

SHA256
e5d6c6b7449ea4f9931eed975d0fbf40ded3c637bafee5adb4bd4bd7a703f7dd

SHA512
ada7fa28dd6a60a5bef1b63ac07e697e14091fe8bd0d569b0b9cb9e5483acf4c650b25d64ec35027a1ec14ef2fb028c7cf7dd2bdb36f1da7acdddb51d4580e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\698aaace-200f-410f-82cd-63a7acb3aafb
Filesize
92KB

MD5
721d9e468a6d6d0276d8d0e060e4e57b

SHA1
62c635bf0c173012301f195a7d0e430270715613

SHA256
0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0

SHA512
0af08f0f5ecda8cdaaaba317f16e835032797e4e6e64f3f4e5b0bb8fd20f1afd9e8e2ca50b549e1c1a48a26ff02f59bc8212deb354b095294c97016a3c9dbb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fe20cbe-a64f-4f47-804f-38668606de25
Filesize
5.0MB

MD5
eaaa6ecca0077542fd37b22b0d11e50d

SHA1
3b83081897afdadd5f112a449e6d32a0915b8717

SHA256
adb6fe43ee687f3a5a40882ce49754b23e4d1282c1bbe3c601e43967dfd3ee59

SHA512
2080d044fe4c26660ef49ee45e59bcb8bf3e5f0d7917a6c4bce759a5c9f00fd432af3d476ce662ed5d2d0a0a8e6ace578143fc03fdbbfb845378bec305e8d0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\4993FC383A80402228FA13C13CB7F2C2\64\sqlite.interop.dll
Filesize
1.6MB

MD5
0ec8d85d10ff52827930b1cec64a0933

SHA1
90c6d01aefa10f5488411c84553ed44131372c58

SHA256
7f214dfccf659d8e4c0a08aa6772b2e540f20987aab2b26b6baad2d201554bec

SHA512
650257cf683d030bfa6a8da7065409b47e994ae86ba96934a1d977c51a48b2d80d8e1bc8a7979deb089ba243cef13f9e2707837f9803d691b51c14c07aff3375

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
Filesize
829KB

MD5
9bea9d1a577e90ce387958c1507b0918

SHA1
b7579a4fe32afd8cc5e61a3363f8552249b8a42b

SHA256
f69aced34f60ab9fb4b4a298f4889381733932dcff96577282bb5fb6140aec2e

SHA512
3224ff1926fe706d364c3670e63392277cd704e17d04c2d5b113950c271fa953a0f3ce153ea09ff905bfcbb002485c15436a2fb66097d3dd6f97d877bbcadeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
Filesize
829KB

MD5
9bea9d1a577e90ce387958c1507b0918

SHA1
b7579a4fe32afd8cc5e61a3363f8552249b8a42b

SHA256
f69aced34f60ab9fb4b4a298f4889381733932dcff96577282bb5fb6140aec2e

SHA512
3224ff1926fe706d364c3670e63392277cd704e17d04c2d5b113950c271fa953a0f3ce153ea09ff905bfcbb002485c15436a2fb66097d3dd6f97d877bbcadeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
Filesize
687KB

MD5
07f05ba4795888230a232c52605fa4f1

SHA1
71162b41a85670c734f87b9f91919c26edfb2beb

SHA256
2fda4e170a0ef722e22c8dda3ad79c8c39251fe83db7e119b02b883d30f7e6ec

SHA512
1f00d611cc11c7e94b397c6ec763d3d1dc455ee0c3b1c20e56e40cf6e79d3d7e1d897dd02f43852c1721047c72ec7963be4d130f1d40ed9d3de58d520e07d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
Filesize
687KB

MD5
07f05ba4795888230a232c52605fa4f1

SHA1
71162b41a85670c734f87b9f91919c26edfb2beb

SHA256
2fda4e170a0ef722e22c8dda3ad79c8c39251fe83db7e119b02b883d30f7e6ec

SHA512
1f00d611cc11c7e94b397c6ec763d3d1dc455ee0c3b1c20e56e40cf6e79d3d7e1d897dd02f43852c1721047c72ec7963be4d130f1d40ed9d3de58d520e07d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
Filesize
357KB

MD5
d8c72a55085bc5caabcbafe552b02e2b

SHA1
a433d3ad1a180e0d64d4175c84d942f5b506cc7a

SHA256
4fb07143a13cce5cd71e21b3988b048ad05d2364e33f445dbc87615827eb00fc

SHA512
fb1d669e10dd1eef7bdd6da413c3eedf6a3c40b949ff0fcfcc5a4d408aba6f21256bd987eab786588ab741d152470849765f6c675c975d41e1e09624631637be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
Filesize
357KB

MD5
d8c72a55085bc5caabcbafe552b02e2b

SHA1
a433d3ad1a180e0d64d4175c84d942f5b506cc7a

SHA256
4fb07143a13cce5cd71e21b3988b048ad05d2364e33f445dbc87615827eb00fc

SHA512
fb1d669e10dd1eef7bdd6da413c3eedf6a3c40b949ff0fcfcc5a4d408aba6f21256bd987eab786588ab741d152470849765f6c675c975d41e1e09624631637be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
Filesize
340KB

MD5
db69a53184dd6aa861e9f83469a0fcee

SHA1
9943477240ec918a39816ea32c6c9b8b5689ca4b

SHA256
610ffa272a80b6ffcf75f243906a750ef3f70669f82644d34ee64adc4f1d2711

SHA512
9fcd5cd4a19ee9fc0e04112d7dbedbe3ca7f960552f19d71efd7f4368fc16ef6285e2de2f785891911c142c23220c9cf1daaa94a4cd08f67e463d0917f76346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
Filesize
340KB

MD5
db69a53184dd6aa861e9f83469a0fcee

SHA1
9943477240ec918a39816ea32c6c9b8b5689ca4b

SHA256
610ffa272a80b6ffcf75f243906a750ef3f70669f82644d34ee64adc4f1d2711

SHA512
9fcd5cd4a19ee9fc0e04112d7dbedbe3ca7f960552f19d71efd7f4368fc16ef6285e2de2f785891911c142c23220c9cf1daaa94a4cd08f67e463d0917f76346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
Filesize
298KB

MD5
a58945177e3e75e3016fbfe540953af0

SHA1
8cf2a371da631755af9ece5d6f17f1d252e16ba5

SHA256
43e20bd504ad83faffec9e6861f7575d941792b96de57f79fca0fa3e8a4488d4

SHA512
6d9f5234488f4304dc5cdea2287519dc7651f60cdfc6d96ba652effbce8f99fca9de62a105fe2c135dfd8bae90c958e369934883072c168629f4cf0cb2e43793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
Filesize
298KB

MD5
a58945177e3e75e3016fbfe540953af0

SHA1
8cf2a371da631755af9ece5d6f17f1d252e16ba5

SHA256
43e20bd504ad83faffec9e6861f7575d941792b96de57f79fca0fa3e8a4488d4

SHA512
6d9f5234488f4304dc5cdea2287519dc7651f60cdfc6d96ba652effbce8f99fca9de62a105fe2c135dfd8bae90c958e369934883072c168629f4cf0cb2e43793

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdcf7589-c24d-4c6a-ae2c-819aa0cb4877
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Roaming\BDyuFOZADSVWH.Admin\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\BDyuFOZADSVWH.Admin\System\Apps.txt
Filesize
4KB

MD5
5c662abcd41d56e9895098b9c4f6908b

SHA1
9d00abbcbee140db589a13582079dd842e38e09d

SHA256
990a64de4c96683b6f54cbba19c0b440f0b083f017ebbab825f927ed078978d9

SHA512
6ae8816026becf7a72bab14f77c6fe68e82193d46ff7529cbb86c621468bd42f3184eea200faf7c69a42c9f40ae7425aaef3f86a3449ee7ef89da141792937b4

Download Submit
C:\Users\Admin\AppData\Roaming\BDyuFOZADSVWH.Admin\System\Process.txt
Filesize
749B

MD5
f8f655435a26c1d570c7e2c864318207

SHA1
316aca3b47cb910b31cb043d3a81c0c2e06ee662

SHA256
0e73cd06b7936d0be0998318845499501ed16c43fd76fa91dab105ab69dbf7d3

SHA512
0dc69f1b230e38f41381ce8c112960c764aaf8840d33b229c4527afdf33b36e7b6b9bf4f5650d35e783429de84b669b8e7eaf81ae7520e3b3666c3dd689f5366

Download Submit
C:\Users\Admin\AppData\Roaming\BDyuFOZADSVWH.Admin\System\Process.txt
Filesize
1KB

MD5
ea48d27dceb421efc7a52674a266a745

SHA1
f388632cabfca495a006f596265db62ead27bcad

SHA256
b649122c4cc90561ae9d2932e964f40e77e8e6f9c042d8bd38290b78a95f68e1

SHA512
abb74e03d10cb9aebfef50e9b1729a5834b4b1d9a5e2d8e1405983cd9a5ecf666e006a59f2c37e6205f49ba3ea070309e84114bbecd5089f014b4bdbb59336e7

Download Submit
C:\Users\Admin\AppData\Roaming\BDyuFOZADSVWH.Admin\System\Process.txt
Filesize
2KB

MD5
6b9c52581cfe13a48f7c08c9aff21060

SHA1
87cfe2b517c7c7ed6bd3a3e6cada2529eb2e3865

SHA256
210ff6952894d328ed89cedf7d9fed7501efcecfaa27bef7753bbb5af337c0a0

SHA512
2e5fd22d67dcf94781dd288c2b523d82cc437604b05c0cd3b80a9e9a6f6889420616cdf02da5fd62dc6dace4438c3342d1eb5578da25d1e249d830a3be98eb14

Download Submit
C:\Users\Admin\AppData\Roaming\BDyuFOZADSVWH.Admin\System\Process.txt
Filesize
4KB

MD5
811ddf55384ba0d7de67a85b9179f924

SHA1
fdcbc93c746cefcf8fff581f5fc00a090208617d

SHA256
d208abceef45a5aeeceaea7b0d61a025d7f2d043677c9c83ab273ce32498c37b

SHA512
33712e161d9a794875864892fef6fdee5b884898bbaacb90ca3079e8d80268eefa88cf05f9ef73dd336c8c272ffcefa56620cab17208fb70d9bd5560a1fbcc08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
Filesize
219KB

MD5
8335af270081d77360614e79069a2c33

SHA1
4ddbbe796abda834b342f0987df5b72c35fd2717

SHA256
f10d06d3709919d84af8c6ca81c85c3e33d501da0f1e36b6c37f04c5e58345c1

SHA512
448389132aa57473478a8b44761ae029510ab1ed3828d8c501fe4206317cb18ba5d46660788a5065568fb91c2c6626e74f0d3c41198b518e86336b5e2991648f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
Filesize
219KB

MD5
8335af270081d77360614e79069a2c33

SHA1
4ddbbe796abda834b342f0987df5b72c35fd2717

SHA256
f10d06d3709919d84af8c6ca81c85c3e33d501da0f1e36b6c37f04c5e58345c1

SHA512
448389132aa57473478a8b44761ae029510ab1ed3828d8c501fe4206317cb18ba5d46660788a5065568fb91c2c6626e74f0d3c41198b518e86336b5e2991648f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
Filesize
219KB

MD5
8335af270081d77360614e79069a2c33

SHA1
4ddbbe796abda834b342f0987df5b72c35fd2717

SHA256
f10d06d3709919d84af8c6ca81c85c3e33d501da0f1e36b6c37f04c5e58345c1

SHA512
448389132aa57473478a8b44761ae029510ab1ed3828d8c501fe4206317cb18ba5d46660788a5065568fb91c2c6626e74f0d3c41198b518e86336b5e2991648f

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/116-1440-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/116-1439-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/116-1449-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/2732-173-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2732-203-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2732-202-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2732-201-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2732-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2732-199-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-197-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-195-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-193-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-191-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-189-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-187-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-185-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-183-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-181-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-179-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-177-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-175-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-172-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2732-170-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2732-171-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2732-169-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2732-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/2732-167-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/3100-1195-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/3100-1338-0x0000000020420000-0x000000002045A000-memory.dmp

Filesize
232KB

Download
memory/3100-1436-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1435-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1434-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1405-0x0000000020200000-0x0000000020212000-memory.dmp

Filesize
72KB

Download
memory/3100-1380-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1339-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1337-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1336-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3100-1334-0x0000000020C00000-0x0000000020DC2000-memory.dmp

Filesize
1.8MB

Download
memory/3100-1200-0x000000001ECE0000-0x000000001ECEA000-memory.dmp

Filesize
40KB

Download
memory/3100-1199-0x000000001E930000-0x000000001E94E000-memory.dmp

Filesize
120KB

Download
memory/3100-1198-0x000000001E950000-0x000000001E9C6000-memory.dmp

Filesize
472KB

Download
memory/3100-1196-0x000000001D0D0000-0x000000001D0E0000-memory.dmp

Filesize
64KB

Download
memory/3520-161-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/4264-1141-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/4264-1142-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4600-1177-0x0000000006270000-0x000000000630C000-memory.dmp

Filesize
624KB

Download
memory/4600-1175-0x0000000000AD0000-0x0000000000C10000-memory.dmp

Filesize
1.2MB

Download
memory/4600-1176-0x0000000006540000-0x0000000006AAC000-memory.dmp

Filesize
5.4MB

Download
memory/4600-1197-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1178-0x00000000063B0000-0x00000000063BA000-memory.dmp

Filesize
40KB

Download
memory/4600-1179-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1180-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1181-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1182-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1183-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1433-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4600-1210-0x0000000006500000-0x0000000006510000-memory.dmp

Filesize
64KB

Download
memory/4776-226-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-1130-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-1123-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/4776-241-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-1124-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-1126-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/4776-1127-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4776-243-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-237-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-235-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-233-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4776-230-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-231-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-245-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-229-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-247-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-1128-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-1129-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-239-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-227-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-225-0x0000000004560000-0x00000000045AB000-memory.dmp

Filesize
300KB

Download
memory/4776-1135-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-223-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-1134-0x0000000009540000-0x0000000009590000-memory.dmp

Filesize
320KB

Download
memory/4776-1120-0x0000000007790000-0x0000000007DA8000-memory.dmp

Filesize
6.1MB

Download
memory/4776-1133-0x00000000094C0000-0x0000000009536000-memory.dmp

Filesize
472KB

Download
memory/4776-1132-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/4776-1131-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/4776-221-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-219-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-217-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-213-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-215-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-211-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-210-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4776-1121-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download