amadey | 5c48b9d5f58f3a95f82e68cbbf9d068a8ed909e41d5559e120d5543e88457d09

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe
Size

1013KB
MD5

935c8459f31edb0ec9be0e6ce3cb53ab
SHA1

ea766a0431c3dc91336432d0ff7b26e45d5bacf9
SHA256

74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a
SHA512

969c42a0f20c7d68dd5dc52cdedeaedca5783e650bfee43e823b049b85e1c47885cc655cc5cf58abafdad9a23c388f016c0552fc7e30a74a2ca19a52faff9c5b
SSDEEP

24576:2yyuQU6oDHu7pQLRBOrFPkVfovB1NcwWVM:FyuQkHforhkRoJ1NcL

Score

10^/10

amadey lumma redline boris lida discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v6855WI.exetz4768.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4768.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6855WI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4768.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4768.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4012-210-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-211-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-213-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-215-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-217-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-219-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-223-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-221-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-227-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-225-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-229-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-231-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-233-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-239-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-235-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-243-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-247-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-245-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4012-241-0x0000000007260000-0x0000000007270000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y86tu48.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y86tu48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap5766.exezap4075.exezap2174.exetz4768.exev6855WI.exew05AV57.exexAPed82.exey86tu48.exelegenda.exeLummas.exelegenda.exelegenda.exe

pid	process
4272	zap5766.exe
2044	zap4075.exe
1316	zap2174.exe
8	tz4768.exe
1420	v6855WI.exe
4012	w05AV57.exe
5068	xAPed82.exe
3352	y86tu48.exe
1856	legenda.exe
4756	Lummas.exe
4876	legenda.exe
4312	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1676 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1676	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4768.exev6855WI.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4768.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6855WI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6855WI.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2174.exe74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exezap5766.exezap4075.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2174.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap5766.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2174.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lummas.exe

description pid process target process

PID 4756 set thread context of 4076 4756 Lummas.exe jsc.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4224 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3472 1420 WerFault.exe v6855WI.exe
3180 4012 WerFault.exe w05AV57.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

408 schtasks.exe

description	pid	process	target process
PID 4756 set thread context of 4076	4756	Lummas.exe	jsc.exe

pid	process
4224	sc.exe

pid	pid_target	process	target process
3472	1420	WerFault.exe	v6855WI.exe
3180	4012	WerFault.exe	w05AV57.exe

pid	process
408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

tz4768.exev6855WI.exew05AV57.exexAPed82.exeLummas.exe

pid	process
8	tz4768.exe
8	tz4768.exe
1420	v6855WI.exe
1420	v6855WI.exe
4012	w05AV57.exe
4012	w05AV57.exe
5068	xAPed82.exe
5068	xAPed82.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe
4756	Lummas.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tz4768.exev6855WI.exew05AV57.exexAPed82.exeLummas.exe

description	pid	process
Token: SeDebugPrivilege	8	tz4768.exe
Token: SeDebugPrivilege	1420	v6855WI.exe
Token: SeDebugPrivilege	4012	w05AV57.exe
Token: SeDebugPrivilege	5068	xAPed82.exe
Token: SeDebugPrivilege	4756	Lummas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exezap5766.exezap4075.exezap2174.exey86tu48.exelegenda.execmd.exeLummas.exe

description	pid	process	target process
PID 1952 wrote to memory of 4272	1952	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe	zap5766.exe
PID 1952 wrote to memory of 4272	1952	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe	zap5766.exe
PID 1952 wrote to memory of 4272	1952	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe	zap5766.exe
PID 4272 wrote to memory of 2044	4272	zap5766.exe	zap4075.exe
PID 4272 wrote to memory of 2044	4272	zap5766.exe	zap4075.exe
PID 4272 wrote to memory of 2044	4272	zap5766.exe	zap4075.exe
PID 2044 wrote to memory of 1316	2044	zap4075.exe	zap2174.exe
PID 2044 wrote to memory of 1316	2044	zap4075.exe	zap2174.exe
PID 2044 wrote to memory of 1316	2044	zap4075.exe	zap2174.exe
PID 1316 wrote to memory of 8	1316	zap2174.exe	tz4768.exe
PID 1316 wrote to memory of 8	1316	zap2174.exe	tz4768.exe
PID 1316 wrote to memory of 1420	1316	zap2174.exe	v6855WI.exe
PID 1316 wrote to memory of 1420	1316	zap2174.exe	v6855WI.exe
PID 1316 wrote to memory of 1420	1316	zap2174.exe	v6855WI.exe
PID 2044 wrote to memory of 4012	2044	zap4075.exe	w05AV57.exe
PID 2044 wrote to memory of 4012	2044	zap4075.exe	w05AV57.exe
PID 2044 wrote to memory of 4012	2044	zap4075.exe	w05AV57.exe
PID 4272 wrote to memory of 5068	4272	zap5766.exe	xAPed82.exe
PID 4272 wrote to memory of 5068	4272	zap5766.exe	xAPed82.exe
PID 4272 wrote to memory of 5068	4272	zap5766.exe	xAPed82.exe
PID 1952 wrote to memory of 3352	1952	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe	y86tu48.exe
PID 1952 wrote to memory of 3352	1952	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe	y86tu48.exe
PID 1952 wrote to memory of 3352	1952	74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe	y86tu48.exe
PID 3352 wrote to memory of 1856	3352	y86tu48.exe	legenda.exe
PID 3352 wrote to memory of 1856	3352	y86tu48.exe	legenda.exe
PID 3352 wrote to memory of 1856	3352	y86tu48.exe	legenda.exe
PID 1856 wrote to memory of 408	1856	legenda.exe	schtasks.exe
PID 1856 wrote to memory of 408	1856	legenda.exe	schtasks.exe
PID 1856 wrote to memory of 408	1856	legenda.exe	schtasks.exe
PID 1856 wrote to memory of 2428	1856	legenda.exe	cmd.exe
PID 1856 wrote to memory of 2428	1856	legenda.exe	cmd.exe
PID 1856 wrote to memory of 2428	1856	legenda.exe	cmd.exe
PID 2428 wrote to memory of 4348	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 4348	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 4348	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 112	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 112	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 112	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 5024	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 5024	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 5024	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 3532	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 3532	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 3532	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2488	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 2488	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 2488	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 2680	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 2680	2428	cmd.exe	cacls.exe
PID 2428 wrote to memory of 2680	2428	cmd.exe	cacls.exe
PID 1856 wrote to memory of 4756	1856	legenda.exe	Lummas.exe
PID 1856 wrote to memory of 4756	1856	legenda.exe	Lummas.exe
PID 4756 wrote to memory of 4580	4756	Lummas.exe	mscorsvw.exe
PID 4756 wrote to memory of 4580	4756	Lummas.exe	mscorsvw.exe
PID 4756 wrote to memory of 688	4756	Lummas.exe	AddInUtil.exe
PID 4756 wrote to memory of 688	4756	Lummas.exe	AddInUtil.exe
PID 4756 wrote to memory of 1624	4756	Lummas.exe	aspnet_state.exe
PID 4756 wrote to memory of 1624	4756	Lummas.exe	aspnet_state.exe
PID 4756 wrote to memory of 4676	4756	Lummas.exe	aspnet_regbrowsers.exe
PID 4756 wrote to memory of 4676	4756	Lummas.exe	aspnet_regbrowsers.exe
PID 4756 wrote to memory of 4256	4756	Lummas.exe	ComSvcConfig.exe
PID 4756 wrote to memory of 4256	4756	Lummas.exe	ComSvcConfig.exe
PID 4756 wrote to memory of 4296	4756	Lummas.exe	AppLaunch.exe
PID 4756 wrote to memory of 4296	4756	Lummas.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe
"C:\Users\Admin\AppData\Local\Temp\74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1080
6⤵
- Program crash
PID:3472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1328
5⤵
- Program crash
PID:3180

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4348

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:112

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3532

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2488

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
5⤵
PID:4580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
5⤵
PID:688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
5⤵
PID:4676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
5⤵
PID:4256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
5⤵
PID:4296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
5⤵
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
5⤵
PID:2480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
5⤵
PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
5⤵
PID:4564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
5⤵
PID:536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
5⤵
PID:32

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
5⤵
PID:1808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
5⤵
PID:3384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:3836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
5⤵
PID:1156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
5⤵
PID:3808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
5⤵
PID:4320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
5⤵
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
5⤵
PID:2072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
5⤵
PID:3420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
5⤵
PID:2532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
5⤵
PID:1960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:4076

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1420 -ip 1420
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4012 -ip 4012
1⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y86tu48.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
Filesize
829KB

MD5
9bea9d1a577e90ce387958c1507b0918

SHA1
b7579a4fe32afd8cc5e61a3363f8552249b8a42b

SHA256
f69aced34f60ab9fb4b4a298f4889381733932dcff96577282bb5fb6140aec2e

SHA512
3224ff1926fe706d364c3670e63392277cd704e17d04c2d5b113950c271fa953a0f3ce153ea09ff905bfcbb002485c15436a2fb66097d3dd6f97d877bbcadeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap5766.exe
Filesize
829KB

MD5
9bea9d1a577e90ce387958c1507b0918

SHA1
b7579a4fe32afd8cc5e61a3363f8552249b8a42b

SHA256
f69aced34f60ab9fb4b4a298f4889381733932dcff96577282bb5fb6140aec2e

SHA512
3224ff1926fe706d364c3670e63392277cd704e17d04c2d5b113950c271fa953a0f3ce153ea09ff905bfcbb002485c15436a2fb66097d3dd6f97d877bbcadeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xAPed82.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
Filesize
687KB

MD5
07f05ba4795888230a232c52605fa4f1

SHA1
71162b41a85670c734f87b9f91919c26edfb2beb

SHA256
2fda4e170a0ef722e22c8dda3ad79c8c39251fe83db7e119b02b883d30f7e6ec

SHA512
1f00d611cc11c7e94b397c6ec763d3d1dc455ee0c3b1c20e56e40cf6e79d3d7e1d897dd02f43852c1721047c72ec7963be4d130f1d40ed9d3de58d520e07d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4075.exe
Filesize
687KB

MD5
07f05ba4795888230a232c52605fa4f1

SHA1
71162b41a85670c734f87b9f91919c26edfb2beb

SHA256
2fda4e170a0ef722e22c8dda3ad79c8c39251fe83db7e119b02b883d30f7e6ec

SHA512
1f00d611cc11c7e94b397c6ec763d3d1dc455ee0c3b1c20e56e40cf6e79d3d7e1d897dd02f43852c1721047c72ec7963be4d130f1d40ed9d3de58d520e07d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
Filesize
357KB

MD5
d8c72a55085bc5caabcbafe552b02e2b

SHA1
a433d3ad1a180e0d64d4175c84d942f5b506cc7a

SHA256
4fb07143a13cce5cd71e21b3988b048ad05d2364e33f445dbc87615827eb00fc

SHA512
fb1d669e10dd1eef7bdd6da413c3eedf6a3c40b949ff0fcfcc5a4d408aba6f21256bd987eab786588ab741d152470849765f6c675c975d41e1e09624631637be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05AV57.exe
Filesize
357KB

MD5
d8c72a55085bc5caabcbafe552b02e2b

SHA1
a433d3ad1a180e0d64d4175c84d942f5b506cc7a

SHA256
4fb07143a13cce5cd71e21b3988b048ad05d2364e33f445dbc87615827eb00fc

SHA512
fb1d669e10dd1eef7bdd6da413c3eedf6a3c40b949ff0fcfcc5a4d408aba6f21256bd987eab786588ab741d152470849765f6c675c975d41e1e09624631637be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
Filesize
340KB

MD5
db69a53184dd6aa861e9f83469a0fcee

SHA1
9943477240ec918a39816ea32c6c9b8b5689ca4b

SHA256
610ffa272a80b6ffcf75f243906a750ef3f70669f82644d34ee64adc4f1d2711

SHA512
9fcd5cd4a19ee9fc0e04112d7dbedbe3ca7f960552f19d71efd7f4368fc16ef6285e2de2f785891911c142c23220c9cf1daaa94a4cd08f67e463d0917f76346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2174.exe
Filesize
340KB

MD5
db69a53184dd6aa861e9f83469a0fcee

SHA1
9943477240ec918a39816ea32c6c9b8b5689ca4b

SHA256
610ffa272a80b6ffcf75f243906a750ef3f70669f82644d34ee64adc4f1d2711

SHA512
9fcd5cd4a19ee9fc0e04112d7dbedbe3ca7f960552f19d71efd7f4368fc16ef6285e2de2f785891911c142c23220c9cf1daaa94a4cd08f67e463d0917f76346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4768.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
Filesize
298KB

MD5
a58945177e3e75e3016fbfe540953af0

SHA1
8cf2a371da631755af9ece5d6f17f1d252e16ba5

SHA256
43e20bd504ad83faffec9e6861f7575d941792b96de57f79fca0fa3e8a4488d4

SHA512
6d9f5234488f4304dc5cdea2287519dc7651f60cdfc6d96ba652effbce8f99fca9de62a105fe2c135dfd8bae90c958e369934883072c168629f4cf0cb2e43793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6855WI.exe
Filesize
298KB

MD5
a58945177e3e75e3016fbfe540953af0

SHA1
8cf2a371da631755af9ece5d6f17f1d252e16ba5

SHA256
43e20bd504ad83faffec9e6861f7575d941792b96de57f79fca0fa3e8a4488d4

SHA512
6d9f5234488f4304dc5cdea2287519dc7651f60cdfc6d96ba652effbce8f99fca9de62a105fe2c135dfd8bae90c958e369934883072c168629f4cf0cb2e43793

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/8-161-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/1420-186-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-194-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-196-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-197-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1420-198-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1420-199-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1420-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1420-202-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1420-204-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1420-203-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1420-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1420-192-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-190-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-188-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-184-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-182-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-180-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-178-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-176-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-174-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-172-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-170-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-169-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/1420-168-0x00000000071C0000-0x0000000007764000-memory.dmp

Filesize
5.6MB

Download
memory/1420-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4012-227-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-1134-0x000000000A8C0000-0x000000000A910000-memory.dmp

Filesize
320KB

Download
memory/4012-239-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-235-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-243-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-247-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-245-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-241-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-1120-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/4012-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4012-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4012-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4012-1124-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-1126-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/4012-1127-0x0000000008BD0000-0x0000000008C62000-memory.dmp

Filesize
584KB

Download
memory/4012-1128-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-1129-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-1130-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-1131-0x0000000009F80000-0x000000000A142000-memory.dmp

Filesize
1.8MB

Download
memory/4012-1132-0x000000000A150000-0x000000000A67C000-memory.dmp

Filesize
5.2MB

Download
memory/4012-1133-0x0000000004A40000-0x0000000004AB6000-memory.dmp

Filesize
472KB

Download
memory/4012-240-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-1136-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-210-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-211-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-238-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4012-236-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/4012-233-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-231-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-229-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-225-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-221-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-223-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-213-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-215-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-217-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4012-219-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4076-1184-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4076-1185-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4076-1182-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4756-1176-0x000001F4198B0000-0x000001F4198C0000-memory.dmp

Filesize
64KB

Download
memory/4756-1175-0x000001F419360000-0x000001F41954E000-memory.dmp

Filesize
1.9MB

Download
memory/5068-1142-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/5068-1141-0x0000000000050000-0x0000000000082000-memory.dmp

Filesize
200KB

Download