amadey | 10f8fdb6c418db38657f0555e7f849b06669ad006ea3c57d25a48dd14eabee6b

Analysis

max time kernel
148s
max time network
115s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
Size

1.0MB
MD5

5ab493e8263fdc603cd5d6379781370c
SHA1

92e0ff46ecd086e0e030e9ccb0d9b12a5b0716b4
SHA256

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343
SHA512

eb3faa8f0129453676b637739b3b4813ea6975bf88bf1c566588c8250aac67a50163a921482d0b5491df19b8e4a78bffd5c1e1ee9d64c73152c165cbfb6d933f
SSDEEP

12288:/Mrjy90Pqd4U96S5aY50+IprbrXcGhJb3pJmaiqorbP0XHG4ioCk88AVKMCT6C:gybdfDg+INrxhhHmdrbP4mDoJANu3

Score

10^/10

amadey redline fort sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

fort

193.233.20.33:4125

Attributes

auth_value
5ea5673154a804d8c80f565f7276f720

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3801.exev6837xU.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6837xU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3801.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1304-147-0x00000000031D0000-0x0000000003216000-memory.dmp	family_redline
behavioral1/memory/1304-148-0x00000000047B0000-0x00000000047F4000-memory.dmp	family_redline
behavioral1/memory/1304-150-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-149-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-152-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-154-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-156-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-160-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-158-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-162-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-164-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-166-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-168-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-170-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-172-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-174-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-176-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-178-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-182-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-181-0x0000000007420000-0x0000000007460000-memory.dmp	family_redline
behavioral1/memory/1304-183-0x0000000007420000-0x0000000007460000-memory.dmp	family_redline
behavioral1/memory/1304-186-0x00000000047B0000-0x00000000047EE000-memory.dmp	family_redline
behavioral1/memory/1304-1059-0x0000000007420000-0x0000000007460000-memory.dmp	family_redline

Executes dropped EXE 11 IoCs

Processes:

zap7146.exezap9018.exezap1202.exetz3801.exev6837xU.exew38dM76.exexXdsh93.exey69Lh26.exelegenda.exelegenda.exelegenda.exe

pid	process
1716	zap7146.exe
1924	zap9018.exe
1668	zap1202.exe
2024	tz3801.exe
1128	v6837xU.exe
1304	w38dM76.exe
804	xXdsh93.exe
1628	y69Lh26.exe
1432	legenda.exe
544	legenda.exe
1720	legenda.exe

Loads dropped DLL 23 IoCs

Processes:

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exezap7146.exezap9018.exezap1202.exev6837xU.exew38dM76.exexXdsh93.exey69Lh26.exelegenda.exerundll32.exe

pid	process
1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
1716	zap7146.exe
1716	zap7146.exe
1924	zap9018.exe
1924	zap9018.exe
1668	zap1202.exe
1668	zap1202.exe
1668	zap1202.exe
1668	zap1202.exe
1128	v6837xU.exe
1924	zap9018.exe
1924	zap9018.exe
1304	w38dM76.exe
1716	zap7146.exe
804	xXdsh93.exe
1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
1628	y69Lh26.exe
1628	y69Lh26.exe
1432	legenda.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3801.exev6837xU.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	tz3801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3801.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	v6837xU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6837xU.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1202.execf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exezap7146.exezap9018.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1202.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7146.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9018.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9018.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3801.exev6837xU.exew38dM76.exexXdsh93.exe

pid process

2024 tz3801.exe
2024 tz3801.exe
1128 v6837xU.exe
1128 v6837xU.exe
1304 w38dM76.exe
1304 w38dM76.exe
804 xXdsh93.exe
804 xXdsh93.exe

pid	process
1316	schtasks.exe

pid	process
2024	tz3801.exe
2024	tz3801.exe
1128	v6837xU.exe
1128	v6837xU.exe
1304	w38dM76.exe
1304	w38dM76.exe
804	xXdsh93.exe
804	xXdsh93.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz3801.exev6837xU.exew38dM76.exexXdsh93.exe

description	pid	process
Token: SeDebugPrivilege	2024	tz3801.exe
Token: SeDebugPrivilege	1128	v6837xU.exe
Token: SeDebugPrivilege	1304	w38dM76.exe
Token: SeDebugPrivilege	804	xXdsh93.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exezap7146.exezap9018.exezap1202.exey69Lh26.exelegenda.exe

description	pid	process	target process
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1928 wrote to memory of 1716	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	zap7146.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1716 wrote to memory of 1924	1716	zap7146.exe	zap9018.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1924 wrote to memory of 1668	1924	zap9018.exe	zap1202.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 2024	1668	zap1202.exe	tz3801.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1668 wrote to memory of 1128	1668	zap1202.exe	v6837xU.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1924 wrote to memory of 1304	1924	zap9018.exe	w38dM76.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1716 wrote to memory of 804	1716	zap7146.exe	xXdsh93.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1928 wrote to memory of 1628	1928	cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe	y69Lh26.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1628 wrote to memory of 1432	1628	y69Lh26.exe	legenda.exe
PID 1432 wrote to memory of 1316	1432	legenda.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe
"C:\Users\Admin\AppData\Local\Temp\cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:996
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {7CC3B551-E963-4AC0-8E31-13913BBC5C4E} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  2⤵
  - Executes dropped EXE
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe

Filesize
846KB

MD5
5317c4e1a8c51a1464d2d4bb0dce0b36

SHA1
3cdae911225bdb81900477c136a5ab091afc9d81

SHA256
4f5346c8e163d2433f152db3db4590122f85da8a1f5f8436acb070fc2d00d749

SHA512
47bb8d4177925c521a3bc71208b8e0aec584ada9355b28a5baf556d70214f0403e986ffa8e84484379fda71c312785f59f3f3c6fdfa73d2b0765729ee50f34d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe

Filesize
846KB

MD5
5317c4e1a8c51a1464d2d4bb0dce0b36

SHA1
3cdae911225bdb81900477c136a5ab091afc9d81

SHA256
4f5346c8e163d2433f152db3db4590122f85da8a1f5f8436acb070fc2d00d749

SHA512
47bb8d4177925c521a3bc71208b8e0aec584ada9355b28a5baf556d70214f0403e986ffa8e84484379fda71c312785f59f3f3c6fdfa73d2b0765729ee50f34d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe

Filesize
175KB

MD5
61e94f59f33c69cc82d12e186cb7995f

SHA1
218f44f70e692e0a5371eae8774dd7d74a1ca416

SHA256
4fac93d65ffdf72d8c6daa48e86d5ccf0d039171676b401347ee254da38bb035

SHA512
c9bdb611cd610d5cb62be5b08673b10b59c734edc10b28ad8c7026c896fe8c1de2530e91cf59c6f0401edde4de8d347333933273168d73e2a03d328e632af5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe

Filesize
175KB

MD5
61e94f59f33c69cc82d12e186cb7995f

SHA1
218f44f70e692e0a5371eae8774dd7d74a1ca416

SHA256
4fac93d65ffdf72d8c6daa48e86d5ccf0d039171676b401347ee254da38bb035

SHA512
c9bdb611cd610d5cb62be5b08673b10b59c734edc10b28ad8c7026c896fe8c1de2530e91cf59c6f0401edde4de8d347333933273168d73e2a03d328e632af5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe

Filesize
704KB

MD5
59824d893af57cd4f4dd333b33322367

SHA1
c94f5bc82cbfb69adeb1ab662e179f7957cc5890

SHA256
0acd37ec594ac1db83dbd6eaac2e66e145777d2791d23cf404a61ab833b0c1a0

SHA512
405518e858075ee06d684fa29345aa9879d666fa19703cb4c2ed1f84b1376d41590ed47d95c90aa893aeba8305769f63620379ff35f6644cfb74eeb4299df2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe

Filesize
704KB

MD5
59824d893af57cd4f4dd333b33322367

SHA1
c94f5bc82cbfb69adeb1ab662e179f7957cc5890

SHA256
0acd37ec594ac1db83dbd6eaac2e66e145777d2791d23cf404a61ab833b0c1a0

SHA512
405518e858075ee06d684fa29345aa9879d666fa19703cb4c2ed1f84b1376d41590ed47d95c90aa893aeba8305769f63620379ff35f6644cfb74eeb4299df2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe

Filesize
349KB

MD5
b684967277b44899337eb466e687f8a3

SHA1
20b979cf6b3852feabe8e420fbd2c0701caed366

SHA256
102c23a20ce74c8859950279d0de4a91091e8912877a332c0e8d5c90473c6c0f

SHA512
95362d952449aa4e424b975f7415e43d15dc4e893425679afce9b1a066e0bcc25355a8794dc633cb9d699b55cead039b37761c2ebd9ae978c8bb45dd8b8a075a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe

Filesize
349KB

MD5
b684967277b44899337eb466e687f8a3

SHA1
20b979cf6b3852feabe8e420fbd2c0701caed366

SHA256
102c23a20ce74c8859950279d0de4a91091e8912877a332c0e8d5c90473c6c0f

SHA512
95362d952449aa4e424b975f7415e43d15dc4e893425679afce9b1a066e0bcc25355a8794dc633cb9d699b55cead039b37761c2ebd9ae978c8bb45dd8b8a075a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe

Filesize
12KB

MD5
f7e156712232cb4e5dce14b7f1961e75

SHA1
5c2aa13a04926a376cedaea5069df2cc4bfeb53f

SHA256
6d24b108886b08672e33415999a500a65a235fd6e39e5aa9b2bcb338b18aa680

SHA512
ec51e38433a7ec37947b00f7da98bd58a5a27a90c50b1592e273cc54895c0d1c70640e74c4d1575577e16251decc0aba663c280786eaadffb949632c8d5a9a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe

Filesize
12KB

MD5
f7e156712232cb4e5dce14b7f1961e75

SHA1
5c2aa13a04926a376cedaea5069df2cc4bfeb53f

SHA256
6d24b108886b08672e33415999a500a65a235fd6e39e5aa9b2bcb338b18aa680

SHA512
ec51e38433a7ec37947b00f7da98bd58a5a27a90c50b1592e273cc54895c0d1c70640e74c4d1575577e16251decc0aba663c280786eaadffb949632c8d5a9a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y69Lh26.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe

Filesize
846KB

MD5
5317c4e1a8c51a1464d2d4bb0dce0b36

SHA1
3cdae911225bdb81900477c136a5ab091afc9d81

SHA256
4f5346c8e163d2433f152db3db4590122f85da8a1f5f8436acb070fc2d00d749

SHA512
47bb8d4177925c521a3bc71208b8e0aec584ada9355b28a5baf556d70214f0403e986ffa8e84484379fda71c312785f59f3f3c6fdfa73d2b0765729ee50f34d4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7146.exe

Filesize
846KB

MD5
5317c4e1a8c51a1464d2d4bb0dce0b36

SHA1
3cdae911225bdb81900477c136a5ab091afc9d81

SHA256
4f5346c8e163d2433f152db3db4590122f85da8a1f5f8436acb070fc2d00d749

SHA512
47bb8d4177925c521a3bc71208b8e0aec584ada9355b28a5baf556d70214f0403e986ffa8e84484379fda71c312785f59f3f3c6fdfa73d2b0765729ee50f34d4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe

Filesize
175KB

MD5
61e94f59f33c69cc82d12e186cb7995f

SHA1
218f44f70e692e0a5371eae8774dd7d74a1ca416

SHA256
4fac93d65ffdf72d8c6daa48e86d5ccf0d039171676b401347ee254da38bb035

SHA512
c9bdb611cd610d5cb62be5b08673b10b59c734edc10b28ad8c7026c896fe8c1de2530e91cf59c6f0401edde4de8d347333933273168d73e2a03d328e632af5cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\xXdsh93.exe

Filesize
175KB

MD5
61e94f59f33c69cc82d12e186cb7995f

SHA1
218f44f70e692e0a5371eae8774dd7d74a1ca416

SHA256
4fac93d65ffdf72d8c6daa48e86d5ccf0d039171676b401347ee254da38bb035

SHA512
c9bdb611cd610d5cb62be5b08673b10b59c734edc10b28ad8c7026c896fe8c1de2530e91cf59c6f0401edde4de8d347333933273168d73e2a03d328e632af5cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe

Filesize
704KB

MD5
59824d893af57cd4f4dd333b33322367

SHA1
c94f5bc82cbfb69adeb1ab662e179f7957cc5890

SHA256
0acd37ec594ac1db83dbd6eaac2e66e145777d2791d23cf404a61ab833b0c1a0

SHA512
405518e858075ee06d684fa29345aa9879d666fa19703cb4c2ed1f84b1376d41590ed47d95c90aa893aeba8305769f63620379ff35f6644cfb74eeb4299df2c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9018.exe

Filesize
704KB

MD5
59824d893af57cd4f4dd333b33322367

SHA1
c94f5bc82cbfb69adeb1ab662e179f7957cc5890

SHA256
0acd37ec594ac1db83dbd6eaac2e66e145777d2791d23cf404a61ab833b0c1a0

SHA512
405518e858075ee06d684fa29345aa9879d666fa19703cb4c2ed1f84b1376d41590ed47d95c90aa893aeba8305769f63620379ff35f6644cfb74eeb4299df2c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w38dM76.exe

Filesize
379KB

MD5
eca25aec9008d892ccda5b7932200b99

SHA1
b7c557e00eeb0e2c5443c987f6c8cefc5c6638da

SHA256
77e22b2ef9a250e95d3cf22a7d72880ec12e7e7b893fac5b78c2d958eeb22ed5

SHA512
6a3e68f7dcfc96d603fed6fd639bf33999a6f1475d643b7c8386eeee62748674a5ee1aed760fe2bd6851b8318656739df45a8f0255dd5ba27696d6b128148421

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe

Filesize
349KB

MD5
b684967277b44899337eb466e687f8a3

SHA1
20b979cf6b3852feabe8e420fbd2c0701caed366

SHA256
102c23a20ce74c8859950279d0de4a91091e8912877a332c0e8d5c90473c6c0f

SHA512
95362d952449aa4e424b975f7415e43d15dc4e893425679afce9b1a066e0bcc25355a8794dc633cb9d699b55cead039b37761c2ebd9ae978c8bb45dd8b8a075a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1202.exe

Filesize
349KB

MD5
b684967277b44899337eb466e687f8a3

SHA1
20b979cf6b3852feabe8e420fbd2c0701caed366

SHA256
102c23a20ce74c8859950279d0de4a91091e8912877a332c0e8d5c90473c6c0f

SHA512
95362d952449aa4e424b975f7415e43d15dc4e893425679afce9b1a066e0bcc25355a8794dc633cb9d699b55cead039b37761c2ebd9ae978c8bb45dd8b8a075a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3801.exe

Filesize
12KB

MD5
f7e156712232cb4e5dce14b7f1961e75

SHA1
5c2aa13a04926a376cedaea5069df2cc4bfeb53f

SHA256
6d24b108886b08672e33415999a500a65a235fd6e39e5aa9b2bcb338b18aa680

SHA512
ec51e38433a7ec37947b00f7da98bd58a5a27a90c50b1592e273cc54895c0d1c70640e74c4d1575577e16251decc0aba663c280786eaadffb949632c8d5a9a49

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6837xU.exe

Filesize
322KB

MD5
42b9a6e3f8858547b2ad9cc8ccc8b2fb

SHA1
e4efab917132d1629e798849b5e34bee26997d16

SHA256
457c3fae1725e061c26db68d5d4a3616942606368979feb998457411e228c311

SHA512
e912818a002c08f68ee69a72f3bef839a6a8a9d62fe20833767e9092570c5a1ae0108c09bfedcda46972299958e0819529753c1ff930353c3eb800cb173ddf21

Download Submit
\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
a875a48776239a29554cb905ce6682e7

SHA1
8ff7d34a037556cc4107d1eb616436f9fe6ab413

SHA256
f4ac368c92a39f47ff8c3370796274663912387e2b952e907a10384326d0af63

SHA512
8e86d8b1b5e229e9527ffb7422ccd591db48c4cc66dc1f1b4a2613e5514ab2f890111ffd7c7d21622b746bb96213b0e8f7c8177e3f101da3e4342093781321ab

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/804-1068-0x0000000000B20000-0x0000000000B52000-memory.dmp

Filesize
200KB

Download
memory/804-1069-0x0000000005210000-0x0000000005250000-memory.dmp

Filesize
256KB

Download
memory/1128-105-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/1128-136-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1128-103-0x0000000002BC0000-0x0000000002BDA000-memory.dmp

Filesize
104KB

Download
memory/1128-104-0x0000000002C90000-0x0000000002CA8000-memory.dmp

Filesize
96KB

Download
memory/1128-106-0x0000000004680000-0x00000000046C0000-memory.dmp

Filesize
256KB

Download
memory/1128-107-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-108-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-110-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-112-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-114-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-116-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-118-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-120-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-122-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-124-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-126-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-128-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-130-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-132-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-134-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1128-135-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1304-172-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-174-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-150-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-148-0x00000000047B0000-0x00000000047F4000-memory.dmp

Filesize
272KB

Download
memory/1304-147-0x00000000031D0000-0x0000000003216000-memory.dmp

Filesize
280KB

Download
memory/1304-185-0x0000000007420000-0x0000000007460000-memory.dmp

Filesize
256KB

Download
memory/1304-186-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-183-0x0000000007420000-0x0000000007460000-memory.dmp

Filesize
256KB

Download
memory/1304-181-0x0000000007420000-0x0000000007460000-memory.dmp

Filesize
256KB

Download
memory/1304-182-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-179-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/1304-178-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-176-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-1059-0x0000000007420000-0x0000000007460000-memory.dmp

Filesize
256KB

Download
memory/1304-149-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-170-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-168-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-166-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-164-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-162-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-158-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-160-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-156-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-154-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/1304-152-0x00000000047B0000-0x00000000047EE000-memory.dmp

Filesize
248KB

Download
memory/2024-92-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download