redline | 56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe
Size

1.1MB
MD5

83e53f9ad2731814e1dfa36d113169b4
SHA1

a662fc33582b46b0408eea740201b526baeff18e
SHA256

56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1
SHA512

aa635292fcadcbec381b0c6d37256a0e0962bc4de0c6191a7ab0fa2e9d2f40db7e2abc710c6fcb57e645e3d134a865b02a1733359675828a36930f8e3012d5e7
SSDEEP

24576:SyUNGLWEIcboDfPCA9jTxETkq9FX5CvGVzcKXoddyKQ:5GGLWEobD3UkqTXEG11XodT

Score

10^/10

redline sectoprat vjw0rm wshrat luka payment terra discovery evasion infostealer persistence rat spyware stealer trojan worm

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

redline

Botnet

Payment

194.87.151.214:2020

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o1305402.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o1305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1305402.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe	family_redline
behavioral1/memory/4540-268-0x0000000000680000-0x000000000069E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe	family_sectoprat
behavioral1/memory/4540-268-0x0000000000680000-0x000000000069E000-memory.dmp	family_sectoprat

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\JoGjo.vbs	family_wshrat

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exeWScript.exe

flow pid process

24 1252 wscript.exe
25 1252 wscript.exe
28 3924 WScript.exe
Downloads MZ/PE file

flow	pid	process
24	1252	wscript.exe
25	1252	wscript.exe
28	3924	WScript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s3620272.exelegends.exeserver.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	s3620272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 17 IoCs

Processes:

z5566575.exez7912083.exeo1305402.exep9644550.exer1284271.exer1284271.exes3620272.exes3620272.exelegends.exelegends.exebuild.exeserver.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
5012	z5566575.exe
4920	z7912083.exe
1652	o1305402.exe
3972	p9644550.exe
2672	r1284271.exe
4300	r1284271.exe
1804	s3620272.exe
4932	s3620272.exe
3660	legends.exe
2524	legends.exe
4540	build.exe
4324	server.exe
2156	legends.exe
724	legends.exe
3736	legends.exe
4992	legends.exe
4944	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3152 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3152	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o1305402.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1305402.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z7912083.exewscript.exeWScript.exe56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exez5566575.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7912083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7912083.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BN3XGO1HFO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5566575.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JoGjo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JoGjo.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5566575.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

Processes:

r1284271.exes3620272.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 2672 set thread context of 4300	2672	r1284271.exe	r1284271.exe
PID 1804 set thread context of 4932	1804	s3620272.exe	s3620272.exe
PID 3660 set thread context of 2524	3660	legends.exe	legends.exe
PID 2156 set thread context of 3736	2156	legends.exe	legends.exe
PID 4992 set thread context of 4944	4992	legends.exe	legends.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5016 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4328 3972 WerFault.exe p9644550.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1748 schtasks.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings wscript.exe

pid	process
5016	sc.exe

pid	pid_target	process	target process
4328	3972	WerFault.exe	p9644550.exe

pid	process
1748	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	wscript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

o1305402.exer1284271.exebuild.exe

pid process

1652 o1305402.exe
1652 o1305402.exe
4300 r1284271.exe
4300 r1284271.exe
4540 build.exe
4540 build.exe

pid	process
1652	o1305402.exe
1652	o1305402.exe
4300	r1284271.exe
4300	r1284271.exe
4540	build.exe
4540	build.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

o1305402.exer1284271.exes3620272.exelegends.exer1284271.exebuild.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	1652	o1305402.exe
Token: SeDebugPrivilege	2672	r1284271.exe
Token: SeDebugPrivilege	1804	s3620272.exe
Token: SeDebugPrivilege	3660	legends.exe
Token: SeDebugPrivilege	4300	r1284271.exe
Token: SeDebugPrivilege	4540	build.exe
Token: SeDebugPrivilege	2156	legends.exe
Token: SeDebugPrivilege	4992	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s3620272.exe

pid process

4932 s3620272.exe

pid	process
4932	s3620272.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exez5566575.exez7912083.exer1284271.exes3620272.exes3620272.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 4536 wrote to memory of 5012	4536	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe	z5566575.exe
PID 4536 wrote to memory of 5012	4536	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe	z5566575.exe
PID 4536 wrote to memory of 5012	4536	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe	z5566575.exe
PID 5012 wrote to memory of 4920	5012	z5566575.exe	z7912083.exe
PID 5012 wrote to memory of 4920	5012	z5566575.exe	z7912083.exe
PID 5012 wrote to memory of 4920	5012	z5566575.exe	z7912083.exe
PID 4920 wrote to memory of 1652	4920	z7912083.exe	o1305402.exe
PID 4920 wrote to memory of 1652	4920	z7912083.exe	o1305402.exe
PID 4920 wrote to memory of 1652	4920	z7912083.exe	o1305402.exe
PID 4920 wrote to memory of 3972	4920	z7912083.exe	p9644550.exe
PID 4920 wrote to memory of 3972	4920	z7912083.exe	p9644550.exe
PID 4920 wrote to memory of 3972	4920	z7912083.exe	p9644550.exe
PID 5012 wrote to memory of 2672	5012	z5566575.exe	r1284271.exe
PID 5012 wrote to memory of 2672	5012	z5566575.exe	r1284271.exe
PID 5012 wrote to memory of 2672	5012	z5566575.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 2672 wrote to memory of 4300	2672	r1284271.exe	r1284271.exe
PID 4536 wrote to memory of 1804	4536	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe	s3620272.exe
PID 4536 wrote to memory of 1804	4536	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe	s3620272.exe
PID 4536 wrote to memory of 1804	4536	56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 1804 wrote to memory of 4932	1804	s3620272.exe	s3620272.exe
PID 4932 wrote to memory of 3660	4932	s3620272.exe	legends.exe
PID 4932 wrote to memory of 3660	4932	s3620272.exe	legends.exe
PID 4932 wrote to memory of 3660	4932	s3620272.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 3660 wrote to memory of 2524	3660	legends.exe	legends.exe
PID 2524 wrote to memory of 1748	2524	legends.exe	schtasks.exe
PID 2524 wrote to memory of 1748	2524	legends.exe	schtasks.exe
PID 2524 wrote to memory of 1748	2524	legends.exe	schtasks.exe
PID 2524 wrote to memory of 2208	2524	legends.exe	cmd.exe
PID 2524 wrote to memory of 2208	2524	legends.exe	cmd.exe
PID 2524 wrote to memory of 2208	2524	legends.exe	cmd.exe
PID 2208 wrote to memory of 4040	2208	cmd.exe	cmd.exe
PID 2208 wrote to memory of 4040	2208	cmd.exe	cmd.exe
PID 2208 wrote to memory of 4040	2208	cmd.exe	cmd.exe
PID 2208 wrote to memory of 956	2208	cmd.exe	cacls.exe
PID 2208 wrote to memory of 956	2208	cmd.exe	cacls.exe
PID 2208 wrote to memory of 956	2208	cmd.exe	cacls.exe
PID 2208 wrote to memory of 4200	2208	cmd.exe	cacls.exe
PID 2208 wrote to memory of 4200	2208	cmd.exe	cacls.exe
PID 2208 wrote to memory of 4200	2208	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe
"C:\Users\Admin\AppData\Local\Temp\56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5566575.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5566575.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7912083.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7912083.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1305402.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1305402.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9644550.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9644550.exe
4⤵
- Executes dropped EXE
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 928
5⤵
- Program crash
PID:4328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4040

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:956

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:3152

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:4324

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
7⤵
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
8⤵
- Blocklisted process makes network request
- Adds Run key to start application
PID:3924

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3972 -ip 3972
1⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:724

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3736

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r1284271.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe
Filesize
95KB

MD5
1e0be6fd7600c7218b3542af67ab2a0d

SHA1
6f09be74a464f0980226370d28682a1012767697

SHA256
072419f50fda9e481eab0f6e5bc3bc1557ef0182b989b285940e9a978d1be626

SHA512
ba2fdad01c7d3372ccafe6781d4603aa73fa6a473b8f11b31413e10ea79024c9136013acac1540042d58e05c554f65f48a5f3f42c90aba7b9e210456cd80e22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe
Filesize
95KB

MD5
1e0be6fd7600c7218b3542af67ab2a0d

SHA1
6f09be74a464f0980226370d28682a1012767697

SHA256
072419f50fda9e481eab0f6e5bc3bc1557ef0182b989b285940e9a978d1be626

SHA512
ba2fdad01c7d3372ccafe6781d4603aa73fa6a473b8f11b31413e10ea79024c9136013acac1540042d58e05c554f65f48a5f3f42c90aba7b9e210456cd80e22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\build.exe
Filesize
95KB

MD5
1e0be6fd7600c7218b3542af67ab2a0d

SHA1
6f09be74a464f0980226370d28682a1012767697

SHA256
072419f50fda9e481eab0f6e5bc3bc1557ef0182b989b285940e9a978d1be626

SHA512
ba2fdad01c7d3372ccafe6781d4603aa73fa6a473b8f11b31413e10ea79024c9136013acac1540042d58e05c554f65f48a5f3f42c90aba7b9e210456cd80e22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\server.exe
Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3620272.exe
Filesize
961KB

MD5
77ea6916f7cdb351869cbc06de707c32

SHA1
476a9a070951a07968b66744e19cc8fde8c702b5

SHA256
b7f0bd9b792c2cd51419e10bc56897313e1fe960d5a94b5c07c8d11ecd0e6328

SHA512
0e72616b5984eaf6b918f57e2d92db245028fbf3abc3555304657fca53ec92684c4166077e67c1e9b89d955da248f929525eab5e266c60e1ba9d12892f3dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5566575.exe
Filesize
703KB

MD5
6111163221e5bbc29fb81ae8a03a8958

SHA1
71996048959d3cbbdca1b848db9e19554755320e

SHA256
097bc13ae26494fa68ed2e41ce6d9406cbbaa376496f323ef5c36ac2883471a0

SHA512
fff76d5c33b9bd7b5e58dc76127a61bed49e9a30a6553b364e1e8c176be23c65b2200eb99a9d3302d62175e09b5c1f3c665cb768fa71593c94a832fbbc9b6762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5566575.exe
Filesize
703KB

MD5
6111163221e5bbc29fb81ae8a03a8958

SHA1
71996048959d3cbbdca1b848db9e19554755320e

SHA256
097bc13ae26494fa68ed2e41ce6d9406cbbaa376496f323ef5c36ac2883471a0

SHA512
fff76d5c33b9bd7b5e58dc76127a61bed49e9a30a6553b364e1e8c176be23c65b2200eb99a9d3302d62175e09b5c1f3c665cb768fa71593c94a832fbbc9b6762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
Filesize
904KB

MD5
143c8882cfacb36ce0e9ef287c7cbf49

SHA1
4d15996ce4b4fa2cc3e78871e3060be20f39b327

SHA256
cdc83d9a56cb1090aed05c45381a305a6af809476213b6ff9feaebe2a5076718

SHA512
54b4000c06f6269695645fa51a2264981cfa276fc8b36cf26926ba6eac650ee58ccbf82c9010232493fbe46e2643798d79f7eaf448466754280d284d7669d1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
Filesize
904KB

MD5
143c8882cfacb36ce0e9ef287c7cbf49

SHA1
4d15996ce4b4fa2cc3e78871e3060be20f39b327

SHA256
cdc83d9a56cb1090aed05c45381a305a6af809476213b6ff9feaebe2a5076718

SHA512
54b4000c06f6269695645fa51a2264981cfa276fc8b36cf26926ba6eac650ee58ccbf82c9010232493fbe46e2643798d79f7eaf448466754280d284d7669d1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1284271.exe
Filesize
904KB

MD5
143c8882cfacb36ce0e9ef287c7cbf49

SHA1
4d15996ce4b4fa2cc3e78871e3060be20f39b327

SHA256
cdc83d9a56cb1090aed05c45381a305a6af809476213b6ff9feaebe2a5076718

SHA512
54b4000c06f6269695645fa51a2264981cfa276fc8b36cf26926ba6eac650ee58ccbf82c9010232493fbe46e2643798d79f7eaf448466754280d284d7669d1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7912083.exe
Filesize
306KB

MD5
49c3413d7d26eff9680d0e981c5faaa4

SHA1
ea5b47d2167b8dff7db01b991daa72065b549c00

SHA256
94128269f678600b9958f8cf83a405f19c3d12e852100bcf18a8e05e08f8685d

SHA512
554f0f4cdd3cb2eef8392fe83c56944f7ef0530be3e998227274ddaf6a27d626ecfa44126163c15a410bf4354a209d0cb6562eb5cc0fe5a1353c4a120459185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7912083.exe
Filesize
306KB

MD5
49c3413d7d26eff9680d0e981c5faaa4

SHA1
ea5b47d2167b8dff7db01b991daa72065b549c00

SHA256
94128269f678600b9958f8cf83a405f19c3d12e852100bcf18a8e05e08f8685d

SHA512
554f0f4cdd3cb2eef8392fe83c56944f7ef0530be3e998227274ddaf6a27d626ecfa44126163c15a410bf4354a209d0cb6562eb5cc0fe5a1353c4a120459185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1305402.exe
Filesize
185KB

MD5
b31a781fca5c375275f085696386fa7a

SHA1
80731eb3b5146a9031c60b28fdd8d7b910cb4854

SHA256
3c231b8c96860c3a89f1cfa9cad94c800034e61db2b6749e763fc73fca862fac

SHA512
6f2e5efbde9ad8bef01ee350e51acaa1e1a9e9a60a273dcb3de5156d155a02db71ea42f79c46a6249b4540c25fe49deea9d22beae47704340514826027d87e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1305402.exe
Filesize
185KB

MD5
b31a781fca5c375275f085696386fa7a

SHA1
80731eb3b5146a9031c60b28fdd8d7b910cb4854

SHA256
3c231b8c96860c3a89f1cfa9cad94c800034e61db2b6749e763fc73fca862fac

SHA512
6f2e5efbde9ad8bef01ee350e51acaa1e1a9e9a60a273dcb3de5156d155a02db71ea42f79c46a6249b4540c25fe49deea9d22beae47704340514826027d87e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9644550.exe
Filesize
145KB

MD5
a8e00002a7ee689b3ee8bdc08e1c6388

SHA1
37efc639400126ab7431ca99d78cd8d02c554d29

SHA256
b89e71e3ca9e5d105189926aa2e0467ca9f05ba4a3d417a95d909beb3617ee9f

SHA512
fee21145319a0198d5d53ed72693c9f6110d1d09d80e2f0251a8a1dead5f49784de60756a48110a32d914d590d64912496471b1f53a42629e8b986b85d163735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9644550.exe
Filesize
145KB

MD5
a8e00002a7ee689b3ee8bdc08e1c6388

SHA1
37efc639400126ab7431ca99d78cd8d02c554d29

SHA256
b89e71e3ca9e5d105189926aa2e0467ca9f05ba4a3d417a95d909beb3617ee9f

SHA512
fee21145319a0198d5d53ed72693c9f6110d1d09d80e2f0251a8a1dead5f49784de60756a48110a32d914d590d64912496471b1f53a42629e8b986b85d163735

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4D5.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4FB.tmp
Filesize
92KB

MD5
651d855bcf44adceccfd3fffcd32956d

SHA1
45ac6cb8bd69976f45a37bf86193bd4c8e03fce9

SHA256
4ada554163d26c8a3385d4fe372fc132971c867e23927a35d72a98aadb25b57b

SHA512
67b4683a4e780093e5b3e73ea906a42c74f96a9234845114e0ea6e61ab0308c2e5b7f12d3428ce5bf48928863c102f57c011f9cdc4589d2d82c078b3db70c31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF564.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF57A.tmp
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5C5.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\JoGjo.vbs
Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js
Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
memory/1652-179-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-155-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/1652-161-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-163-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-165-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-167-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-169-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-171-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-173-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-156-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-175-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-177-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-181-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-183-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-184-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1652-185-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1652-159-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-186-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1652-187-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1652-157-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1652-154-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1804-205-0x0000000000FA0000-0x0000000001096000-memory.dmp

Filesize
984KB

Download
memory/1804-209-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/2156-463-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2524-482-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-266-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-290-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2672-197-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/2672-196-0x0000000000A50000-0x0000000000B38000-memory.dmp

Filesize
928KB

Download
memory/3660-233-0x00000000077A0000-0x00000000077B0000-memory.dmp

Filesize
64KB

Download
memory/3736-489-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-487-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-488-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-192-0x0000000000E40000-0x0000000000E6A000-memory.dmp

Filesize
168KB

Download
memory/4300-242-0x0000000006890000-0x0000000006906000-memory.dmp

Filesize
472KB

Download
memory/4300-211-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/4300-270-0x0000000007230000-0x000000000775C000-memory.dmp

Filesize
5.2MB

Download
memory/4300-280-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4300-206-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/4300-208-0x0000000005130000-0x0000000005142000-memory.dmp

Filesize
72KB

Download
memory/4300-210-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4300-234-0x0000000005CB0000-0x0000000005D42000-memory.dmp

Filesize
584KB

Download
memory/4300-269-0x0000000006B30000-0x0000000006CF2000-memory.dmp

Filesize
1.8MB

Download
memory/4300-207-0x0000000005200000-0x000000000530A000-memory.dmp

Filesize
1.0MB

Download
memory/4300-235-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4300-198-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4300-243-0x0000000006910000-0x0000000006960000-memory.dmp

Filesize
320KB

Download
memory/4324-293-0x00000000006D0000-0x000000000075C000-memory.dmp

Filesize
560KB

Download
memory/4540-302-0x0000000006B80000-0x0000000006B9E000-memory.dmp

Filesize
120KB

Download
memory/4540-268-0x0000000000680000-0x000000000069E000-memory.dmp

Filesize
120KB

Download
memory/4932-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4944-493-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4944-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4944-494-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download