amadey | 059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe
Size

390KB
MD5

2cc4ccaeca459c56001d02bb48f7cc87
SHA1

26800022646659f88c58aa3a2c6e77a3fdb1b9b5
SHA256

059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0
SHA512

eac730d4a9d1f3f74eca471f2fd370719e6ac446187563034a0bca3381fcb9903d584ad17e6d3352b140a9b21529fd7d12a5a359612b6f70ded81fce0faeb871
SSDEEP

6144:Kyy+bnr+Xp0yN90QEzHq0Yj9YVv/xbYODa8V7ATFOGIp7vYIdqQZZbcO6v:GMrTy901MYd/PuaAJOGXQZZbOv

Score

10^/10

amadey asyncrat healer lumma redline @ytlogsbot default krast lux3 discovery dropper evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.86

5.42.92.67/norm/index.php

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

89.185.85.103:4444

Mutex

izbfscxyujjjjvohrox

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

@ytlogsbot

176.123.9.85:16482

Attributes

auth_value
36b3ee30353ed1e6c1776af75fcfbc2c

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8536244.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8536244.exe	healer
behavioral1/memory/1100-147-0x0000000000D10000-0x0000000000D1A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

p8536244.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p8536244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p8536244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p8536244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p8536244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p8536244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p8536244.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3196-385-0x0000000000400000-0x0000000000592000-memory.dmp	family_redline
behavioral1/memory/4316-386-0x0000000000C50000-0x0000000000FE7000-memory.dmp	family_redline

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/64-272-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r4370165.exelegola.exesetup-rc18.exeaam1tmp.exesetup-rc18.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	r4370165.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	legola.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	setup-rc18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	aam1tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	setup-rc18.exe

Executes dropped EXE 17 IoCs

Processes:

z6352355.exep8536244.exer4370165.exelegola.exet5816212.exe0x8mompdsnjum.exeLummaC2.exelegola.exesetup-rc18.exem4HBom6QaF.exesetup-rc18.exeaam1tmp.exeevbD4C2.tmplegola.exe@ytlogsbot.exelux3.exelegola.exe

pid	process
4708	z6352355.exe
1100	p8536244.exe
4536	r4370165.exe
4520	legola.exe
5064	t5816212.exe
4316	0x8mompdsnjum.exe
552	LummaC2.exe
640	legola.exe
4672	setup-rc18.exe
2408	m4HBom6QaF.exe
4084	setup-rc18.exe
3392	aam1tmp.exe
4736	evbD4C2.tmp
948	legola.exe
1432	@ytlogsbot.exe
372	lux3.exe
4300	legola.exe

Loads dropped DLL 2 IoCs

Processes:

aam1tmp.exerundll32.exe

pid process

3392 aam1tmp.exe
4372 rundll32.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3392	aam1tmp.exe
4372	rundll32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
behavioral1/memory/4672-233-0x0000000140000000-0x0000000140057000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
behavioral1/memory/4084-258-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4672-266-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4084-269-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4084-307-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4672-314-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4672-317-0x0000000140000000-0x0000000140057000-memory.dmp	upx

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

p8536244.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p8536244.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p8536244.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exez6352355.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6352355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6352355.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

m4HBom6QaF.exeaam1tmp.exe0x8mompdsnjum.exe

description	pid	process	target process
PID 2408 set thread context of 64	2408	m4HBom6QaF.exe	jsc.exe
PID 3392 set thread context of 4736	3392	aam1tmp.exe	evbD4C2.tmp
PID 4316 set thread context of 3196	4316	0x8mompdsnjum.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

644 64 WerFault.exe jsc.exe
4524 4316 WerFault.exe 0x8mompdsnjum.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4820 schtasks.exe

pid	pid_target	process	target process
644	64	WerFault.exe	jsc.exe
4524	4316	WerFault.exe	0x8mompdsnjum.exe

pid	process
4820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

p8536244.exeLummaC2.exem4HBom6QaF.exeevbD4C2.tmpjsc.exe@ytlogsbot.exe

pid	process
1100	p8536244.exe
1100	p8536244.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
552	LummaC2.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
2408	m4HBom6QaF.exe
4736	evbD4C2.tmp
4736	evbD4C2.tmp
4736	evbD4C2.tmp
4736	evbD4C2.tmp
4736	evbD4C2.tmp
4736	evbD4C2.tmp
64	jsc.exe
64	jsc.exe
64	jsc.exe
1432	@ytlogsbot.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

p8536244.exem4HBom6QaF.exejsc.exe@ytlogsbot.exelux3.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1100	p8536244.exe
Token: SeDebugPrivilege	2408	m4HBom6QaF.exe
Token: SeDebugPrivilege	64	jsc.exe
Token: SeDebugPrivilege	1432	@ytlogsbot.exe
Token: SeDebugPrivilege	372	lux3.exe
Token: SeDebugPrivilege	3196	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

r4370165.exe

pid process

4536 r4370165.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

64 jsc.exe

pid	process
4536	r4370165.exe

pid	process
64	jsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exez6352355.exer4370165.exelegola.execmd.exesetup-rc18.exesetup-rc18.exem4HBom6QaF.exe

description	pid	process	target process
PID 2420 wrote to memory of 4708	2420	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe	z6352355.exe
PID 2420 wrote to memory of 4708	2420	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe	z6352355.exe
PID 2420 wrote to memory of 4708	2420	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe	z6352355.exe
PID 4708 wrote to memory of 1100	4708	z6352355.exe	p8536244.exe
PID 4708 wrote to memory of 1100	4708	z6352355.exe	p8536244.exe
PID 4708 wrote to memory of 4536	4708	z6352355.exe	r4370165.exe
PID 4708 wrote to memory of 4536	4708	z6352355.exe	r4370165.exe
PID 4708 wrote to memory of 4536	4708	z6352355.exe	r4370165.exe
PID 4536 wrote to memory of 4520	4536	r4370165.exe	legola.exe
PID 4536 wrote to memory of 4520	4536	r4370165.exe	legola.exe
PID 4536 wrote to memory of 4520	4536	r4370165.exe	legola.exe
PID 2420 wrote to memory of 5064	2420	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe	t5816212.exe
PID 2420 wrote to memory of 5064	2420	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe	t5816212.exe
PID 2420 wrote to memory of 5064	2420	059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe	t5816212.exe
PID 4520 wrote to memory of 4820	4520	legola.exe	schtasks.exe
PID 4520 wrote to memory of 4820	4520	legola.exe	schtasks.exe
PID 4520 wrote to memory of 4820	4520	legola.exe	schtasks.exe
PID 4520 wrote to memory of 4732	4520	legola.exe	cmd.exe
PID 4520 wrote to memory of 4732	4520	legola.exe	cmd.exe
PID 4520 wrote to memory of 4732	4520	legola.exe	cmd.exe
PID 4732 wrote to memory of 960	4732	cmd.exe	cmd.exe
PID 4732 wrote to memory of 960	4732	cmd.exe	cmd.exe
PID 4732 wrote to memory of 960	4732	cmd.exe	cmd.exe
PID 4732 wrote to memory of 2320	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 2320	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 2320	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 632	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 632	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 632	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 4540	4732	cmd.exe	cmd.exe
PID 4732 wrote to memory of 4540	4732	cmd.exe	cmd.exe
PID 4732 wrote to memory of 4540	4732	cmd.exe	cmd.exe
PID 4732 wrote to memory of 1852	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 1852	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 1852	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 2996	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 2996	4732	cmd.exe	cacls.exe
PID 4732 wrote to memory of 2996	4732	cmd.exe	cacls.exe
PID 4520 wrote to memory of 4316	4520	legola.exe	0x8mompdsnjum.exe
PID 4520 wrote to memory of 4316	4520	legola.exe	0x8mompdsnjum.exe
PID 4520 wrote to memory of 4316	4520	legola.exe	0x8mompdsnjum.exe
PID 4520 wrote to memory of 552	4520	legola.exe	LummaC2.exe
PID 4520 wrote to memory of 552	4520	legola.exe	LummaC2.exe
PID 4520 wrote to memory of 552	4520	legola.exe	LummaC2.exe
PID 4520 wrote to memory of 4672	4520	legola.exe	setup-rc18.exe
PID 4520 wrote to memory of 4672	4520	legola.exe	setup-rc18.exe
PID 4520 wrote to memory of 2408	4520	legola.exe	m4HBom6QaF.exe
PID 4520 wrote to memory of 2408	4520	legola.exe	m4HBom6QaF.exe
PID 4672 wrote to memory of 4084	4672	setup-rc18.exe	setup-rc18.exe
PID 4672 wrote to memory of 4084	4672	setup-rc18.exe	setup-rc18.exe
PID 4084 wrote to memory of 3392	4084	setup-rc18.exe	aam1tmp.exe
PID 4084 wrote to memory of 3392	4084	setup-rc18.exe	aam1tmp.exe
PID 2408 wrote to memory of 224	2408	m4HBom6QaF.exe	aspnet_regsql.exe
PID 2408 wrote to memory of 224	2408	m4HBom6QaF.exe	aspnet_regsql.exe
PID 2408 wrote to memory of 3556	2408	m4HBom6QaF.exe	WsatConfig.exe
PID 2408 wrote to memory of 3556	2408	m4HBom6QaF.exe	WsatConfig.exe
PID 2408 wrote to memory of 1736	2408	m4HBom6QaF.exe	aspnet_wp.exe
PID 2408 wrote to memory of 1736	2408	m4HBom6QaF.exe	aspnet_wp.exe
PID 2408 wrote to memory of 2760	2408	m4HBom6QaF.exe	dfsvc.exe
PID 2408 wrote to memory of 2760	2408	m4HBom6QaF.exe	dfsvc.exe
PID 2408 wrote to memory of 948	2408	m4HBom6QaF.exe	AppLaunch.exe
PID 2408 wrote to memory of 948	2408	m4HBom6QaF.exe	AppLaunch.exe
PID 2408 wrote to memory of 3260	2408	m4HBom6QaF.exe	aspnet_regbrowsers.exe
PID 2408 wrote to memory of 3260	2408	m4HBom6QaF.exe	aspnet_regbrowsers.exe

C:\Users\Admin\AppData\Local\Temp\059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe
"C:\Users\Admin\AppData\Local\Temp\059bf3df2601a36f1647bf62290786eae428a9b2a888e1e50c77f34d543087e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6352355.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6352355.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8536244.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8536244.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4370165.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4370165.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
      "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:960
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:N"
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:R" /E
        6⤵
        
        PID:632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4540
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        6⤵
        
        PID:1852
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        6⤵
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "AppLaunch.exe"
        7⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 200
        6⤵
        Program crash
        
        PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:552
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe" -sfxwaitall:1 "aam1tmp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\evbD4C2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\protox.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
        6⤵
        
        PID:224
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
        6⤵
        
        PID:3556
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        
        PID:3260
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
        6⤵
        
        PID:228
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        6⤵
        
        PID:1964
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
        6⤵
        
        PID:440
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
        6⤵
        
        PID:824
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:948
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
        6⤵
        
        PID:2760
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
        6⤵
        
        PID:1736
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
        6⤵
        
        PID:4300
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2140
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3860
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
        6⤵
        
        PID:3816
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
        6⤵
        
        PID:4820
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:64
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 2656
        7⤵
        Program crash
        
        PID:644
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t5816212.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t5816212.exe
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 64 -ip 64
1⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4316 -ip 4316
1⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe

Filesize
3.3MB

MD5
c88684792ace21a20a82333f91a39251

SHA1
d34d9f5e8269a7535e8d461213b1cc10bf91ded9

SHA256
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a

SHA512
8d9813079de26e1b9eab250ae59de64792b49ba9484cd9f81d4d58cc5d26910379721e8cc2731149433fa3810c769080300b747562652959a845557205d671c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe

Filesize
3.3MB

MD5
c88684792ace21a20a82333f91a39251

SHA1
d34d9f5e8269a7535e8d461213b1cc10bf91ded9

SHA256
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a

SHA512
8d9813079de26e1b9eab250ae59de64792b49ba9484cd9f81d4d58cc5d26910379721e8cc2731149433fa3810c769080300b747562652959a845557205d671c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe

Filesize
3.3MB

MD5
c88684792ace21a20a82333f91a39251

SHA1
d34d9f5e8269a7535e8d461213b1cc10bf91ded9

SHA256
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a

SHA512
8d9813079de26e1b9eab250ae59de64792b49ba9484cd9f81d4d58cc5d26910379721e8cc2731149433fa3810c769080300b747562652959a845557205d671c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe

Filesize
391KB

MD5
16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1
ade62b2a58d4aa6972283cd000a51fe3ff0885e8

SHA256
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

SHA512
a5619c43463f45414c04de711cb8daa20bad433f494b6912db27eeb632a6f42669893a7f85acfa24171560581febe548757fec005b2968460d0486c097a9d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe

Filesize
391KB

MD5
16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1
ade62b2a58d4aa6972283cd000a51fe3ff0885e8

SHA256
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

SHA512
a5619c43463f45414c04de711cb8daa20bad433f494b6912db27eeb632a6f42669893a7f85acfa24171560581febe548757fec005b2968460d0486c097a9d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe

Filesize
391KB

MD5
16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1
ade62b2a58d4aa6972283cd000a51fe3ff0885e8

SHA256
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

SHA512
a5619c43463f45414c04de711cb8daa20bad433f494b6912db27eeb632a6f42669893a7f85acfa24171560581febe548757fec005b2968460d0486c097a9d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe

Filesize
409KB

MD5
b4f60407cc688d2327c5bc8dd39c0b00

SHA1
0a7af4bb31249419603b60005670aec36aa7d6e4

SHA256
4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

SHA512
b3e65834ec4a014fe33731f213b3e11251366ed706b1d5d6885e17dcae49501cc1c59d67aa1ad469b843c9f5b1e567c2e3b9f6dca88945aa2a86b0a07d67b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe

Filesize
409KB

MD5
b4f60407cc688d2327c5bc8dd39c0b00

SHA1
0a7af4bb31249419603b60005670aec36aa7d6e4

SHA256
4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

SHA512
b3e65834ec4a014fe33731f213b3e11251366ed706b1d5d6885e17dcae49501cc1c59d67aa1ad469b843c9f5b1e567c2e3b9f6dca88945aa2a86b0a07d67b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe

Filesize
409KB

MD5
b4f60407cc688d2327c5bc8dd39c0b00

SHA1
0a7af4bb31249419603b60005670aec36aa7d6e4

SHA256
4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

SHA512
b3e65834ec4a014fe33731f213b3e11251366ed706b1d5d6885e17dcae49501cc1c59d67aa1ad469b843c9f5b1e567c2e3b9f6dca88945aa2a86b0a07d67b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
214B

MD5
1e12313da73eaf8b5b3fe922968f3474

SHA1
5ad2d98dfcbaa174c710d5ddb4c8059815a42f6e

SHA256
42e31df40256510ee84a876abdc72094f80fc84b595506578197e265fe33b8b6

SHA512
02b9c454ad24bebc7f8b1df59064f48de2a12f80585ae06464a91f9a253ffc4c148398ab4d550d4eae1449f43c7ec30d92eb677e5a7c0d99dd61eef80f5c48e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe

Filesize
84.7MB

MD5
828b2db4837685451e144bab1b726b17

SHA1
0ad0c2d79681bf8bed0f663c644a4c421efd0560

SHA256
9900f584d89ef25cdae93a64eb5243df98fc787b006f846f11582a8b150353fc

SHA512
cfb43a51e9cb727c6a23784f71fae2ab6344e552587892f4e8867e37ffb7615d39e3d302d4370d87c17a9a46d988d584b2c2ae04d1c8ab0d354be7238dd9afce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe

Filesize
84.7MB

MD5
828b2db4837685451e144bab1b726b17

SHA1
0ad0c2d79681bf8bed0f663c644a4c421efd0560

SHA256
9900f584d89ef25cdae93a64eb5243df98fc787b006f846f11582a8b150353fc

SHA512
cfb43a51e9cb727c6a23784f71fae2ab6344e552587892f4e8867e37ffb7615d39e3d302d4370d87c17a9a46d988d584b2c2ae04d1c8ab0d354be7238dd9afce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t5816212.exe

Filesize
172KB

MD5
a9ad6efc71a03d29f63fc0a23e3e10b0

SHA1
66451a7d8836f7697f1a4679f0473a1bac5bda43

SHA256
14e33b14631cac1da95214d1bab9101c3cc906208a4e1a764b3f01048cb6a64a

SHA512
296c0d531a47a164c57cddbcd1f437a0e9286e3e664c2bb111e876c087a9e3696a3902c67a7d7a2c417169b4fd94b96bb8b1b3a46885f3e10dc889112fad4eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t5816212.exe

Filesize
172KB

MD5
a9ad6efc71a03d29f63fc0a23e3e10b0

SHA1
66451a7d8836f7697f1a4679f0473a1bac5bda43

SHA256
14e33b14631cac1da95214d1bab9101c3cc906208a4e1a764b3f01048cb6a64a

SHA512
296c0d531a47a164c57cddbcd1f437a0e9286e3e664c2bb111e876c087a9e3696a3902c67a7d7a2c417169b4fd94b96bb8b1b3a46885f3e10dc889112fad4eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6352355.exe

Filesize
234KB

MD5
a80cfb08bcd59f8b3243b139c85e4e49

SHA1
20e84cad7340cc6f9ab13df93a28fbe63478b3a0

SHA256
716db1b44aa96c8e08a14c0375a33aaacfbd9bf78a40fee570e0dec04f7043ea

SHA512
0567eb28de6f5c996dc31201784c818c400423169cabfaa4ce47ee10a1080828b121e33d0985cffaa52c4dfa32d2908c70a417a99107520e51c664fcc32ab2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6352355.exe

Filesize
234KB

MD5
a80cfb08bcd59f8b3243b139c85e4e49

SHA1
20e84cad7340cc6f9ab13df93a28fbe63478b3a0

SHA256
716db1b44aa96c8e08a14c0375a33aaacfbd9bf78a40fee570e0dec04f7043ea

SHA512
0567eb28de6f5c996dc31201784c818c400423169cabfaa4ce47ee10a1080828b121e33d0985cffaa52c4dfa32d2908c70a417a99107520e51c664fcc32ab2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8536244.exe

Filesize
11KB

MD5
99c00d0acec9ede87a1c9e72a5c63d5d

SHA1
11454a8ec68b43a87cb1c9a133fba8edfdd9085a

SHA256
94815237076f78edbf213ac0a7142fbedb2423c5b937be280728c971374fe13d

SHA512
d2a7e5b99de2b6665b09ea164b188d60a0e3c64b3f5e88fd8d4d1021d0ea1bd8f85d1afae21dff9f574093738153e369dd7a90bbeb0cf5c08751124f4266d533

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8536244.exe

Filesize
11KB

MD5
99c00d0acec9ede87a1c9e72a5c63d5d

SHA1
11454a8ec68b43a87cb1c9a133fba8edfdd9085a

SHA256
94815237076f78edbf213ac0a7142fbedb2423c5b937be280728c971374fe13d

SHA512
d2a7e5b99de2b6665b09ea164b188d60a0e3c64b3f5e88fd8d4d1021d0ea1bd8f85d1afae21dff9f574093738153e369dd7a90bbeb0cf5c08751124f4266d533

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4370165.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4370165.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
571f6063db2c7cb916b40b8ba8e286a5

SHA1
72c71d0655441135360a574cb4907e3bc1ca8d99

SHA256
09a0a592511c8c2ab4dba83df62f4fb6464da0877468723c724ff1c3a5ad118d

SHA512
30d71d9170938ec6feb9f1f192a51687f801c4421e3f0056a00ce8d3ed1ebac7b2a5009f048b2456435cd40d76be5718ba890956967313a5d2896d7981bbf7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCCC2.tmp

Filesize
1KB

MD5
80d9d9f423743211fe06edaeb603e20c

SHA1
60e763581e43624e208afb9904c4ef51cce66b1a

SHA256
6144c5e06aa35b3831d2b77b13a553e57148cbabf2961d60a3efd4f6684059b4

SHA512
efd3eca5087be88085f91248de55f90d37e00a00310ffe8bed29f3af1f6c658b71194f958db4c04ed20710a6c3fac8b3b8f1328abff805939380789654ab2704

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbD4C2.tmp

Filesize
1KB

MD5
efc150bf3e187b7f68b29687d3e2f20c

SHA1
db9e7478bd9c7843826cc5973a6184c3113eb9a0

SHA256
2ecbee3b53aa8c14555a11520dc8b207013049b1aa50308d5c62a40636d195b9

SHA512
6f808bb8ecab43bec6415d11353267fab2b8eba248ed9030586efcc5ba792675f307ec49f0cb744d6178b9db5d4da171838eb46a667ea632818e265655c35939

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbD4C2.tmp

Filesize
1KB

MD5
efc150bf3e187b7f68b29687d3e2f20c

SHA1
db9e7478bd9c7843826cc5973a6184c3113eb9a0

SHA256
2ecbee3b53aa8c14555a11520dc8b207013049b1aa50308d5c62a40636d195b9

SHA512
6f808bb8ecab43bec6415d11353267fab2b8eba248ed9030586efcc5ba792675f307ec49f0cb744d6178b9db5d4da171838eb46a667ea632818e265655c35939

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
358ddcec1819198ecad04ef86899feaa

SHA1
478cc105d928665b40aa32a2923c98dbf332b2bd

SHA256
d6ee6168d2f6c316601b151aa6a16d8b3fda4bbefd046a93a5c336bd47f75d16

SHA512
21c0694342efdec04827d892e51bacc9b4cd21b549e779debdb8d6819afecbebc9e30944338d8c3fd9e43ff9ec97151aab21cc5d60a324b799df416a7fb0b9ae

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
358ddcec1819198ecad04ef86899feaa

SHA1
478cc105d928665b40aa32a2923c98dbf332b2bd

SHA256
d6ee6168d2f6c316601b151aa6a16d8b3fda4bbefd046a93a5c336bd47f75d16

SHA512
21c0694342efdec04827d892e51bacc9b4cd21b549e779debdb8d6819afecbebc9e30944338d8c3fd9e43ff9ec97151aab21cc5d60a324b799df416a7fb0b9ae

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
358ddcec1819198ecad04ef86899feaa

SHA1
478cc105d928665b40aa32a2923c98dbf332b2bd

SHA256
d6ee6168d2f6c316601b151aa6a16d8b3fda4bbefd046a93a5c336bd47f75d16

SHA512
21c0694342efdec04827d892e51bacc9b4cd21b549e779debdb8d6819afecbebc9e30944338d8c3fd9e43ff9ec97151aab21cc5d60a324b799df416a7fb0b9ae

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
memory/64-326-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/64-320-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/64-343-0x0000000007570000-0x000000000758E000-memory.dmp

Filesize
120KB

Download
memory/64-382-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/64-327-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/64-383-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/64-324-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/64-325-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/64-323-0x00000000069F0000-0x0000000006A8C000-memory.dmp

Filesize
624KB

Download
memory/64-284-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/64-318-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/64-342-0x00000000073D0000-0x0000000007446000-memory.dmp

Filesize
472KB

Download
memory/64-280-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/64-272-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/64-279-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/372-418-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/372-416-0x0000000000D00000-0x0000000000D30000-memory.dmp

Filesize
192KB

Download
memory/372-420-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1100-150-0x00007FF8F4850000-0x00007FF8F5311000-memory.dmp

Filesize
10.8MB

Download
memory/1100-147-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/1100-148-0x00007FF8F4850000-0x00007FF8F5311000-memory.dmp

Filesize
10.8MB

Download
memory/1432-415-0x0000000000C70000-0x0000000000C96000-memory.dmp

Filesize
152KB

Download
memory/1432-423-0x0000000007AE0000-0x0000000007B30000-memory.dmp

Filesize
320KB

Download
memory/1432-417-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/1432-419-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/2408-260-0x000002599E580000-0x000002599E59A000-memory.dmp

Filesize
104KB

Download
memory/2408-259-0x000002599E5E0000-0x000002599E5F0000-memory.dmp

Filesize
64KB

Download
memory/2408-253-0x00000259840F0000-0x000002598415A000-memory.dmp

Filesize
424KB

Download
memory/2408-282-0x00007FF8F4850000-0x00007FF8F5311000-memory.dmp

Filesize
10.8MB

Download
memory/2408-268-0x00007FF8F4850000-0x00007FF8F5311000-memory.dmp

Filesize
10.8MB

Download
memory/2408-254-0x00007FF8F4850000-0x00007FF8F5311000-memory.dmp

Filesize
10.8MB

Download
memory/2408-274-0x000002599E5E0000-0x000002599E5F0000-memory.dmp

Filesize
64KB

Download
memory/3196-422-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/3196-421-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3196-385-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/3196-392-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/3196-391-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/3392-303-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/3392-273-0x00000000048D0000-0x0000000005044000-memory.dmp

Filesize
7.5MB

Download
memory/3392-275-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/3392-265-0x00007FF893090000-0x00007FF8930A0000-memory.dmp

Filesize
64KB

Download
memory/3392-302-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/3392-264-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/3392-263-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/3392-301-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/4084-269-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4084-307-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4084-258-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4316-386-0x0000000000C50000-0x0000000000FE7000-memory.dmp

Filesize
3.6MB

Download
memory/4316-232-0x0000000000C50000-0x0000000000FE7000-memory.dmp

Filesize
3.6MB

Download
memory/4316-186-0x0000000000C50000-0x0000000000FE7000-memory.dmp

Filesize
3.6MB

Download
memory/4672-266-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4672-233-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4672-314-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4672-317-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4736-306-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/4736-305-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/4736-292-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/4736-312-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/4736-300-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/4736-298-0x0000000140000000-0x0000000140774000-memory.dmp

Filesize
7.5MB

Download
memory/4736-304-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/4736-309-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/4736-308-0x00007FF912E90000-0x00007FF913085000-memory.dmp

Filesize
2.0MB

Download
memory/4736-310-0x0000000140000000-0x0000000140774000-memory.dmp

Filesize
7.5MB

Download
memory/4736-311-0x00007FF893090000-0x00007FF8930A0000-memory.dmp

Filesize
64KB

Download
memory/5064-167-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/5064-171-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/5064-172-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/5064-168-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5064-169-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/5064-170-0x0000000004CB0000-0x0000000004DBA000-memory.dmp

Filesize
1.0MB

Download
memory/5064-207-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5064-218-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/5064-179-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download