amadey | a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe
Size

390KB
MD5

c22472eacde5b6e4fd612eeacc87158e
SHA1

3131f69f230b9c87012a7553624397704ae31195
SHA256

a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f
SHA512

0eb4c050886fb95157a62554d8e29ecf98444c98ecf3ccd00d7bf3b52c0a0c1758a7df451121a33c0ba59cc7d4ca8fcfb7b5b36ef53ec07a647b5fe055e7d5cf
SSDEEP

12288:RMrby90Ltp1BYlyjgF30JbgrXqcmkSRLn:WyOU6gKMLqHkCb

Score

10^/10

amadey asyncrat healer lumma redline @ytlogsbot default krast lux3 discovery dropper evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.86

5.42.92.67/norm/index.php

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

@ytlogsbot

176.123.9.85:16482

Attributes

auth_value
36b3ee30353ed1e6c1776af75fcfbc2c

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

89.185.85.103:4444

Mutex

izbfscxyujjjjvohrox

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5724017.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5724017.exe	healer
behavioral1/memory/1036-147-0x00000000007C0000-0x00000000007CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

p5724017.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p5724017.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p5724017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p5724017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p5724017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p5724017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p5724017.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4348-208-0x0000000000400000-0x0000000000592000-memory.dmp	family_redline
behavioral1/memory/3460-207-0x00000000004A0000-0x0000000000837000-memory.dmp	family_redline

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4492-315-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r4079859.exelegola.exesetup-rc18.exeaam1tmp.exesetup-rc18.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	r4079859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	legola.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	setup-rc18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	aam1tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	setup-rc18.exe

Executes dropped EXE 16 IoCs

Processes:

z5790388.exep5724017.exer4079859.exelegola.exet9359632.exe0x8mompdsnjum.exeLummaC2.exelux3.exe@ytlogsbot.exesetup-rc18.exesetup-rc18.exem4HBom6QaF.exeaam1tmp.exeevb973.tmplegola.exelegola.exe

pid	process
3808	z5790388.exe
1036	p5724017.exe
1244	r4079859.exe
5008	legola.exe
3584	t9359632.exe
3460	0x8mompdsnjum.exe
3448	LummaC2.exe
3092	lux3.exe
2152	@ytlogsbot.exe
5056	setup-rc18.exe
4700	setup-rc18.exe
4540	m4HBom6QaF.exe
2400	aam1tmp.exe
5040	evb973.tmp
392	legola.exe
3424	legola.exe

Loads dropped DLL 2 IoCs

Processes:

aam1tmp.exerundll32.exe

pid process

2400 aam1tmp.exe
1396 rundll32.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2400	aam1tmp.exe
1396	rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
behavioral1/memory/5056-267-0x0000000140000000-0x0000000140057000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe	upx
behavioral1/memory/4700-275-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/5056-313-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4700-317-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/4700-358-0x0000000140000000-0x0000000140057000-memory.dmp	upx
behavioral1/memory/5056-362-0x0000000140000000-0x0000000140057000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

p5724017.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p5724017.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p5724017.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exez5790388.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5790388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5790388.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

0x8mompdsnjum.exem4HBom6QaF.exeaam1tmp.exe

description	pid	process	target process
PID 3460 set thread context of 4348	3460	0x8mompdsnjum.exe	AppLaunch.exe
PID 4540 set thread context of 4492	4540	m4HBom6QaF.exe	AddInProcess32.exe
PID 2400 set thread context of 5040	2400	aam1tmp.exe	evb973.tmp

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2856 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

976 3460 WerFault.exe 0x8mompdsnjum.exe
5116 4492 WerFault.exe AddInProcess32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3464 schtasks.exe

pid	process
2856	sc.exe

pid	pid_target	process	target process
976	3460	WerFault.exe	0x8mompdsnjum.exe
5116	4492	WerFault.exe	AddInProcess32.exe

pid	process
3464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

p5724017.exeLummaC2.exe@ytlogsbot.exelux3.exem4HBom6QaF.exeevb973.tmp

pid	process
1036	p5724017.exe
1036	p5724017.exe
3448	LummaC2.exe
3448	LummaC2.exe
2152	@ytlogsbot.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3092	lux3.exe
3092	lux3.exe
2152	@ytlogsbot.exe
3448	LummaC2.exe
3448	LummaC2.exe
3092	lux3.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
3448	LummaC2.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
4540	m4HBom6QaF.exe
5040	evb973.tmp
5040	evb973.tmp
5040	evb973.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

p5724017.exe@ytlogsbot.exelux3.exem4HBom6QaF.exeAddInProcess32.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1036	p5724017.exe
Token: SeDebugPrivilege	2152	@ytlogsbot.exe
Token: SeDebugPrivilege	3092	lux3.exe
Token: SeDebugPrivilege	4540	m4HBom6QaF.exe
Token: SeDebugPrivilege	4492	AddInProcess32.exe
Token: SeDebugPrivilege	4348	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

r4079859.exe

pid process

1244 r4079859.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

4492 AddInProcess32.exe

pid	process
1244	r4079859.exe

pid	process
4492	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exez5790388.exer4079859.exelegola.execmd.exe0x8mompdsnjum.exeAppLaunch.exesetup-rc18.exesetup-rc18.exem4HBom6QaF.exe

description	pid	process	target process
PID 624 wrote to memory of 3808	624	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe	z5790388.exe
PID 624 wrote to memory of 3808	624	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe	z5790388.exe
PID 624 wrote to memory of 3808	624	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe	z5790388.exe
PID 3808 wrote to memory of 1036	3808	z5790388.exe	p5724017.exe
PID 3808 wrote to memory of 1036	3808	z5790388.exe	p5724017.exe
PID 3808 wrote to memory of 1244	3808	z5790388.exe	r4079859.exe
PID 3808 wrote to memory of 1244	3808	z5790388.exe	r4079859.exe
PID 3808 wrote to memory of 1244	3808	z5790388.exe	r4079859.exe
PID 1244 wrote to memory of 5008	1244	r4079859.exe	legola.exe
PID 1244 wrote to memory of 5008	1244	r4079859.exe	legola.exe
PID 1244 wrote to memory of 5008	1244	r4079859.exe	legola.exe
PID 624 wrote to memory of 3584	624	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe	t9359632.exe
PID 624 wrote to memory of 3584	624	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe	t9359632.exe
PID 624 wrote to memory of 3584	624	a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe	t9359632.exe
PID 5008 wrote to memory of 3464	5008	legola.exe	schtasks.exe
PID 5008 wrote to memory of 3464	5008	legola.exe	schtasks.exe
PID 5008 wrote to memory of 3464	5008	legola.exe	schtasks.exe
PID 5008 wrote to memory of 4776	5008	legola.exe	cmd.exe
PID 5008 wrote to memory of 4776	5008	legola.exe	cmd.exe
PID 5008 wrote to memory of 4776	5008	legola.exe	cmd.exe
PID 4776 wrote to memory of 1496	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 1496	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 1496	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 1384	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 1384	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 1384	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2572	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2572	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2572	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 4656	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4656	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4656	4776	cmd.exe	cmd.exe
PID 4776 wrote to memory of 4972	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 4972	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 4972	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2692	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2692	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2692	4776	cmd.exe	cacls.exe
PID 5008 wrote to memory of 3460	5008	legola.exe	0x8mompdsnjum.exe
PID 5008 wrote to memory of 3460	5008	legola.exe	0x8mompdsnjum.exe
PID 5008 wrote to memory of 3460	5008	legola.exe	0x8mompdsnjum.exe
PID 5008 wrote to memory of 3448	5008	legola.exe	LummaC2.exe
PID 5008 wrote to memory of 3448	5008	legola.exe	LummaC2.exe
PID 5008 wrote to memory of 3448	5008	legola.exe	LummaC2.exe
PID 3460 wrote to memory of 4348	3460	0x8mompdsnjum.exe	AppLaunch.exe
PID 3460 wrote to memory of 4348	3460	0x8mompdsnjum.exe	AppLaunch.exe
PID 3460 wrote to memory of 4348	3460	0x8mompdsnjum.exe	AppLaunch.exe
PID 3460 wrote to memory of 4348	3460	0x8mompdsnjum.exe	AppLaunch.exe
PID 3460 wrote to memory of 4348	3460	0x8mompdsnjum.exe	AppLaunch.exe
PID 4348 wrote to memory of 3092	4348	AppLaunch.exe	lux3.exe
PID 4348 wrote to memory of 3092	4348	AppLaunch.exe	lux3.exe
PID 4348 wrote to memory of 3092	4348	AppLaunch.exe	lux3.exe
PID 4348 wrote to memory of 2152	4348	AppLaunch.exe	@ytlogsbot.exe
PID 4348 wrote to memory of 2152	4348	AppLaunch.exe	@ytlogsbot.exe
PID 4348 wrote to memory of 2152	4348	AppLaunch.exe	@ytlogsbot.exe
PID 5008 wrote to memory of 5056	5008	legola.exe	setup-rc18.exe
PID 5008 wrote to memory of 5056	5008	legola.exe	setup-rc18.exe
PID 5056 wrote to memory of 4700	5056	setup-rc18.exe	setup-rc18.exe
PID 5056 wrote to memory of 4700	5056	setup-rc18.exe	setup-rc18.exe
PID 5008 wrote to memory of 4540	5008	legola.exe	m4HBom6QaF.exe
PID 5008 wrote to memory of 4540	5008	legola.exe	m4HBom6QaF.exe
PID 4700 wrote to memory of 2400	4700	setup-rc18.exe	aam1tmp.exe
PID 4700 wrote to memory of 2400	4700	setup-rc18.exe	aam1tmp.exe
PID 4540 wrote to memory of 2216	4540	m4HBom6QaF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe
"C:\Users\Admin\AppData\Local\Temp\a2e542e81caacf5742f227aeec06f54f95825b25a07a2463628b73b84a9ee65f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5790388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5790388.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5724017.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5724017.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4079859.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4079859.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
      "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:N"
        6⤵
        
        PID:1384
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:R" /E
        6⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4656
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        6⤵
        
        PID:4972
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        6⤵
        
        PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "AppLaunch.exe"
        7⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 568
        6⤵
        Program crash
        
        PID:976
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3448
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5056
      - C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe" -sfxwaitall:1 "aam1tmp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\evb973.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\protox.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
        6⤵
        
        PID:2216
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
        6⤵
        
        PID:1156
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
        6⤵
        
        PID:4568
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1488
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        
        PID:1676
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:1336
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
        6⤵
        
        PID:4376
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 2320
        7⤵
        Program crash
        
        PID:5116
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:3792
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
        6⤵
        
        PID:4988
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
        6⤵
        
        PID:1512
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
        6⤵
        
        PID:2304
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4856
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
        6⤵
        
        PID:940
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
        6⤵
        
        PID:1496
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
        6⤵
        
        PID:4964
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
        6⤵
        
        PID:2468
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
        6⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9359632.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9359632.exe
  2⤵
  - Executes dropped EXE
  PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3460 -ip 3460
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4492 -ip 4492
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe

Filesize
3.3MB

MD5
c88684792ace21a20a82333f91a39251

SHA1
d34d9f5e8269a7535e8d461213b1cc10bf91ded9

SHA256
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a

SHA512
8d9813079de26e1b9eab250ae59de64792b49ba9484cd9f81d4d58cc5d26910379721e8cc2731149433fa3810c769080300b747562652959a845557205d671c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe

Filesize
3.3MB

MD5
c88684792ace21a20a82333f91a39251

SHA1
d34d9f5e8269a7535e8d461213b1cc10bf91ded9

SHA256
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a

SHA512
8d9813079de26e1b9eab250ae59de64792b49ba9484cd9f81d4d58cc5d26910379721e8cc2731149433fa3810c769080300b747562652959a845557205d671c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\0x8mompdsnjum.exe

Filesize
3.3MB

MD5
c88684792ace21a20a82333f91a39251

SHA1
d34d9f5e8269a7535e8d461213b1cc10bf91ded9

SHA256
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a

SHA512
8d9813079de26e1b9eab250ae59de64792b49ba9484cd9f81d4d58cc5d26910379721e8cc2731149433fa3810c769080300b747562652959a845557205d671c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe

Filesize
391KB

MD5
16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1
ade62b2a58d4aa6972283cd000a51fe3ff0885e8

SHA256
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

SHA512
a5619c43463f45414c04de711cb8daa20bad433f494b6912db27eeb632a6f42669893a7f85acfa24171560581febe548757fec005b2968460d0486c097a9d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe

Filesize
391KB

MD5
16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1
ade62b2a58d4aa6972283cd000a51fe3ff0885e8

SHA256
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

SHA512
a5619c43463f45414c04de711cb8daa20bad433f494b6912db27eeb632a6f42669893a7f85acfa24171560581febe548757fec005b2968460d0486c097a9d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\LummaC2.exe

Filesize
391KB

MD5
16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1
ade62b2a58d4aa6972283cd000a51fe3ff0885e8

SHA256
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

SHA512
a5619c43463f45414c04de711cb8daa20bad433f494b6912db27eeb632a6f42669893a7f85acfa24171560581febe548757fec005b2968460d0486c097a9d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup-rc18.exe

Filesize
4.9MB

MD5
c7feee4698e4d22fead87c243d9cb8ad

SHA1
c3e7b4fe28519adc5f7a8924ced7b5c25a8f034f

SHA256
caa7643ffed1f6042896a2df3c799613bd323193fdfb8da5683832e369494da7

SHA512
1db0fe1a649ddec624bb4686f4124e8a3140b59c176cc4ed8b30560d6251f7257e9a30f563f389fb0ae54247e28a356f20daf682407bc2f047f9a407b3f6f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe

Filesize
409KB

MD5
b4f60407cc688d2327c5bc8dd39c0b00

SHA1
0a7af4bb31249419603b60005670aec36aa7d6e4

SHA256
4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

SHA512
b3e65834ec4a014fe33731f213b3e11251366ed706b1d5d6885e17dcae49501cc1c59d67aa1ad469b843c9f5b1e567c2e3b9f6dca88945aa2a86b0a07d67b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe

Filesize
409KB

MD5
b4f60407cc688d2327c5bc8dd39c0b00

SHA1
0a7af4bb31249419603b60005670aec36aa7d6e4

SHA256
4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

SHA512
b3e65834ec4a014fe33731f213b3e11251366ed706b1d5d6885e17dcae49501cc1c59d67aa1ad469b843c9f5b1e567c2e3b9f6dca88945aa2a86b0a07d67b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\m4HBom6QaF.exe

Filesize
409KB

MD5
b4f60407cc688d2327c5bc8dd39c0b00

SHA1
0a7af4bb31249419603b60005670aec36aa7d6e4

SHA256
4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

SHA512
b3e65834ec4a014fe33731f213b3e11251366ed706b1d5d6885e17dcae49501cc1c59d67aa1ad469b843c9f5b1e567c2e3b9f6dca88945aa2a86b0a07d67b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
214B

MD5
1e12313da73eaf8b5b3fe922968f3474

SHA1
5ad2d98dfcbaa174c710d5ddb4c8059815a42f6e

SHA256
42e31df40256510ee84a876abdc72094f80fc84b595506578197e265fe33b8b6

SHA512
02b9c454ad24bebc7f8b1df59064f48de2a12f80585ae06464a91f9a253ffc4c148398ab4d550d4eae1449f43c7ec30d92eb677e5a7c0d99dd61eef80f5c48e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe

Filesize
84.7MB

MD5
828b2db4837685451e144bab1b726b17

SHA1
0ad0c2d79681bf8bed0f663c644a4c421efd0560

SHA256
9900f584d89ef25cdae93a64eb5243df98fc787b006f846f11582a8b150353fc

SHA512
cfb43a51e9cb727c6a23784f71fae2ab6344e552587892f4e8867e37ffb7615d39e3d302d4370d87c17a9a46d988d584b2c2ae04d1c8ab0d354be7238dd9afce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aam1tmp.exe

Filesize
84.7MB

MD5
828b2db4837685451e144bab1b726b17

SHA1
0ad0c2d79681bf8bed0f663c644a4c421efd0560

SHA256
9900f584d89ef25cdae93a64eb5243df98fc787b006f846f11582a8b150353fc

SHA512
cfb43a51e9cb727c6a23784f71fae2ab6344e552587892f4e8867e37ffb7615d39e3d302d4370d87c17a9a46d988d584b2c2ae04d1c8ab0d354be7238dd9afce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9359632.exe

Filesize
172KB

MD5
f92c7797a36b01b2ca0507a55fb64136

SHA1
01609905bae55d05ce3340d78068fff3081dfe12

SHA256
ddb674cebea4fe9abc42e05cfa7265481a7d00b39eb0b0d447292a148fb40ca6

SHA512
6ab2da8f97f59e689a1ccc1f3dcfd4d1e4132c011bbe30510399c13bbc85f75768a5051ca0cd08dd977c8bb01552e47f82e949ca1d9de495c9fb4090236b787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9359632.exe

Filesize
172KB

MD5
f92c7797a36b01b2ca0507a55fb64136

SHA1
01609905bae55d05ce3340d78068fff3081dfe12

SHA256
ddb674cebea4fe9abc42e05cfa7265481a7d00b39eb0b0d447292a148fb40ca6

SHA512
6ab2da8f97f59e689a1ccc1f3dcfd4d1e4132c011bbe30510399c13bbc85f75768a5051ca0cd08dd977c8bb01552e47f82e949ca1d9de495c9fb4090236b787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5790388.exe

Filesize
234KB

MD5
f63651b79c698b7dedaa0adecb61ec73

SHA1
fb94d03f12d7dd77b0310ff80833a31181454845

SHA256
c658e584457c79283eaacfd103beaa687a6689fc29689aaee22253e5bf1114d9

SHA512
60bbbe047c3e884a38c86189905d88858f59ef8c4ba4ccbe6101c6e756da95582dcfd96d33ea0e0d2ad63e3031046bab67ccb2eee79348ac16c49b137e327768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5790388.exe

Filesize
234KB

MD5
f63651b79c698b7dedaa0adecb61ec73

SHA1
fb94d03f12d7dd77b0310ff80833a31181454845

SHA256
c658e584457c79283eaacfd103beaa687a6689fc29689aaee22253e5bf1114d9

SHA512
60bbbe047c3e884a38c86189905d88858f59ef8c4ba4ccbe6101c6e756da95582dcfd96d33ea0e0d2ad63e3031046bab67ccb2eee79348ac16c49b137e327768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5724017.exe

Filesize
11KB

MD5
d770c7bc8f671371883dd453989735a3

SHA1
0fe95fb8a56747d639b67e03cf1ceed9aaab8af1

SHA256
24d702a270e77a14f0a3889f4183286536edf9956f222f0a9c39d7a4676d7d68

SHA512
5fe34286075540ab526529c5e5b79e20ace3f21b265094bee2b8be50bc3189b750f1117a851fe8fa6d660fc5186e29fa8966d5d236ca436c7cb565eee43b5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5724017.exe

Filesize
11KB

MD5
d770c7bc8f671371883dd453989735a3

SHA1
0fe95fb8a56747d639b67e03cf1ceed9aaab8af1

SHA256
24d702a270e77a14f0a3889f4183286536edf9956f222f0a9c39d7a4676d7d68

SHA512
5fe34286075540ab526529c5e5b79e20ace3f21b265094bee2b8be50bc3189b750f1117a851fe8fa6d660fc5186e29fa8966d5d236ca436c7cb565eee43b5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4079859.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4079859.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
223KB

MD5
3a11789a15fb10d307a44ea016fab05a

SHA1
01abbbd3259db4d0d65104e614b2cffa0e0e6e22

SHA256
b36e3c8b1fad8bd07598a6a0c6c2d683f6055bf81fd75380f9812ffb66d0b4f5

SHA512
bd721454812e53a94cc08e07f1784abec2c4b239c11a69405b4b4617a20ffb17d876af54e76e2ec07cb9a581d5fe70448249855d5daa12e2a3a544dc4a202941

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb396.tmp

Filesize
1KB

MD5
80d9d9f423743211fe06edaeb603e20c

SHA1
60e763581e43624e208afb9904c4ef51cce66b1a

SHA256
6144c5e06aa35b3831d2b77b13a553e57148cbabf2961d60a3efd4f6684059b4

SHA512
efd3eca5087be88085f91248de55f90d37e00a00310ffe8bed29f3af1f6c658b71194f958db4c04ed20710a6c3fac8b3b8f1328abff805939380789654ab2704

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb973.tmp

Filesize
1KB

MD5
efc150bf3e187b7f68b29687d3e2f20c

SHA1
db9e7478bd9c7843826cc5973a6184c3113eb9a0

SHA256
2ecbee3b53aa8c14555a11520dc8b207013049b1aa50308d5c62a40636d195b9

SHA512
6f808bb8ecab43bec6415d11353267fab2b8eba248ed9030586efcc5ba792675f307ec49f0cb744d6178b9db5d4da171838eb46a667ea632818e265655c35939

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb973.tmp

Filesize
1KB

MD5
efc150bf3e187b7f68b29687d3e2f20c

SHA1
db9e7478bd9c7843826cc5973a6184c3113eb9a0

SHA256
2ecbee3b53aa8c14555a11520dc8b207013049b1aa50308d5c62a40636d195b9

SHA512
6f808bb8ecab43bec6415d11353267fab2b8eba248ed9030586efcc5ba792675f307ec49f0cb744d6178b9db5d4da171838eb46a667ea632818e265655c35939

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
358ddcec1819198ecad04ef86899feaa

SHA1
478cc105d928665b40aa32a2923c98dbf332b2bd

SHA256
d6ee6168d2f6c316601b151aa6a16d8b3fda4bbefd046a93a5c336bd47f75d16

SHA512
21c0694342efdec04827d892e51bacc9b4cd21b549e779debdb8d6819afecbebc9e30944338d8c3fd9e43ff9ec97151aab21cc5d60a324b799df416a7fb0b9ae

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
358ddcec1819198ecad04ef86899feaa

SHA1
478cc105d928665b40aa32a2923c98dbf332b2bd

SHA256
d6ee6168d2f6c316601b151aa6a16d8b3fda4bbefd046a93a5c336bd47f75d16

SHA512
21c0694342efdec04827d892e51bacc9b4cd21b549e779debdb8d6819afecbebc9e30944338d8c3fd9e43ff9ec97151aab21cc5d60a324b799df416a7fb0b9ae

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
358ddcec1819198ecad04ef86899feaa

SHA1
478cc105d928665b40aa32a2923c98dbf332b2bd

SHA256
d6ee6168d2f6c316601b151aa6a16d8b3fda4bbefd046a93a5c336bd47f75d16

SHA512
21c0694342efdec04827d892e51bacc9b4cd21b549e779debdb8d6819afecbebc9e30944338d8c3fd9e43ff9ec97151aab21cc5d60a324b799df416a7fb0b9ae

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
memory/1036-148-0x00007FFB6F730000-0x00007FFB701F1000-memory.dmp

Filesize
10.8MB

Download
memory/1036-147-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/1036-150-0x00007FFB6F730000-0x00007FFB701F1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-278-0x0000000005E10000-0x0000000005E60000-memory.dmp

Filesize
320KB

Download
memory/2152-277-0x0000000005D70000-0x0000000005E02000-memory.dmp

Filesize
584KB

Download
memory/2152-252-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2152-302-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/2152-308-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/2152-268-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/2152-250-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/2152-312-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2152-276-0x0000000006240000-0x00000000067E4000-memory.dmp

Filesize
5.6MB

Download
memory/2152-303-0x00000000069C0000-0x0000000006B82000-memory.dmp

Filesize
1.8MB

Download
memory/2152-304-0x00000000070C0000-0x00000000075EC000-memory.dmp

Filesize
5.2MB

Download
memory/2152-247-0x0000000000560000-0x0000000000586000-memory.dmp

Filesize
152KB

Download
memory/2152-286-0x0000000005E60000-0x0000000005ED6000-memory.dmp

Filesize
472KB

Download
memory/2400-353-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/2400-310-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/2400-356-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/2400-344-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/2400-346-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/2400-324-0x00000000048E0000-0x0000000005054000-memory.dmp

Filesize
7.5MB

Download
memory/2400-311-0x00007FFB0D870000-0x00007FFB0D880000-memory.dmp

Filesize
64KB

Download
memory/3092-248-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3092-354-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3092-243-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/3092-309-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3092-306-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3092-251-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3460-207-0x00000000004A0000-0x0000000000837000-memory.dmp

Filesize
3.6MB

Download
memory/3460-186-0x00000000004A0000-0x0000000000837000-memory.dmp

Filesize
3.6MB

Download
memory/3584-249-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3584-171-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3584-172-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/3584-170-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/3584-169-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/3584-183-0x0000000004E80000-0x0000000004EBC000-memory.dmp

Filesize
240KB

Download
memory/3584-168-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/3584-167-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/3584-266-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4348-305-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/4348-208-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4348-216-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4348-299-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4348-221-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/4492-321-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4492-318-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4492-368-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4492-367-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4492-366-0x0000000006130000-0x00000000061CC000-memory.dmp

Filesize
624KB

Download
memory/4492-315-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4492-408-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4492-357-0x0000000005B90000-0x0000000005B9A000-memory.dmp

Filesize
40KB

Download
memory/4540-320-0x00007FFB6F980000-0x00007FFB70441000-memory.dmp

Filesize
10.8MB

Download
memory/4540-297-0x000001A622E80000-0x000001A622EEA000-memory.dmp

Filesize
424KB

Download
memory/4540-298-0x00007FFB6F980000-0x00007FFB70441000-memory.dmp

Filesize
10.8MB

Download
memory/4540-300-0x000001A623370000-0x000001A623380000-memory.dmp

Filesize
64KB

Download
memory/4540-301-0x000001A623350000-0x000001A62336A000-memory.dmp

Filesize
104KB

Download
memory/4700-317-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4700-275-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4700-358-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/5040-342-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/5040-351-0x00007FFB0D870000-0x00007FFB0D880000-memory.dmp

Filesize
64KB

Download
memory/5040-341-0x0000000140000000-0x0000000140774000-memory.dmp

Filesize
7.5MB

Download
memory/5040-336-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/5040-347-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/5040-348-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/5040-349-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/5040-355-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/5040-350-0x0000000140000000-0x0000000140774000-memory.dmp

Filesize
7.5MB

Download
memory/5056-362-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/5056-313-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/5056-267-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download