a85c2cda61c3af339cc84922fd7a3b6c534efaa5a4e09d89b0af4c90ed52389b

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2023, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roguelegacy (1).exe
Size

64.1MB
MD5

39c68f7d5167e7166a22be56fdf63218
SHA1

55ce4dd6159efcc8ea2d42fa019c97f05fb4502e
SHA256

169b9c61242616ba58675bc093b7aff441f23686280a903fc5fff85bce615cee
SHA512

4b1036fa9c0a4c8c249aeda5eceff53e5acb1e83499bc97c75e6ae11fc9e6626a808a5c7ef992162142f999cb6b6e75fe18b52f6bd7215e6b6f37cced0eaa586
SSDEEP

1572864:M2syXKJyR0JCSTZZFVf7b4a3+0ciLjLj7dchPfbt5X7:M2syX1Ap4aO0ciLjL/dcxh5X7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Roguelegacy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Roguelegacy.exe

Executes dropped EXE 4 IoCs

pid	Process
4960	Roguelegacy.exe
2504	Roguelegacy.exe
3020	Roguelegacy.exe
2956	Roguelegacy.exe

Loads dropped DLL 12 IoCs

pid	Process
5048	Roguelegacy (1).exe
5048	Roguelegacy (1).exe
5048	Roguelegacy (1).exe
4960	Roguelegacy.exe
2504	Roguelegacy.exe
3020	Roguelegacy.exe
2504	Roguelegacy.exe
2504	Roguelegacy.exe
2504	Roguelegacy.exe
2504	Roguelegacy.exe
2504	Roguelegacy.exe
2956	Roguelegacy.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{0B43B8C7-391A-47A4-A361-8F71F3AF0A5B}	svchost.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Roguelegacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Roguelegacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Roguelegacy.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5048	Roguelegacy (1).exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe
Token: SeShutdownPrivilege	4960	Roguelegacy.exe
Token: SeCreatePagefilePrivilege	4960	Roguelegacy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4088	OpenWith.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4960	5048	Roguelegacy (1).exe	83
PID 5048 wrote to memory of 4960	5048	Roguelegacy (1).exe	83
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 2504	4960	Roguelegacy.exe	85
PID 4960 wrote to memory of 3020	4960	Roguelegacy.exe	86
PID 4960 wrote to memory of 3020	4960	Roguelegacy.exe	86
PID 4960 wrote to memory of 2956	4960	Roguelegacy.exe	89
PID 4960 wrote to memory of 2956	4960	Roguelegacy.exe	89

C:\Users\Admin\AppData\Local\Temp\Roguelegacy (1).exe
"C:\Users\Admin\AppData\Local\Temp\Roguelegacy (1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
  C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
    "C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Roguelegacy" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1764,i,12451444680596167243,11532080589039310994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2504
- - C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
    "C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Roguelegacy" --mojo-platform-channel-handle=2000 --field-trial-handle=1764,i,12451444680596167243,11532080589039310994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
    "C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Roguelegacy" --app-path="C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2464 --field-trial-handle=1764,i,12451444680596167243,11532080589039310994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2956

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\D3DCompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\libEGL.dll

Filesize
473KB

MD5
234a6b1f55ff509b67798fc035c0d630

SHA1
4d7bc13a6c496a055aeb3575435a539362041fb8

SHA256
18437c020fc37011e276a9780d8941482195632489a6afca47302132e2cb66c4

SHA512
d77147a65a28da132144f6f47bd6b86fb9679f247fbe7e75bc36d8e91a81b9db8ef2ba9a42a2e277b746ff66e056af3592fbe24ae56bd20139419f2eb8b44ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\libGLESv2.dll

Filesize
7.2MB

MD5
7a846681e19d07fd1b77ef5ddf4c1249

SHA1
c38a8dbc51d1ee6a7826e70e4f1da1b6e9bb795e

SHA256
2d7367f7457044588826d19887edbc2070368cb9754c4b638c93b4ad19ea5ce7

SHA512
08dba2f13660a152bb4028c49be3809c3a6a437fd44d537efd0841cc00fb4869c74016a0227e65accee0f0412d9741e7783fb639f07983ccd39817c89a5d08b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\libegl.dll

Filesize
473KB

MD5
234a6b1f55ff509b67798fc035c0d630

SHA1
4d7bc13a6c496a055aeb3575435a539362041fb8

SHA256
18437c020fc37011e276a9780d8941482195632489a6afca47302132e2cb66c4

SHA512
d77147a65a28da132144f6f47bd6b86fb9679f247fbe7e75bc36d8e91a81b9db8ef2ba9a42a2e277b746ff66e056af3592fbe24ae56bd20139419f2eb8b44ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\libglesv2.dll

Filesize
7.2MB

MD5
7a846681e19d07fd1b77ef5ddf4c1249

SHA1
c38a8dbc51d1ee6a7826e70e4f1da1b6e9bb795e

SHA256
2d7367f7457044588826d19887edbc2070368cb9754c4b638c93b4ad19ea5ce7

SHA512
08dba2f13660a152bb4028c49be3809c3a6a437fd44d537efd0841cc00fb4869c74016a0227e65accee0f0412d9741e7783fb639f07983ccd39817c89a5d08b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\resources.pak

Filesize
5.1MB

MD5
bd17bd87b4a2f1fc2ba31e6f58b19a32

SHA1
838294ed3d4d0cb11ea14ff6c200f33e75156e22

SHA256
d4297566631f6addf3492559462ece0c2e9b42f29faf873ebd01fc424f9f8e6f

SHA512
1b9970dc73b4e647841712542c9751c727e6d33b45e987c42b49741e1873d540406f47bb9b869d334786191844071aac66043435f09510be5a141f518ca1f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\resources\app.asar

Filesize
28.0MB

MD5
cb1b3b9384332f4bd6c5dcd401e148ce

SHA1
f0356dcecbfcc32c493a1fbb9b93555b4ff18a1c

SHA256
a4986712c476c12caf7fb8d6582ec682ce964851d58316fc5b723d202b4f3b03

SHA512
52d5e0e60b0acc7b012260febbab212fa68f5d9a525b41c821256828584f8acc9871f5dce88891bd77b90fd9cf923fe1059d9cd9ad545d5835ca8d28a3d4516f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\v8_context_snapshot.bin

Filesize
471KB

MD5
0e92bb66ea722338663d6d2d891b5d35

SHA1
b73c8560c974dc9b17488a7b50895dc03f43bc6f

SHA256
e795edcbe49ef9dbe4ad88c4fce19076fafc13f56353753a39e35a3355c3d2d1

SHA512
cc8e28d47f1298382645e658deecf784fcdb9e4eca44537eff878d090be215c437d87e709c186947f798a46580517bac76bb9d69c09830991ed1d94d29e2a367

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\vk_swiftshader.dll

Filesize
4.9MB

MD5
bc275a1ce7b513901b58851ec5786819

SHA1
37d71b37e7293c0159c4efdc4e7a20733c9e5c7a

SHA256
88ccc0b3221e46fe13055839e5c5623ee219894b947e2e01e83a0fd12e7a34f7

SHA512
1b643a0c12385fd4fe212af07eeb214ab9b09938f67b83e9442a562fdf73cdb6da289d2323eb126d535518f9f55a9a2b704cde29f96f8c38f710944bd705cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\vk_swiftshader.dll

Filesize
4.9MB

MD5
bc275a1ce7b513901b58851ec5786819

SHA1
37d71b37e7293c0159c4efdc4e7a20733c9e5c7a

SHA256
88ccc0b3221e46fe13055839e5c5623ee219894b947e2e01e83a0fd12e7a34f7

SHA512
1b643a0c12385fd4fe212af07eeb214ab9b09938f67b83e9442a562fdf73cdb6da289d2323eb126d535518f9f55a9a2b704cde29f96f8c38f710944bd705cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\vulkan-1.dll

Filesize
894KB

MD5
7855fc788b036bb11f98ca53bd7d23d3

SHA1
abb06e806e9ef55440a6499636c134dfd9dcaa04

SHA256
54e6de3b228c5e265498f4c21663cf51a113d53eac9c08f621f7213b0d57a378

SHA512
964d1d37f231684dc38edfc3ed78b90f466619f2ca885d13da4349addabf39d233e647c3faa95875161d18781f0f090f67b40a5f77dbd5a018a82867b77f4bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\vulkan-1.dll

Filesize
894KB

MD5
7855fc788b036bb11f98ca53bd7d23d3

SHA1
abb06e806e9ef55440a6499636c134dfd9dcaa04

SHA256
54e6de3b228c5e265498f4c21663cf51a113d53eac9c08f621f7213b0d57a378

SHA512
964d1d37f231684dc38edfc3ed78b90f466619f2ca885d13da4349addabf39d233e647c3faa95875161d18781f0f090f67b40a5f77dbd5a018a82867b77f4bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8E8A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8E8A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8E8A.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads