amadey | f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4

Analysis

max time kernel
113s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe
Size

1.1MB
MD5

3d0aa84b46d83694b3ca5dd98fbfbdca
SHA1

063152b002f0f417ac15ad71e7716f886b1db849
SHA256

f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4
SHA512

671da02311bb3deb065e3852b220c31042edcec821f7f08387aea89f61e1c1c7cd2f7b017e6689edf8159c7178d3dabe9a6c1975f7aa148d0457170794523c32
SSDEEP

24576:KyvOvoW5WMz/UGHUdjibxxU60NH7pm2zzQX8r:RWvxWuBHc4FUl7s8

Score

10^/10

amadey aurora redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2796-1248-0x0000000000870000-0x000000000088C000-memory.dmp	family_rhadamanthys
behavioral1/memory/2796-1255-0x0000000000870000-0x000000000088C000-memory.dmp	family_rhadamanthys

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2450.exev9092DV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2450.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9092DV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9092DV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9092DV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9092DV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9092DV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9092DV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2450.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/320-209-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-210-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-212-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-214-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-216-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-218-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-220-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-222-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-224-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-226-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-228-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-230-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-232-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-234-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-236-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-238-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-240-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-242-0x00000000028B0000-0x00000000028EE000-memory.dmp	family_redline
behavioral1/memory/320-383-0x00000000028F0000-0x0000000002900000-memory.dmp	family_redline
behavioral1/memory/320-386-0x00000000028F0000-0x0000000002900000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y82QY88.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y82QY88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap9271.exezap7665.exezap3146.exetz2450.exev9092DV.exew84UH87.exexddYJ14.exey82QY88.exelegenda.exeserv.exesvchost.exelegenda.exe

pid	process
2492	zap9271.exe
3052	zap7665.exe
1344	zap3146.exe
3364	tz2450.exe
3132	v9092DV.exe
320	w84UH87.exe
3628	xddYJ14.exe
5116	y82QY88.exe
2144	legenda.exe
2796	serv.exe
3620	svchost.exe
852	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2100 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2100	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2450.exev9092DV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2450.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9092DV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9092DV.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7665.exezap3146.exef227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exezap9271.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7665.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3146.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9271.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

serv.exe

pid process

2796 serv.exe
2796 serv.exe
2796 serv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1692 320 WerFault.exe w84UH87.exe
3048 320 WerFault.exe w84UH87.exe
1748 2796 WerFault.exe serv.exe

pid	process
2796	serv.exe
2796	serv.exe
2796	serv.exe

pid	pid_target	process	target process
1692	320	WerFault.exe	w84UH87.exe
3048	320	WerFault.exe	w84UH87.exe
1748	2796	WerFault.exe	serv.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	serv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1396 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2450.exev9092DV.exew84UH87.exexddYJ14.exe

pid process

3364 tz2450.exe
3364 tz2450.exe
3132 v9092DV.exe
3132 v9092DV.exe
320 w84UH87.exe
320 w84UH87.exe
3628 xddYJ14.exe
3628 xddYJ14.exe

pid	process
1396	schtasks.exe

pid	process
3364	tz2450.exe
3364	tz2450.exe
3132	v9092DV.exe
3132	v9092DV.exe
320	w84UH87.exe
320	w84UH87.exe
3628	xddYJ14.exe
3628	xddYJ14.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz2450.exev9092DV.exew84UH87.exexddYJ14.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3364	tz2450.exe
Token: SeDebugPrivilege	3132	v9092DV.exe
Token: SeDebugPrivilege	320	w84UH87.exe
Token: SeDebugPrivilege	3628	xddYJ14.exe
Token: SeIncreaseQuotaPrivilege	4876	wmic.exe
Token: SeSecurityPrivilege	4876	wmic.exe
Token: SeTakeOwnershipPrivilege	4876	wmic.exe
Token: SeLoadDriverPrivilege	4876	wmic.exe
Token: SeSystemProfilePrivilege	4876	wmic.exe
Token: SeSystemtimePrivilege	4876	wmic.exe
Token: SeProfSingleProcessPrivilege	4876	wmic.exe
Token: SeIncBasePriorityPrivilege	4876	wmic.exe
Token: SeCreatePagefilePrivilege	4876	wmic.exe
Token: SeBackupPrivilege	4876	wmic.exe
Token: SeRestorePrivilege	4876	wmic.exe
Token: SeShutdownPrivilege	4876	wmic.exe
Token: SeDebugPrivilege	4876	wmic.exe
Token: SeSystemEnvironmentPrivilege	4876	wmic.exe
Token: SeRemoteShutdownPrivilege	4876	wmic.exe
Token: SeUndockPrivilege	4876	wmic.exe
Token: SeManageVolumePrivilege	4876	wmic.exe
Token: 33	4876	wmic.exe
Token: 34	4876	wmic.exe
Token: 35	4876	wmic.exe
Token: 36	4876	wmic.exe
Token: SeIncreaseQuotaPrivilege	4876	wmic.exe
Token: SeSecurityPrivilege	4876	wmic.exe
Token: SeTakeOwnershipPrivilege	4876	wmic.exe
Token: SeLoadDriverPrivilege	4876	wmic.exe
Token: SeSystemProfilePrivilege	4876	wmic.exe
Token: SeSystemtimePrivilege	4876	wmic.exe
Token: SeProfSingleProcessPrivilege	4876	wmic.exe
Token: SeIncBasePriorityPrivilege	4876	wmic.exe
Token: SeCreatePagefilePrivilege	4876	wmic.exe
Token: SeBackupPrivilege	4876	wmic.exe
Token: SeRestorePrivilege	4876	wmic.exe
Token: SeShutdownPrivilege	4876	wmic.exe
Token: SeDebugPrivilege	4876	wmic.exe
Token: SeSystemEnvironmentPrivilege	4876	wmic.exe
Token: SeRemoteShutdownPrivilege	4876	wmic.exe
Token: SeUndockPrivilege	4876	wmic.exe
Token: SeManageVolumePrivilege	4876	wmic.exe
Token: 33	4876	wmic.exe
Token: 34	4876	wmic.exe
Token: 35	4876	wmic.exe
Token: 36	4876	wmic.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exezap9271.exezap7665.exezap3146.exey82QY88.exelegenda.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 2492	1708	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe	zap9271.exe
PID 1708 wrote to memory of 2492	1708	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe	zap9271.exe
PID 1708 wrote to memory of 2492	1708	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe	zap9271.exe
PID 2492 wrote to memory of 3052	2492	zap9271.exe	zap7665.exe
PID 2492 wrote to memory of 3052	2492	zap9271.exe	zap7665.exe
PID 2492 wrote to memory of 3052	2492	zap9271.exe	zap7665.exe
PID 3052 wrote to memory of 1344	3052	zap7665.exe	zap3146.exe
PID 3052 wrote to memory of 1344	3052	zap7665.exe	zap3146.exe
PID 3052 wrote to memory of 1344	3052	zap7665.exe	zap3146.exe
PID 1344 wrote to memory of 3364	1344	zap3146.exe	tz2450.exe
PID 1344 wrote to memory of 3364	1344	zap3146.exe	tz2450.exe
PID 1344 wrote to memory of 3132	1344	zap3146.exe	v9092DV.exe
PID 1344 wrote to memory of 3132	1344	zap3146.exe	v9092DV.exe
PID 1344 wrote to memory of 3132	1344	zap3146.exe	v9092DV.exe
PID 3052 wrote to memory of 320	3052	zap7665.exe	w84UH87.exe
PID 3052 wrote to memory of 320	3052	zap7665.exe	w84UH87.exe
PID 3052 wrote to memory of 320	3052	zap7665.exe	w84UH87.exe
PID 2492 wrote to memory of 3628	2492	zap9271.exe	xddYJ14.exe
PID 2492 wrote to memory of 3628	2492	zap9271.exe	xddYJ14.exe
PID 2492 wrote to memory of 3628	2492	zap9271.exe	xddYJ14.exe
PID 1708 wrote to memory of 5116	1708	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe	y82QY88.exe
PID 1708 wrote to memory of 5116	1708	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe	y82QY88.exe
PID 1708 wrote to memory of 5116	1708	f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe	y82QY88.exe
PID 5116 wrote to memory of 2144	5116	y82QY88.exe	legenda.exe
PID 5116 wrote to memory of 2144	5116	y82QY88.exe	legenda.exe
PID 5116 wrote to memory of 2144	5116	y82QY88.exe	legenda.exe
PID 2144 wrote to memory of 1396	2144	legenda.exe	schtasks.exe
PID 2144 wrote to memory of 1396	2144	legenda.exe	schtasks.exe
PID 2144 wrote to memory of 1396	2144	legenda.exe	schtasks.exe
PID 2144 wrote to memory of 2304	2144	legenda.exe	cmd.exe
PID 2144 wrote to memory of 2304	2144	legenda.exe	cmd.exe
PID 2144 wrote to memory of 2304	2144	legenda.exe	cmd.exe
PID 2304 wrote to memory of 4544	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 4544	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 4544	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 236	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 236	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 236	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 232	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 232	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 232	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 5068	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 5068	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 5068	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 264	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 264	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 264	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 2028	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 2028	2304	cmd.exe	cacls.exe
PID 2304 wrote to memory of 2028	2304	cmd.exe	cacls.exe
PID 2144 wrote to memory of 2796	2144	legenda.exe	serv.exe
PID 2144 wrote to memory of 2796	2144	legenda.exe	serv.exe
PID 2144 wrote to memory of 2796	2144	legenda.exe	serv.exe
PID 2144 wrote to memory of 3620	2144	legenda.exe	svchost.exe
PID 2144 wrote to memory of 3620	2144	legenda.exe	svchost.exe
PID 2144 wrote to memory of 3620	2144	legenda.exe	svchost.exe
PID 3620 wrote to memory of 4876	3620	svchost.exe	wmic.exe
PID 3620 wrote to memory of 4876	3620	svchost.exe	wmic.exe
PID 3620 wrote to memory of 4876	3620	svchost.exe	wmic.exe
PID 3620 wrote to memory of 2292	3620	svchost.exe	cmd.exe
PID 3620 wrote to memory of 2292	3620	svchost.exe	cmd.exe
PID 3620 wrote to memory of 2292	3620	svchost.exe	cmd.exe
PID 2292 wrote to memory of 1628	2292	cmd.exe	WMIC.exe
PID 2292 wrote to memory of 1628	2292	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe
"C:\Users\Admin\AppData\Local\Temp\f227705f7ac418a039b49135085d8c44e51629d55a73a141c8fcf251c5020ca4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 956
5⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1104
5⤵
- Program crash
PID:3048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4544

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:236

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5068

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:264

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 348
5⤵
- Program crash
PID:1748

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:3664

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 320 -ip 320
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 320 -ip 320
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2796 -ip 2796
1⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
Filesize
3.0MB

MD5
a8a106555b9e1f92569d623c66ee8c12

SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1

SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
Filesize
3.0MB

MD5
a8a106555b9e1f92569d623c66ee8c12

SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1

SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
Filesize
3.0MB

MD5
a8a106555b9e1f92569d623c66ee8c12

SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1

SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y82QY88.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
Filesize
906KB

MD5
e1c5095f4a1354814b74d4b3233c982e

SHA1
466549a809237e1822871702416df4e2b0c22e31

SHA256
b93a981773363d635081f6eb1d9b7368fb65ef408146233d13c85c53d84156b7

SHA512
54f02169c015dff78f6ac9c7dd27afbe6e10e7b37932c1fe894f68e5cc4ba140429149c2757757f4c9775e01dde2bc52a1a85f8d6bf6c6234cac35ce3157d65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9271.exe
Filesize
906KB

MD5
e1c5095f4a1354814b74d4b3233c982e

SHA1
466549a809237e1822871702416df4e2b0c22e31

SHA256
b93a981773363d635081f6eb1d9b7368fb65ef408146233d13c85c53d84156b7

SHA512
54f02169c015dff78f6ac9c7dd27afbe6e10e7b37932c1fe894f68e5cc4ba140429149c2757757f4c9775e01dde2bc52a1a85f8d6bf6c6234cac35ce3157d65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xddYJ14.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
Filesize
763KB

MD5
7653f7488ea94889e089aa4878e487d1

SHA1
5373bf80109e483f849eaf96504d1bce3eb9369d

SHA256
52f4c2f9bc0706513f46d43a7a4632796a97cc6c14d36139029d38ae05e8dcb9

SHA512
ea5e351cd27a908ba33edbb397d56c33179fd7bb02b1247539b36656b03ea79350d3e65353bee9d1e50a639c8ff4ef954559fa0c04e04a44dcc29164c70b52cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7665.exe
Filesize
763KB

MD5
7653f7488ea94889e089aa4878e487d1

SHA1
5373bf80109e483f849eaf96504d1bce3eb9369d

SHA256
52f4c2f9bc0706513f46d43a7a4632796a97cc6c14d36139029d38ae05e8dcb9

SHA512
ea5e351cd27a908ba33edbb397d56c33179fd7bb02b1247539b36656b03ea79350d3e65353bee9d1e50a639c8ff4ef954559fa0c04e04a44dcc29164c70b52cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
Filesize
456KB

MD5
b1b874bda45255c1918822acdee76b7a

SHA1
4d6447fdf8f78a5a01d9266d8b50df839e4068fa

SHA256
518b12541919c4d3a6d6f50a00b1e1fc0b4cea5c006033e49e291d4b0f5386d3

SHA512
b1bd9dfcdd2f006c165bd489628e2e2e226e75a31f0d5c7d1b6f5d9f6a9e89ec3968d1fc2cd4f41de67b9eb911a7375ef884f084eb9ff9522deabfd814f3612f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w84UH87.exe
Filesize
456KB

MD5
b1b874bda45255c1918822acdee76b7a

SHA1
4d6447fdf8f78a5a01d9266d8b50df839e4068fa

SHA256
518b12541919c4d3a6d6f50a00b1e1fc0b4cea5c006033e49e291d4b0f5386d3

SHA512
b1bd9dfcdd2f006c165bd489628e2e2e226e75a31f0d5c7d1b6f5d9f6a9e89ec3968d1fc2cd4f41de67b9eb911a7375ef884f084eb9ff9522deabfd814f3612f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
Filesize
378KB

MD5
860a8ef0cbc6c563fe9a3389761bd2d5

SHA1
39aa6e1688fb12ac7ae109839844ca63e569d801

SHA256
904a83dbf02fe546c6ea88969bb07fdf74cd34a44247991287b1e7e4aaf58b4a

SHA512
20850384762158037c52b6191f2411f3455932d36a46162c1f3e518615f4024c82f6a3dd615b642186dc26248e03775d82852e02c749c9d92c1c07c0011b35f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3146.exe
Filesize
378KB

MD5
860a8ef0cbc6c563fe9a3389761bd2d5

SHA1
39aa6e1688fb12ac7ae109839844ca63e569d801

SHA256
904a83dbf02fe546c6ea88969bb07fdf74cd34a44247991287b1e7e4aaf58b4a

SHA512
20850384762158037c52b6191f2411f3455932d36a46162c1f3e518615f4024c82f6a3dd615b642186dc26248e03775d82852e02c749c9d92c1c07c0011b35f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2450.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
Filesize
398KB

MD5
9f6a2aee7f5a0a2dfc233bdddc186ed3

SHA1
be670efc0da3fded3263e5e23c2daa68c5213df4

SHA256
d06f3062a13b95f39f046b9af1be52944bcc7591e476c687314bb20fd7e0bdb3

SHA512
068889e8eb298b34ea26698f44292523e588e19ea4fbfec8588bf78fb3097d73fb77755e80e86107804e8ea5598bc29ef5ff0882e3b230678ad29f1c7f1089d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9092DV.exe
Filesize
398KB

MD5
9f6a2aee7f5a0a2dfc233bdddc186ed3

SHA1
be670efc0da3fded3263e5e23c2daa68c5213df4

SHA256
d06f3062a13b95f39f046b9af1be52944bcc7591e476c687314bb20fd7e0bdb3

SHA512
068889e8eb298b34ea26698f44292523e588e19ea4fbfec8588bf78fb3097d73fb77755e80e86107804e8ea5598bc29ef5ff0882e3b230678ad29f1c7f1089d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
b2446d155f77cf70a33bb0c25172fa3f

SHA1
c20d68dad9e872b4607a5677c4851f863c28daf7

SHA256
0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb

SHA512
5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
53bf804f75123ed2339305be1d298398

SHA1
33a337e3e219da8ecd237b44fbcaf4864124a012

SHA256
7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8

SHA512
7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/320-234-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-1128-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-1134-0x0000000008340000-0x0000000008390000-memory.dmp

Filesize
320KB

Download
memory/320-1133-0x00000000082C0000-0x0000000008336000-memory.dmp

Filesize
472KB

Download
memory/320-1132-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-209-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-210-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-212-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-214-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-216-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-218-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-220-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-222-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-224-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-226-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-228-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-230-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-232-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-1131-0x0000000007A70000-0x0000000007F9C000-memory.dmp

Filesize
5.2MB

Download
memory/320-236-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-238-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-240-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-242-0x00000000028B0000-0x00000000028EE000-memory.dmp

Filesize
248KB

Download
memory/320-381-0x0000000000740000-0x000000000078B000-memory.dmp

Filesize
300KB

Download
memory/320-383-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-384-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-386-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-1119-0x0000000005360000-0x0000000005978000-memory.dmp

Filesize
6.1MB

Download
memory/320-1120-0x00000000059E0000-0x0000000005AEA000-memory.dmp

Filesize
1.0MB

Download
memory/320-1121-0x0000000005B20000-0x0000000005B32000-memory.dmp

Filesize
72KB

Download
memory/320-1122-0x0000000005B40000-0x0000000005B7C000-memory.dmp

Filesize
240KB

Download
memory/320-1123-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-1125-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/320-1126-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/320-1127-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/320-1130-0x0000000007890000-0x0000000007A52000-memory.dmp

Filesize
1.8MB

Download
memory/320-1129-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2796-1192-0x0000000000800000-0x000000000082E000-memory.dmp

Filesize
184KB

Download
memory/2796-1255-0x0000000000870000-0x000000000088C000-memory.dmp

Filesize
112KB

Download
memory/2796-1252-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2796-1249-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2796-1248-0x0000000000870000-0x000000000088C000-memory.dmp

Filesize
112KB

Download
memory/3132-180-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-176-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-167-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3132-168-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/3132-194-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-192-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-190-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-188-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-186-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-184-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-182-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-202-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3132-178-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-196-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-174-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-198-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-172-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-171-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/3132-204-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/3132-201-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3132-200-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3132-199-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/3132-170-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3132-169-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3364-161-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/3628-1142-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/3628-1141-0x0000000000BF0000-0x0000000000C22000-memory.dmp

Filesize
200KB

Download