amadey | 0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df

Analysis

max time kernel
70s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe
Size

1.0MB
MD5

0e8ebf01e8dc7a00698bcf21cf8ee51e
SHA1

3bf9e109cae6b786be467ead18f9dbeef9be2e33
SHA256

0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df
SHA512

9803cbbff0a4fbc9eb490915e6d9ea17a6a113249585836e27d12450c391d4d49be9908feda456a617bda8933e9d4488b626f33b93a07f830742a6f7330bd5d8
SSDEEP

24576:JyhAHzi/D98xoxvkjbewasd1mvk2/n+aV4Fw466uJk1Y:8eoD98xVbDasd1o/n+aV4q466uJ

Score

10^/10

amadey aurora redline bolt down usa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

bolt

193.233.20.31:4125

Attributes

auth_value
29540c7bf0277243e2faf6601e15a754

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

USA

65.108.152.34:37345

Attributes

auth_value
01ecb56953469aaed8efad25c0f68a64

Extracted

Family

aurora

212.87.204.93:8081

94.142.138.215:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7982UQ.exetz7901.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7982UQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7901.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3676-210-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-211-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-213-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-215-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-217-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-219-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-221-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-223-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-225-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-229-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-227-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-231-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-233-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-235-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-237-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-239-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-241-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-243-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/3676-436-0x0000000004F40000-0x0000000004F50000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y90eI54.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y90eI54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 14 IoCs

Processes:

zap9179.exezap3656.exezap6305.exetz7901.exev7982UQ.exew49Li90.exexSkMa74.exey90eI54.exelegenda.exeusa.exevpn-go.exe1.exe1.exelegenda.exe

pid	process
1904	zap9179.exe
768	zap3656.exe
4484	zap6305.exe
2308	tz7901.exe
4536	v7982UQ.exe
3676	w49Li90.exe
244	xSkMa74.exe
1388	y90eI54.exe
4120	legenda.exe
916	usa.exe
4328	vpn-go.exe
3412	1.exe
3096	1.exe
3712	legenda.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v7982UQ.exetz7901.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7982UQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7901.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3656.exezap6305.exe0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exezap9179.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3656.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6305.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9179.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9179.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3656.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

vpn-go.exe

description pid process target process

PID 4328 set thread context of 3780 4328 vpn-go.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1620 4536 WerFault.exe v7982UQ.exe
2612 3676 WerFault.exe w49Li90.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1344 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1316 systeminfo.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tz7901.exev7982UQ.exew49Li90.exexSkMa74.exeusa.exe

pid process

2308 tz7901.exe
2308 tz7901.exe
4536 v7982UQ.exe
4536 v7982UQ.exe
3676 w49Li90.exe
3676 w49Li90.exe
244 xSkMa74.exe
244 xSkMa74.exe
916 usa.exe
916 usa.exe

description	pid	process	target process
PID 4328 set thread context of 3780	4328	vpn-go.exe	InstallUtil.exe

pid	pid_target	process	target process
1620	4536	WerFault.exe	v7982UQ.exe
2612	3676	WerFault.exe	w49Li90.exe

pid	process
1344	schtasks.exe

pid	process
1316	systeminfo.exe

pid	process
2308	tz7901.exe
2308	tz7901.exe
4536	v7982UQ.exe
4536	v7982UQ.exe
3676	w49Li90.exe
3676	w49Li90.exe
244	xSkMa74.exe
244	xSkMa74.exe
916	usa.exe
916	usa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz7901.exev7982UQ.exew49Li90.exexSkMa74.exevpn-go.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2308	tz7901.exe
Token: SeDebugPrivilege	4536	v7982UQ.exe
Token: SeDebugPrivilege	3676	w49Li90.exe
Token: SeDebugPrivilege	244	xSkMa74.exe
Token: SeDebugPrivilege	4328	vpn-go.exe
Token: SeIncreaseQuotaPrivilege	804	WMIC.exe
Token: SeSecurityPrivilege	804	WMIC.exe
Token: SeTakeOwnershipPrivilege	804	WMIC.exe
Token: SeLoadDriverPrivilege	804	WMIC.exe
Token: SeSystemProfilePrivilege	804	WMIC.exe
Token: SeSystemtimePrivilege	804	WMIC.exe
Token: SeProfSingleProcessPrivilege	804	WMIC.exe
Token: SeIncBasePriorityPrivilege	804	WMIC.exe
Token: SeCreatePagefilePrivilege	804	WMIC.exe
Token: SeBackupPrivilege	804	WMIC.exe
Token: SeRestorePrivilege	804	WMIC.exe
Token: SeShutdownPrivilege	804	WMIC.exe
Token: SeDebugPrivilege	804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	804	WMIC.exe
Token: SeRemoteShutdownPrivilege	804	WMIC.exe
Token: SeUndockPrivilege	804	WMIC.exe
Token: SeManageVolumePrivilege	804	WMIC.exe
Token: 33	804	WMIC.exe
Token: 34	804	WMIC.exe
Token: 35	804	WMIC.exe
Token: 36	804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	804	WMIC.exe
Token: SeSecurityPrivilege	804	WMIC.exe
Token: SeTakeOwnershipPrivilege	804	WMIC.exe
Token: SeLoadDriverPrivilege	804	WMIC.exe
Token: SeSystemProfilePrivilege	804	WMIC.exe
Token: SeSystemtimePrivilege	804	WMIC.exe
Token: SeProfSingleProcessPrivilege	804	WMIC.exe
Token: SeIncBasePriorityPrivilege	804	WMIC.exe
Token: SeCreatePagefilePrivilege	804	WMIC.exe
Token: SeBackupPrivilege	804	WMIC.exe
Token: SeRestorePrivilege	804	WMIC.exe
Token: SeShutdownPrivilege	804	WMIC.exe
Token: SeDebugPrivilege	804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	804	WMIC.exe
Token: SeRemoteShutdownPrivilege	804	WMIC.exe
Token: SeUndockPrivilege	804	WMIC.exe
Token: SeManageVolumePrivilege	804	WMIC.exe
Token: 33	804	WMIC.exe
Token: 34	804	WMIC.exe
Token: 35	804	WMIC.exe
Token: 36	804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4416	wmic.exe
Token: SeSecurityPrivilege	4416	wmic.exe
Token: SeTakeOwnershipPrivilege	4416	wmic.exe
Token: SeLoadDriverPrivilege	4416	wmic.exe
Token: SeSystemProfilePrivilege	4416	wmic.exe
Token: SeSystemtimePrivilege	4416	wmic.exe
Token: SeProfSingleProcessPrivilege	4416	wmic.exe
Token: SeIncBasePriorityPrivilege	4416	wmic.exe
Token: SeCreatePagefilePrivilege	4416	wmic.exe
Token: SeBackupPrivilege	4416	wmic.exe
Token: SeRestorePrivilege	4416	wmic.exe
Token: SeShutdownPrivilege	4416	wmic.exe
Token: SeDebugPrivilege	4416	wmic.exe
Token: SeSystemEnvironmentPrivilege	4416	wmic.exe
Token: SeRemoteShutdownPrivilege	4416	wmic.exe
Token: SeUndockPrivilege	4416	wmic.exe
Token: SeManageVolumePrivilege	4416	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exezap9179.exezap3656.exezap6305.exey90eI54.exelegenda.execmd.exevpn-go.exe

description	pid	process	target process
PID 2244 wrote to memory of 1904	2244	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe	zap9179.exe
PID 2244 wrote to memory of 1904	2244	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe	zap9179.exe
PID 2244 wrote to memory of 1904	2244	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe	zap9179.exe
PID 1904 wrote to memory of 768	1904	zap9179.exe	zap3656.exe
PID 1904 wrote to memory of 768	1904	zap9179.exe	zap3656.exe
PID 1904 wrote to memory of 768	1904	zap9179.exe	zap3656.exe
PID 768 wrote to memory of 4484	768	zap3656.exe	zap6305.exe
PID 768 wrote to memory of 4484	768	zap3656.exe	zap6305.exe
PID 768 wrote to memory of 4484	768	zap3656.exe	zap6305.exe
PID 4484 wrote to memory of 2308	4484	zap6305.exe	tz7901.exe
PID 4484 wrote to memory of 2308	4484	zap6305.exe	tz7901.exe
PID 4484 wrote to memory of 4536	4484	zap6305.exe	v7982UQ.exe
PID 4484 wrote to memory of 4536	4484	zap6305.exe	v7982UQ.exe
PID 4484 wrote to memory of 4536	4484	zap6305.exe	v7982UQ.exe
PID 768 wrote to memory of 3676	768	zap3656.exe	w49Li90.exe
PID 768 wrote to memory of 3676	768	zap3656.exe	w49Li90.exe
PID 768 wrote to memory of 3676	768	zap3656.exe	w49Li90.exe
PID 1904 wrote to memory of 244	1904	zap9179.exe	xSkMa74.exe
PID 1904 wrote to memory of 244	1904	zap9179.exe	xSkMa74.exe
PID 1904 wrote to memory of 244	1904	zap9179.exe	xSkMa74.exe
PID 2244 wrote to memory of 1388	2244	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe	y90eI54.exe
PID 2244 wrote to memory of 1388	2244	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe	y90eI54.exe
PID 2244 wrote to memory of 1388	2244	0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe	y90eI54.exe
PID 1388 wrote to memory of 4120	1388	y90eI54.exe	legenda.exe
PID 1388 wrote to memory of 4120	1388	y90eI54.exe	legenda.exe
PID 1388 wrote to memory of 4120	1388	y90eI54.exe	legenda.exe
PID 4120 wrote to memory of 1344	4120	legenda.exe	schtasks.exe
PID 4120 wrote to memory of 1344	4120	legenda.exe	schtasks.exe
PID 4120 wrote to memory of 1344	4120	legenda.exe	schtasks.exe
PID 4120 wrote to memory of 4144	4120	legenda.exe	cmd.exe
PID 4120 wrote to memory of 4144	4120	legenda.exe	cmd.exe
PID 4120 wrote to memory of 4144	4120	legenda.exe	cmd.exe
PID 4144 wrote to memory of 3608	4144	cmd.exe	cmd.exe
PID 4144 wrote to memory of 3608	4144	cmd.exe	cmd.exe
PID 4144 wrote to memory of 3608	4144	cmd.exe	cmd.exe
PID 4144 wrote to memory of 1028	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 1028	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 1028	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 4380	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 4380	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 4380	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 4268	4144	cmd.exe	cmd.exe
PID 4144 wrote to memory of 4268	4144	cmd.exe	cmd.exe
PID 4144 wrote to memory of 4268	4144	cmd.exe	cmd.exe
PID 4144 wrote to memory of 1292	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 1292	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 1292	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 2092	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 2092	4144	cmd.exe	cacls.exe
PID 4144 wrote to memory of 2092	4144	cmd.exe	cacls.exe
PID 4120 wrote to memory of 916	4120	legenda.exe	usa.exe
PID 4120 wrote to memory of 916	4120	legenda.exe	usa.exe
PID 4120 wrote to memory of 916	4120	legenda.exe	usa.exe
PID 4120 wrote to memory of 4328	4120	legenda.exe	vpn-go.exe
PID 4120 wrote to memory of 4328	4120	legenda.exe	vpn-go.exe
PID 4120 wrote to memory of 3412	4120	legenda.exe	1.exe
PID 4120 wrote to memory of 3412	4120	legenda.exe	1.exe
PID 4120 wrote to memory of 3412	4120	legenda.exe	1.exe
PID 4120 wrote to memory of 3096	4120	legenda.exe	1.exe
PID 4120 wrote to memory of 3096	4120	legenda.exe	1.exe
PID 4120 wrote to memory of 3096	4120	legenda.exe	1.exe
PID 4328 wrote to memory of 3780	4328	vpn-go.exe	InstallUtil.exe
PID 4328 wrote to memory of 3780	4328	vpn-go.exe	InstallUtil.exe
PID 4328 wrote to memory of 3780	4328	vpn-go.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe
"C:\Users\Admin\AppData\Local\Temp\0235a30b7e1d0d5b8b19076fec58331d8638d97743eac11bacd59137291b40df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9179.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9179.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3656.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3656.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6305.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6305.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7901.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7901.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7982UQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7982UQ.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1080
6⤵
- Program crash
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49Li90.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49Li90.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1328
5⤵
- Program crash
PID:2612

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSkMa74.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSkMa74.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y90eI54.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y90eI54.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3608

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4268

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:916

C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
5⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:4872

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
PID:4396

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
6⤵
PID:4768

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
6⤵
PID:3208

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:1316

C:\Users\Admin\AppData\Roaming\1000150000\1.exe
"C:\Users\Admin\AppData\Roaming\1000150000\1.exe"
4⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe"
4⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4536 -ip 4536
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3676 -ip 3676
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
Filesize
335KB

MD5
f00f6596f6bf65d01cb390aebc5326f5

SHA1
8e8d257bd51d2213ed871c4b8b88a0238036e313

SHA256
2e54e59e1fabb5accbef4a42a2cf7af640c57ac0fa7e3542c160662fb327caa7

SHA512
74bde8fd32b51b42c6cc70790f86ae4bc1b83f37aa6e246d147469220c46b5d789d9349fef961491917a773dca061665cc09ab858df449f5119e96e59fbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
Filesize
335KB

MD5
f00f6596f6bf65d01cb390aebc5326f5

SHA1
8e8d257bd51d2213ed871c4b8b88a0238036e313

SHA256
2e54e59e1fabb5accbef4a42a2cf7af640c57ac0fa7e3542c160662fb327caa7

SHA512
74bde8fd32b51b42c6cc70790f86ae4bc1b83f37aa6e246d147469220c46b5d789d9349fef961491917a773dca061665cc09ab858df449f5119e96e59fbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\usa.exe
Filesize
335KB

MD5
f00f6596f6bf65d01cb390aebc5326f5

SHA1
8e8d257bd51d2213ed871c4b8b88a0238036e313

SHA256
2e54e59e1fabb5accbef4a42a2cf7af640c57ac0fa7e3542c160662fb327caa7

SHA512
74bde8fd32b51b42c6cc70790f86ae4bc1b83f37aa6e246d147469220c46b5d789d9349fef961491917a773dca061665cc09ab858df449f5119e96e59fbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
Filesize
9.6MB

MD5
e38edcf41b7b13dc8837e030774cf083

SHA1
1ed5f18fbc105fd177129f594d63e3297654acff

SHA256
9e83c3a822bc5253e9b5047fd2ee19abce885852db7afcb70d9b76fc470f69bc

SHA512
17021db0c40c5068c1df61e3682cd967fec74a76e661d5967b3950d2a0f2a3a64ea15abcfd21b89223fb541d3561172a0dbdcc2a63694996518e0fde8ced1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
Filesize
9.6MB

MD5
e38edcf41b7b13dc8837e030774cf083

SHA1
1ed5f18fbc105fd177129f594d63e3297654acff

SHA256
9e83c3a822bc5253e9b5047fd2ee19abce885852db7afcb70d9b76fc470f69bc

SHA512
17021db0c40c5068c1df61e3682cd967fec74a76e661d5967b3950d2a0f2a3a64ea15abcfd21b89223fb541d3561172a0dbdcc2a63694996518e0fde8ced1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\vpn-go.exe
Filesize
9.6MB

MD5
e38edcf41b7b13dc8837e030774cf083

SHA1
1ed5f18fbc105fd177129f594d63e3297654acff

SHA256
9e83c3a822bc5253e9b5047fd2ee19abce885852db7afcb70d9b76fc470f69bc

SHA512
17021db0c40c5068c1df61e3682cd967fec74a76e661d5967b3950d2a0f2a3a64ea15abcfd21b89223fb541d3561172a0dbdcc2a63694996518e0fde8ced1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151001\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y90eI54.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y90eI54.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9179.exe
Filesize
842KB

MD5
f70b4de172d2de1a4eac74192b1206e3

SHA1
91d7863d9e089a450af5b519d7633be63b74e5f9

SHA256
6e571e761761e17c77a11b73dc1628e64c31f5a6a00e1191f8ad48e4193b3ef4

SHA512
9e109e47c7b82ddb9d1e557858e8d6f17445ae64572659cd1a73f80124b1677952ba0a09b303158d682caa5cbae29af7427b92cb50d203718c134ac57d444ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9179.exe
Filesize
842KB

MD5
f70b4de172d2de1a4eac74192b1206e3

SHA1
91d7863d9e089a450af5b519d7633be63b74e5f9

SHA256
6e571e761761e17c77a11b73dc1628e64c31f5a6a00e1191f8ad48e4193b3ef4

SHA512
9e109e47c7b82ddb9d1e557858e8d6f17445ae64572659cd1a73f80124b1677952ba0a09b303158d682caa5cbae29af7427b92cb50d203718c134ac57d444ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSkMa74.exe
Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSkMa74.exe
Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3656.exe
Filesize
700KB

MD5
a04c4fc0e965962c93bb0d1c5183fa76

SHA1
da7723821690683f1c036644ff5faacc1af2a2ef

SHA256
3e0d01fd2964cf25e94a9c8aefb6099358944f0df09691dabf7f4fa6a071015d

SHA512
0ba573acfa1fd8b1540a61fb8d9fd7ee4d9159254e804d40ae9c437afaafdc491d671f3d32870911365485dab0beb21dc792c4db9cf45389f5a2747bd89ba6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3656.exe
Filesize
700KB

MD5
a04c4fc0e965962c93bb0d1c5183fa76

SHA1
da7723821690683f1c036644ff5faacc1af2a2ef

SHA256
3e0d01fd2964cf25e94a9c8aefb6099358944f0df09691dabf7f4fa6a071015d

SHA512
0ba573acfa1fd8b1540a61fb8d9fd7ee4d9159254e804d40ae9c437afaafdc491d671f3d32870911365485dab0beb21dc792c4db9cf45389f5a2747bd89ba6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49Li90.exe
Filesize
358KB

MD5
c9832f30a26a980578cd6fc606aafc41

SHA1
a4dc508a0bea52e3ccdda96b07ef8aca91d80b94

SHA256
b82ae989d3e0e9128e36c3599e743532882dac676e0318a2bb70e38af2361340

SHA512
3ad2272866d3fa6f744e62c036fc536a2610dcc84ea73b37243e8a0aa8c5a610e60ba3de5fac421b34383df32449f48322542b9711e80f165634d97346569228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w49Li90.exe
Filesize
358KB

MD5
c9832f30a26a980578cd6fc606aafc41

SHA1
a4dc508a0bea52e3ccdda96b07ef8aca91d80b94

SHA256
b82ae989d3e0e9128e36c3599e743532882dac676e0318a2bb70e38af2361340

SHA512
3ad2272866d3fa6f744e62c036fc536a2610dcc84ea73b37243e8a0aa8c5a610e60ba3de5fac421b34383df32449f48322542b9711e80f165634d97346569228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6305.exe
Filesize
347KB

MD5
e42b86fc656eb1871568c1f8c528ac15

SHA1
91bb51406b28d742de9b5c48a6505424630042dd

SHA256
6934ebc9c9c31cd9d4f22121e97efd7a9beffa47ae1ab1a3ab9dc82840d6e4f3

SHA512
ae078a12b6ee1e15c347a3e2a1cd5d361045083f56944863574fb2214d96de048fcbd8009cc83746dde973476deb06067f55eaca9d690a4555de13829cc27509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6305.exe
Filesize
347KB

MD5
e42b86fc656eb1871568c1f8c528ac15

SHA1
91bb51406b28d742de9b5c48a6505424630042dd

SHA256
6934ebc9c9c31cd9d4f22121e97efd7a9beffa47ae1ab1a3ab9dc82840d6e4f3

SHA512
ae078a12b6ee1e15c347a3e2a1cd5d361045083f56944863574fb2214d96de048fcbd8009cc83746dde973476deb06067f55eaca9d690a4555de13829cc27509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7901.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7901.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7982UQ.exe
Filesize
300KB

MD5
124bc27696fdf17b1e2031fcc0b54630

SHA1
804dde5f0fdbdd30328eadd8a688aa01b481044e

SHA256
92156ecb03350fb5f95d8206849afadc2bed5bbc6803a27e12619d9728fe92fa

SHA512
018e5cf62773504356f35decaf7b481b5f0277cc7d207bf53655534174cca950671df6295828fda1ab0d93a5227fbd813ab97b4b133f71a95b8ccdf0fbeecdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7982UQ.exe
Filesize
300KB

MD5
124bc27696fdf17b1e2031fcc0b54630

SHA1
804dde5f0fdbdd30328eadd8a688aa01b481044e

SHA256
92156ecb03350fb5f95d8206849afadc2bed5bbc6803a27e12619d9728fe92fa

SHA512
018e5cf62773504356f35decaf7b481b5f0277cc7d207bf53655534174cca950671df6295828fda1ab0d93a5227fbd813ab97b4b133f71a95b8ccdf0fbeecdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\1000150000\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Roaming\1000150000\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
C:\Users\Admin\AppData\Roaming\1000150000\1.exe
Filesize
3.1MB

MD5
64e554cd95971c4a00ae1f6677331cce

SHA1
d7189c4afd0bfbdf12323917434dcfdd55e8b300

SHA256
4564dd1ce4e535487bbe27f9c4b2ac6bee07fa1acf838142e1044fe425d9d0c3

SHA512
4000e391279f0d930079d2355f78cb173cb00308e3c847edfe473daf9c08000c7acaa6fd5accc2a91b389cdbc4a0f5ca2511ca9a65760a7042d8d466fc726074

Download Submit
memory/244-1140-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/244-1139-0x0000000000810000-0x0000000000842000-memory.dmp

Filesize
200KB

Download
memory/916-1173-0x0000000000170000-0x00000000001CA000-memory.dmp

Filesize
360KB

Download
memory/916-1242-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/916-1174-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2308-161-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/3676-233-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-1129-0x0000000006810000-0x0000000006886000-memory.dmp

Filesize
472KB

Download
memory/3676-211-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-213-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-215-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-217-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-219-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-221-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-223-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-225-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-229-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-227-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-231-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-1133-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3676-235-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-237-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-239-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-241-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-243-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-432-0x00000000008C0000-0x000000000090B000-memory.dmp

Filesize
300KB

Download
memory/3676-436-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3676-433-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3676-1119-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/3676-1120-0x0000000005B20000-0x0000000005C2A000-memory.dmp

Filesize
1.0MB

Download
memory/3676-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3676-1122-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3676-1123-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3676-1124-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/3676-1125-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/3676-1127-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3676-1128-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3676-210-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/3676-1130-0x00000000068A0000-0x00000000068F0000-memory.dmp

Filesize
320KB

Download
memory/3676-1131-0x0000000006900000-0x0000000006AC2000-memory.dmp

Filesize
1.8MB

Download
memory/3676-1132-0x0000000006B10000-0x000000000703C000-memory.dmp

Filesize
5.2MB

Download
memory/3780-1239-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4328-1205-0x0000000000B20000-0x00000000014CA000-memory.dmp

Filesize
9.7MB

Download
memory/4328-1228-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/4328-1227-0x000000001D6B0000-0x000000001D6C0000-memory.dmp

Filesize
64KB

Download
memory/4536-184-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-178-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-198-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4536-197-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4536-196-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-194-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-192-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-190-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-188-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-186-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4536-182-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-180-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-199-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4536-176-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4536-174-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-172-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-170-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-169-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4536-202-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4536-203-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4536-168-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/4536-204-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4536-167-0x0000000002350000-0x000000000237D000-memory.dmp

Filesize
180KB

Download