amadey | 4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f

Analysis

max time kernel
145s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-03-2023 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe
Size

1.0MB
MD5

9d78b33bfd9f33f64c88ffe7f3ba5691
SHA1

0a45ffd1738825a87099e88768dff876d9bcb325
SHA256

4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f
SHA512

fb0f53ca1496007c3cf1d756cbc2dec23cf8f5dd655fb4307fdf6d6f91e9657a24a758aac3df09957c7ffb6b723b776a073aae4dca14d8b282a35968657886ec
SSDEEP

24576:eyBNyBokEFsr+V7cEarXNSD2wA+ea+tsbuWlS6q:tBNyBokD65cFQDJeaiYur

Score

10^/10

amadey lumma redline @redlinevipchat cloud (tg: @fatherofcarders)boris netu ngan003 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)

151.80.89.234:19388

Attributes

auth_value
56af49c3278d982f9a41ef2abb7c4d09

Extracted

Family

redline

Botnet

ngan003

199.115.193.116:11300

Attributes

auth_value
b500a5cf0cb429e32a81c6ddcd8d4545

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7250.exev0656Wn.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0656Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0656Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0656Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0656Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0656Wn.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1284-197-0x0000000002E80000-0x0000000002EC6000-memory.dmp	family_redline
behavioral1/memory/1284-198-0x00000000048F0000-0x0000000004934000-memory.dmp	family_redline
behavioral1/memory/1284-199-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-200-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-202-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-204-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-206-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-208-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-210-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-212-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-214-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-217-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-223-0x0000000007250000-0x0000000007260000-memory.dmp	family_redline
behavioral1/memory/1284-221-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-224-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-226-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-228-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-230-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-232-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-234-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline
behavioral1/memory/1284-236-0x00000000048F0000-0x000000000492F000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

zap7067.exezap0850.exezap1551.exetz7250.exev0656Wn.exew23aG52.exexNJZv54.exey77dr71.exelegenda.exe1millRDX.exeSprawl.exeLummas.exeSprawl.exelegenda.exe

pid	process
2600	zap7067.exe
2968	zap0850.exe
3916	zap1551.exe
2504	tz7250.exe
2800	v0656Wn.exe
1284	w23aG52.exe
4944	xNJZv54.exe
4352	y77dr71.exe
4508	legenda.exe
3368	1millRDX.exe
4100	Sprawl.exe
652	Lummas.exe
3964	Sprawl.exe
2664	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1972 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1972	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7250.exev0656Wn.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7250.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0656Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0656Wn.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap0850.exezap1551.exe4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exezap7067.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0850.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1551.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7067.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

Lummas.exeSprawl.exe

description pid process target process

PID 652 set thread context of 2148 652 Lummas.exe jsc.exe
PID 4100 set thread context of 3964 4100 Sprawl.exe Sprawl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5016 schtasks.exe

description	pid	process	target process
PID 652 set thread context of 2148	652	Lummas.exe	jsc.exe
PID 4100 set thread context of 3964	4100	Sprawl.exe	Sprawl.exe

pid	process
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

tz7250.exev0656Wn.exew23aG52.exexNJZv54.exeLummas.exe1millRDX.exeSprawl.exe

pid	process
2504	tz7250.exe
2504	tz7250.exe
2800	v0656Wn.exe
2800	v0656Wn.exe
1284	w23aG52.exe
1284	w23aG52.exe
4944	xNJZv54.exe
4944	xNJZv54.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
652	Lummas.exe
3368	1millRDX.exe
3368	1millRDX.exe
3964	Sprawl.exe
3964	Sprawl.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

tz7250.exev0656Wn.exew23aG52.exexNJZv54.exeLummas.exe1millRDX.exeSprawl.exe

description	pid	process
Token: SeDebugPrivilege	2504	tz7250.exe
Token: SeDebugPrivilege	2800	v0656Wn.exe
Token: SeDebugPrivilege	1284	w23aG52.exe
Token: SeDebugPrivilege	4944	xNJZv54.exe
Token: SeDebugPrivilege	652	Lummas.exe
Token: SeDebugPrivilege	3368	1millRDX.exe
Token: SeDebugPrivilege	3964	Sprawl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exezap7067.exezap0850.exezap1551.exey77dr71.exelegenda.execmd.exeSprawl.exeLummas.exe

description	pid	process	target process
PID 2408 wrote to memory of 2600	2408	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe	zap7067.exe
PID 2408 wrote to memory of 2600	2408	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe	zap7067.exe
PID 2408 wrote to memory of 2600	2408	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe	zap7067.exe
PID 2600 wrote to memory of 2968	2600	zap7067.exe	zap0850.exe
PID 2600 wrote to memory of 2968	2600	zap7067.exe	zap0850.exe
PID 2600 wrote to memory of 2968	2600	zap7067.exe	zap0850.exe
PID 2968 wrote to memory of 3916	2968	zap0850.exe	zap1551.exe
PID 2968 wrote to memory of 3916	2968	zap0850.exe	zap1551.exe
PID 2968 wrote to memory of 3916	2968	zap0850.exe	zap1551.exe
PID 3916 wrote to memory of 2504	3916	zap1551.exe	tz7250.exe
PID 3916 wrote to memory of 2504	3916	zap1551.exe	tz7250.exe
PID 3916 wrote to memory of 2800	3916	zap1551.exe	v0656Wn.exe
PID 3916 wrote to memory of 2800	3916	zap1551.exe	v0656Wn.exe
PID 3916 wrote to memory of 2800	3916	zap1551.exe	v0656Wn.exe
PID 2968 wrote to memory of 1284	2968	zap0850.exe	w23aG52.exe
PID 2968 wrote to memory of 1284	2968	zap0850.exe	w23aG52.exe
PID 2968 wrote to memory of 1284	2968	zap0850.exe	w23aG52.exe
PID 2600 wrote to memory of 4944	2600	zap7067.exe	xNJZv54.exe
PID 2600 wrote to memory of 4944	2600	zap7067.exe	xNJZv54.exe
PID 2600 wrote to memory of 4944	2600	zap7067.exe	xNJZv54.exe
PID 2408 wrote to memory of 4352	2408	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe	y77dr71.exe
PID 2408 wrote to memory of 4352	2408	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe	y77dr71.exe
PID 2408 wrote to memory of 4352	2408	4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe	y77dr71.exe
PID 4352 wrote to memory of 4508	4352	y77dr71.exe	legenda.exe
PID 4352 wrote to memory of 4508	4352	y77dr71.exe	legenda.exe
PID 4352 wrote to memory of 4508	4352	y77dr71.exe	legenda.exe
PID 4508 wrote to memory of 5016	4508	legenda.exe	schtasks.exe
PID 4508 wrote to memory of 5016	4508	legenda.exe	schtasks.exe
PID 4508 wrote to memory of 5016	4508	legenda.exe	schtasks.exe
PID 4508 wrote to memory of 2452	4508	legenda.exe	cmd.exe
PID 4508 wrote to memory of 2452	4508	legenda.exe	cmd.exe
PID 4508 wrote to memory of 2452	4508	legenda.exe	cmd.exe
PID 2452 wrote to memory of 4280	2452	cmd.exe	cmd.exe
PID 2452 wrote to memory of 4280	2452	cmd.exe	cmd.exe
PID 2452 wrote to memory of 4280	2452	cmd.exe	cmd.exe
PID 2452 wrote to memory of 360	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 360	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 360	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 5088	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 5088	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 5088	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 5064	2452	cmd.exe	cmd.exe
PID 2452 wrote to memory of 5064	2452	cmd.exe	cmd.exe
PID 2452 wrote to memory of 5064	2452	cmd.exe	cmd.exe
PID 2452 wrote to memory of 5072	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 5072	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 5072	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 4236	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 4236	2452	cmd.exe	cacls.exe
PID 2452 wrote to memory of 4236	2452	cmd.exe	cacls.exe
PID 4508 wrote to memory of 3368	4508	legenda.exe	1millRDX.exe
PID 4508 wrote to memory of 3368	4508	legenda.exe	1millRDX.exe
PID 4508 wrote to memory of 3368	4508	legenda.exe	1millRDX.exe
PID 4508 wrote to memory of 4100	4508	legenda.exe	Sprawl.exe
PID 4508 wrote to memory of 4100	4508	legenda.exe	Sprawl.exe
PID 4508 wrote to memory of 4100	4508	legenda.exe	Sprawl.exe
PID 4100 wrote to memory of 3964	4100	Sprawl.exe	Sprawl.exe
PID 4100 wrote to memory of 3964	4100	Sprawl.exe	Sprawl.exe
PID 4100 wrote to memory of 3964	4100	Sprawl.exe	Sprawl.exe
PID 4508 wrote to memory of 652	4508	legenda.exe	Lummas.exe
PID 4508 wrote to memory of 652	4508	legenda.exe	Lummas.exe
PID 652 wrote to memory of 600	652	Lummas.exe	CasPol.exe
PID 652 wrote to memory of 600	652	Lummas.exe	CasPol.exe
PID 652 wrote to memory of 432	652	Lummas.exe	ilasm.exe

C:\Users\Admin\AppData\Local\Temp\4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe
"C:\Users\Admin\AppData\Local\Temp\4c377a938408d7cd939fc54c1cddb71bc51600e922bd37283e98c26507464b2f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7067.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7067.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0850.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0850.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1551.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1551.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7250.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7250.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0656Wn.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0656Wn.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23aG52.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23aG52.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNJZv54.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNJZv54.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77dr71.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77dr71.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4280

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:360

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5064

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5072

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
"C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
5⤵
PID:600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
5⤵
PID:4424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:3928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
5⤵
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
5⤵
PID:1392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
5⤵
PID:1388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
5⤵
PID:1352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
5⤵
PID:3400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
5⤵
PID:3464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
5⤵
PID:312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
5⤵
PID:4008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
5⤵
PID:208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
5⤵
PID:212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:1140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:2148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1972

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sprawl.exe.log
Filesize
1KB

MD5
8268d0ebb3b023f56d9a27f3933f124f

SHA1
def43e831ca0fcbc1df8a1e11a41fe3ea1734f3b

SHA256
2fdfee92c5ce81220a0b66cf0ec1411c923d48ae89232406c237e1bc5204392d

SHA512
c61c2f8df84e4bbcb6f871befd4dde44188cf106c4af91a56b33a45692b83d1c52a953477f14f4239726b66ecab66842e910c2996631137355a4aba4ea793c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
Filesize
175KB

MD5
f197d1eb5c9a1f9e586e2438529067b6

SHA1
143d53443170406749b1a56eab31cfd532105677

SHA256
3a65f720bc48f5ea51dd7c073961f71332cf864ec6ae1e3469a1a284dfaabdd8

SHA512
d20a7f47d033257751134687f0e0da3864864e0adb6575115e827c22d5b0a5f454023607dd5b0b37f1133715e3fae20e1bd60dca8d596d9763b4def339d5f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
Filesize
175KB

MD5
f197d1eb5c9a1f9e586e2438529067b6

SHA1
143d53443170406749b1a56eab31cfd532105677

SHA256
3a65f720bc48f5ea51dd7c073961f71332cf864ec6ae1e3469a1a284dfaabdd8

SHA512
d20a7f47d033257751134687f0e0da3864864e0adb6575115e827c22d5b0a5f454023607dd5b0b37f1133715e3fae20e1bd60dca8d596d9763b4def339d5f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\1millRDX.exe
Filesize
175KB

MD5
f197d1eb5c9a1f9e586e2438529067b6

SHA1
143d53443170406749b1a56eab31cfd532105677

SHA256
3a65f720bc48f5ea51dd7c073961f71332cf864ec6ae1e3469a1a284dfaabdd8

SHA512
d20a7f47d033257751134687f0e0da3864864e0adb6575115e827c22d5b0a5f454023607dd5b0b37f1133715e3fae20e1bd60dca8d596d9763b4def339d5f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\Sprawl.exe
Filesize
895KB

MD5
7f9cc3889e95b39a93593207cc823dd2

SHA1
553b922ae2d755e012792ab495c879f63ab3b923

SHA256
d66720ec90fd4c8e65e9a28272ec291db0e7a7ce60426e219ef4623e277313f5

SHA512
5a53fbeb23d5b407150427ac10d8a760bd493309ea88f2d82d357e439062b5cda633ce154ca9c56a1b07085bfaf51da6eb93c1e702502aad7122115ccca00951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\Lummas.exe
Filesize
1.9MB

MD5
ffc87cf5de85e0a6a3941bc91780d928

SHA1
6029ea950091d269d9626343a8defefd1b6c5c1c

SHA256
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

SHA512
98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77dr71.exe
Filesize
235KB

MD5
28e21f5a89f7ade98b5303625725313f

SHA1
b5c20b2ae0015fb430f356e467c26f93a5849d5b

SHA256
b364fac8a179400095dd919bd529f62a6057624de8a72d02767a4602e9cd6515

SHA512
58a42b553a5c84464a7429b79bcd6c5abefd5302f332563e466760aa0f1f84e3160a481a138039eb2f4b71d81364aa269abbe2630d3aee197e62d00a9314653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77dr71.exe
Filesize
235KB

MD5
28e21f5a89f7ade98b5303625725313f

SHA1
b5c20b2ae0015fb430f356e467c26f93a5849d5b

SHA256
b364fac8a179400095dd919bd529f62a6057624de8a72d02767a4602e9cd6515

SHA512
58a42b553a5c84464a7429b79bcd6c5abefd5302f332563e466760aa0f1f84e3160a481a138039eb2f4b71d81364aa269abbe2630d3aee197e62d00a9314653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7067.exe
Filesize
853KB

MD5
5e6e87a85f39319f2685f3a265cbb2da

SHA1
52106debc909a195938ef3bd86243b111f9c15b3

SHA256
03a91caa6f4ec77af8df8536360aad6f13bcf5e4f8a7939e830282dc151a9455

SHA512
0af297afeca0546924aa223637b0c2413ff20dff78b55c289b4ff2206daee1c8df5868af02cd9cc381758b3275c3102c8aee5c23f8ff6f1b03fd761364e9b1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7067.exe
Filesize
853KB

MD5
5e6e87a85f39319f2685f3a265cbb2da

SHA1
52106debc909a195938ef3bd86243b111f9c15b3

SHA256
03a91caa6f4ec77af8df8536360aad6f13bcf5e4f8a7939e830282dc151a9455

SHA512
0af297afeca0546924aa223637b0c2413ff20dff78b55c289b4ff2206daee1c8df5868af02cd9cc381758b3275c3102c8aee5c23f8ff6f1b03fd761364e9b1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNJZv54.exe
Filesize
175KB

MD5
5632f53dcccac2d7edc9ccd4d83cc978

SHA1
f8c1bfdbc76d0a7905ef74b35f46f4c79f9c2462

SHA256
1f1297bfd92b9f5ebed4228e521665a700be508349c3c9a88d15710ca6e14d21

SHA512
1647fab3f514e65ca3ef3fc2303cad77815bcb93c46e93fa890e2bdf6088a030c154d35f6750c7d930f32dfb11780e6cfa8553a9f02ba15ef8b5aedd07bacf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xNJZv54.exe
Filesize
175KB

MD5
5632f53dcccac2d7edc9ccd4d83cc978

SHA1
f8c1bfdbc76d0a7905ef74b35f46f4c79f9c2462

SHA256
1f1297bfd92b9f5ebed4228e521665a700be508349c3c9a88d15710ca6e14d21

SHA512
1647fab3f514e65ca3ef3fc2303cad77815bcb93c46e93fa890e2bdf6088a030c154d35f6750c7d930f32dfb11780e6cfa8553a9f02ba15ef8b5aedd07bacf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0850.exe
Filesize
711KB

MD5
f440f1b4547ce26054a89afa0b07ae12

SHA1
67323ea01ed6dda9d6fa208557bcefc258e9785e

SHA256
a94296258ca9de3cc4e1d67d13409f1c3530effdc666a28196a05fbf9df9c1cd

SHA512
7c672316960ab19f980b3b0319bdcacf08fa4f7f103894d768c14f08bd3ba4e99a5b2c63bbd3ca365d9e8ffb182c5d9f93fa68159f7dde979fddfbd03e0ba948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0850.exe
Filesize
711KB

MD5
f440f1b4547ce26054a89afa0b07ae12

SHA1
67323ea01ed6dda9d6fa208557bcefc258e9785e

SHA256
a94296258ca9de3cc4e1d67d13409f1c3530effdc666a28196a05fbf9df9c1cd

SHA512
7c672316960ab19f980b3b0319bdcacf08fa4f7f103894d768c14f08bd3ba4e99a5b2c63bbd3ca365d9e8ffb182c5d9f93fa68159f7dde979fddfbd03e0ba948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23aG52.exe
Filesize
383KB

MD5
9d7e6ef81d01bfe3a9e2197900f67756

SHA1
31f3335d96d731ae5b574deecd86015662597512

SHA256
ab86e4f53180f6dabe406e4c25739465393349aeaa4afb2a41423928ea219b32

SHA512
051787d3fd53ef8c266e29e07f892dd8a16a1c25aa3805027e3390954c634791f023e2f1e586bda1af8baeb96783da604e8b4bd28ae4d5cb24d8936f44ab2e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w23aG52.exe
Filesize
383KB

MD5
9d7e6ef81d01bfe3a9e2197900f67756

SHA1
31f3335d96d731ae5b574deecd86015662597512

SHA256
ab86e4f53180f6dabe406e4c25739465393349aeaa4afb2a41423928ea219b32

SHA512
051787d3fd53ef8c266e29e07f892dd8a16a1c25aa3805027e3390954c634791f023e2f1e586bda1af8baeb96783da604e8b4bd28ae4d5cb24d8936f44ab2e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1551.exe
Filesize
352KB

MD5
66b0d6e932148715edf92c80fb1e0f9b

SHA1
7977735615f3a875b33dbf199bcc799ea2b7e2b9

SHA256
64dc2a2518838c9eba50c7ecfb0f564d6652117550160628c94fe38cf3ce7598

SHA512
857d5e0521b0d5bb8dcc764fc7b2a7999b8c000c406bbca1ba9c1494e360c79c1b1960a819afbf425e22cee88fa69fd21d6605668f3ff4f3025d15f0bac5b89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1551.exe
Filesize
352KB

MD5
66b0d6e932148715edf92c80fb1e0f9b

SHA1
7977735615f3a875b33dbf199bcc799ea2b7e2b9

SHA256
64dc2a2518838c9eba50c7ecfb0f564d6652117550160628c94fe38cf3ce7598

SHA512
857d5e0521b0d5bb8dcc764fc7b2a7999b8c000c406bbca1ba9c1494e360c79c1b1960a819afbf425e22cee88fa69fd21d6605668f3ff4f3025d15f0bac5b89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7250.exe
Filesize
11KB

MD5
9b9318fccd42cafa15d80e4fac688772

SHA1
266f07f2be81fb2b07ab82a4cffe39e9b314edcd

SHA256
4f76b3061c523edc7df92d77b803a6621697885a794e46c97a3a170098d90379

SHA512
9a7980d1b7d4b327c660055f8cd1611b33f875c64e3fb59afd4ccab431ba45da5006d276d40efdbec9a0331bdef6d5161798933abd8745d5e963c81f1515d971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7250.exe
Filesize
11KB

MD5
9b9318fccd42cafa15d80e4fac688772

SHA1
266f07f2be81fb2b07ab82a4cffe39e9b314edcd

SHA256
4f76b3061c523edc7df92d77b803a6621697885a794e46c97a3a170098d90379

SHA512
9a7980d1b7d4b327c660055f8cd1611b33f875c64e3fb59afd4ccab431ba45da5006d276d40efdbec9a0331bdef6d5161798933abd8745d5e963c81f1515d971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0656Wn.exe
Filesize
325KB

MD5
2d2e41b15e63cb871a5ec6823ea2dcbf

SHA1
04a2fe0b7b353400a2d29c583158519365592900

SHA256
69fa52493d5bd6ce15553902f1fd12d811b1714284e97c2f7392a67b5fdf047d

SHA512
176bee66770e00e2b92d3e5d4a2458f00e86fc8ba3ba02a37b4e5c7ca77ffcd0eabc0be9aaa899298b6127c411e4add5c05beef2239ebb286aff2b90c81b8659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0656Wn.exe
Filesize
325KB

MD5
2d2e41b15e63cb871a5ec6823ea2dcbf

SHA1
04a2fe0b7b353400a2d29c583158519365592900

SHA256
69fa52493d5bd6ce15553902f1fd12d811b1714284e97c2f7392a67b5fdf047d

SHA512
176bee66770e00e2b92d3e5d4a2458f00e86fc8ba3ba02a37b4e5c7ca77ffcd0eabc0be9aaa899298b6127c411e4add5c05beef2239ebb286aff2b90c81b8659

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
28e21f5a89f7ade98b5303625725313f

SHA1
b5c20b2ae0015fb430f356e467c26f93a5849d5b

SHA256
b364fac8a179400095dd919bd529f62a6057624de8a72d02767a4602e9cd6515

SHA512
58a42b553a5c84464a7429b79bcd6c5abefd5302f332563e466760aa0f1f84e3160a481a138039eb2f4b71d81364aa269abbe2630d3aee197e62d00a9314653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
28e21f5a89f7ade98b5303625725313f

SHA1
b5c20b2ae0015fb430f356e467c26f93a5849d5b

SHA256
b364fac8a179400095dd919bd529f62a6057624de8a72d02767a4602e9cd6515

SHA512
58a42b553a5c84464a7429b79bcd6c5abefd5302f332563e466760aa0f1f84e3160a481a138039eb2f4b71d81364aa269abbe2630d3aee197e62d00a9314653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
28e21f5a89f7ade98b5303625725313f

SHA1
b5c20b2ae0015fb430f356e467c26f93a5849d5b

SHA256
b364fac8a179400095dd919bd529f62a6057624de8a72d02767a4602e9cd6515

SHA512
58a42b553a5c84464a7429b79bcd6c5abefd5302f332563e466760aa0f1f84e3160a481a138039eb2f4b71d81364aa269abbe2630d3aee197e62d00a9314653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
28e21f5a89f7ade98b5303625725313f

SHA1
b5c20b2ae0015fb430f356e467c26f93a5849d5b

SHA256
b364fac8a179400095dd919bd529f62a6057624de8a72d02767a4602e9cd6515

SHA512
58a42b553a5c84464a7429b79bcd6c5abefd5302f332563e466760aa0f1f84e3160a481a138039eb2f4b71d81364aa269abbe2630d3aee197e62d00a9314653c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/652-1189-0x000002B037320000-0x000002B03750E000-memory.dmp

Filesize
1.9MB

Download
memory/652-1190-0x000002B051A90000-0x000002B051C2E000-memory.dmp

Filesize
1.6MB

Download
memory/652-1191-0x000002B039260000-0x000002B039270000-memory.dmp

Filesize
64KB

Download
memory/1284-232-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-1126-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-199-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-200-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-202-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-204-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-206-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-208-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-210-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-212-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-214-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-216-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/1284-218-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-220-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-217-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-223-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-221-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-224-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-226-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-228-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-230-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-197-0x0000000002E80000-0x0000000002EC6000-memory.dmp

Filesize
280KB

Download
memory/1284-234-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-236-0x00000000048F0000-0x000000000492F000-memory.dmp

Filesize
252KB

Download
memory/1284-1109-0x0000000007D70000-0x0000000008376000-memory.dmp

Filesize
6.0MB

Download
memory/1284-1110-0x0000000007760000-0x000000000786A000-memory.dmp

Filesize
1.0MB

Download
memory/1284-1111-0x0000000007870000-0x0000000007882000-memory.dmp

Filesize
72KB

Download
memory/1284-1112-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-1113-0x0000000007890000-0x00000000078CE000-memory.dmp

Filesize
248KB

Download
memory/1284-1114-0x00000000079D0000-0x0000000007A1B000-memory.dmp

Filesize
300KB

Download
memory/1284-1116-0x0000000007B60000-0x0000000007BF2000-memory.dmp

Filesize
584KB

Download
memory/1284-1117-0x0000000007C00000-0x0000000007C66000-memory.dmp

Filesize
408KB

Download
memory/1284-1118-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/1284-1119-0x0000000008A90000-0x0000000008AE0000-memory.dmp

Filesize
320KB

Download
memory/1284-1120-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-1121-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-1122-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1284-1123-0x0000000008B10000-0x0000000008CD2000-memory.dmp

Filesize
1.8MB

Download
memory/1284-1124-0x0000000008CE0000-0x000000000920C000-memory.dmp

Filesize
5.2MB

Download
memory/1284-198-0x00000000048F0000-0x0000000004934000-memory.dmp

Filesize
272KB

Download
memory/2148-1207-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2148-1197-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2148-1205-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2504-149-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2800-186-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-172-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-188-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-158-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2800-184-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-182-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-180-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-178-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-176-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-192-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2800-160-0x0000000004C60000-0x0000000004C78000-memory.dmp

Filesize
96KB

Download
memory/2800-190-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2800-174-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-189-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2800-157-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2800-170-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-156-0x0000000007170000-0x000000000766E000-memory.dmp

Filesize
5.0MB

Download
memory/2800-155-0x0000000002E10000-0x0000000002E2A000-memory.dmp

Filesize
104KB

Download
memory/2800-168-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-166-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-164-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-162-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-161-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2800-159-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/3368-1159-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3368-1158-0x0000000006EE0000-0x0000000006F2B000-memory.dmp

Filesize
300KB

Download
memory/3368-1157-0x00000000000B0000-0x00000000000E2000-memory.dmp

Filesize
200KB

Download
memory/3964-1202-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3964-1203-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3964-1206-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4100-1175-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4100-1174-0x0000000004F50000-0x00000000052A0000-memory.dmp

Filesize
3.3MB

Download
memory/4100-1173-0x00000000004C0000-0x00000000005A6000-memory.dmp

Filesize
920KB

Download
memory/4944-1133-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4944-1132-0x0000000004DE0000-0x0000000004E2B000-memory.dmp

Filesize
300KB

Download
memory/4944-1131-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download