amadey | 5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049

Analysis

max time kernel
122s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe
Size

1.0MB
MD5

2e777101f49a8541c65d467a5d74e161
SHA1

82a3fef7204ef5c64aea4ee23f81fbda3a4bf5cf
SHA256

5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049
SHA512

e2435555cd186f55f8795a17d7a65abeddc2a51f01e02a807bdf2aa612c23efd6f332c9e74aad5fcaeae48581f70bf05f1398bed5f058d7e81617f049d70ab8b
SSDEEP

24576:BygHR07w4yqTwIt3sAQKkZUlPbzvFKM0sfBkQma:0B7w4VzhQ3k39lfBk

Score

10^/10

amadey aurora redline nado rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nado

176.113.115.145:4125

Attributes

auth_value
a648e365d8e0df895a84152ad68ffc56

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v3446SI.exetz5419.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3446SI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3446SI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3446SI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3446SI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3446SI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3446SI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5419.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5088-211-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-212-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-215-0x00000000074B0000-0x00000000074C0000-memory.dmp	family_redline
behavioral1/memory/5088-218-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-216-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-220-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-222-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-224-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-226-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-228-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-230-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-232-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-234-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-236-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-238-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-240-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-242-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-244-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline
behavioral1/memory/5088-246-0x0000000004B10000-0x0000000004B4F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y96nk37.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y96nk37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 12 IoCs

Processes:

zap4623.exezap3841.exezap2487.exetz5419.exev3446SI.exew41tj38.exexSNjn22.exey96nk37.exelegenda.exe2023.exew.exelegenda.exe

pid	process
3660	zap4623.exe
4940	zap3841.exe
2488	zap2487.exe
4076	tz5419.exe
2616	v3446SI.exe
5088	w41tj38.exe
4440	xSNjn22.exe
4708	y96nk37.exe
1552	legenda.exe
4724	2023.exe
3260	w.exe
404	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2348 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2348	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v3446SI.exetz5419.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3446SI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3446SI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5419.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3841.exezap2487.exe5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exezap4623.exew.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3841.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2487.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2487.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4623.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe"	w.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	w.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2752 2616 WerFault.exe v3446SI.exe
3908 5088 WerFault.exe w41tj38.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2736 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

464 systeminfo.exe

pid	pid_target	process	target process
2752	2616	WerFault.exe	v3446SI.exe
3908	5088	WerFault.exe	w41tj38.exe

pid	process
2736	schtasks.exe

pid	process
464	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

tz5419.exev3446SI.exew41tj38.exexSNjn22.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4076	tz5419.exe
4076	tz5419.exe
2616	v3446SI.exe
2616	v3446SI.exe
5088	w41tj38.exe
5088	w41tj38.exe
4440	xSNjn22.exe
4440	xSNjn22.exe
3612	powershell.exe
3612	powershell.exe
1148	powershell.exe
1148	powershell.exe
4172	powershell.exe
4172	powershell.exe
4016	powershell.exe
4016	powershell.exe
3036	powershell.exe
3036	powershell.exe
4136	powershell.exe
4136	powershell.exe
4332	powershell.exe
4332	powershell.exe
544	powershell.exe
544	powershell.exe
5044	powershell.exe
5044	powershell.exe
4264	powershell.exe
4264	powershell.exe
2316	powershell.exe
2316	powershell.exe
536	powershell.exe
536	powershell.exe
4820	powershell.exe
4820	powershell.exe
1408	powershell.exe
1408	powershell.exe
4916	powershell.exe
4916	powershell.exe
3340	powershell.exe
3340	powershell.exe
1600	powershell.exe
1600	powershell.exe
744	powershell.exe
744	powershell.exe
3108	powershell.exe
3108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz5419.exev3446SI.exew41tj38.exexSNjn22.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4076	tz5419.exe
Token: SeDebugPrivilege	2616	v3446SI.exe
Token: SeDebugPrivilege	5088	w41tj38.exe
Token: SeDebugPrivilege	4440	xSNjn22.exe
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe
Token: SeSecurityPrivilege	2104	WMIC.exe
Token: SeTakeOwnershipPrivilege	2104	WMIC.exe
Token: SeLoadDriverPrivilege	2104	WMIC.exe
Token: SeSystemProfilePrivilege	2104	WMIC.exe
Token: SeSystemtimePrivilege	2104	WMIC.exe
Token: SeProfSingleProcessPrivilege	2104	WMIC.exe
Token: SeIncBasePriorityPrivilege	2104	WMIC.exe
Token: SeCreatePagefilePrivilege	2104	WMIC.exe
Token: SeBackupPrivilege	2104	WMIC.exe
Token: SeRestorePrivilege	2104	WMIC.exe
Token: SeShutdownPrivilege	2104	WMIC.exe
Token: SeDebugPrivilege	2104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2104	WMIC.exe
Token: SeRemoteShutdownPrivilege	2104	WMIC.exe
Token: SeUndockPrivilege	2104	WMIC.exe
Token: SeManageVolumePrivilege	2104	WMIC.exe
Token: 33	2104	WMIC.exe
Token: 34	2104	WMIC.exe
Token: 35	2104	WMIC.exe
Token: 36	2104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe
Token: SeSecurityPrivilege	2104	WMIC.exe
Token: SeTakeOwnershipPrivilege	2104	WMIC.exe
Token: SeLoadDriverPrivilege	2104	WMIC.exe
Token: SeSystemProfilePrivilege	2104	WMIC.exe
Token: SeSystemtimePrivilege	2104	WMIC.exe
Token: SeProfSingleProcessPrivilege	2104	WMIC.exe
Token: SeIncBasePriorityPrivilege	2104	WMIC.exe
Token: SeCreatePagefilePrivilege	2104	WMIC.exe
Token: SeBackupPrivilege	2104	WMIC.exe
Token: SeRestorePrivilege	2104	WMIC.exe
Token: SeShutdownPrivilege	2104	WMIC.exe
Token: SeDebugPrivilege	2104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2104	WMIC.exe
Token: SeRemoteShutdownPrivilege	2104	WMIC.exe
Token: SeUndockPrivilege	2104	WMIC.exe
Token: SeManageVolumePrivilege	2104	WMIC.exe
Token: 33	2104	WMIC.exe
Token: 34	2104	WMIC.exe
Token: 35	2104	WMIC.exe
Token: 36	2104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4748	wmic.exe
Token: SeSecurityPrivilege	4748	wmic.exe
Token: SeTakeOwnershipPrivilege	4748	wmic.exe
Token: SeLoadDriverPrivilege	4748	wmic.exe
Token: SeSystemProfilePrivilege	4748	wmic.exe
Token: SeSystemtimePrivilege	4748	wmic.exe
Token: SeProfSingleProcessPrivilege	4748	wmic.exe
Token: SeIncBasePriorityPrivilege	4748	wmic.exe
Token: SeCreatePagefilePrivilege	4748	wmic.exe
Token: SeBackupPrivilege	4748	wmic.exe
Token: SeRestorePrivilege	4748	wmic.exe
Token: SeShutdownPrivilege	4748	wmic.exe
Token: SeDebugPrivilege	4748	wmic.exe
Token: SeSystemEnvironmentPrivilege	4748	wmic.exe
Token: SeRemoteShutdownPrivilege	4748	wmic.exe
Token: SeUndockPrivilege	4748	wmic.exe
Token: SeManageVolumePrivilege	4748	wmic.exe
Token: 33	4748	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

w.exe

pid process

3260 w.exe

pid	process
3260	w.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exezap4623.exezap3841.exezap2487.exey96nk37.exelegenda.execmd.exe2023.execmd.exe

description	pid	process	target process
PID 4700 wrote to memory of 3660	4700	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe	zap4623.exe
PID 4700 wrote to memory of 3660	4700	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe	zap4623.exe
PID 4700 wrote to memory of 3660	4700	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe	zap4623.exe
PID 3660 wrote to memory of 4940	3660	zap4623.exe	zap3841.exe
PID 3660 wrote to memory of 4940	3660	zap4623.exe	zap3841.exe
PID 3660 wrote to memory of 4940	3660	zap4623.exe	zap3841.exe
PID 4940 wrote to memory of 2488	4940	zap3841.exe	zap2487.exe
PID 4940 wrote to memory of 2488	4940	zap3841.exe	zap2487.exe
PID 4940 wrote to memory of 2488	4940	zap3841.exe	zap2487.exe
PID 2488 wrote to memory of 4076	2488	zap2487.exe	tz5419.exe
PID 2488 wrote to memory of 4076	2488	zap2487.exe	tz5419.exe
PID 2488 wrote to memory of 2616	2488	zap2487.exe	v3446SI.exe
PID 2488 wrote to memory of 2616	2488	zap2487.exe	v3446SI.exe
PID 2488 wrote to memory of 2616	2488	zap2487.exe	v3446SI.exe
PID 4940 wrote to memory of 5088	4940	zap3841.exe	w41tj38.exe
PID 4940 wrote to memory of 5088	4940	zap3841.exe	w41tj38.exe
PID 4940 wrote to memory of 5088	4940	zap3841.exe	w41tj38.exe
PID 3660 wrote to memory of 4440	3660	zap4623.exe	xSNjn22.exe
PID 3660 wrote to memory of 4440	3660	zap4623.exe	xSNjn22.exe
PID 3660 wrote to memory of 4440	3660	zap4623.exe	xSNjn22.exe
PID 4700 wrote to memory of 4708	4700	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe	y96nk37.exe
PID 4700 wrote to memory of 4708	4700	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe	y96nk37.exe
PID 4700 wrote to memory of 4708	4700	5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe	y96nk37.exe
PID 4708 wrote to memory of 1552	4708	y96nk37.exe	legenda.exe
PID 4708 wrote to memory of 1552	4708	y96nk37.exe	legenda.exe
PID 4708 wrote to memory of 1552	4708	y96nk37.exe	legenda.exe
PID 1552 wrote to memory of 2736	1552	legenda.exe	schtasks.exe
PID 1552 wrote to memory of 2736	1552	legenda.exe	schtasks.exe
PID 1552 wrote to memory of 2736	1552	legenda.exe	schtasks.exe
PID 1552 wrote to memory of 4848	1552	legenda.exe	cmd.exe
PID 1552 wrote to memory of 4848	1552	legenda.exe	cmd.exe
PID 1552 wrote to memory of 4848	1552	legenda.exe	cmd.exe
PID 4848 wrote to memory of 4432	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 4432	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 4432	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 1340	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1340	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1340	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1384	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1384	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1384	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 2008	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 2008	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 2008	4848	cmd.exe	cmd.exe
PID 4848 wrote to memory of 316	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 316	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 316	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1504	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1504	4848	cmd.exe	cacls.exe
PID 4848 wrote to memory of 1504	4848	cmd.exe	cacls.exe
PID 1552 wrote to memory of 4724	1552	legenda.exe	2023.exe
PID 1552 wrote to memory of 4724	1552	legenda.exe	2023.exe
PID 1552 wrote to memory of 4724	1552	legenda.exe	2023.exe
PID 1552 wrote to memory of 3260	1552	legenda.exe	w.exe
PID 1552 wrote to memory of 3260	1552	legenda.exe	w.exe
PID 1552 wrote to memory of 3260	1552	legenda.exe	w.exe
PID 4724 wrote to memory of 2364	4724	2023.exe	cmd.exe
PID 4724 wrote to memory of 2364	4724	2023.exe	cmd.exe
PID 4724 wrote to memory of 2364	4724	2023.exe	cmd.exe
PID 2364 wrote to memory of 2104	2364	cmd.exe	WMIC.exe
PID 2364 wrote to memory of 2104	2364	cmd.exe	WMIC.exe
PID 2364 wrote to memory of 2104	2364	cmd.exe	WMIC.exe
PID 4724 wrote to memory of 4748	4724	2023.exe	wmic.exe
PID 4724 wrote to memory of 4748	4724	2023.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe
"C:\Users\Admin\AppData\Local\Temp\5c5fb94c2700e53cc35e25cb5012e32bc8f4bda2b265e3ab642973679d5e8049.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4623.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4623.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3841.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3841.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2487.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2487.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5419.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5419.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3446SI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3446SI.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1100
6⤵
- Program crash
PID:2752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41tj38.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41tj38.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1352
5⤵
- Program crash
PID:3908

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSNjn22.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSNjn22.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96nk37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96nk37.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4432

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1340

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:316

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:2068

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1584

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
5⤵
PID:3752

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQleQYh\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\YzRyWJjPjz\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\pfRFEgmotaFetHs\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\krBEmfdzdcEkXBA\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\kjQZLCtTMt\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\TCoaNatyyiNKARe\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\KJyiXJrscc\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\tNswYNsGRussVma\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\ozFZBsbOJi\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\FQGZsnwTKSmVoiG\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\LOpbUOpEdK\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\updOMeRVjaRzLNT\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\" \"C:\Users\Admin\AppData\Local\Temp\XYeUCWKsXb\""
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2616 -ip 2616
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5088 -ip 5088
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2e4c36445a238971c993fd0a8b6ee95c

SHA1
1874bffbc4ee75355434fce8ec4c8e752bc8b435

SHA256
d9bd9f7b5793d745b4f2147a552c424c7b7c63db35f06a26ee41c320524c1d28

SHA512
822727e88ff8b9b120e67d673a54191e8a5a100c689343e369966d25332561b7cb1b0923e989ca69d3fbad6102fbf0715376deb35383afa69fd16c27b53bce3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
76b9458cb864c234677a9bf83b848669

SHA1
022eb050b33bdf97046d7f790c48356a1c80e058

SHA256
f68f0316e15e2898e7064cb233d88fe702d96e8e2bad77e5b551e397fae724f2

SHA512
0eb1ca8d0397b3179075656cfcea3099343a2291210d591688d516841b11a502a521966ab0671d1a891abc2b140485bef40c725ad440f81df07019dd4c6a136b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
59959c11c355fa9be30edabbd44f5104

SHA1
9a6a42bd56f25abf8a9f1a8a437396af5761f69f

SHA256
f229375658ed3f2bb0fc88a34cfa08d6053667e1d8e6f10d6ed5d9540844dab6

SHA512
0337ac08b5e8e69026e8aec35b1f41006add7d32a1c2233ecb01fe4bb7f7ee59523061a2dbd250f821dab8a61b37b6054c346bacc65f28d1ca3ac340f82382c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9e03838f57b9f35d7af61af0576c6253

SHA1
4743c5ddb7331fd5ba2f3fee9a7d9a5ed5fb9fb5

SHA256
95e6822b0d5d2f6e7ac100e5487c5915979fbf65442c31dc2c678827cbedea2b

SHA512
f34db5bb2b4901d04c60149f4d20f87f48734c22795e1becc1e43e4d6d94135f5948adb658182c39e94304407dcaa9d9bfeb554491be66ab6b5d584e9890c842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
138879c67950cc5782da44a860ee4080

SHA1
865e087ac905a43b37aebaf9109037a07ef9a1aa

SHA256
cf10def820433659db8465c99b4225088d556325b992e516041c37d233871ede

SHA512
5114d8372da89ce5be1a2cbb04a0d69ee78ec9049f847e3efd1d1b5d22c1f91038f6c89ea844a070b4128965eaf03d69e0d717042100955139f8ab8d13ab31f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
54a69582fafafc976c61ae762b51e809

SHA1
b5d59904f9cbff2efdb82f030b528de2d0da5b58

SHA256
faddb08b00d5642fff836659ab3dcca279a33272cc0d3cffbbeadeee0c9ee007

SHA512
1a5341d0675354cc7384a9bd6b9c95ec2970e94ad3e3256665087ab62b9274a385b6145e2ce8203aaf3211d55460cce702590e72cdfc23fb4895c892ed4672bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
1388b37aee8155ad2eae65d47c51a873

SHA1
60c62ee002fe4313efe10bce2063254587a1b846

SHA256
4641ece4bccdd7d44d6ce2996bfd09700c17642334eb4eda2bd2d5f24bba9deb

SHA512
58126e11aacddc9912cf2519d01114bbff45814288309c2f619717b6bb4f0c5f066f065c39a466b32b86e57bda4fe67533f2a31e67b2d7d205760617ea956dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
18ff2e2240c9c0272b232c5b36372308

SHA1
0f33568329514d110e2340ed2d6775dcb29b8eff

SHA256
7525d3785153ea40da975c1c4651f63aca9b359b43a0e8c0184a0e0c62493f76

SHA512
dcc40926bae28217c36e66ef0ebd6e7dbb750be0d2dd024e223572d25b063af4f845f443266914c25312f210c1bdfaef87c88a89c821b6f8b9805538856f05c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
59cfc3cae4da0a30b98becbc64b70f0f

SHA1
ff58f0099e3f128eff88f685d100f9f08f65d03f

SHA256
7533349ea42946bb3c214585418630e1c826a4770832dcac49ceadfe9b4291b4

SHA512
8c11b908b97673f94c3cb0f4323020eb437d4ca544f31312e032fae775e87ebbf6904156bdd7de8b4f709b7b9192d1ee7d3261a3834ccff0c4a8ed049d79ecd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0dc037d05fe9253b955fe45f85c42bf0

SHA1
a170fce6fb787a8224afd1ca51f8157e2e464eeb

SHA256
54f9ba1a45413df8db4009c0b07275025b85ddf18b5ac849024f2fb2602d59a9

SHA512
95b37351d78a34ba835a220d723821b4b2db44d41f85cc166137b88ab0bdce7129559f83472ac2169193e4c4138d0854dddb3553f72fa9f49814a81c90ccef33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0cd53af598f4b3c1502a5c474d103fca

SHA1
ed5fa53b52d20ddfaf8b291d91c1e7cfa361ec6a

SHA256
569cf7f8c1a9501c51ec45f1e265fc803bd837e4b2a76114edc9b0ed5e129c5a

SHA512
2a9dfd8cf85b693a22d7aec4d00ec974337235aca1f0a222213397a6efa17ed8a1bd5b2303e6a8f6a7e770e8fef8f2199fbdebc78e4c44deaeb91a0a52fcc665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
491cfbb4ae7383e6aff6f6b219cda849

SHA1
73125447cb1e1ebb5f95da68dc27b200b803cb38

SHA256
b9952ad77bed0a9b4b416665149a124925dccbc48dd45af770bd656314bf35b7

SHA512
0a5fcf0bfd9d6ea07fc68b7c6f4bcca05073d377097da74fe3964bf50611ef20d6893b9038d6f09a55fc98a736c38cf770996e7fe4d316b87570d34c87a8d3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
d942064d41dad501cc8401038e503860

SHA1
d713b426cd00ba6b877c9bfc4938dff926d45c8a

SHA256
886ad1f8d5bed94c0e4199f181658ddb3b99d0d3e8b09d08afc5dc1eaebb43c1

SHA512
aa06bbef0875a4a9e3007318dfd745c990b3ed5b1eac57698a9c1a915b8c96c04fbdd58fb4573f45e6cde54b1571947573610fa0efc478494fefce0ce9be61f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2bbf9dc4b164dec5097532cb5ca41c71

SHA1
ffbca94f1600c3bef47a19af350fb860c9f1ce0a

SHA256
d344463f4b1333f25df5699b27ffd008ac4deeb80f310e8621116ac331d98c9c

SHA512
6ffedf6053297b2ad66f6b4cee6a153f2be4fe099dde44d20e6c2c35606eb347b289204ec95c427dd8b717218d02549509f09a24ec98fc223b8422b315a81836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
473d2055935a8bce6b13b7e76c4c7413

SHA1
30b2f4d395c8104b0baa3b9e8e4cfca06a0f5b4e

SHA256
dac58d94a92bfa0fc6bd20e89683ff51f7f39d3af413ce75d6a5c907b30d8629

SHA512
552b790040ee60c27c9fa91d26e86c7874abd28374067bdac08d5ee08a60786790aa9750ab14cce29b01a72ad133eb3e71ffc38558df063aaba9d21e2629277e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
a6399126cf027af8c1d27ec63d69d668

SHA1
974e59d899f037110ec610f38bf52e604df51298

SHA256
718697fdd358c831136ba6da008176b00a00b5de7e989ce3498d4b8602c492c4

SHA512
bc2005eee6e3de9020467a3dd8b9adbaf9395f34599ad886ec71fee04b9a3545d201ecbbec65190a88dd07314e4eab6f02766259c6a0a41fefec8fccd0563a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
adbc810749a415c996a36cdb6c44f2ea

SHA1
140633bf786349b344923792793b320d72c51a2c

SHA256
d8deb6ebcdc2535bc06b2fb8db9358bdb1945107ad50406365ae326c9c5756b3

SHA512
230d781684766196178265d5edd24104c746d57f1aa5e8e8f90a7e5660d3ee23dd1428c2fe20430e4deef29f30105cf11e81cce595181c499c4d0f1da324d257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ebbaa498a20824e014ee660bb4d94140

SHA1
71bfaedf53f756f40e8d682c6598841c4c631213

SHA256
2b68a6cc571282826998b4cf9642635615158d552da375dfa85454091a2736c2

SHA512
b95615b06cda5da041f00ed2164df05f95526216ff18a32dc41b4770ba22956f97a4419bbcb8fc3b6badab269901be7ac72647be26a1e7cef49f804f1f8edf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\w.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQGZsnwTKSmVoiG
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96nk37.exe
Filesize
235KB

MD5
c7a9c90034b99764c319a03ffbff935e

SHA1
4bbd6e95eff9995aaea3bd6cf14f64cd899bda85

SHA256
75a5c85ae6b54d53061c87681274723169087f710caedf10905e1a62f84cd25e

SHA512
d2ce71cc63c7b60fb2732775709be7c94a8180670dba5b304ba6d91d425e15ea392c8088d3b5682d4656b6c1771d6b8b1754666154cde83d969ed89e5a4cc825

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96nk37.exe
Filesize
235KB

MD5
c7a9c90034b99764c319a03ffbff935e

SHA1
4bbd6e95eff9995aaea3bd6cf14f64cd899bda85

SHA256
75a5c85ae6b54d53061c87681274723169087f710caedf10905e1a62f84cd25e

SHA512
d2ce71cc63c7b60fb2732775709be7c94a8180670dba5b304ba6d91d425e15ea392c8088d3b5682d4656b6c1771d6b8b1754666154cde83d969ed89e5a4cc825

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4623.exe
Filesize
872KB

MD5
584d24a1456fc7911d63db0b6328b19c

SHA1
63e306362c5be47bfd8544f85961731145478efe

SHA256
6c47110cb50fcdbd013f2a6af4c9139ac945970160250283d261f7dfab31a144

SHA512
9be2816c47daf2ff893140f1242531e4af0724aa95873e1e33137a279f036189bfa3f790cfd169d0caa3e4aba6a8e2d19203f85746a2b9a978f29c253fe9b86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4623.exe
Filesize
872KB

MD5
584d24a1456fc7911d63db0b6328b19c

SHA1
63e306362c5be47bfd8544f85961731145478efe

SHA256
6c47110cb50fcdbd013f2a6af4c9139ac945970160250283d261f7dfab31a144

SHA512
9be2816c47daf2ff893140f1242531e4af0724aa95873e1e33137a279f036189bfa3f790cfd169d0caa3e4aba6a8e2d19203f85746a2b9a978f29c253fe9b86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSNjn22.exe
Filesize
175KB

MD5
74d118606d9109cd0194734abce0edc5

SHA1
ece5c4279c7e81499019766f7cef13e87ce46663

SHA256
8e4221917abbd99eca1b21e202d74bb196f42492773cca71d5880f3ec538a92e

SHA512
cb46f4a154ab3958d4baef7a75acc79c3542826516e15a48a68130edad9f3708aca189b755248db24be5b0fb80bc38f920f08a3a77187d224596a9ff56853b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xSNjn22.exe
Filesize
175KB

MD5
74d118606d9109cd0194734abce0edc5

SHA1
ece5c4279c7e81499019766f7cef13e87ce46663

SHA256
8e4221917abbd99eca1b21e202d74bb196f42492773cca71d5880f3ec538a92e

SHA512
cb46f4a154ab3958d4baef7a75acc79c3542826516e15a48a68130edad9f3708aca189b755248db24be5b0fb80bc38f920f08a3a77187d224596a9ff56853b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3841.exe
Filesize
730KB

MD5
8b8d0d37f314c586ed4750189e7ce5a4

SHA1
b77e2953708aebcb5d3c899491fce98ce1312f43

SHA256
c3c3dfcfe961db45b46ab307ba66403d248dd715479fbde8fdc3663d358d6c85

SHA512
5862fb2a6f4e5e6c7b5618934deb0f7735836839b89fede0e6ea604e04afce4f1e64bc9c6cc93308f3f956df09526d96cfb3532827b529c178eac542bb703acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3841.exe
Filesize
730KB

MD5
8b8d0d37f314c586ed4750189e7ce5a4

SHA1
b77e2953708aebcb5d3c899491fce98ce1312f43

SHA256
c3c3dfcfe961db45b46ab307ba66403d248dd715479fbde8fdc3663d358d6c85

SHA512
5862fb2a6f4e5e6c7b5618934deb0f7735836839b89fede0e6ea604e04afce4f1e64bc9c6cc93308f3f956df09526d96cfb3532827b529c178eac542bb703acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41tj38.exe
Filesize
403KB

MD5
35170ed0a1ef88b162db7371908a2878

SHA1
899a9583ed332023652afcc383e350bc52ff2fc3

SHA256
c66ad22a06fa54f8d09d2ded5260e6431eb25bee67e4c55db56da4b1ed001a3b

SHA512
08e71afdd3e39eaa7a968fa5bc831dce7d6ad781fd5e9d8f28f80fb81684f6669a3d7c4253293e12a72e8a2263f017e4f1b3627eebc900f403030c7a957dd5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41tj38.exe
Filesize
403KB

MD5
35170ed0a1ef88b162db7371908a2878

SHA1
899a9583ed332023652afcc383e350bc52ff2fc3

SHA256
c66ad22a06fa54f8d09d2ded5260e6431eb25bee67e4c55db56da4b1ed001a3b

SHA512
08e71afdd3e39eaa7a968fa5bc831dce7d6ad781fd5e9d8f28f80fb81684f6669a3d7c4253293e12a72e8a2263f017e4f1b3627eebc900f403030c7a957dd5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2487.exe
Filesize
362KB

MD5
1eeebab19ee0de6ec83b1516afc7dabd

SHA1
b8b75f6816789b014c1a85a7e03103c2bee23419

SHA256
3b5caac2c37ca6dff937c419776ba431009de82f55a988cf9532f87950a63438

SHA512
1f1206baf8c768b7a8015dfe5ef32da47a6fdf6757018246168c2b9f8f18920c381f4f3eb29924bb15f9b7182fc0cd2f2bb0b9c4a6a2c07697c4374162f24da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2487.exe
Filesize
362KB

MD5
1eeebab19ee0de6ec83b1516afc7dabd

SHA1
b8b75f6816789b014c1a85a7e03103c2bee23419

SHA256
3b5caac2c37ca6dff937c419776ba431009de82f55a988cf9532f87950a63438

SHA512
1f1206baf8c768b7a8015dfe5ef32da47a6fdf6757018246168c2b9f8f18920c381f4f3eb29924bb15f9b7182fc0cd2f2bb0b9c4a6a2c07697c4374162f24da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5419.exe
Filesize
12KB

MD5
ddd8f1127b3746679570d6a60f3fb5a7

SHA1
5b8308db305fd8014805f5462076212a62c49442

SHA256
90bd3d0c31fda634cd767330f1d8b721ac9fe274cba1f94442b48f452711bf8a

SHA512
4fd23e07c475760db2be65e3ee63b52d573d64c8139231b1168abd915f0dcf9b0bc8d20c31f2fa2d6c01ef0d76a781939f19d8a7562590471a798ea93ab9809e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5419.exe
Filesize
12KB

MD5
ddd8f1127b3746679570d6a60f3fb5a7

SHA1
5b8308db305fd8014805f5462076212a62c49442

SHA256
90bd3d0c31fda634cd767330f1d8b721ac9fe274cba1f94442b48f452711bf8a

SHA512
4fd23e07c475760db2be65e3ee63b52d573d64c8139231b1168abd915f0dcf9b0bc8d20c31f2fa2d6c01ef0d76a781939f19d8a7562590471a798ea93ab9809e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3446SI.exe
Filesize
345KB

MD5
322704798fc9ed44a331348d3f4429dc

SHA1
a9736f33c7edec97138c751877d4bfea54280391

SHA256
ff595b44194e46a97dc155846c857cc3b8e29ff346f243c9fbb123e57e502b0f

SHA512
8cac948a7bd1c23afd667dbd89518080f750f0b94581751dfc1b71d9f88baaaf25fb5e7dc90350c60597a2eb58e66a256daff30f08d4807b2e53631ab06e753b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3446SI.exe
Filesize
345KB

MD5
322704798fc9ed44a331348d3f4429dc

SHA1
a9736f33c7edec97138c751877d4bfea54280391

SHA256
ff595b44194e46a97dc155846c857cc3b8e29ff346f243c9fbb123e57e502b0f

SHA512
8cac948a7bd1c23afd667dbd89518080f750f0b94581751dfc1b71d9f88baaaf25fb5e7dc90350c60597a2eb58e66a256daff30f08d4807b2e53631ab06e753b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KJyiXJrscc
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOpbUOpEdK
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCoaNatyyiNKARe
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzRyWJjPjz
Filesize
92KB

MD5
367544a2a5551a41c869eb1b0b5871c3

SHA1
9051340b95090c07deda0a1df3a9c0b9233f5054

SHA256
eb0e2b2ee04cab66e2f7930ea82a5f1b42469ac50e063a8492f9c585f90bc542

SHA512
6d1275291530cb8b9944db296c4aed376765015ad6bbf51f4475a347776c99dbb2e748d0c331d89c9e6118adf641ed10e390c8ccb8ae4de4811c858d195cc34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdeoz11d.2pk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZRjxAwnwe
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
c7a9c90034b99764c319a03ffbff935e

SHA1
4bbd6e95eff9995aaea3bd6cf14f64cd899bda85

SHA256
75a5c85ae6b54d53061c87681274723169087f710caedf10905e1a62f84cd25e

SHA512
d2ce71cc63c7b60fb2732775709be7c94a8180670dba5b304ba6d91d425e15ea392c8088d3b5682d4656b6c1771d6b8b1754666154cde83d969ed89e5a4cc825

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
c7a9c90034b99764c319a03ffbff935e

SHA1
4bbd6e95eff9995aaea3bd6cf14f64cd899bda85

SHA256
75a5c85ae6b54d53061c87681274723169087f710caedf10905e1a62f84cd25e

SHA512
d2ce71cc63c7b60fb2732775709be7c94a8180670dba5b304ba6d91d425e15ea392c8088d3b5682d4656b6c1771d6b8b1754666154cde83d969ed89e5a4cc825

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
c7a9c90034b99764c319a03ffbff935e

SHA1
4bbd6e95eff9995aaea3bd6cf14f64cd899bda85

SHA256
75a5c85ae6b54d53061c87681274723169087f710caedf10905e1a62f84cd25e

SHA512
d2ce71cc63c7b60fb2732775709be7c94a8180670dba5b304ba6d91d425e15ea392c8088d3b5682d4656b6c1771d6b8b1754666154cde83d969ed89e5a4cc825

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
c7a9c90034b99764c319a03ffbff935e

SHA1
4bbd6e95eff9995aaea3bd6cf14f64cd899bda85

SHA256
75a5c85ae6b54d53061c87681274723169087f710caedf10905e1a62f84cd25e

SHA512
d2ce71cc63c7b60fb2732775709be7c94a8180670dba5b304ba6d91d425e15ea392c8088d3b5682d4656b6c1771d6b8b1754666154cde83d969ed89e5a4cc825

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjQZLCtTMt
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\krBEmfdzdcEkXBA
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQleQYh
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozFZBsbOJi
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfRFEgmotaFetHs
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tNswYNsGRussVma
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\updOMeRVjaRzLNT
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\updOMeRVjaRzLNT
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/536-1374-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/536-1373-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/544-1322-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/544-1323-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1148-1234-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/1148-1235-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/1408-1414-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/1408-1413-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/2316-1358-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2316-1359-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2616-177-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2616-195-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-176-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-181-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2616-180-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-183-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-185-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-187-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-179-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2616-174-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-189-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-191-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-193-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-167-0x0000000002B90000-0x0000000002BBD000-memory.dmp

Filesize
180KB

Download
memory/2616-197-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-199-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-200-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/2616-201-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2616-202-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2616-172-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-170-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-204-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/2616-169-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2616-168-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/3036-1269-0x00000000047A0000-0x00000000047B0000-memory.dmp

Filesize
64KB

Download
memory/3036-1280-0x00000000047A0000-0x00000000047B0000-memory.dmp

Filesize
64KB

Download
memory/3612-1216-0x00000000073E0000-0x0000000007476000-memory.dmp

Filesize
600KB

Download
memory/3612-1203-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/3612-1218-0x0000000006760000-0x0000000006782000-memory.dmp

Filesize
136KB

Download
memory/3612-1217-0x0000000006710000-0x000000000672A000-memory.dmp

Filesize
104KB

Download
memory/3612-1215-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/3612-1214-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/3612-1200-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/3612-1201-0x00000000052F0000-0x0000000005918000-memory.dmp

Filesize
6.2MB

Download
memory/3612-1202-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/3612-1213-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/4016-1254-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4016-1255-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4076-161-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/4136-1294-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4136-1295-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4172-1248-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/4172-1249-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/4264-1344-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/4332-1309-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4440-1141-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4440-1140-0x0000000000DD0000-0x0000000000E02000-memory.dmp

Filesize
200KB

Download
memory/4820-1398-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4820-1399-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4916-1428-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/5044-1337-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/5044-1338-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/5088-244-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-230-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-211-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-212-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-209-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/5088-213-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-246-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-215-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-218-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-1134-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-242-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-216-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-220-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-1119-0x0000000007A70000-0x0000000008088000-memory.dmp

Filesize
6.1MB

Download
memory/5088-222-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-224-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-226-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-228-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-240-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-210-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-1120-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download
memory/5088-1121-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5088-1122-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/5088-232-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-1123-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-1125-0x0000000008290000-0x0000000008322000-memory.dmp

Filesize
584KB

Download
memory/5088-1126-0x0000000008330000-0x0000000008396000-memory.dmp

Filesize
408KB

Download
memory/5088-1127-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-1128-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-1129-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/5088-1130-0x0000000008A60000-0x0000000008C22000-memory.dmp

Filesize
1.8MB

Download
memory/5088-1131-0x0000000008C30000-0x000000000915C000-memory.dmp

Filesize
5.2MB

Download
memory/5088-234-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-236-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download
memory/5088-1132-0x00000000092A0000-0x0000000009316000-memory.dmp

Filesize
472KB

Download
memory/5088-1133-0x0000000009320000-0x0000000009370000-memory.dmp

Filesize
320KB

Download
memory/5088-238-0x0000000004B10000-0x0000000004B4F000-memory.dmp

Filesize
252KB

Download