amadey | 96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfb

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2023 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe
Size

517KB
MD5

86818b54abcb9714887b580624b1af43
SHA1

96aece978c389e1f9e791dc99c85bfcf04e434b2
SHA256

96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfb
SHA512

bed70aed021237c3c5c3f96412cb0e896a5ff55fecc0d564213d67e9719ae59eb89821d921acb40374d87edd2230f54c7c2e3c1bcf3718dd8c07fbcfe0d371c0
SSDEEP

12288:qMray90oDKUQ79sC8K6DVZAQw2ifwKBz2oo2y3wu2tpTDyg:wyRTY9sPK6fl92e73wHvyg

Score

10^/10

amadey healer redline papik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

5.42.92.67/norm/index.php

Extracted

Family

redline

Botnet

papik

77.91.124.156:19071

Attributes

auth_value
325a615d8be5db8e2f7a4c2448fdac3a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0819175.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0819175.exe	healer
behavioral2/memory/4452-154-0x00000000000C0000-0x00000000000CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

p0819175.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p0819175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p0819175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p0819175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p0819175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p0819175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p0819175.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 8 IoCs

Processes:

z2460316.exez5728902.exep0819175.exer9696224.exelegola.exes4401612.exelegola.exelegola.exe

pid process

3960 z2460316.exe
2828 z5728902.exe
4452 p0819175.exe
4180 r9696224.exe
3968 legola.exe
4384 s4401612.exe
4688 legola.exe
3228 legola.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

p0819175.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p0819175.exe

pid	process
3960	z2460316.exe
2828	z5728902.exe
4452	p0819175.exe
4180	r9696224.exe
3968	legola.exe
4384	s4401612.exe
4688	legola.exe
3228	legola.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p0819175.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exez2460316.exez5728902.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2460316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5728902.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1628 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

p0819175.exe

pid process

4452 p0819175.exe
4452 p0819175.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

p0819175.exe

description pid process

Token: SeDebugPrivilege 4452 p0819175.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

r9696224.exe

pid process

4180 r9696224.exe

pid	process
1628	schtasks.exe

pid	process
4452	p0819175.exe
4452	p0819175.exe

description	pid	process
Token: SeDebugPrivilege	4452	p0819175.exe

pid	process
4180	r9696224.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exez2460316.exez5728902.exer9696224.exelegola.execmd.exe

description	pid	process	target process
PID 2100 wrote to memory of 3960	2100	96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe	z2460316.exe
PID 2100 wrote to memory of 3960	2100	96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe	z2460316.exe
PID 2100 wrote to memory of 3960	2100	96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe	z2460316.exe
PID 3960 wrote to memory of 2828	3960	z2460316.exe	z5728902.exe
PID 3960 wrote to memory of 2828	3960	z2460316.exe	z5728902.exe
PID 3960 wrote to memory of 2828	3960	z2460316.exe	z5728902.exe
PID 2828 wrote to memory of 4452	2828	z5728902.exe	p0819175.exe
PID 2828 wrote to memory of 4452	2828	z5728902.exe	p0819175.exe
PID 2828 wrote to memory of 4180	2828	z5728902.exe	r9696224.exe
PID 2828 wrote to memory of 4180	2828	z5728902.exe	r9696224.exe
PID 2828 wrote to memory of 4180	2828	z5728902.exe	r9696224.exe
PID 4180 wrote to memory of 3968	4180	r9696224.exe	legola.exe
PID 4180 wrote to memory of 3968	4180	r9696224.exe	legola.exe
PID 4180 wrote to memory of 3968	4180	r9696224.exe	legola.exe
PID 3960 wrote to memory of 4384	3960	z2460316.exe	s4401612.exe
PID 3960 wrote to memory of 4384	3960	z2460316.exe	s4401612.exe
PID 3960 wrote to memory of 4384	3960	z2460316.exe	s4401612.exe
PID 3968 wrote to memory of 1628	3968	legola.exe	schtasks.exe
PID 3968 wrote to memory of 1628	3968	legola.exe	schtasks.exe
PID 3968 wrote to memory of 1628	3968	legola.exe	schtasks.exe
PID 3968 wrote to memory of 4592	3968	legola.exe	cmd.exe
PID 3968 wrote to memory of 4592	3968	legola.exe	cmd.exe
PID 3968 wrote to memory of 4592	3968	legola.exe	cmd.exe
PID 4592 wrote to memory of 4220	4592	cmd.exe	cmd.exe
PID 4592 wrote to memory of 4220	4592	cmd.exe	cmd.exe
PID 4592 wrote to memory of 4220	4592	cmd.exe	cmd.exe
PID 4592 wrote to memory of 792	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 792	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 792	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 3752	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 3752	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 3752	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 4596	4592	cmd.exe	cmd.exe
PID 4592 wrote to memory of 4596	4592	cmd.exe	cmd.exe
PID 4592 wrote to memory of 4596	4592	cmd.exe	cmd.exe
PID 4592 wrote to memory of 4440	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 4440	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 4440	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 4468	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 4468	4592	cmd.exe	cacls.exe
PID 4592 wrote to memory of 4468	4592	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\96aa8a40689f2588a79dee841589dce9b9da79737fb445259afce033646a1dfbexe_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2460316.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2460316.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5728902.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5728902.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0819175.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0819175.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r9696224.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r9696224.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:N"
        7⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:R" /E
        7⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        7⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        7⤵
        
        PID:4468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4401612.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4401612.exe
    3⤵
    - Executes dropped EXE
    PID:4384

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2460316.exe

Filesize
390KB

MD5
42422bea3b0b432044a61635fb39ff2c

SHA1
3216d5c8c9ad6d8a3f17b2702edd754cb8f83e34

SHA256
cabd28e4ed96e703be41acb33438eef31fa4664f3dc643aa9214a9db6af961a1

SHA512
99be4c255e4a2a9e5b30df8bd67a32ecf73d0bbe9aa2f41930f97031c624eab9e51b13ea790bbe6edf9d6169d93e62f89014d8a225def4934f9bbb5ec8b08ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2460316.exe

Filesize
390KB

MD5
42422bea3b0b432044a61635fb39ff2c

SHA1
3216d5c8c9ad6d8a3f17b2702edd754cb8f83e34

SHA256
cabd28e4ed96e703be41acb33438eef31fa4664f3dc643aa9214a9db6af961a1

SHA512
99be4c255e4a2a9e5b30df8bd67a32ecf73d0bbe9aa2f41930f97031c624eab9e51b13ea790bbe6edf9d6169d93e62f89014d8a225def4934f9bbb5ec8b08ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4401612.exe

Filesize
173KB

MD5
8d96883e59ca2e9e5e67bfe91be8ed7e

SHA1
b29c66faa71350d21856746e9c4060ce2b63b7be

SHA256
ef37e1278ef032d792a5b96613c915d26f8dbd5e3aedcafc4b427c7121140ded

SHA512
4c4e063b85f6486a3b895712189f746c74cf708b718c7fed29646f7c994ec44cea4e3eac36f02a24d555ec5332fb0fc11b95647a7ed87f5af601ae69e4d7f752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4401612.exe

Filesize
173KB

MD5
8d96883e59ca2e9e5e67bfe91be8ed7e

SHA1
b29c66faa71350d21856746e9c4060ce2b63b7be

SHA256
ef37e1278ef032d792a5b96613c915d26f8dbd5e3aedcafc4b427c7121140ded

SHA512
4c4e063b85f6486a3b895712189f746c74cf708b718c7fed29646f7c994ec44cea4e3eac36f02a24d555ec5332fb0fc11b95647a7ed87f5af601ae69e4d7f752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5728902.exe

Filesize
234KB

MD5
108d9c96c6bcfe27a7aa08cfb3252f0f

SHA1
56d76e6c0264704dd1aa473bacdb696a59622c1d

SHA256
ab194ae224dc58b661586ad2ecb6c7e072cb7bbfa54510639810a8dc11a6f994

SHA512
a7b18e483e16ad865db3a7a878877397c0e84af565923db656bf3d534adaeb0f1d8543d87901ef6694dff277f6b965893dc721544719f1330926e2e9af3a99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5728902.exe

Filesize
234KB

MD5
108d9c96c6bcfe27a7aa08cfb3252f0f

SHA1
56d76e6c0264704dd1aa473bacdb696a59622c1d

SHA256
ab194ae224dc58b661586ad2ecb6c7e072cb7bbfa54510639810a8dc11a6f994

SHA512
a7b18e483e16ad865db3a7a878877397c0e84af565923db656bf3d534adaeb0f1d8543d87901ef6694dff277f6b965893dc721544719f1330926e2e9af3a99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0819175.exe

Filesize
11KB

MD5
2ba35091955f256e0da61c7eefd22eb4

SHA1
56e0d7b74f7a333619f37c4c39893c008af6904b

SHA256
19024e8c617245a5955fd61314583eb94d8affa9902dd8b16f1dea799afad2c4

SHA512
9a1e33011f61170a79bed6e2acccc491aa3d66b63b262a386ded0d5543e4459bb805a1ace540c4338a3aa1e4d0796359b135e13d904a3e08e72e9b68b37e17fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0819175.exe

Filesize
11KB

MD5
2ba35091955f256e0da61c7eefd22eb4

SHA1
56e0d7b74f7a333619f37c4c39893c008af6904b

SHA256
19024e8c617245a5955fd61314583eb94d8affa9902dd8b16f1dea799afad2c4

SHA512
9a1e33011f61170a79bed6e2acccc491aa3d66b63b262a386ded0d5543e4459bb805a1ace540c4338a3aa1e4d0796359b135e13d904a3e08e72e9b68b37e17fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r9696224.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r9696224.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Filesize
225KB

MD5
62b30998413261319fe2d3f89913c761

SHA1
50e7986130b7ef5568624d665b19179a1877510f

SHA256
fa1849abef818f4b10d034cbd37b02f32e4b804e2a3984bc4a0dbfaf12ca72eb

SHA512
be573c537ae7afaa0383bbb391eb34ac770ae5e92294f926213c0d43c876e65e04a4a96fe4680385800a9024aaf99901921f1c984f1585468b75a77767d992bf

Download Submit
memory/4384-176-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4384-174-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/4384-175-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4384-177-0x00000000050C0000-0x00000000051CA000-memory.dmp

Filesize
1.0MB

Download
memory/4384-178-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4384-179-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/4384-180-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/4384-181-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4384-182-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4452-157-0x00007FFA81000000-0x00007FFA81AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-155-0x00007FFA81000000-0x00007FFA81AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-154-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download