amadey | 495c2c85a156323a148520615d4f1362ad22fa6d22da98c29a5f11b9aa343114

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe
Size

1.0MB
MD5

e79f05588bbbfde58d9334be4453bf95
SHA1

f00db9e40f8fa04a24566c484dd1c8ee7d9b2965
SHA256

495c2c85a156323a148520615d4f1362ad22fa6d22da98c29a5f11b9aa343114
SHA512

54a543f3436ef0ac14a31b325be733df97d9ebba5d4d9805c7fa73cfb66461ad5bd3e596fab17fba84b2134761e49d5f62bfcf3f06eafbddaad0ec4cb2a72e44
SSDEEP

24576:VyhPMtebhwSVVkpXh4vqA2/LW+IOKoB5DCmVfRgd:whPMUbhwS8cvq/LW+dKoTRfRg

Score

10^/10

amadey lumma raccoon redline 301867536c206e3dae52e6d17c16cc9b anhthe007 duna rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

duna

176.113.115.145:4125

Attributes

auth_value
8879c60b4740ac2d7fb8831d4d3c396f

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

raccoon

Botnet

301867536c206e3dae52e6d17c16cc9b

http://213.226.100.108/

rc4.plain

Extracted

Family

redline

66.42.108.195:40499

Attributes

auth_value
f93019ca42e7f9440be3a7ee1ebc636d

Extracted

Family

redline

Botnet

anhthe007

199.115.193.116:11300

Attributes

auth_value
99c4662d697e1c7cb2fd84190b835994

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz5036.exev0645yE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5036.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0645yE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0645yE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0645yE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0645yE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0645yE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0645yE.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3540-209-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-210-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-212-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-214-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-216-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-218-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-220-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-222-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-224-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-226-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-228-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-231-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-238-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-234-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-240-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-242-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-244-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-246-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/3540-1128-0x0000000007200000-0x0000000007210000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exeGmeyad.exey33iu09.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Gmeyad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y33iu09.exe

Executes dropped EXE 16 IoCs

Processes:

zap6009.exezap7230.exezap4111.exetz5036.exev0645yE.exew61kK90.exexobyE61.exey33iu09.exelegenda.exe2.exeTarlatan.exe123ds.exeTarlatan.exeGmeyad.exeGmeyad.exelegenda.exe

pid	process
1860	zap6009.exe
2560	zap7230.exe
2244	zap4111.exe
2112	tz5036.exe
1748	v0645yE.exe
3540	w61kK90.exe
2484	xobyE61.exe
1720	y33iu09.exe
4132	legenda.exe
3632	2.exe
3812	Tarlatan.exe
4184	123ds.exe
2208	Tarlatan.exe
2676	Gmeyad.exe
4796	Gmeyad.exe
1672	legenda.exe

Loads dropped DLL 4 IoCs

Processes:

2.exerundll32.exe

pid process

3632 2.exe
3632 2.exe
3632 2.exe
3768 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3632	2.exe
3632	2.exe
3632	2.exe
3768	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v0645yE.exetz5036.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0645yE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5036.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0645yE.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

495c2c85a156323a148520615d4f1362ad22fa6d22da9.exezap6009.exezap7230.exezap4111.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6009.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7230.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4111.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

Tarlatan.exeGmeyad.exe

description	pid	process	target process
PID 3812 set thread context of 2208	3812	Tarlatan.exe	Tarlatan.exe
PID 2676 set thread context of 4796	2676	Gmeyad.exe	Gmeyad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4512 1748 WerFault.exe v0645yE.exe
4584 3540 WerFault.exe w61kK90.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1472 schtasks.exe

pid	pid_target	process	target process
4512	1748	WerFault.exe	v0645yE.exe
4584	3540	WerFault.exe	w61kK90.exe

pid	process
1472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

tz5036.exev0645yE.exew61kK90.exexobyE61.exepowershell.exeTarlatan.exe

pid	process
2112	tz5036.exe
2112	tz5036.exe
1748	v0645yE.exe
1748	v0645yE.exe
3540	w61kK90.exe
3540	w61kK90.exe
2484	xobyE61.exe
2484	xobyE61.exe
4060	powershell.exe
4060	powershell.exe
2208	Tarlatan.exe
2208	Tarlatan.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

tz5036.exev0645yE.exew61kK90.exexobyE61.exepowershell.exeTarlatan.exeGmeyad.exe

description	pid	process
Token: SeDebugPrivilege	2112	tz5036.exe
Token: SeDebugPrivilege	1748	v0645yE.exe
Token: SeDebugPrivilege	3540	w61kK90.exe
Token: SeDebugPrivilege	2484	xobyE61.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2208	Tarlatan.exe
Token: SeDebugPrivilege	2676	Gmeyad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

495c2c85a156323a148520615d4f1362ad22fa6d22da9.exezap6009.exezap7230.exezap4111.exey33iu09.exelegenda.execmd.exeTarlatan.exe

description	pid	process	target process
PID 3704 wrote to memory of 1860	3704	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe	zap6009.exe
PID 3704 wrote to memory of 1860	3704	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe	zap6009.exe
PID 3704 wrote to memory of 1860	3704	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe	zap6009.exe
PID 1860 wrote to memory of 2560	1860	zap6009.exe	zap7230.exe
PID 1860 wrote to memory of 2560	1860	zap6009.exe	zap7230.exe
PID 1860 wrote to memory of 2560	1860	zap6009.exe	zap7230.exe
PID 2560 wrote to memory of 2244	2560	zap7230.exe	zap4111.exe
PID 2560 wrote to memory of 2244	2560	zap7230.exe	zap4111.exe
PID 2560 wrote to memory of 2244	2560	zap7230.exe	zap4111.exe
PID 2244 wrote to memory of 2112	2244	zap4111.exe	tz5036.exe
PID 2244 wrote to memory of 2112	2244	zap4111.exe	tz5036.exe
PID 2244 wrote to memory of 1748	2244	zap4111.exe	v0645yE.exe
PID 2244 wrote to memory of 1748	2244	zap4111.exe	v0645yE.exe
PID 2244 wrote to memory of 1748	2244	zap4111.exe	v0645yE.exe
PID 2560 wrote to memory of 3540	2560	zap7230.exe	w61kK90.exe
PID 2560 wrote to memory of 3540	2560	zap7230.exe	w61kK90.exe
PID 2560 wrote to memory of 3540	2560	zap7230.exe	w61kK90.exe
PID 1860 wrote to memory of 2484	1860	zap6009.exe	xobyE61.exe
PID 1860 wrote to memory of 2484	1860	zap6009.exe	xobyE61.exe
PID 1860 wrote to memory of 2484	1860	zap6009.exe	xobyE61.exe
PID 3704 wrote to memory of 1720	3704	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe	y33iu09.exe
PID 3704 wrote to memory of 1720	3704	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe	y33iu09.exe
PID 3704 wrote to memory of 1720	3704	495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe	y33iu09.exe
PID 1720 wrote to memory of 4132	1720	y33iu09.exe	legenda.exe
PID 1720 wrote to memory of 4132	1720	y33iu09.exe	legenda.exe
PID 1720 wrote to memory of 4132	1720	y33iu09.exe	legenda.exe
PID 4132 wrote to memory of 1472	4132	legenda.exe	schtasks.exe
PID 4132 wrote to memory of 1472	4132	legenda.exe	schtasks.exe
PID 4132 wrote to memory of 1472	4132	legenda.exe	schtasks.exe
PID 4132 wrote to memory of 872	4132	legenda.exe	cmd.exe
PID 4132 wrote to memory of 872	4132	legenda.exe	cmd.exe
PID 4132 wrote to memory of 872	4132	legenda.exe	cmd.exe
PID 872 wrote to memory of 1900	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 1900	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 1900	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 2040	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 2040	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 2040	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 3520	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 3520	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 3520	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 5020	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 5020	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 5020	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 4600	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 4600	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 4600	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 1636	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 1636	872	cmd.exe	cacls.exe
PID 872 wrote to memory of 1636	872	cmd.exe	cacls.exe
PID 4132 wrote to memory of 3632	4132	legenda.exe	2.exe
PID 4132 wrote to memory of 3632	4132	legenda.exe	2.exe
PID 4132 wrote to memory of 3632	4132	legenda.exe	2.exe
PID 4132 wrote to memory of 3812	4132	legenda.exe	Tarlatan.exe
PID 4132 wrote to memory of 3812	4132	legenda.exe	Tarlatan.exe
PID 4132 wrote to memory of 3812	4132	legenda.exe	Tarlatan.exe
PID 3812 wrote to memory of 2208	3812	Tarlatan.exe	Tarlatan.exe
PID 3812 wrote to memory of 2208	3812	Tarlatan.exe	Tarlatan.exe
PID 3812 wrote to memory of 2208	3812	Tarlatan.exe	Tarlatan.exe
PID 4132 wrote to memory of 4184	4132	legenda.exe	123ds.exe
PID 4132 wrote to memory of 4184	4132	legenda.exe	123ds.exe
PID 4132 wrote to memory of 4184	4132	legenda.exe	123ds.exe
PID 3812 wrote to memory of 2208	3812	Tarlatan.exe	Tarlatan.exe
PID 3812 wrote to memory of 2208	3812	Tarlatan.exe	Tarlatan.exe

C:\Users\Admin\AppData\Local\Temp\495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe
"C:\Users\Admin\AppData\Local\Temp\495c2c85a156323a148520615d4f1362ad22fa6d22da9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6009.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6009.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7230.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7230.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4111.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4111.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5036.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5036.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0645yE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0645yE.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1072
6⤵
- Program crash
PID:4512

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61kK90.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61kK90.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1328
5⤵
- Program crash
PID:4584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xobyE61.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xobyE61.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33iu09.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33iu09.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1900

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2040

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5020

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4600

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe
"C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3632

C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
"C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Admin\AppData\Local\Temp\1000201001\123ds.exe
"C:\Users\Admin\AppData\Local\Temp\1000201001\123ds.exe"
4⤵
- Executes dropped EXE
PID:4184

C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
"C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
5⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1748 -ip 1748
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3540 -ip 3540
1⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tarlatan.exe.log
Filesize
1KB

MD5
99f88b99e0d77c5607bb7826596c5340

SHA1
4d2902c0c3a8c134139e9e85f4ca557750c7b21a

SHA256
baa2292d20266e157ecc8340d1c201b82dcce67629a1c95ec27fea646624c56d

SHA512
ff3ee0ad2a99c952f3fb709f9c3159138d66abb16f022e8f62f717c2edf621f43967fc3d7418b3bdd78b1399567fcc899c1e38aaf44abf97032d2c696b928a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe
Filesize
110KB

MD5
bc338e23e5411697561306eabb29bd9c

SHA1
2503a1d824af32214f3102d6e0d2e52d439b91f8

SHA256
fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379

SHA512
f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe
Filesize
110KB

MD5
bc338e23e5411697561306eabb29bd9c

SHA1
2503a1d824af32214f3102d6e0d2e52d439b91f8

SHA256
fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379

SHA512
f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe
Filesize
110KB

MD5
bc338e23e5411697561306eabb29bd9c

SHA1
2503a1d824af32214f3102d6e0d2e52d439b91f8

SHA256
fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379

SHA512
f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
Filesize
897KB

MD5
b26480dce772642635204619f30c35d6

SHA1
7693a39461090bde35919ea4f6652955f5159a47

SHA256
20f9eb4bd36001f8c3c80ad01078221bb823b2846a00c12549f77f07ef5498ec

SHA512
f03b9ef6e79234e53ce5933525003d0c1380f5452cc676d04de8a4092c32f69cec0dff58c0bf47739faeebadfed021963326bdbff4de05f27d4cb23831563641

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
Filesize
897KB

MD5
b26480dce772642635204619f30c35d6

SHA1
7693a39461090bde35919ea4f6652955f5159a47

SHA256
20f9eb4bd36001f8c3c80ad01078221bb823b2846a00c12549f77f07ef5498ec

SHA512
f03b9ef6e79234e53ce5933525003d0c1380f5452cc676d04de8a4092c32f69cec0dff58c0bf47739faeebadfed021963326bdbff4de05f27d4cb23831563641

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
Filesize
897KB

MD5
b26480dce772642635204619f30c35d6

SHA1
7693a39461090bde35919ea4f6652955f5159a47

SHA256
20f9eb4bd36001f8c3c80ad01078221bb823b2846a00c12549f77f07ef5498ec

SHA512
f03b9ef6e79234e53ce5933525003d0c1380f5452cc676d04de8a4092c32f69cec0dff58c0bf47739faeebadfed021963326bdbff4de05f27d4cb23831563641

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000200001\Tarlatan.exe
Filesize
897KB

MD5
b26480dce772642635204619f30c35d6

SHA1
7693a39461090bde35919ea4f6652955f5159a47

SHA256
20f9eb4bd36001f8c3c80ad01078221bb823b2846a00c12549f77f07ef5498ec

SHA512
f03b9ef6e79234e53ce5933525003d0c1380f5452cc676d04de8a4092c32f69cec0dff58c0bf47739faeebadfed021963326bdbff4de05f27d4cb23831563641

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000201001\123ds.exe
Filesize
175KB

MD5
20b01b94fec9143a2adf624945aa41c3

SHA1
3e3690bb58b1a42cea254a0eb039019c7ebbbf3f

SHA256
97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9

SHA512
52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000201001\123ds.exe
Filesize
175KB

MD5
20b01b94fec9143a2adf624945aa41c3

SHA1
3e3690bb58b1a42cea254a0eb039019c7ebbbf3f

SHA256
97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9

SHA512
52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000201001\123ds.exe
Filesize
175KB

MD5
20b01b94fec9143a2adf624945aa41c3

SHA1
3e3690bb58b1a42cea254a0eb039019c7ebbbf3f

SHA256
97a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9

SHA512
52b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000204001\v1.exe
Filesize
12KB

MD5
6905d765ef1cb5e902a82a0102240f7f

SHA1
fc985b3b362ee9c87fc1816ededeafc522f33b54

SHA256
0c13da6ebd841a774c96320f8ed08638cbd42ddf0d610a924dc03d61e36b2d2a

SHA512
ad47910688fddf12ae67af349f47845fcdaf81e98469acec245d0c40c2ae9791b8566b64e4baea409977f2ce57e2e6b15cbce3686d5e6ec4d845dd83b0e5948f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
Filesize
3.9MB

MD5
a8001f151c1ce13aac56097a2bf1f789

SHA1
414d9f4219570bc75eb6e6cf2932c4fb407afa56

SHA256
7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b

SHA512
9c20f91c378d9559f6e5115857401def02145bb665a4c64f7842175b077bb6406544caa8197c9713f9b22943ffd87405beb809cf0e684c53b934acfe8d421060

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
Filesize
3.9MB

MD5
a8001f151c1ce13aac56097a2bf1f789

SHA1
414d9f4219570bc75eb6e6cf2932c4fb407afa56

SHA256
7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b

SHA512
9c20f91c378d9559f6e5115857401def02145bb665a4c64f7842175b077bb6406544caa8197c9713f9b22943ffd87405beb809cf0e684c53b934acfe8d421060

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
Filesize
3.9MB

MD5
a8001f151c1ce13aac56097a2bf1f789

SHA1
414d9f4219570bc75eb6e6cf2932c4fb407afa56

SHA256
7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b

SHA512
9c20f91c378d9559f6e5115857401def02145bb665a4c64f7842175b077bb6406544caa8197c9713f9b22943ffd87405beb809cf0e684c53b934acfe8d421060

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000205001\Gmeyad.exe
Filesize
3.9MB

MD5
a8001f151c1ce13aac56097a2bf1f789

SHA1
414d9f4219570bc75eb6e6cf2932c4fb407afa56

SHA256
7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b

SHA512
9c20f91c378d9559f6e5115857401def02145bb665a4c64f7842175b077bb6406544caa8197c9713f9b22943ffd87405beb809cf0e684c53b934acfe8d421060

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33iu09.exe
Filesize
237KB

MD5
5b362682ea28743cad0b5f28399923cf

SHA1
308eba49da62c2c159c1de233dd245731d032fe8

SHA256
f4236bb3db7febfc191c2133454e428d8deec29079550c79207a4a2b71764ae1

SHA512
b33b66fc015361d1f01fd81e8c9beced3a8aba573768d10812f0d7ac1f2a829f96e86cad84d1f39dc7c11822045733183a9e5815b1bcb79161c1b547f273d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y33iu09.exe
Filesize
237KB

MD5
5b362682ea28743cad0b5f28399923cf

SHA1
308eba49da62c2c159c1de233dd245731d032fe8

SHA256
f4236bb3db7febfc191c2133454e428d8deec29079550c79207a4a2b71764ae1

SHA512
b33b66fc015361d1f01fd81e8c9beced3a8aba573768d10812f0d7ac1f2a829f96e86cad84d1f39dc7c11822045733183a9e5815b1bcb79161c1b547f273d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6009.exe
Filesize
872KB

MD5
43384467ae7e83a02e7830df616a6e99

SHA1
307b4b73118ec717ca7635707afdd4e55b888d7d

SHA256
623ff78dad71d3609f08ad1dfb4099e452357324fe5aafaec6b02296183c5206

SHA512
a23450e22d5da9c9acd39414ba4be9b0d5bd017e25fe7835b684d5c40702a57831eca02a9f465b5d61b9b474f09997865f174051096aeb60cb445d4b75286c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6009.exe
Filesize
872KB

MD5
43384467ae7e83a02e7830df616a6e99

SHA1
307b4b73118ec717ca7635707afdd4e55b888d7d

SHA256
623ff78dad71d3609f08ad1dfb4099e452357324fe5aafaec6b02296183c5206

SHA512
a23450e22d5da9c9acd39414ba4be9b0d5bd017e25fe7835b684d5c40702a57831eca02a9f465b5d61b9b474f09997865f174051096aeb60cb445d4b75286c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xobyE61.exe
Filesize
175KB

MD5
49de8a1d515a6f4693506651df5604e5

SHA1
1bd98f0cff47bff985c9eefda29d6804108c6a85

SHA256
e9e29d1abedb5a6486bc9db2faf4af11beefe775daedae771021ba9d2c4652b7

SHA512
e99bd02bc55003fa27334cd25c05e704ebd3e95cc71524524fc6f9be0c6024ac185572e9ce55cc7cf986f573b11f8f3abb97c0ad7e233148f2ec8a0d4932a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xobyE61.exe
Filesize
175KB

MD5
49de8a1d515a6f4693506651df5604e5

SHA1
1bd98f0cff47bff985c9eefda29d6804108c6a85

SHA256
e9e29d1abedb5a6486bc9db2faf4af11beefe775daedae771021ba9d2c4652b7

SHA512
e99bd02bc55003fa27334cd25c05e704ebd3e95cc71524524fc6f9be0c6024ac185572e9ce55cc7cf986f573b11f8f3abb97c0ad7e233148f2ec8a0d4932a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7230.exe
Filesize
730KB

MD5
fbc2ac8fe841af9b6f2ac7f8be6a5d52

SHA1
a41d91893c1d448282e76ab78641b0717e6d2033

SHA256
6d045245d7ef5bbcbe0430fd22c5170f13e8648fe27ea5e69c243791376d4a5d

SHA512
fbfecab3e343a1c1442d20ab86e375042730ce9b2b63cc89663d53b270f8f281eed2d1eb5f87e9265ad39c7ea4cf480df2264d1ae2ce78c4ccb0a6d613a02f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7230.exe
Filesize
730KB

MD5
fbc2ac8fe841af9b6f2ac7f8be6a5d52

SHA1
a41d91893c1d448282e76ab78641b0717e6d2033

SHA256
6d045245d7ef5bbcbe0430fd22c5170f13e8648fe27ea5e69c243791376d4a5d

SHA512
fbfecab3e343a1c1442d20ab86e375042730ce9b2b63cc89663d53b270f8f281eed2d1eb5f87e9265ad39c7ea4cf480df2264d1ae2ce78c4ccb0a6d613a02f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61kK90.exe
Filesize
405KB

MD5
685d1b3ee89b5ea611e5db69e50ef6f7

SHA1
1cadc54b211c9f17e78c452338564766de03d7dd

SHA256
cbb51140ae973149653184b17fbc938709cb8949cf131ea17e9a7e79ffa25593

SHA512
98e55c0e6b24e54641f4acc5805a7f5d9e68c4165e59e891e76ad90190ef2442ddefe2d3bc529b8aa5939ae7fbd91c2bba28869c42c0d6a83bdd9ad86296014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61kK90.exe
Filesize
405KB

MD5
685d1b3ee89b5ea611e5db69e50ef6f7

SHA1
1cadc54b211c9f17e78c452338564766de03d7dd

SHA256
cbb51140ae973149653184b17fbc938709cb8949cf131ea17e9a7e79ffa25593

SHA512
98e55c0e6b24e54641f4acc5805a7f5d9e68c4165e59e891e76ad90190ef2442ddefe2d3bc529b8aa5939ae7fbd91c2bba28869c42c0d6a83bdd9ad86296014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4111.exe
Filesize
361KB

MD5
a8a94d17d38bf712d2ffbeb3fefde155

SHA1
8483d314d4e2d96a245cfbea34caefdcd9a2fa9a

SHA256
84e52107cc8431121279bdf0e9520e2bb29e1686e4e2bff7e9621e6effbf68c1

SHA512
7b62f1ed8a4bf2b5a67d431d7e28477b250e5d8a4ef5a775bf0ff7f58433932d67e38ac0f6ac1e622b54e45a99e363ce627abb07d651599200f7db38c0eddebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4111.exe
Filesize
361KB

MD5
a8a94d17d38bf712d2ffbeb3fefde155

SHA1
8483d314d4e2d96a245cfbea34caefdcd9a2fa9a

SHA256
84e52107cc8431121279bdf0e9520e2bb29e1686e4e2bff7e9621e6effbf68c1

SHA512
7b62f1ed8a4bf2b5a67d431d7e28477b250e5d8a4ef5a775bf0ff7f58433932d67e38ac0f6ac1e622b54e45a99e363ce627abb07d651599200f7db38c0eddebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5036.exe
Filesize
11KB

MD5
fe2d320eaa2c3a81365d16b0bd48bb08

SHA1
bdd82503642efb6f34a377f68429544a03a1e0b6

SHA256
e85e79e86e6afcb3990d66257f7a6e9df043573d0d9d67ebc9c1f506287e0ca0

SHA512
31a86cb4ada00ab76b46db20f69d4e63c0ebabf8326d356fa14c76a72f21fba5cdd65c00c09b62cc787a7eaf453152dffb8ef108b711f2b78a2fa70a55e1bdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5036.exe
Filesize
11KB

MD5
fe2d320eaa2c3a81365d16b0bd48bb08

SHA1
bdd82503642efb6f34a377f68429544a03a1e0b6

SHA256
e85e79e86e6afcb3990d66257f7a6e9df043573d0d9d67ebc9c1f506287e0ca0

SHA512
31a86cb4ada00ab76b46db20f69d4e63c0ebabf8326d356fa14c76a72f21fba5cdd65c00c09b62cc787a7eaf453152dffb8ef108b711f2b78a2fa70a55e1bdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0645yE.exe
Filesize
347KB

MD5
5119bc174f2964be274815fb13a28f7f

SHA1
6b630b4d681fe35dc6dd67784f0be254bf6f896a

SHA256
c07658d0fde60920f43fa5cb677b94167e3d6e6a099a970306f5ee2db1ee8f6b

SHA512
4766ea82f1aabc893c746b6083c462cc470ec695dc78e88e7ab9ccaf3d81e4fbf825540aee8c2a2c67c20ef3f6a48b91d690bcaf323a0ead38ebb5286f0b9047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0645yE.exe
Filesize
347KB

MD5
5119bc174f2964be274815fb13a28f7f

SHA1
6b630b4d681fe35dc6dd67784f0be254bf6f896a

SHA256
c07658d0fde60920f43fa5cb677b94167e3d6e6a099a970306f5ee2db1ee8f6b

SHA512
4766ea82f1aabc893c746b6083c462cc470ec695dc78e88e7ab9ccaf3d81e4fbf825540aee8c2a2c67c20ef3f6a48b91d690bcaf323a0ead38ebb5286f0b9047

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_watyzjlo.ayd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
5b362682ea28743cad0b5f28399923cf

SHA1
308eba49da62c2c159c1de233dd245731d032fe8

SHA256
f4236bb3db7febfc191c2133454e428d8deec29079550c79207a4a2b71764ae1

SHA512
b33b66fc015361d1f01fd81e8c9beced3a8aba573768d10812f0d7ac1f2a829f96e86cad84d1f39dc7c11822045733183a9e5815b1bcb79161c1b547f273d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
5b362682ea28743cad0b5f28399923cf

SHA1
308eba49da62c2c159c1de233dd245731d032fe8

SHA256
f4236bb3db7febfc191c2133454e428d8deec29079550c79207a4a2b71764ae1

SHA512
b33b66fc015361d1f01fd81e8c9beced3a8aba573768d10812f0d7ac1f2a829f96e86cad84d1f39dc7c11822045733183a9e5815b1bcb79161c1b547f273d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
5b362682ea28743cad0b5f28399923cf

SHA1
308eba49da62c2c159c1de233dd245731d032fe8

SHA256
f4236bb3db7febfc191c2133454e428d8deec29079550c79207a4a2b71764ae1

SHA512
b33b66fc015361d1f01fd81e8c9beced3a8aba573768d10812f0d7ac1f2a829f96e86cad84d1f39dc7c11822045733183a9e5815b1bcb79161c1b547f273d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
5b362682ea28743cad0b5f28399923cf

SHA1
308eba49da62c2c159c1de233dd245731d032fe8

SHA256
f4236bb3db7febfc191c2133454e428d8deec29079550c79207a4a2b71764ae1

SHA512
b33b66fc015361d1f01fd81e8c9beced3a8aba573768d10812f0d7ac1f2a829f96e86cad84d1f39dc7c11822045733183a9e5815b1bcb79161c1b547f273d5c0

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1748-203-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/1748-181-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-185-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/1748-167-0x0000000007170000-0x0000000007714000-memory.dmp

Filesize
5.6MB

Download
memory/1748-168-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-169-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-171-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-175-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-202-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/1748-204-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/1748-173-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-179-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-184-0x0000000004550000-0x000000000457D000-memory.dmp

Filesize
180KB

Download
memory/1748-189-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/1748-200-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/1748-197-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-199-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-195-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-193-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-177-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-183-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-188-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-191-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/1748-187-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/2112-161-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2208-1331-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2208-1259-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2208-1267-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2484-1140-0x0000000000140000-0x0000000000172000-memory.dmp

Filesize
200KB

Download
memory/2484-1141-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/2676-1263-0x0000000000B40000-0x0000000000F24000-memory.dmp

Filesize
3.9MB

Download
memory/2676-1265-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/2676-1269-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/2676-1270-0x00000000075F0000-0x0000000007612000-memory.dmp

Filesize
136KB

Download
memory/2676-1332-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3540-1128-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-224-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-212-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-210-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-209-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-216-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-218-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-220-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-222-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-1134-0x0000000008F60000-0x000000000948C000-memory.dmp

Filesize
5.2MB

Download
memory/3540-226-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-1133-0x0000000008D90000-0x0000000008F52000-memory.dmp

Filesize
1.8MB

Download
memory/3540-1132-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-1131-0x0000000008C20000-0x0000000008C70000-memory.dmp

Filesize
320KB

Download
memory/3540-214-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-228-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-230-0x0000000002DB0000-0x0000000002DFB000-memory.dmp

Filesize
300KB

Download
memory/3540-1130-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/3540-1129-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-238-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-1127-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-1126-0x0000000008950000-0x00000000089E2000-memory.dmp

Filesize
584KB

Download
memory/3540-1125-0x0000000008290000-0x00000000082F6000-memory.dmp

Filesize
408KB

Download
memory/3540-1123-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-1122-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/3540-1121-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/3540-1120-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3540-1119-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/3540-246-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-244-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-242-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-240-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-231-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-233-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-235-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3540-234-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/3540-236-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3812-1210-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3812-1190-0x00000000005A0000-0x0000000000686000-memory.dmp

Filesize
920KB

Download
memory/4060-1312-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4060-1326-0x0000000007410000-0x0000000007A8A000-memory.dmp

Filesize
6.5MB

Download
memory/4060-1327-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/4060-1323-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/4060-1318-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4060-1310-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/4060-1333-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4060-1334-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4060-1335-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4060-1311-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/4060-1325-0x00000000046F0000-0x0000000004700000-memory.dmp

Filesize
64KB

Download
memory/4060-1309-0x00000000025D0000-0x0000000002606000-memory.dmp

Filesize
216KB

Download
memory/4184-1330-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4184-1216-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4184-1211-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/4796-1346-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4796-1345-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download