amadey | baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe
Size

1005KB
MD5

f8d3e20da85ccb850974b77f3408043b
SHA1

2fc2941e3ee1144b458ca421f683ecbf5a39882b
SHA256

baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2
SHA512

9b0864edea3436bd354ab3449760afa1000fb3fa822042c9fd234020e955e71c6fcfd3e6ef8c3528f4ee80051abfe44830c4a50b4db6cdc783d0a8a19b857c4d
SSDEEP

24576:rylIJ6XJ9epAyaalQJa7xAIBkvPFMPU/5n:euQHepnh7xAIB4FMM/5

Score

10^/10

amadey healer redline warzonerat gruha dropper evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

warzonerat

5.181.80.111:5200

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7332472.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7332472.exe	healer
behavioral1/memory/4156-35-0x0000000000E40000-0x0000000000E4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q7332472.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q7332472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q7332472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q7332472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q7332472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q7332472.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q7332472.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3796-130-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/3796-137-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/3796-139-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u6990448.exeexplothe.exelegota.exe7iEFnai6i3.exesvchost.exet3243919.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	u6990448.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	7iEFnai6i3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	t3243919.exe

Executes dropped EXE 20 IoCs

Processes:

z5810253.exez1995620.exez0515044.exez0720652.exeq7332472.exer7482563.exes7178577.exet3243919.exeexplothe.exeu6990448.exelegota.exew4735325.exe7iEFnai6i3.exeexplothe.exelegota.exesvchost.exeexplothe.exelegota.exeexplothe.exelegota.exe

pid	process
2392	z5810253.exe
1512	z1995620.exe
4544	z0515044.exe
1460	z0720652.exe
4156	q7332472.exe
1716	r7482563.exe
1788	s7178577.exe
3588	t3243919.exe
4744	explothe.exe
3636	u6990448.exe
3452	legota.exe
448	w4735325.exe
616	7iEFnai6i3.exe
1512	explothe.exe
2608	legota.exe
952	svchost.exe
4472	explothe.exe
4608	legota.exe
2016	explothe.exe
2796	legota.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2704 rundll32.exe
4504 rundll32.exe

pid	process
2704	rundll32.exe
4504	rundll32.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exeq7332472.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q7332472.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z1995620.exez0515044.exez0720652.exe7iEFnai6i3.exebaf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exez5810253.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1995620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0515044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0720652.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	7iEFnai6i3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5810253.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

r7482563.exes7178577.exesvchost.exe

description	pid	process	target process
PID 1716 set thread context of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1788 set thread context of 2812	1788	s7178577.exe	AppLaunch.exe
PID 952 set thread context of 3796	952	svchost.exe	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
868	2016	WerFault.exe	AppLaunch.exe
2732	1716	WerFault.exe	r7482563.exe
4300	1788	WerFault.exe	s7178577.exe
1812	3796	WerFault.exe	mscorsvw.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4904 schtasks.exe
5088 schtasks.exe
4580 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1112 timeout.exe

pid	process
4904	schtasks.exe
5088	schtasks.exe
4580	schtasks.exe

pid	process
1112	timeout.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

q7332472.exe7iEFnai6i3.exesvchost.exepowershell.exe

pid	process
4156	q7332472.exe
4156	q7332472.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
616	7iEFnai6i3.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
952	svchost.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

q7332472.exe7iEFnai6i3.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4156	q7332472.exe
Token: SeDebugPrivilege	616	7iEFnai6i3.exe
Token: SeDebugPrivilege	952	svchost.exe
Token: SeDebugPrivilege	740	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exez5810253.exez1995620.exez0515044.exez0720652.exer7482563.exes7178577.exet3243919.exeu6990448.exeexplothe.exelegota.exe

description	pid	process	target process
PID 4324 wrote to memory of 2392	4324	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe	z5810253.exe
PID 4324 wrote to memory of 2392	4324	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe	z5810253.exe
PID 4324 wrote to memory of 2392	4324	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe	z5810253.exe
PID 2392 wrote to memory of 1512	2392	z5810253.exe	z1995620.exe
PID 2392 wrote to memory of 1512	2392	z5810253.exe	z1995620.exe
PID 2392 wrote to memory of 1512	2392	z5810253.exe	z1995620.exe
PID 1512 wrote to memory of 4544	1512	z1995620.exe	z0515044.exe
PID 1512 wrote to memory of 4544	1512	z1995620.exe	z0515044.exe
PID 1512 wrote to memory of 4544	1512	z1995620.exe	z0515044.exe
PID 4544 wrote to memory of 1460	4544	z0515044.exe	z0720652.exe
PID 4544 wrote to memory of 1460	4544	z0515044.exe	z0720652.exe
PID 4544 wrote to memory of 1460	4544	z0515044.exe	z0720652.exe
PID 1460 wrote to memory of 4156	1460	z0720652.exe	q7332472.exe
PID 1460 wrote to memory of 4156	1460	z0720652.exe	q7332472.exe
PID 1460 wrote to memory of 1716	1460	z0720652.exe	r7482563.exe
PID 1460 wrote to memory of 1716	1460	z0720652.exe	r7482563.exe
PID 1460 wrote to memory of 1716	1460	z0720652.exe	r7482563.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 1716 wrote to memory of 2016	1716	r7482563.exe	AppLaunch.exe
PID 4544 wrote to memory of 1788	4544	z0515044.exe	s7178577.exe
PID 4544 wrote to memory of 1788	4544	z0515044.exe	s7178577.exe
PID 4544 wrote to memory of 1788	4544	z0515044.exe	s7178577.exe
PID 1788 wrote to memory of 4396	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 4396	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 4396	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1788 wrote to memory of 2812	1788	s7178577.exe	AppLaunch.exe
PID 1512 wrote to memory of 3588	1512	z1995620.exe	t3243919.exe
PID 1512 wrote to memory of 3588	1512	z1995620.exe	t3243919.exe
PID 1512 wrote to memory of 3588	1512	z1995620.exe	t3243919.exe
PID 3588 wrote to memory of 4744	3588	t3243919.exe	explothe.exe
PID 3588 wrote to memory of 4744	3588	t3243919.exe	explothe.exe
PID 3588 wrote to memory of 4744	3588	t3243919.exe	explothe.exe
PID 2392 wrote to memory of 3636	2392	z5810253.exe	u6990448.exe
PID 2392 wrote to memory of 3636	2392	z5810253.exe	u6990448.exe
PID 2392 wrote to memory of 3636	2392	z5810253.exe	u6990448.exe
PID 3636 wrote to memory of 3452	3636	u6990448.exe	legota.exe
PID 3636 wrote to memory of 3452	3636	u6990448.exe	legota.exe
PID 3636 wrote to memory of 3452	3636	u6990448.exe	legota.exe
PID 4744 wrote to memory of 4904	4744	explothe.exe	schtasks.exe
PID 4744 wrote to memory of 4904	4744	explothe.exe	schtasks.exe
PID 4744 wrote to memory of 4904	4744	explothe.exe	schtasks.exe
PID 4324 wrote to memory of 448	4324	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe	w4735325.exe
PID 4324 wrote to memory of 448	4324	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe	w4735325.exe
PID 4324 wrote to memory of 448	4324	baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe	w4735325.exe
PID 4744 wrote to memory of 372	4744	explothe.exe	cmd.exe
PID 4744 wrote to memory of 372	4744	explothe.exe	cmd.exe
PID 4744 wrote to memory of 372	4744	explothe.exe	cmd.exe
PID 3452 wrote to memory of 5088	3452	legota.exe	schtasks.exe
PID 3452 wrote to memory of 5088	3452	legota.exe	schtasks.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe
"C:\Users\Admin\AppData\Local\Temp\baf549a93f717c94ff515f4f5b4b72e7ee8089f26758a07245feee4c09d009b2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5810253.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5810253.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1995620.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1995620.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0515044.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0515044.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0720652.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0720652.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7332472.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7332472.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7482563.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7482563.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 540
8⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 600
7⤵
- Program crash
PID:2732

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7178577.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7178577.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 592
6⤵
- Program crash
PID:4300

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3243919.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3243919.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:372

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3880

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:680

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:1252

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:4904

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6990448.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6990448.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:3632

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3996

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2400

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:4496

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe
"C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
6⤵
PID:5076

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
7⤵
- Creates scheduled task(s)
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp.bat""
6⤵
PID:4612

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:1112

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
7⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
8⤵
PID:3640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
8⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
8⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
8⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 656
9⤵
- Program crash
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
8⤵
PID:1836

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4735325.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4735325.exe
2⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1716 -ip 1716
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2016 -ip 2016
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1788 -ip 1788
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3796 -ip 3796
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe
Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe
Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe
Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4735325.exe
Filesize
24KB

MD5
0b3fcd390514cf7b0befd294f03e97e4

SHA1
ccd6e8a6c2222a47f99b84068df3f23bc2e646a5

SHA256
751c441b42cacbba7f3dd40801192b0b0e172977b8cf0562eaff62aa16ddade6

SHA512
4bc44e0323e68a9f1d546e1417b5c69f7e6af1a17f8a059214d6b68642669cb67289c11cecdf9ec7362913a612d9b763455c524d339fa3fd07ee3f56847323b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4735325.exe
Filesize
24KB

MD5
0b3fcd390514cf7b0befd294f03e97e4

SHA1
ccd6e8a6c2222a47f99b84068df3f23bc2e646a5

SHA256
751c441b42cacbba7f3dd40801192b0b0e172977b8cf0562eaff62aa16ddade6

SHA512
4bc44e0323e68a9f1d546e1417b5c69f7e6af1a17f8a059214d6b68642669cb67289c11cecdf9ec7362913a612d9b763455c524d339fa3fd07ee3f56847323b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5810253.exe
Filesize
903KB

MD5
b1ab0082a01b206358e73769e8b87a79

SHA1
f56fec3438e77c37eaf6abdab7d5331afcb9065d

SHA256
29712ca49222ac7e74f9e4463bd7170d8b5f0e9831dc5232667c4199f23b2b2c

SHA512
832ce62642a35dd3ddb8aad721c1946081ae7adb46f66bce97e79cf6180037628b000d72b49255b95f8f5d5e075c1bb4240f3540e63df712a1ad67e57f6ecbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5810253.exe
Filesize
903KB

MD5
b1ab0082a01b206358e73769e8b87a79

SHA1
f56fec3438e77c37eaf6abdab7d5331afcb9065d

SHA256
29712ca49222ac7e74f9e4463bd7170d8b5f0e9831dc5232667c4199f23b2b2c

SHA512
832ce62642a35dd3ddb8aad721c1946081ae7adb46f66bce97e79cf6180037628b000d72b49255b95f8f5d5e075c1bb4240f3540e63df712a1ad67e57f6ecbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6990448.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6990448.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1995620.exe
Filesize
720KB

MD5
c5c2058fd33f6d23313e823c9afafd31

SHA1
572aa0c655c6e039ebab868b93758ba7e9db1070

SHA256
1bb6ce16a4fafb9f7efa8955f629f14486db5338d61f93b36be63a31052974a9

SHA512
372ead9967dfadc2ede1be4aff3926a9092974a56055568f8f1cc475188a3135bd03d3a6e8f96d3e9f0ea5c3db9fb80cd9493826a33e73f95759e8b85e79390e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1995620.exe
Filesize
720KB

MD5
c5c2058fd33f6d23313e823c9afafd31

SHA1
572aa0c655c6e039ebab868b93758ba7e9db1070

SHA256
1bb6ce16a4fafb9f7efa8955f629f14486db5338d61f93b36be63a31052974a9

SHA512
372ead9967dfadc2ede1be4aff3926a9092974a56055568f8f1cc475188a3135bd03d3a6e8f96d3e9f0ea5c3db9fb80cd9493826a33e73f95759e8b85e79390e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3243919.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3243919.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0515044.exe
Filesize
538KB

MD5
604ca6ce2e4b083d683b8ec3028333ee

SHA1
752ed223360f24113f959aedbb55c5b693d6d7ff

SHA256
544acfe62777c8b3226c79b71b3bc77c6f5f91bc8b4b4bc7410c8e70d47384d9

SHA512
880f5c5ae57f6d5ce38c4ddebe70edfad3e63fbf3fe202e40ace8d4cccb571b96f358c03729423e16fa85ea3df263bc02984c98722a2696a18bfcc69af867e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0515044.exe
Filesize
538KB

MD5
604ca6ce2e4b083d683b8ec3028333ee

SHA1
752ed223360f24113f959aedbb55c5b693d6d7ff

SHA256
544acfe62777c8b3226c79b71b3bc77c6f5f91bc8b4b4bc7410c8e70d47384d9

SHA512
880f5c5ae57f6d5ce38c4ddebe70edfad3e63fbf3fe202e40ace8d4cccb571b96f358c03729423e16fa85ea3df263bc02984c98722a2696a18bfcc69af867e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7178577.exe
Filesize
328KB

MD5
edc6ac499f2f251ab94622aca0fa425b

SHA1
3674ef28d0eb92c3d3de0812f3f0798b8c3f8c10

SHA256
e16c5d0d9fcc2af3fb9299b7762d8f7197af61a4cd4cf66267ab1e0fd1084cad

SHA512
fda75035865ae6cf368f044e0cd0034f91be1092ed586b9eddb005a222947b0b312b571a15397c8495bec596247c5f4c2508f628841b71410bd0de702fa5e2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7178577.exe
Filesize
328KB

MD5
edc6ac499f2f251ab94622aca0fa425b

SHA1
3674ef28d0eb92c3d3de0812f3f0798b8c3f8c10

SHA256
e16c5d0d9fcc2af3fb9299b7762d8f7197af61a4cd4cf66267ab1e0fd1084cad

SHA512
fda75035865ae6cf368f044e0cd0034f91be1092ed586b9eddb005a222947b0b312b571a15397c8495bec596247c5f4c2508f628841b71410bd0de702fa5e2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0720652.exe
Filesize
301KB

MD5
1844dda553db920b22b2678a2b1b7d85

SHA1
5bc3ccc8383d64f54a1cdce1173e36ee199c0d82

SHA256
0e7c33f8e0a9b2d690709b723ecb86c273cab3fe69e9b2a0abaf15d292829b56

SHA512
c367f4b8dcda4ae20b56a3e85f0b3ed761077bbacb9b43d41780734c7d3318bcd1ec21ba4f692c93d3d9d0a604374da2d34ab931e2ce910f47e7b5855ade3c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0720652.exe
Filesize
301KB

MD5
1844dda553db920b22b2678a2b1b7d85

SHA1
5bc3ccc8383d64f54a1cdce1173e36ee199c0d82

SHA256
0e7c33f8e0a9b2d690709b723ecb86c273cab3fe69e9b2a0abaf15d292829b56

SHA512
c367f4b8dcda4ae20b56a3e85f0b3ed761077bbacb9b43d41780734c7d3318bcd1ec21ba4f692c93d3d9d0a604374da2d34ab931e2ce910f47e7b5855ade3c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7332472.exe
Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7332472.exe
Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7482563.exe
Filesize
294KB

MD5
15d03b931f0cd72a662bda764d22d68d

SHA1
8b5776a046af9b0b757781a64ffdd811a3c1ae83

SHA256
cd04e4ee868279f3c64f46da366beb15b3c13716a27372517871d5d5c46aa63a

SHA512
c548baa7729ac3a17a86f4763f16ed22179d7e25722c914ce53771f99ba78cc1d35c841c3abdf24f6379e7c50d68633bea4b3e5f8d5cf7fb567951cacb213a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7482563.exe
Filesize
294KB

MD5
15d03b931f0cd72a662bda764d22d68d

SHA1
8b5776a046af9b0b757781a64ffdd811a3c1ae83

SHA256
cd04e4ee868279f3c64f46da366beb15b3c13716a27372517871d5d5c46aa63a

SHA512
c548baa7729ac3a17a86f4763f16ed22179d7e25722c914ce53771f99ba78cc1d35c841c3abdf24f6379e7c50d68633bea4b3e5f8d5cf7fb567951cacb213a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yiyeyd5g.he1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp.bat
Filesize
151B

MD5
b3cb3932d50ec81071dff816746bd783

SHA1
c8420043640ec9be0fd9859c8fc5a6b561f6990c

SHA256
ddf50441c4343a8f41959254a970695534e60ee90c36ca1c197804f34669cb19

SHA512
23b38791d14c327f1ecf61a82d64357c01e4bd562b2c3c59a8a0fcbeec6ae361c6cc102a05549a1989661f4ad8e02c19f3b1ee122e354e7bd5dc1bf0ef7018a7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
memory/616-107-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/616-118-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/616-112-0x0000000005580000-0x000000000559A000-memory.dmp

Filesize
104KB

Download
memory/616-111-0x0000000005400000-0x0000000005490000-memory.dmp

Filesize
576KB

Download
memory/616-110-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/616-109-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/616-108-0x0000000000B10000-0x0000000000BC2000-memory.dmp

Filesize
712KB

Download
memory/740-156-0x000000006CF80000-0x000000006CFCC000-memory.dmp

Filesize
304KB

Download
memory/740-150-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/740-175-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/740-174-0x0000000007950000-0x0000000007964000-memory.dmp

Filesize
80KB

Download
memory/740-128-0x0000000004E00000-0x0000000004E36000-memory.dmp

Filesize
216KB

Download
memory/740-129-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/740-173-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/740-132-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/740-131-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/740-133-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/740-172-0x0000000007910000-0x0000000007921000-memory.dmp

Filesize
68KB

Download
memory/740-171-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/740-179-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/740-140-0x0000000005C40000-0x0000000005C62000-memory.dmp

Filesize
136KB

Download
memory/740-170-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/740-169-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/740-151-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/740-152-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/740-153-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/740-154-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/740-155-0x00000000069A0000-0x00000000069D2000-memory.dmp

Filesize
200KB

Download
memory/740-176-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/740-166-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/740-167-0x00000000075C0000-0x0000000007663000-memory.dmp

Filesize
652KB

Download
memory/740-168-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/952-136-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/952-127-0x0000000006330000-0x00000000068D4000-memory.dmp

Filesize
5.6MB

Download
memory/952-126-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/2016-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2016-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2016-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2016-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2812-119-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/2812-63-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/2812-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2812-51-0x0000000073D10000-0x00000000744C0000-memory.dmp

Filesize
7.7MB

Download
memory/2812-125-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/2812-84-0x0000000005800000-0x000000000584C000-memory.dmp

Filesize
304KB

Download
memory/2812-74-0x0000000005660000-0x000000000569C000-memory.dmp

Filesize
240KB

Download
memory/2812-65-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/2812-64-0x0000000005600000-0x0000000005612000-memory.dmp

Filesize
72KB

Download
memory/2812-52-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/2812-61-0x0000000005BC0000-0x00000000061D8000-memory.dmp

Filesize
6.1MB

Download
memory/3796-139-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/3796-130-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/3796-137-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4156-35-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/4156-36-0x00007FF8AEE20000-0x00007FF8AF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-38-0x00007FF8AEE20000-0x00007FF8AF8E1000-memory.dmp

Filesize
10.8MB

Download