amadey | 247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe
Size

992KB
MD5

f65561bd9f78915f5a2846728839d32f
SHA1

0d05bae2018d4cd91a649fdcf748027f89ca412c
SHA256

247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f
SHA512

d007a84f040971f16c697a5d0eb3b920691649526453407c5c69a26cb22e92f29c581eadfda6d46a19a48ad26d38e7b4cd6f2444c044baacd598cfb51fb8e003
SSDEEP

24576:jy8W6WNuO3NWwaPhy2pR7Jx0KiA9DrvHD5yu:28W6W4ONWwaYwlx0KiA9nPD5

Score

10^/10

amadey healer redline warzonerat gruha dropper evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

warzonerat

5.181.80.111:5200

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6904468.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6904468.exe	healer
behavioral1/memory/4580-35-0x00000000008A0000-0x00000000008AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q6904468.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6904468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6904468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6904468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6904468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6904468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6904468.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1904-131-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/1904-135-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/1904-138-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exelegota.exe7iEFnai6i3.exesvchost.exet2766624.exeu6373386.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	7iEFnai6i3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	t2766624.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	u6373386.exe

Executes dropped EXE 18 IoCs

Processes:

z1597482.exez1488341.exez3477683.exez0433278.exeq6904468.exer7523134.exes8018535.exet2766624.exeexplothe.exeu6373386.exelegota.exew6269814.exe7iEFnai6i3.exesvchost.exelegota.exeexplothe.exelegota.exeexplothe.exe

pid	process
3596	z1597482.exe
3912	z1488341.exe
2480	z3477683.exe
4516	z0433278.exe
4580	q6904468.exe
224	r7523134.exe
4636	s8018535.exe
4012	t2766624.exe
4052	explothe.exe
4212	u6373386.exe
4176	legota.exe
3816	w6269814.exe
1688	7iEFnai6i3.exe
4068	svchost.exe
2260	legota.exe
4180	explothe.exe
3536	legota.exe
880	explothe.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2952 rundll32.exe
4348 rundll32.exe

pid	process
2952	rundll32.exe
4348	rundll32.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

q6904468.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6904468.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exez1597482.exez1488341.exez3477683.exez0433278.exe7iEFnai6i3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1597482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1488341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3477683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0433278.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	7iEFnai6i3.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

r7523134.exes8018535.exesvchost.exe

description	pid	process	target process
PID 224 set thread context of 3076	224	r7523134.exe	AppLaunch.exe
PID 4636 set thread context of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4068 set thread context of 1904	4068	svchost.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4344	3076	WerFault.exe	AppLaunch.exe
1504	224	WerFault.exe	r7523134.exe
4524	4636	WerFault.exe	s8018535.exe
4524	1904	WerFault.exe	csc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2372 schtasks.exe
3300 schtasks.exe
456 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3940 timeout.exe

pid	process
2372	schtasks.exe
3300	schtasks.exe
456	schtasks.exe

pid	process
3940	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

q6904468.exe7iEFnai6i3.exepowershell.exe

pid	process
4580	q6904468.exe
4580	q6904468.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
1688	7iEFnai6i3.exe
4392	powershell.exe
4392	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

q6904468.exe7iEFnai6i3.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4580	q6904468.exe
Token: SeDebugPrivilege	1688	7iEFnai6i3.exe
Token: SeDebugPrivilege	4068	svchost.exe
Token: SeDebugPrivilege	4392	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exez1597482.exez1488341.exez3477683.exez0433278.exer7523134.exes8018535.exet2766624.exeu6373386.exeexplothe.exelegota.exe

description	pid	process	target process
PID 2984 wrote to memory of 3596	2984	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe	z1597482.exe
PID 2984 wrote to memory of 3596	2984	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe	z1597482.exe
PID 2984 wrote to memory of 3596	2984	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe	z1597482.exe
PID 3596 wrote to memory of 3912	3596	z1597482.exe	z1488341.exe
PID 3596 wrote to memory of 3912	3596	z1597482.exe	z1488341.exe
PID 3596 wrote to memory of 3912	3596	z1597482.exe	z1488341.exe
PID 3912 wrote to memory of 2480	3912	z1488341.exe	z3477683.exe
PID 3912 wrote to memory of 2480	3912	z1488341.exe	z3477683.exe
PID 3912 wrote to memory of 2480	3912	z1488341.exe	z3477683.exe
PID 2480 wrote to memory of 4516	2480	z3477683.exe	z0433278.exe
PID 2480 wrote to memory of 4516	2480	z3477683.exe	z0433278.exe
PID 2480 wrote to memory of 4516	2480	z3477683.exe	z0433278.exe
PID 4516 wrote to memory of 4580	4516	z0433278.exe	q6904468.exe
PID 4516 wrote to memory of 4580	4516	z0433278.exe	q6904468.exe
PID 4516 wrote to memory of 224	4516	z0433278.exe	r7523134.exe
PID 4516 wrote to memory of 224	4516	z0433278.exe	r7523134.exe
PID 4516 wrote to memory of 224	4516	z0433278.exe	r7523134.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 224 wrote to memory of 3076	224	r7523134.exe	AppLaunch.exe
PID 2480 wrote to memory of 4636	2480	z3477683.exe	s8018535.exe
PID 2480 wrote to memory of 4636	2480	z3477683.exe	s8018535.exe
PID 2480 wrote to memory of 4636	2480	z3477683.exe	s8018535.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 4636 wrote to memory of 4704	4636	s8018535.exe	AppLaunch.exe
PID 3912 wrote to memory of 4012	3912	z1488341.exe	t2766624.exe
PID 3912 wrote to memory of 4012	3912	z1488341.exe	t2766624.exe
PID 3912 wrote to memory of 4012	3912	z1488341.exe	t2766624.exe
PID 4012 wrote to memory of 4052	4012	t2766624.exe	explothe.exe
PID 4012 wrote to memory of 4052	4012	t2766624.exe	explothe.exe
PID 4012 wrote to memory of 4052	4012	t2766624.exe	explothe.exe
PID 3596 wrote to memory of 4212	3596	z1597482.exe	u6373386.exe
PID 3596 wrote to memory of 4212	3596	z1597482.exe	u6373386.exe
PID 3596 wrote to memory of 4212	3596	z1597482.exe	u6373386.exe
PID 4212 wrote to memory of 4176	4212	u6373386.exe	legota.exe
PID 4212 wrote to memory of 4176	4212	u6373386.exe	legota.exe
PID 4212 wrote to memory of 4176	4212	u6373386.exe	legota.exe
PID 4052 wrote to memory of 2372	4052	explothe.exe	schtasks.exe
PID 4052 wrote to memory of 2372	4052	explothe.exe	schtasks.exe
PID 4052 wrote to memory of 2372	4052	explothe.exe	schtasks.exe
PID 4052 wrote to memory of 1140	4052	explothe.exe	cmd.exe
PID 4052 wrote to memory of 1140	4052	explothe.exe	cmd.exe
PID 4052 wrote to memory of 1140	4052	explothe.exe	cmd.exe
PID 2984 wrote to memory of 3816	2984	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe	w6269814.exe
PID 2984 wrote to memory of 3816	2984	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe	w6269814.exe
PID 2984 wrote to memory of 3816	2984	247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe	w6269814.exe
PID 4176 wrote to memory of 3300	4176	legota.exe	schtasks.exe
PID 4176 wrote to memory of 3300	4176	legota.exe	schtasks.exe
PID 4176 wrote to memory of 3300	4176	legota.exe	schtasks.exe
PID 4176 wrote to memory of 2272	4176	legota.exe	cmd.exe
PID 4176 wrote to memory of 2272	4176	legota.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe
"C:\Users\Admin\AppData\Local\Temp\247d0d57ec9bf54448c51158ec8d17d7c80bfb0d638dc1b04fc8e5aca9e3067f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1597482.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1597482.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1488341.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1488341.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3477683.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3477683.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0433278.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0433278.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6904468.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6904468.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7523134.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7523134.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 540
        8⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 148
        7⤵
        Program crash
        
        PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8018535.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8018535.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 152
        6⤵
        Program crash
        
        PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2766624.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2766624.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6373386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6373386.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3860
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:3828
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4696
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        6⤵
        
        PID:500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DB.tmp.bat""
        6⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        7⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 652
        9⤵
        Program crash
        
        PID:4524
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6269814.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6269814.exe
  2⤵
  - Executes dropped EXE
  PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 224 -ip 224
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3076 -ip 3076
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4636 -ip 4636
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1904 -ip 1904
1⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe

Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe

Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000086001\7iEFnai6i3.exe

Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6269814.exe

Filesize
24KB

MD5
bd8d3edb6f47a77b8e34e43b6f3a4587

SHA1
be147a0ed48e5215a5ee6ae3f8a4627c4619b5f8

SHA256
a7203c7ec4135cc0fa5f38c68a7f61b9c37f4667138320f9d0527a2523acd06e

SHA512
e5133ac14f0554c39098adb0031a00ea43853e98b2e51fbd63e26f376932f4020613cbb067db8019a25cf7606f59ecfc64f9f7b6f5ab7ab296416aec0cbab0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6269814.exe

Filesize
24KB

MD5
bd8d3edb6f47a77b8e34e43b6f3a4587

SHA1
be147a0ed48e5215a5ee6ae3f8a4627c4619b5f8

SHA256
a7203c7ec4135cc0fa5f38c68a7f61b9c37f4667138320f9d0527a2523acd06e

SHA512
e5133ac14f0554c39098adb0031a00ea43853e98b2e51fbd63e26f376932f4020613cbb067db8019a25cf7606f59ecfc64f9f7b6f5ab7ab296416aec0cbab0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1597482.exe

Filesize
890KB

MD5
a16a9e7911d7c2a105f2ffac83e76b57

SHA1
1efc33011567110d65feb929942ec89f7356bd4a

SHA256
32da056848058d0360a2dc64a889851df5870b682982e1eedad0b87d3580ea45

SHA512
6fa7fe88b86948493ece87f886a5fd68939e12949f0006c6c26a45386de70d3c8086f90fe8c27c09f53521d12d10305030f152e3883695be055582a9e3569781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1597482.exe

Filesize
890KB

MD5
a16a9e7911d7c2a105f2ffac83e76b57

SHA1
1efc33011567110d65feb929942ec89f7356bd4a

SHA256
32da056848058d0360a2dc64a889851df5870b682982e1eedad0b87d3580ea45

SHA512
6fa7fe88b86948493ece87f886a5fd68939e12949f0006c6c26a45386de70d3c8086f90fe8c27c09f53521d12d10305030f152e3883695be055582a9e3569781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6373386.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6373386.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1488341.exe

Filesize
709KB

MD5
4a0a9a345a6849918935115083722516

SHA1
4941dc8370b2025fd8bc09d74be88739565709bb

SHA256
d4aa6dbb8e527e8a37d2a837094e079d15bffc51f8e6ddb1b3f0f02391128edf

SHA512
337055d659f3d068009740efe0a0be61fac480b3f41d20b6bee784655bf446d9ca96d49e4af3f55ce40a62255784a1cf0a1504e3ca1bb9564a85134f824a4222

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1488341.exe

Filesize
709KB

MD5
4a0a9a345a6849918935115083722516

SHA1
4941dc8370b2025fd8bc09d74be88739565709bb

SHA256
d4aa6dbb8e527e8a37d2a837094e079d15bffc51f8e6ddb1b3f0f02391128edf

SHA512
337055d659f3d068009740efe0a0be61fac480b3f41d20b6bee784655bf446d9ca96d49e4af3f55ce40a62255784a1cf0a1504e3ca1bb9564a85134f824a4222

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2766624.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2766624.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3477683.exe

Filesize
526KB

MD5
9807f42d9fd928bdb531d9974da54070

SHA1
d48e60732dcb7514c04d6776afc6f8b1dbe34ac8

SHA256
55943acf7e8b33c54f084149473653d24aa9a52ec70a9f98ba0fe855631cbdf7

SHA512
7a39d7ef6b104513c92e6d05f31d8c63b0aa207757a5f04637d8d4fb0c0d5586b390d243d2a8a3fca3f300d710118b5f83a6192e41bb044fa3d49e17ea42f328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3477683.exe

Filesize
526KB

MD5
9807f42d9fd928bdb531d9974da54070

SHA1
d48e60732dcb7514c04d6776afc6f8b1dbe34ac8

SHA256
55943acf7e8b33c54f084149473653d24aa9a52ec70a9f98ba0fe855631cbdf7

SHA512
7a39d7ef6b104513c92e6d05f31d8c63b0aa207757a5f04637d8d4fb0c0d5586b390d243d2a8a3fca3f300d710118b5f83a6192e41bb044fa3d49e17ea42f328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8018535.exe

Filesize
310KB

MD5
b1dd9a03278967159432a135f308c005

SHA1
ce85a3292b2f633ed14cbfa10fdc28d79ce653bc

SHA256
15e215ee74e5f23ee1ae40d468dcbc1265711da4f471cf5df3a2c3d9656fa80d

SHA512
cd3d7eec515dbf9d23b3b656f252b2c118ea7938776de12ae52c62ab240d6782d177414973fce938a03232231f85fca01e254d2f3d1f5cea2ab9fa64d6ddcc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8018535.exe

Filesize
310KB

MD5
b1dd9a03278967159432a135f308c005

SHA1
ce85a3292b2f633ed14cbfa10fdc28d79ce653bc

SHA256
15e215ee74e5f23ee1ae40d468dcbc1265711da4f471cf5df3a2c3d9656fa80d

SHA512
cd3d7eec515dbf9d23b3b656f252b2c118ea7938776de12ae52c62ab240d6782d177414973fce938a03232231f85fca01e254d2f3d1f5cea2ab9fa64d6ddcc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0433278.exe

Filesize
296KB

MD5
afcefeb7e1457d1437107afac7c2ffe6

SHA1
7cb8242075837175d7a9419cb5ba28091d41dc21

SHA256
f85f05f806b36556a222b1bd6eb995cfc966a740dc94c2b5103f480a3d7e3f65

SHA512
da6b402d13257b0e0453ff66a0ff7942c3c70475612b02da20ffbb143c3a2d6ff518c33affdab14a30f76ce88938a9bf81ceb3ba1f09f8a65b678bbc1ffa33a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0433278.exe

Filesize
296KB

MD5
afcefeb7e1457d1437107afac7c2ffe6

SHA1
7cb8242075837175d7a9419cb5ba28091d41dc21

SHA256
f85f05f806b36556a222b1bd6eb995cfc966a740dc94c2b5103f480a3d7e3f65

SHA512
da6b402d13257b0e0453ff66a0ff7942c3c70475612b02da20ffbb143c3a2d6ff518c33affdab14a30f76ce88938a9bf81ceb3ba1f09f8a65b678bbc1ffa33a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6904468.exe

Filesize
11KB

MD5
4d9b11761eea77b43cf27fea542de780

SHA1
b82e091c5ee4f7668b7c4712293db20baa3403a6

SHA256
20577f396436f941d05dc871c4dbd59215708c9e013a11c6d3bdb0d1fea71527

SHA512
106828b7558f1fe3c39fe8924614ba68fed7e9400056fc309c4ca1f40d4c777011d4ea6447097bd803791762b107387a98c56ae620693deed1e6e5c3dfa2c7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6904468.exe

Filesize
11KB

MD5
4d9b11761eea77b43cf27fea542de780

SHA1
b82e091c5ee4f7668b7c4712293db20baa3403a6

SHA256
20577f396436f941d05dc871c4dbd59215708c9e013a11c6d3bdb0d1fea71527

SHA512
106828b7558f1fe3c39fe8924614ba68fed7e9400056fc309c4ca1f40d4c777011d4ea6447097bd803791762b107387a98c56ae620693deed1e6e5c3dfa2c7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7523134.exe

Filesize
276KB

MD5
3ba31f55ab9bdb83386d1805e08da63e

SHA1
c4690fcc98b4da215399c48f7eb16c42685bd34c

SHA256
92ece3f2b7ad390e9a196244401bc0be5cba012226b42639770e045d0370123e

SHA512
d352eb88d66e382add0a17f2b8211ca0fb91132396bf3af21097460e3fbe98b0c722dbb1179fc7fb28f8d520e6c0836f285fd42516dc06fc64010e97a0620f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7523134.exe

Filesize
276KB

MD5
3ba31f55ab9bdb83386d1805e08da63e

SHA1
c4690fcc98b4da215399c48f7eb16c42685bd34c

SHA256
92ece3f2b7ad390e9a196244401bc0be5cba012226b42639770e045d0370123e

SHA512
d352eb88d66e382add0a17f2b8211ca0fb91132396bf3af21097460e3fbe98b0c722dbb1179fc7fb28f8d520e6c0836f285fd42516dc06fc64010e97a0620f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwsx5ry2.j3w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DB.tmp.bat

Filesize
150B

MD5
62f78eb8a08f03169093b76a9c8c7e23

SHA1
c10572e81fb3d56347ea7f0837bff836b2dee24c

SHA256
55c5600560f32604cba0a064d69f6372a2ae7a8cee8316087789be01541fabff

SHA512
7e2fb9e19aab15e5d21dfabf2c4593497e92d9d654b89eba3cd6b20fa6e351063408d4b9de52ebfcae0ec838a0b27c3bb3cbb33d17c2b38f4f8ef6d3aaad2127

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
694KB

MD5
4996c96e36b3ce6c41f136c83cbedfc5

SHA1
3baaa685c77e8d2eae2487c95c405ec4dfc7d790

SHA256
6cc99c09a40c47a90d892650315d0267602d1fe89ddadb11b496523f3219e778

SHA512
c6b9afc246c49fefc1f90ed6b2b2e448ed6d7d4e3c8c63654ce1947ab00fb252105cfc79dbdd9d8d3014a497e5e98a05bde9f4ed4d84ee244c322bdd6e78840e

Download Submit
memory/1688-107-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1688-114-0x0000000004BF0000-0x0000000004C0A000-memory.dmp

Filesize
104KB

Download
memory/1688-108-0x0000000004B30000-0x0000000004BCC000-memory.dmp

Filesize
624KB

Download
memory/1688-110-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1688-111-0x0000000002530000-0x00000000025C0000-memory.dmp

Filesize
576KB

Download
memory/1688-106-0x0000000000170000-0x0000000000222000-memory.dmp

Filesize
712KB

Download
memory/1688-119-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1904-131-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1904-138-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1904-135-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/3076-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4068-124-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-125-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/4068-134-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-153-0x0000000006EA0000-0x0000000006ED2000-memory.dmp

Filesize
200KB

Download
memory/4392-168-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/4392-129-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4392-128-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-127-0x0000000005240000-0x0000000005276000-memory.dmp

Filesize
216KB

Download
memory/4392-137-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/4392-178-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-175-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

Filesize
32KB

Download
memory/4392-139-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/4392-145-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/4392-150-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-151-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/4392-152-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4392-174-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

Filesize
104KB

Download
memory/4392-154-0x0000000071E40000-0x0000000071E8C000-memory.dmp

Filesize
304KB

Download
memory/4392-164-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/4392-165-0x0000000007AC0000-0x0000000007B63000-memory.dmp

Filesize
652KB

Download
memory/4392-166-0x00000000081F0000-0x000000000886A000-memory.dmp

Filesize
6.5MB

Download
memory/4392-167-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/4392-130-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/4392-169-0x0000000007E30000-0x0000000007EC6000-memory.dmp

Filesize
600KB

Download
memory/4392-170-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

Filesize
68KB

Download
memory/4392-171-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-172-0x0000000007DE0000-0x0000000007DEE000-memory.dmp

Filesize
56KB

Download
memory/4392-173-0x0000000007DF0000-0x0000000007E04000-memory.dmp

Filesize
80KB

Download
memory/4580-39-0x00007FFF66CB0000-0x00007FFF67771000-memory.dmp

Filesize
10.8MB

Download
memory/4580-35-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4580-36-0x00007FFF66CB0000-0x00007FFF67771000-memory.dmp

Filesize
10.8MB

Download
memory/4580-37-0x00007FFF66CB0000-0x00007FFF67771000-memory.dmp

Filesize
10.8MB

Download
memory/4704-101-0x0000000004BC0000-0x0000000004CCA000-memory.dmp

Filesize
1.0MB

Download
memory/4704-104-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4704-112-0x0000000004AB0000-0x0000000004AFC000-memory.dmp

Filesize
304KB

Download
memory/4704-87-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/4704-70-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/4704-57-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4704-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4704-105-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4704-109-0x0000000004A10000-0x0000000004A4C000-memory.dmp

Filesize
240KB

Download
memory/4704-126-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4704-113-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download