amadey | f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2023 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe
Size

1.1MB
MD5

13c47f99e37bbbc466c0ea4027911317
SHA1

32df4c419aa95c19b474fe0eb8fa420a0dfa0b4e
SHA256

f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4
SHA512

37d5061b403623828640cba9a02965f6964710100163c95355ae352651ba2de73cccfb44952de4732709967ca60b4e059c7e33408d3fafd21f4cd495ecbaf1bf
SSDEEP

24576:3yuiN8iDvvaIfAmrR3XtkZqW4d/ntqPaNh7W2iWo:C78afA2g14d/D37W2

Score

10^/10

amadey redline sectoprat build123456789 cheat lenox norm collection discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

lenox

77.91.124.145:4125

Attributes

auth_value
a5c9c17a250a084c5fd706c1df7c2d4e

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

Build123456789

91.237.124.206:44224

Attributes

auth_value
604ef43e255e32e816084fe3f7e0a809

Extracted

Family

redline

Botnet

cheat

154.81.220.233:28105

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3915.exev0977PS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3915.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0977PS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0977PS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0977PS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0977PS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0977PS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0977PS.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe	family_redline
behavioral1/memory/3392-2536-0x0000000000F90000-0x0000000000FAE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe	family_sectoprat
behavioral1/memory/3392-2536-0x0000000000F90000-0x0000000000FAE000-memory.dmp	family_sectoprat

Downloads MZ/PE file
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1636 attrib.exe

pid	process
1636	attrib.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

w17Jv94.exey92Qd33.exeoneetx.exeInstaller.exesec2.exeVivaldi Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	w17Jv94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y92Qd33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	sec2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Vivaldi Installer.exe

Executes dropped EXE 28 IoCs

Processes:

zap9538.exezap1503.exezap9829.exetz3915.exev0977PS.exew17Jv94.exe1.exexvBmY30.exey92Qd33.exeoneetx.execc.exebuild123456789.exesec2.exetestt.exeWerFault.exeInstaller.exedheend.exe20230408_205708_signed_build.exepowershell.exesec.exeSecEdit_protected.exesigned.exeOneDriveUpdater.exeoneetx.exeMsedge.execb4180a5.exeVivaldi Installer.exeoneetx.exe

pid	process
3816	zap9538.exe
4388	zap1503.exe
3840	zap9829.exe
2040	tz3915.exe
1616	v0977PS.exe
4520	w17Jv94.exe
3420	1.exe
5048	xvBmY30.exe
3988	y92Qd33.exe
2516	oneetx.exe
1228	cc.exe
208	build123456789.exe
4556	sec2.exe
4688	testt.exe
2864	WerFault.exe
4516	Installer.exe
4568	dheend.exe
3392	20230408_205708_signed_build.exe
3316	powershell.exe
3884	sec.exe
212	SecEdit_protected.exe
1044	signed.exe
2816	OneDriveUpdater.exe
5840	oneetx.exe
4512	Msedge.exe
5160	cb4180a5.exe
1956	Vivaldi Installer.exe
1304	oneetx.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

2456 rundll32.exe
5576 rundll32.exe
1464 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

6036 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2456	rundll32.exe
5576	rundll32.exe
1464	rundll32.exe

pid	process
6036	icacls.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe	upx
behavioral1/memory/2864-2469-0x0000000140000000-0x0000000140043000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1000018001\Installer.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000018001\Installer.exe	upx
behavioral1/memory/4516-2490-0x0000000140000000-0x0000000140043000-memory.dmp	upx
behavioral1/memory/2864-2593-0x0000000140000000-0x0000000140043000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz3915.exev0977PS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3915.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0977PS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0977PS.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

signed.exef533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exezap9538.exezap1503.exezap9829.exedheend.exepowershell.execb4180a5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	signed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Local\\Msedge.exe"	signed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9538.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1503.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\735f4e42 = "C:\\ProgramData\\cb4180a5.exe"	dheend.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9829.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecEdit = "C:\\Users\\Admin\\AppData\\Roaming\\SecEdit\\SecEdit.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\735f4e42 = "C:\\ProgramData\\cb4180a5.exe"	cb4180a5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecEdit_protected.exe

description pid process target process

PID 212 set thread context of 4688 212 SecEdit_protected.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 212 set thread context of 4688	212	SecEdit_protected.exe	RegAsm.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3444	1616	WerFault.exe	v0977PS.exe
2372	4520	WerFault.exe	w17Jv94.exe
2120	4688	WerFault.exe	testt.exe
3988	3884	WerFault.exe	sec.exe
5896	1228	WerFault.exe	cc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3588 schtasks.exe
1720 schtasks.exe
6008 schtasks.exe
6016 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2712 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4612 PING.EXE
4408 PING.EXE

pid	process
3588	schtasks.exe
1720	schtasks.exe
6008	schtasks.exe
6016	schtasks.exe

pid	process
2712	tasklist.exe

pid	process
4612	PING.EXE
4408	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tz3915.exev0977PS.exe1.exexvBmY30.exedheend.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.exepowershell.exeSecEdit_protected.exepowershell.execc.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exepowershell.exe

pid	process
2040	tz3915.exe
2040	tz3915.exe
1616	v0977PS.exe
1616	v0977PS.exe
3420	1.exe
5048	xvBmY30.exe
3420	1.exe
5048	xvBmY30.exe
4568	dheend.exe
4568	dheend.exe
208
208
2856	powershell.exe
2856	powershell.exe
3712	powershell.exe
3712	powershell.exe
208
2856	powershell.exe
3712	powershell.exe
2168	powershell.exe
2168	powershell.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2508	powershell.exe
2508	powershell.exe
2168	powershell.exe
5076	powershell.exe
5076	powershell.exe
5096	powershell.exe
5096	powershell.exe
4324	powershell.exe
4324	powershell.exe
212	SecEdit_protected.exe
212	SecEdit_protected.exe
2508	powershell.exe
2508	powershell.exe
5076	powershell.exe
5076	powershell.exe
5096	powershell.exe
5096	powershell.exe
3316	powershell.exe
3316	powershell.exe
1228	cc.exe
1228	cc.exe
4696	powershell.exe
4696	powershell.exe
3316	powershell.exe
3316	powershell.exe
3892	powershell.exe
3892	powershell.exe
1856	powershell.exe
1856	powershell.exe
5404	powershell.exe
5404	powershell.exe
3900	dllhost.exe
3900	dllhost.exe
3892	powershell.exe
5720	powershell.exe
5720	powershell.exe
5728	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

tz3915.exev0977PS.exew17Jv94.exexvBmY30.exe1.exesec2.exepowershell.exepowershell.exe20230408_205708_signed_build.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSecEdit_protected.exeRegAsm.exepowershell.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	tz3915.exe
Token: SeDebugPrivilege	1616	v0977PS.exe
Token: SeDebugPrivilege	4520	w17Jv94.exe
Token: SeDebugPrivilege	5048	xvBmY30.exe
Token: SeDebugPrivilege	3420	1.exe
Token: SeDebugPrivilege	4556	sec2.exe
Token: SeDebugPrivilege	208
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	3392	20230408_205708_signed_build.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	212	SecEdit_protected.exe
Token: SeDebugPrivilege	4688	RegAsm.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	5404	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	5332	powershell.exe
Token: SeDebugPrivilege	5324	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y92Qd33.exe

pid process

3988 y92Qd33.exe

pid	process
3988	y92Qd33.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exezap9538.exezap1503.exezap9829.exew17Jv94.exey92Qd33.exeoneetx.exeWerFault.exesec2.exeInstaller.execmd.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 3816	2036	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe	zap9538.exe
PID 2036 wrote to memory of 3816	2036	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe	zap9538.exe
PID 2036 wrote to memory of 3816	2036	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe	zap9538.exe
PID 3816 wrote to memory of 4388	3816	zap9538.exe	zap1503.exe
PID 3816 wrote to memory of 4388	3816	zap9538.exe	zap1503.exe
PID 3816 wrote to memory of 4388	3816	zap9538.exe	zap1503.exe
PID 4388 wrote to memory of 3840	4388	zap1503.exe	zap9829.exe
PID 4388 wrote to memory of 3840	4388	zap1503.exe	zap9829.exe
PID 4388 wrote to memory of 3840	4388	zap1503.exe	zap9829.exe
PID 3840 wrote to memory of 2040	3840	zap9829.exe	tz3915.exe
PID 3840 wrote to memory of 2040	3840	zap9829.exe	tz3915.exe
PID 3840 wrote to memory of 1616	3840	zap9829.exe	v0977PS.exe
PID 3840 wrote to memory of 1616	3840	zap9829.exe	v0977PS.exe
PID 3840 wrote to memory of 1616	3840	zap9829.exe	v0977PS.exe
PID 4388 wrote to memory of 4520	4388	zap1503.exe	w17Jv94.exe
PID 4388 wrote to memory of 4520	4388	zap1503.exe	w17Jv94.exe
PID 4388 wrote to memory of 4520	4388	zap1503.exe	w17Jv94.exe
PID 4520 wrote to memory of 3420	4520	w17Jv94.exe	1.exe
PID 4520 wrote to memory of 3420	4520	w17Jv94.exe	1.exe
PID 4520 wrote to memory of 3420	4520	w17Jv94.exe	1.exe
PID 3816 wrote to memory of 5048	3816	zap9538.exe	xvBmY30.exe
PID 3816 wrote to memory of 5048	3816	zap9538.exe	xvBmY30.exe
PID 3816 wrote to memory of 5048	3816	zap9538.exe	xvBmY30.exe
PID 2036 wrote to memory of 3988	2036	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe	y92Qd33.exe
PID 2036 wrote to memory of 3988	2036	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe	y92Qd33.exe
PID 2036 wrote to memory of 3988	2036	f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe	y92Qd33.exe
PID 3988 wrote to memory of 2516	3988	y92Qd33.exe	oneetx.exe
PID 3988 wrote to memory of 2516	3988	y92Qd33.exe	oneetx.exe
PID 3988 wrote to memory of 2516	3988	y92Qd33.exe	oneetx.exe
PID 2516 wrote to memory of 3588	2516	oneetx.exe	schtasks.exe
PID 2516 wrote to memory of 3588	2516	oneetx.exe	schtasks.exe
PID 2516 wrote to memory of 3588	2516	oneetx.exe	schtasks.exe
PID 2516 wrote to memory of 1228	2516	oneetx.exe	cc.exe
PID 2516 wrote to memory of 1228	2516	oneetx.exe	cc.exe
PID 2516 wrote to memory of 1228	2516	oneetx.exe	cc.exe
PID 2516 wrote to memory of 208	2516	oneetx.exe	build123456789.exe
PID 2516 wrote to memory of 208	2516	oneetx.exe	build123456789.exe
PID 2516 wrote to memory of 208	2516	oneetx.exe	build123456789.exe
PID 2516 wrote to memory of 4556	2516	oneetx.exe	sec2.exe
PID 2516 wrote to memory of 4556	2516	oneetx.exe	sec2.exe
PID 2516 wrote to memory of 4688	2516	oneetx.exe	testt.exe
PID 2516 wrote to memory of 4688	2516	oneetx.exe	testt.exe
PID 2516 wrote to memory of 4688	2516	oneetx.exe	testt.exe
PID 2516 wrote to memory of 2864	2516	oneetx.exe	WerFault.exe
PID 2516 wrote to memory of 2864	2516	oneetx.exe	WerFault.exe
PID 2516 wrote to memory of 4516	2516	oneetx.exe	Installer.exe
PID 2516 wrote to memory of 4516	2516	oneetx.exe	Installer.exe
PID 2864 wrote to memory of 5024	2864	WerFault.exe	cmd.exe
PID 2864 wrote to memory of 5024	2864	WerFault.exe	cmd.exe
PID 4556 wrote to memory of 1616	4556	sec2.exe	cmd.exe
PID 4556 wrote to memory of 1616	4556	sec2.exe	cmd.exe
PID 4516 wrote to memory of 2104	4516	Installer.exe	cmd.exe
PID 4516 wrote to memory of 2104	4516	Installer.exe	cmd.exe
PID 4556 wrote to memory of 1688	4556	sec2.exe	cmd.exe
PID 4556 wrote to memory of 1688	4556	sec2.exe	cmd.exe
PID 4556 wrote to memory of 2748	4556	sec2.exe	cmd.exe
PID 4556 wrote to memory of 2748	4556	sec2.exe	cmd.exe
PID 2516 wrote to memory of 4568	2516	oneetx.exe	dheend.exe
PID 2516 wrote to memory of 4568	2516	oneetx.exe	dheend.exe
PID 2516 wrote to memory of 4568	2516	oneetx.exe	dheend.exe
PID 2748 wrote to memory of 3712	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 3712	2748	cmd.exe	powershell.exe
PID 1616 wrote to memory of 2856	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 2856	1616	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1636 attrib.exe

pid	process
1636	attrib.exe

outlook_office_path 1 IoCs

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe
"C:\Users\Admin\AppData\Local\Temp\f533ea768e7cb7f85b100bf45c5559d62d56459f903b8a27bbb8ab58eda1aae4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9538.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9538.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1503.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1503.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9829.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9829.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3915.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3915.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0977PS.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0977PS.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1080
6⤵
- Program crash
PID:3444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Jv94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Jv94.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1372
5⤵
- Program crash
PID:2372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvBmY30.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvBmY30.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Qd33.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Qd33.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3588

C:\Users\Admin\AppData\Local\Temp\1000005001\cc.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\cc.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 712
5⤵
- Program crash
PID:5896

C:\Users\Admin\AppData\Local\Temp\1000009001\build123456789.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\build123456789.exe"
4⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\Temp\1000015001\sec2.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\sec2.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\sec.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\sec.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe
"C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\sec.exe
"C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\sec.exe"
5⤵
- Executes dropped EXE
PID:3884

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
6⤵
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
6⤵
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
6⤵
PID:4428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3884 -s 1080
6⤵
- Program crash
PID:3988

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe
"C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecEdit /tr "C:\Users\Admin\AppData\Roaming\SecEdit\SecEdit.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:1060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecEdit /tr "C:\Users\Admin\AppData\Roaming\SecEdit\SecEdit.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecEdit';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecEdit' -Value '"C:\Users\Admin\AppData\Roaming\SecEdit\SecEdit.exe"' -PropertyType 'String'
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\signed.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5720

C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe
"C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe" && exit" && && exit "
6⤵
PID:1948

C:\Windows\system32\cmd.exe
cmd /Q /C " ping localhost -n 1 && copy "C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe" "C:\Users\Admin\AppData\Local\Msedge.exe" && attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe" && icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA) && del "C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe" && cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe"
7⤵
PID:3084

C:\Windows\system32\PING.EXE
ping localhost -n 1
8⤵
- Runs ping.exe
PID:4408

C:\Windows\system32\attrib.exe
attrib +r +h +a "C:\Users\Admin\AppData\Local\Msedge.exe"
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1636

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Msedge.exe" /deny "everyone":(WD,AD,WEA,WA)
8⤵
- Modifies file permissions
PID:6036

C:\Windows\system32\cmd.exe
cmd /C "start "C:\Users\Admin\AppData\Local\Msedge.exe
8⤵
PID:3288

C:\Users\Admin\AppData\Local\Msedge.exe
C:\Users\Admin\AppData\Local\Msedge.exe
9⤵
- Executes dropped EXE
PID:4512

C:\OneDriveUpdater\OneDriveUpdater.exe
"C:\OneDriveUpdater\OneDriveUpdater.exe"
5⤵
- Executes dropped EXE
PID:2816

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\OnedriveUpdate\signed.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
5⤵
PID:2964

C:\Windows\system32\schtasks.exe
schtasks /create /tn "testM" /xml "C:\Users\Admin\AppData\Local\Temp\f1.xml"
6⤵
- Creates scheduled task(s)
PID:6008

C:\Windows\system32\schtasks.exe
schtasks /create /tn "test" /xml "C:\Users\Admin\AppData\Local\Temp\f2.xml"
6⤵
- Creates scheduled task(s)
PID:6016

C:\Users\Admin\AppData\Local\Temp\1000016001\testt.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\testt.exe"
4⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 936
5⤵
- Program crash
PID:2120

C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe"
4⤵
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\7zSFX" "Installer.exe""
5⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe
"C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe"
5⤵
PID:3316

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" cache.tmp,setup
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item 'C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe' -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
5⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\1000018001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000018001\Installer.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\7zSFX" "Installer.exe""
5⤵
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TaskList /fo CSV /nh
6⤵
PID:4360

C:\Windows\system32\tasklist.exe
TaskList /fo CSV /nh
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe
"C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1956

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" cache.tmp,setup
6⤵
- Loads dropped DLL
PID:5576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item 'C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe' -Force
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx001.cmd" "
5⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\1000019001\dheend.exe
"C:\Users\Admin\AppData\Local\Temp\1000019001\dheend.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c (ping -n 10 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\1000019001\dheend.exe") & (start "" "C:\ProgramData\cb4180a5.exe")
5⤵
PID:4988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 127.0.0.1
6⤵
- Runs ping.exe
PID:4612

C:\ProgramData\cb4180a5.exe
"C:\ProgramData\cb4180a5.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1616 -ip 1616
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4520 -ip 4520
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4688 -ip 4688
1⤵
PID:1624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 3884 -ip 3884
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1228 -ip 1228
1⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
- Executes dropped EXE
PID:5840

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
- Executes dropped EXE
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\OneDriveUpdater\OneDriveUpdater.exe
Filesize
305KB

MD5
b459927d1bcdc4e6d03b4d8455a1e881

SHA1
02f66bf0d8f3ee85ea50f4c61c792828b8c4f074

SHA256
74ad55905fc3758bef0317803cf2df61a9172f0c4bca6a0312388f18352b8284

SHA512
09a03d880f89743cfcfe656930c583063f446a6483e4874a87539aeb553acd1b0379c0f344701c89e28347d7471e4ddc0362e44f00dad4e1e6a30da2c31fb8e6

Download Submit
C:\OneDriveUpdater\OneDriveUpdater.exe
Filesize
305KB

MD5
b459927d1bcdc4e6d03b4d8455a1e881

SHA1
02f66bf0d8f3ee85ea50f4c61c792828b8c4f074

SHA256
74ad55905fc3758bef0317803cf2df61a9172f0c4bca6a0312388f18352b8284

SHA512
09a03d880f89743cfcfe656930c583063f446a6483e4874a87539aeb553acd1b0379c0f344701c89e28347d7471e4ddc0362e44f00dad4e1e6a30da2c31fb8e6

Download Submit
C:\OneDriveUpdater\OneDriveUpdater.exe
Filesize
305KB

MD5
b459927d1bcdc4e6d03b4d8455a1e881

SHA1
02f66bf0d8f3ee85ea50f4c61c792828b8c4f074

SHA256
74ad55905fc3758bef0317803cf2df61a9172f0c4bca6a0312388f18352b8284

SHA512
09a03d880f89743cfcfe656930c583063f446a6483e4874a87539aeb553acd1b0379c0f344701c89e28347d7471e4ddc0362e44f00dad4e1e6a30da2c31fb8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
85502ce8813f7174d5989a982a473094

SHA1
767982aed807f5f28ad7037139db874adebae5ed

SHA256
df0b71db6a6f78fcea4a935928560506f0c099e75aba717fd04cc9226d720ec6

SHA512
224ba8f3fc1d9a04bceb006af989f2838f4253074ba58b9082c7761daa1067e9d742ae51212d9116c89bda346538e8806790121deacf67a1c7b4a81bc95e6f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\cc.exe
Filesize
264KB

MD5
31cbb461ae7f1dd4d88241102a5a3bef

SHA1
36f41745d0007d387244ebfde6fe3a72f86154ea

SHA256
65ac1748ccb5db16410ecd159a221568c6a8ae858d6bc0526741511112da9b8a

SHA512
462b351c46b6aeedc2c4316fdd13aee2152da3bbf7741d76b69836d9ef972a291c3289bf3cd333c78ae6f2407580c227620f89233d16a86db0b2deba6000ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\cc.exe
Filesize
264KB

MD5
31cbb461ae7f1dd4d88241102a5a3bef

SHA1
36f41745d0007d387244ebfde6fe3a72f86154ea

SHA256
65ac1748ccb5db16410ecd159a221568c6a8ae858d6bc0526741511112da9b8a

SHA512
462b351c46b6aeedc2c4316fdd13aee2152da3bbf7741d76b69836d9ef972a291c3289bf3cd333c78ae6f2407580c227620f89233d16a86db0b2deba6000ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\cc.exe
Filesize
264KB

MD5
31cbb461ae7f1dd4d88241102a5a3bef

SHA1
36f41745d0007d387244ebfde6fe3a72f86154ea

SHA256
65ac1748ccb5db16410ecd159a221568c6a8ae858d6bc0526741511112da9b8a

SHA512
462b351c46b6aeedc2c4316fdd13aee2152da3bbf7741d76b69836d9ef972a291c3289bf3cd333c78ae6f2407580c227620f89233d16a86db0b2deba6000ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\build123456789.exe
Filesize
168KB

MD5
2b5fc061696f29db6b1e55ffa37506c0

SHA1
83204a0173b7198ec918fe22c71bd38ebc134fa2

SHA256
61b3495f62f6a52d7687e9d25e9d29f19d10435bf899a752f97c800eee07ed40

SHA512
572ea463f7e03618f05cb81a79d8c14485f3233be0bdb6ed284fab013bf6e461d160b5ef3bcf205c4a73d37109fd1139e82b602dff5629cd56f03072912740b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\build123456789.exe
Filesize
168KB

MD5
2b5fc061696f29db6b1e55ffa37506c0

SHA1
83204a0173b7198ec918fe22c71bd38ebc134fa2

SHA256
61b3495f62f6a52d7687e9d25e9d29f19d10435bf899a752f97c800eee07ed40

SHA512
572ea463f7e03618f05cb81a79d8c14485f3233be0bdb6ed284fab013bf6e461d160b5ef3bcf205c4a73d37109fd1139e82b602dff5629cd56f03072912740b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\build123456789.exe
Filesize
168KB

MD5
2b5fc061696f29db6b1e55ffa37506c0

SHA1
83204a0173b7198ec918fe22c71bd38ebc134fa2

SHA256
61b3495f62f6a52d7687e9d25e9d29f19d10435bf899a752f97c800eee07ed40

SHA512
572ea463f7e03618f05cb81a79d8c14485f3233be0bdb6ed284fab013bf6e461d160b5ef3bcf205c4a73d37109fd1139e82b602dff5629cd56f03072912740b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\sec2.exe
Filesize
5.3MB

MD5
6eea1248a188ec88b2e7d50242da4965

SHA1
a08f6574178ab2cc4fed339caee2e0b584a7ca38

SHA256
f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

SHA512
76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\sec2.exe
Filesize
5.3MB

MD5
6eea1248a188ec88b2e7d50242da4965

SHA1
a08f6574178ab2cc4fed339caee2e0b584a7ca38

SHA256
f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

SHA512
76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\sec2.exe
Filesize
5.3MB

MD5
6eea1248a188ec88b2e7d50242da4965

SHA1
a08f6574178ab2cc4fed339caee2e0b584a7ca38

SHA256
f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

SHA512
76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\testt.exe
Filesize
168KB

MD5
a2ac6c5d603c263031f0230c6f3c6911

SHA1
68d41a7c246ed50ca05f24896f11a88fb19c4f18

SHA256
20c92d576331b8a966c68297e73b78472392f2e4e17b2631f1f4c1eade87484e

SHA512
c65bdeca0e73a5cf473bd8d1bcc38068e2aa01a609c52d27941b6dd1c3692fc6d42de7bd5131f2a8a38e2c5fd9b7852fff16973409a3a391872c6b2dc935cc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\testt.exe
Filesize
168KB

MD5
a2ac6c5d603c263031f0230c6f3c6911

SHA1
68d41a7c246ed50ca05f24896f11a88fb19c4f18

SHA256
20c92d576331b8a966c68297e73b78472392f2e4e17b2631f1f4c1eade87484e

SHA512
c65bdeca0e73a5cf473bd8d1bcc38068e2aa01a609c52d27941b6dd1c3692fc6d42de7bd5131f2a8a38e2c5fd9b7852fff16973409a3a391872c6b2dc935cc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\testt.exe
Filesize
168KB

MD5
a2ac6c5d603c263031f0230c6f3c6911

SHA1
68d41a7c246ed50ca05f24896f11a88fb19c4f18

SHA256
20c92d576331b8a966c68297e73b78472392f2e4e17b2631f1f4c1eade87484e

SHA512
c65bdeca0e73a5cf473bd8d1bcc38068e2aa01a609c52d27941b6dd1c3692fc6d42de7bd5131f2a8a38e2c5fd9b7852fff16973409a3a391872c6b2dc935cc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe
Filesize
2.2MB

MD5
456f6c49f089b47c546a8bde8e8c4eec

SHA1
0945f27c53b7f53f03c47614b443a6990269b4c3

SHA256
1f5ec4e745475b08a5f6df6b83e4e829a00c6211731319cd332bde600e5a60e1

SHA512
e97918a017da9dbd46fe9ef27ed90fb766c87b372b7b534a736108c447d21e91e7446ee54c9274edd1d9108fa08b819c380fc8718e22b937fd3532833e98f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe
Filesize
2.2MB

MD5
456f6c49f089b47c546a8bde8e8c4eec

SHA1
0945f27c53b7f53f03c47614b443a6990269b4c3

SHA256
1f5ec4e745475b08a5f6df6b83e4e829a00c6211731319cd332bde600e5a60e1

SHA512
e97918a017da9dbd46fe9ef27ed90fb766c87b372b7b534a736108c447d21e91e7446ee54c9274edd1d9108fa08b819c380fc8718e22b937fd3532833e98f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Installer.exe
Filesize
2.2MB

MD5
456f6c49f089b47c546a8bde8e8c4eec

SHA1
0945f27c53b7f53f03c47614b443a6990269b4c3

SHA256
1f5ec4e745475b08a5f6df6b83e4e829a00c6211731319cd332bde600e5a60e1

SHA512
e97918a017da9dbd46fe9ef27ed90fb766c87b372b7b534a736108c447d21e91e7446ee54c9274edd1d9108fa08b819c380fc8718e22b937fd3532833e98f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018001\Installer.exe
Filesize
2.2MB

MD5
456f6c49f089b47c546a8bde8e8c4eec

SHA1
0945f27c53b7f53f03c47614b443a6990269b4c3

SHA256
1f5ec4e745475b08a5f6df6b83e4e829a00c6211731319cd332bde600e5a60e1

SHA512
e97918a017da9dbd46fe9ef27ed90fb766c87b372b7b534a736108c447d21e91e7446ee54c9274edd1d9108fa08b819c380fc8718e22b937fd3532833e98f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018001\Installer.exe
Filesize
2.2MB

MD5
456f6c49f089b47c546a8bde8e8c4eec

SHA1
0945f27c53b7f53f03c47614b443a6990269b4c3

SHA256
1f5ec4e745475b08a5f6df6b83e4e829a00c6211731319cd332bde600e5a60e1

SHA512
e97918a017da9dbd46fe9ef27ed90fb766c87b372b7b534a736108c447d21e91e7446ee54c9274edd1d9108fa08b819c380fc8718e22b937fd3532833e98f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\dheend.exe
Filesize
94KB

MD5
93fd11cf69ac4f2b596f4e51a561b7b0

SHA1
077e1d02b17f023a13e64b43d9b19764705e3e8d

SHA256
ae221670729038f92398b7fe4e08928ea6ebc0c1d006c63c8a3bac2e30770c2b

SHA512
4d870ba8af1617982c5f0e9cbd2da6fa5b0f109b8cd9ef2e6f7fcefacd4e44a13a018e2d1733798e59d2bbe62d337c121eef3408efb315252eed729dd1cb6372

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\dheend.exe
Filesize
94KB

MD5
93fd11cf69ac4f2b596f4e51a561b7b0

SHA1
077e1d02b17f023a13e64b43d9b19764705e3e8d

SHA256
ae221670729038f92398b7fe4e08928ea6ebc0c1d006c63c8a3bac2e30770c2b

SHA512
4d870ba8af1617982c5f0e9cbd2da6fa5b0f109b8cd9ef2e6f7fcefacd4e44a13a018e2d1733798e59d2bbe62d337c121eef3408efb315252eed729dd1cb6372

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\dheend.exe
Filesize
94KB

MD5
93fd11cf69ac4f2b596f4e51a561b7b0

SHA1
077e1d02b17f023a13e64b43d9b19764705e3e8d

SHA256
ae221670729038f92398b7fe4e08928ea6ebc0c1d006c63c8a3bac2e30770c2b

SHA512
4d870ba8af1617982c5f0e9cbd2da6fa5b0f109b8cd9ef2e6f7fcefacd4e44a13a018e2d1733798e59d2bbe62d337c121eef3408efb315252eed729dd1cb6372

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
212B

MD5
b7388d05cf327ace52865565ba4dd69c

SHA1
e2843085187e84be066b0a5228a3a27d7b4298a3

SHA256
1dd561a77ac9aef179bc668bb96669bfb8b34ce453eada548a140f67e54a33df

SHA512
ac43f9172a35317d0ee6f1f61348fd5697f6352d1634a496d1ed5296a7e0009be9beb425808d648362f1197c797229d10bff77bf5b65da98ab268fe36fb05d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd
Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd
Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe
Filesize
2.7MB

MD5
4c45a1d1b2fcb7c1d34db07e166b6251

SHA1
e8d18e2a1f9224b12ba0df465cda612bcfbdf24f

SHA256
8ef1c813980faa61a94e0289444bf952c7fd2e9c9d0fa6ecb6cfc58b88bc8d48

SHA512
a2c4800c71bb6ced15a541e619527f05cf585e7376b45d8a6308d6538c6baad8dbcb9d19f3f845c557ab07a5785aafb0d0197b3ebfde1634f08003f9a9b37306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe
Filesize
2.7MB

MD5
4c45a1d1b2fcb7c1d34db07e166b6251

SHA1
e8d18e2a1f9224b12ba0df465cda612bcfbdf24f

SHA256
8ef1c813980faa61a94e0289444bf952c7fd2e9c9d0fa6ecb6cfc58b88bc8d48

SHA512
a2c4800c71bb6ced15a541e619527f05cf585e7376b45d8a6308d6538c6baad8dbcb9d19f3f845c557ab07a5785aafb0d0197b3ebfde1634f08003f9a9b37306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\Vivaldi Installer.exe
Filesize
2.7MB

MD5
4c45a1d1b2fcb7c1d34db07e166b6251

SHA1
e8d18e2a1f9224b12ba0df465cda612bcfbdf24f

SHA256
8ef1c813980faa61a94e0289444bf952c7fd2e9c9d0fa6ecb6cfc58b88bc8d48

SHA512
a2c4800c71bb6ced15a541e619527f05cf585e7376b45d8a6308d6538c6baad8dbcb9d19f3f845c557ab07a5785aafb0d0197b3ebfde1634f08003f9a9b37306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Qd33.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y92Qd33.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9538.exe
Filesize
934KB

MD5
acb766097e2663082a81909900aa1da1

SHA1
f36efaac23562c11362589ec682521aebd514a2c

SHA256
e16e2c1708897748bcb3553e50ed3b5e074ef3d4911b26181bd7087bbff9f4c8

SHA512
dcea88595bb95c75515926b6d78d4e29e8b172f918c7ae6e0cedebacd087243c2140d2cf52f7a00c381365481d631c43d84127cf6bc28ea983017db2da9a184f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9538.exe
Filesize
934KB

MD5
acb766097e2663082a81909900aa1da1

SHA1
f36efaac23562c11362589ec682521aebd514a2c

SHA256
e16e2c1708897748bcb3553e50ed3b5e074ef3d4911b26181bd7087bbff9f4c8

SHA512
dcea88595bb95c75515926b6d78d4e29e8b172f918c7ae6e0cedebacd087243c2140d2cf52f7a00c381365481d631c43d84127cf6bc28ea983017db2da9a184f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvBmY30.exe
Filesize
168KB

MD5
b86009831e8d5622adb3766a04489563

SHA1
5d3c61e02f18c0502d583580aa0e045f27bab631

SHA256
c28219dacb5e54eef5877eec7e62a6d88dd5408eb2ae12157fa7fc9143c8bc0f

SHA512
532fb8767aa2d6d4fe8b29ce076c4e9a39658f5539bae888f007d9d7a35680a5265d9a44b69bf052321e46808347b152f533062976c374088d844f8cae70070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvBmY30.exe
Filesize
168KB

MD5
b86009831e8d5622adb3766a04489563

SHA1
5d3c61e02f18c0502d583580aa0e045f27bab631

SHA256
c28219dacb5e54eef5877eec7e62a6d88dd5408eb2ae12157fa7fc9143c8bc0f

SHA512
532fb8767aa2d6d4fe8b29ce076c4e9a39658f5539bae888f007d9d7a35680a5265d9a44b69bf052321e46808347b152f533062976c374088d844f8cae70070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1503.exe
Filesize
780KB

MD5
0f4962d1278b6ffa8d72e247ceca2d23

SHA1
8e46bc2e66baa666cb4cd31037c609836cdf82be

SHA256
d8bd04e7f4d2307b05f414d004d7ce9af76a9e0af6785c824e7321cc4b370787

SHA512
2e62334e0da4ecac9b1993e63dbd3353d7512464b50bd814bd2bc5bf3ea9722dc3681b41007014a570197d64c61d1de42e204aa9dd6935bf190250c4bc7ea3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1503.exe
Filesize
780KB

MD5
0f4962d1278b6ffa8d72e247ceca2d23

SHA1
8e46bc2e66baa666cb4cd31037c609836cdf82be

SHA256
d8bd04e7f4d2307b05f414d004d7ce9af76a9e0af6785c824e7321cc4b370787

SHA512
2e62334e0da4ecac9b1993e63dbd3353d7512464b50bd814bd2bc5bf3ea9722dc3681b41007014a570197d64c61d1de42e204aa9dd6935bf190250c4bc7ea3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Jv94.exe
Filesize
427KB

MD5
f0b4dd047db263d82be50a7d8dd6328b

SHA1
fd02be2f49a09ca96074b3bf69ac20083bd50f46

SHA256
6bc1f8034fd51f3623c67d8a77b8281c1ba02b456937623e1aedb34d0f7103d6

SHA512
63f737dbda2928b49144c318b2e416a42a2a83f3eabc076d4951e4ef4436855994bad80982e9d88fe21b50d3e9642b6b74f661407ada2d14611a115d21eae35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17Jv94.exe
Filesize
427KB

MD5
f0b4dd047db263d82be50a7d8dd6328b

SHA1
fd02be2f49a09ca96074b3bf69ac20083bd50f46

SHA256
6bc1f8034fd51f3623c67d8a77b8281c1ba02b456937623e1aedb34d0f7103d6

SHA512
63f737dbda2928b49144c318b2e416a42a2a83f3eabc076d4951e4ef4436855994bad80982e9d88fe21b50d3e9642b6b74f661407ada2d14611a115d21eae35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9829.exe
Filesize
324KB

MD5
02cb0f1a4cf00faa94d9a4d72edcb191

SHA1
f00e191c6d0bc56f1b34fd2c64921c7801a7632c

SHA256
f9ff9f12453a87ec33cbe4211967ea14ca9b5385824832a16bea1d57a3255d67

SHA512
ed21374829283be975e598b9209bfb0f2ab8fd5bce91d1866dfa8c63ce748ee2bd803b5e97194a37a1d038dea0bc230096a21dda8aa28e6999ec88b5eb38e0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9829.exe
Filesize
324KB

MD5
02cb0f1a4cf00faa94d9a4d72edcb191

SHA1
f00e191c6d0bc56f1b34fd2c64921c7801a7632c

SHA256
f9ff9f12453a87ec33cbe4211967ea14ca9b5385824832a16bea1d57a3255d67

SHA512
ed21374829283be975e598b9209bfb0f2ab8fd5bce91d1866dfa8c63ce748ee2bd803b5e97194a37a1d038dea0bc230096a21dda8aa28e6999ec88b5eb38e0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3915.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3915.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0977PS.exe
Filesize
243KB

MD5
be767eeaccb8e14f403cf77a91673d03

SHA1
251b685c7690293beb38355e3e4d2d0802e379db

SHA256
ae1af5fdf18414940ee320bd9ec478b6ceb1d66d2eaf8dcac47e4df3b2c77e38

SHA512
f4850b1e9ef9da5d3806f2fc8e4ea334e797771c8ba20d881f93f8117433b2dd2cfaa3a795e4072989af137f39924431186de90920714d0d6af07654d703e2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0977PS.exe
Filesize
243KB

MD5
be767eeaccb8e14f403cf77a91673d03

SHA1
251b685c7690293beb38355e3e4d2d0802e379db

SHA256
ae1af5fdf18414940ee320bd9ec478b6ceb1d66d2eaf8dcac47e4df3b2c77e38

SHA512
f4850b1e9ef9da5d3806f2fc8e4ea334e797771c8ba20d881f93f8117433b2dd2cfaa3a795e4072989af137f39924431186de90920714d0d6af07654d703e2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe
Filesize
105KB

MD5
140fe4dc113bd5d5197a3571e9a85925

SHA1
322c1e09e1ad3330a457863635f6b8ac183b8a20

SHA256
6c3aaf9d4f65fc103ceaaf41c25d58b6ae1c4657a10f33d6a6e341052473334c

SHA512
9edf3aaf08c1ffd9a19c21f02f14eeec56fc8859a7d77435bce928307417fd4cf5f9ec7645d0e5c81ff76b14d2824562198bff25b01711bb376060844f783952

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe
Filesize
105KB

MD5
140fe4dc113bd5d5197a3571e9a85925

SHA1
322c1e09e1ad3330a457863635f6b8ac183b8a20

SHA256
6c3aaf9d4f65fc103ceaaf41c25d58b6ae1c4657a10f33d6a6e341052473334c

SHA512
9edf3aaf08c1ffd9a19c21f02f14eeec56fc8859a7d77435bce928307417fd4cf5f9ec7645d0e5c81ff76b14d2824562198bff25b01711bb376060844f783952

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\20230408_205708_signed_build.exe
Filesize
105KB

MD5
140fe4dc113bd5d5197a3571e9a85925

SHA1
322c1e09e1ad3330a457863635f6b8ac183b8a20

SHA256
6c3aaf9d4f65fc103ceaaf41c25d58b6ae1c4657a10f33d6a6e341052473334c

SHA512
9edf3aaf08c1ffd9a19c21f02f14eeec56fc8859a7d77435bce928307417fd4cf5f9ec7645d0e5c81ff76b14d2824562198bff25b01711bb376060844f783952

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe
Filesize
3.2MB

MD5
80ad7f7f17e1ebbd45b189aab353c26b

SHA1
ef3a2b61a569afad611c1fd0449fa3b1b3918a97

SHA256
975ab8217500e66602991d85c3a742b0f660b991d08eec2d9db4776a3b5c2ebf

SHA512
50feabd3ac2211582b387f06b4fdd4d600b06a1305b43237ac5482f38f69bc258608dc415351c96ae763bf031d69b53c7a66c99ae870709ae60f5ce827ed8ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe
Filesize
3.2MB

MD5
80ad7f7f17e1ebbd45b189aab353c26b

SHA1
ef3a2b61a569afad611c1fd0449fa3b1b3918a97

SHA256
975ab8217500e66602991d85c3a742b0f660b991d08eec2d9db4776a3b5c2ebf

SHA512
50feabd3ac2211582b387f06b4fdd4d600b06a1305b43237ac5482f38f69bc258608dc415351c96ae763bf031d69b53c7a66c99ae870709ae60f5ce827ed8ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\SecEdit_protected.exe
Filesize
3.2MB

MD5
80ad7f7f17e1ebbd45b189aab353c26b

SHA1
ef3a2b61a569afad611c1fd0449fa3b1b3918a97

SHA256
975ab8217500e66602991d85c3a742b0f660b991d08eec2d9db4776a3b5c2ebf

SHA512
50feabd3ac2211582b387f06b4fdd4d600b06a1305b43237ac5482f38f69bc258608dc415351c96ae763bf031d69b53c7a66c99ae870709ae60f5ce827ed8ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\sec.exe
Filesize
10.7MB

MD5
d87a49f43af3c2e3ce29f31fd7103a63

SHA1
647d908489f47f7ddef6c3a4dcdfa92e5ccdfd03

SHA256
d77fc57e1a34801441db127acac98cc2d0046788082bb753f0917e0bc6a3765b

SHA512
74866638619bf365018e3d89d8876c22f2987fe2fe8a9ebb3ef2a23993cc88648c8af1f2be43be30e0a5d6ec4473b73bc47cee796f8060be45ffc2affeba5358

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\sec.exe
Filesize
10.7MB

MD5
d87a49f43af3c2e3ce29f31fd7103a63

SHA1
647d908489f47f7ddef6c3a4dcdfa92e5ccdfd03

SHA256
d77fc57e1a34801441db127acac98cc2d0046788082bb753f0917e0bc6a3765b

SHA512
74866638619bf365018e3d89d8876c22f2987fe2fe8a9ebb3ef2a23993cc88648c8af1f2be43be30e0a5d6ec4473b73bc47cee796f8060be45ffc2affeba5358

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\sec.exe
Filesize
10.7MB

MD5
d87a49f43af3c2e3ce29f31fd7103a63

SHA1
647d908489f47f7ddef6c3a4dcdfa92e5ccdfd03

SHA256
d77fc57e1a34801441db127acac98cc2d0046788082bb753f0917e0bc6a3765b

SHA512
74866638619bf365018e3d89d8876c22f2987fe2fe8a9ebb3ef2a23993cc88648c8af1f2be43be30e0a5d6ec4473b73bc47cee796f8060be45ffc2affeba5358

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe
Filesize
90KB

MD5
bc5831bdfc4206117e756afc796e8c27

SHA1
81268b9b3ad4e45b8f29e400ed041bc36b4d348c

SHA256
98458379dc294e3307f8265024020e182ca8e364fb7e1e35815b207ca2dcd38c

SHA512
b9b286a0c03dbcfed8b7c5cd7273e91e7550b96438656ded80b769409cd9402c49212fd4f7a73bf0f5e182eaf47b068e3ba76183e086dafbc5f10d9d7394d332

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe
Filesize
90KB

MD5
bc5831bdfc4206117e756afc796e8c27

SHA1
81268b9b3ad4e45b8f29e400ed041bc36b4d348c

SHA256
98458379dc294e3307f8265024020e182ca8e364fb7e1e35815b207ca2dcd38c

SHA512
b9b286a0c03dbcfed8b7c5cd7273e91e7550b96438656ded80b769409cd9402c49212fd4f7a73bf0f5e182eaf47b068e3ba76183e086dafbc5f10d9d7394d332

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnedriveUpdate\signed.exe
Filesize
90KB

MD5
bc5831bdfc4206117e756afc796e8c27

SHA1
81268b9b3ad4e45b8f29e400ed041bc36b4d348c

SHA256
98458379dc294e3307f8265024020e182ca8e364fb7e1e35815b207ca2dcd38c

SHA512
b9b286a0c03dbcfed8b7c5cd7273e91e7550b96438656ded80b769409cd9402c49212fd4f7a73bf0f5e182eaf47b068e3ba76183e086dafbc5f10d9d7394d332

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eojtqmkp.rvc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb4A0.tmp
Filesize
1KB

MD5
0dc72abf28bbb94520d06508e1ff7be8

SHA1
cb2870553f3fdcdab7a59b924724fd9d993337fb

SHA256
f889f747c774b02367ef494044a688dd8421c36f8b4e766ed3f365629c01a801

SHA512
adc671113771b47c1becdb327395768782b8cdbfcc305c2391a650ee7246bb43f55e84e3151444dc7d7a7c8244f4335148a342c05dc69132acdae8a792d0b5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1.xml
Filesize
1KB

MD5
d0318e2f99b2d71017df5cf1a131d034

SHA1
039fec93f2ef2cf06e01673ba861086bd09cdb7f

SHA256
f3f97226fa47a7a9325db10a23cc4c2f830651166ad0d82226bdab1ffa5a0139

SHA512
fe98e235509243a07e4320e0d516a0f6f36fe42c17dc1f374fcfaaa02b15c8eddf887c4804516926184a0dc9a3f9bf6b7a76f025104ca77de55c280926efeedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2.xml
Filesize
1KB

MD5
491393b9a180350b9db889f27943b2c3

SHA1
52d160b34c999ca7ed60b4033a7123fd59833500

SHA256
081eeba7b7cdb0f882e91e33340d52130e48d20730ed8a02ee471afb2e575c7f

SHA512
2b24bc4cbc17caee5f9cdd1501bb7407d043288487c5d709e105acef8247ae229efb934f91623a2230e9e50a27699564902c8ed98c0e8484c19342cf61cd0368

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp340C.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3441.tmp
Filesize
92KB

MD5
988b3b69326285fe3025cafc08a1bc8b

SHA1
3cf978d7e8f6281558c2c34fa60d13882edfd81e

SHA256
0acbaf311f2539bdf907869f7b8e75c614597d7d0084e2073ac002cf7e5437f4

SHA512
6fcc3acea7bee90489a23f76d4090002a10d8c735174ad90f8641a310717cfceb9b063dc700a88fcb3f9054f0c28b86f31329759f71c8eaf15620cefa87a17d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3576.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp358C.tmp
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3605.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/208-2404-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/208-2397-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/1228-2362-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/1616-195-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-187-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-202-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1616-201-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1616-205-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1616-167-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/1616-200-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1616-199-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-197-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-168-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/1616-193-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-191-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-189-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-203-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1616-185-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-183-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-181-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-179-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-177-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-175-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-173-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-172-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1616-171-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1616-169-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1616-170-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2040-161-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2168-2582-0x0000023CADFF0000-0x0000023CAE000000-memory.dmp

Filesize
64KB

Download
memory/2168-2583-0x0000023CADFF0000-0x0000023CAE000000-memory.dmp

Filesize
64KB

Download
memory/2456-2579-0x00000003AF2D0000-0x00000003AFD09000-memory.dmp

Filesize
10.2MB

Download
memory/2456-2592-0x00000161A96C0000-0x00000161A9763000-memory.dmp

Filesize
652KB

Download
memory/2456-2590-0x00000003AF2D0000-0x00000003AFD09000-memory.dmp

Filesize
10.2MB

Download
memory/2456-2569-0x00007FFC23810000-0x00007FFC23820000-memory.dmp

Filesize
64KB

Download
memory/2456-2555-0x00000161A96C0000-0x00000161A9763000-memory.dmp

Filesize
652KB

Download
memory/2508-2627-0x000002485DEF0000-0x000002485DF00000-memory.dmp

Filesize
64KB

Download
memory/2508-2625-0x000002485DEF0000-0x000002485DF00000-memory.dmp

Filesize
64KB

Download
memory/2856-2551-0x0000021464C50000-0x0000021464C60000-memory.dmp

Filesize
64KB

Download
memory/2856-2586-0x0000021464C50000-0x0000021464C60000-memory.dmp

Filesize
64KB

Download
memory/2856-2540-0x0000021464C50000-0x0000021464C60000-memory.dmp

Filesize
64KB

Download
memory/2864-2469-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2864-2593-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/3316-2577-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3316-2534-0x00007FFC23810000-0x00007FFC23820000-memory.dmp

Filesize
64KB

Download
memory/3316-2533-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3392-2536-0x0000000000F90000-0x0000000000FAE000-memory.dmp

Filesize
120KB

Download
memory/3392-2568-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/3420-2318-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3420-2321-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/3420-2322-0x0000000006120000-0x00000000062E2000-memory.dmp

Filesize
1.8MB

Download
memory/3420-2313-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/3420-2325-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3420-2314-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

Filesize
1.0MB

Download
memory/3420-2323-0x0000000008690000-0x0000000008BBC000-memory.dmp

Filesize
5.2MB

Download
memory/3420-2316-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/3420-2307-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/3712-2554-0x000001C17DD60000-0x000001C17DD70000-memory.dmp

Filesize
64KB

Download
memory/3712-2589-0x000001C17DD60000-0x000001C17DD70000-memory.dmp

Filesize
64KB

Download
memory/4324-2581-0x000002940B8E0000-0x000002940B983000-memory.dmp

Filesize
652KB

Download
memory/4324-2588-0x00007FFC23810000-0x00007FFC23820000-memory.dmp

Filesize
64KB

Download
memory/4324-2626-0x0000029425CF0000-0x0000029425D00000-memory.dmp

Filesize
64KB

Download
memory/4516-2490-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/4520-235-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-225-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-210-0x00000000005B0000-0x000000000060B000-memory.dmp

Filesize
364KB

Download
memory/4520-211-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4520-212-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4520-213-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4520-214-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-215-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-217-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-219-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-221-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-223-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-227-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-2302-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4520-247-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-245-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-243-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-241-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-239-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-237-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-229-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-233-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4520-231-0x0000000005180000-0x00000000051DF000-memory.dmp

Filesize
380KB

Download
memory/4556-2447-0x0000000002A50000-0x0000000002A6E000-memory.dmp

Filesize
120KB

Download
memory/4556-2434-0x00000000005B0000-0x0000000000B04000-memory.dmp

Filesize
5.3MB

Download
memory/4556-2448-0x000000001C460000-0x000000001C470000-memory.dmp

Filesize
64KB

Download
memory/4556-2449-0x0000000002AE0000-0x0000000002B02000-memory.dmp

Filesize
136KB

Download
memory/4556-2445-0x000000001C2B0000-0x000000001C326000-memory.dmp

Filesize
472KB

Download
memory/4688-2446-0x0000000000C70000-0x0000000000C9E000-memory.dmp

Filesize
184KB

Download
memory/5048-2312-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download
memory/5048-2324-0x0000000001910000-0x0000000001920000-memory.dmp

Filesize
64KB

Download
memory/5048-2317-0x0000000001910000-0x0000000001920000-memory.dmp

Filesize
64KB

Download
memory/5048-2315-0x00000000033F0000-0x0000000003402000-memory.dmp

Filesize
72KB

Download
memory/5048-2319-0x0000000005CB0000-0x0000000005D26000-memory.dmp

Filesize
472KB

Download
memory/5048-2320-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/5048-2326-0x0000000007680000-0x00000000076D0000-memory.dmp

Filesize
320KB

Download