amadey | 98912576e25e14b01af0544d9312595571eaf5ba4486687b265de54fa7726e53

Analysis

max time kernel
101s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

426KB
MD5

762bdd4f13589cc0fb1de03410f924cb
SHA1

1314a19473186fca59eeaaf03fff4cb362e2b152
SHA256

98912576e25e14b01af0544d9312595571eaf5ba4486687b265de54fa7726e53
SHA512

4f5ac1005da1cdc4ca9ed203be7c7033ba4199545d8940bdb04326feb2147c2c51438611ac5460167d6b7e34424263ac64ea4822033d4d4fef55ace84a96b443
SSDEEP

6144:Kky+bnr+dp0yN90QEj+laC3qh1ymUWWLxJOnHWV9SgrZZI6WMLE7Z7Fx+GmLhVL:oMrhy90hMaC3qTyJLxlYgvIXooRSht

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Extracted

Family

redline

Botnet

@ytlogsbot

176.123.4.46:33783

Attributes

auth_value
295b226f1b63bcd55148625381b27b19

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

file.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
2376	schtasks.exe
2252	schtasks.exe
5884	schtasks.exe

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/8-314-0x0000000002FA0000-0x00000000030D1000-memory.dmp	family_fabookie

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2156-80-0x0000000000100000-0x000000000010A000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\6B5B.exe	healer
C:\Users\Admin\AppData\Local\Temp\6B5B.exe	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-207-0x0000000004B60000-0x000000000544B000-memory.dmp	family_glupteba
behavioral2/memory/3376-219-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-298-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-329-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-385-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-396-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-415-0x0000000004B60000-0x000000000544B000-memory.dmp	family_glupteba
behavioral2/memory/3376-496-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-562-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3376-638-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

6B5B.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6B5B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6B5B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6B5B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6B5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	6B5B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6B5B.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4868-115-0x00000000007C0000-0x000000000081A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1008 netsh.exe

pid	process
1008	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6D7F.exeexplothe.exe7FF0.exekos1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	6D7F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	7FF0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	kos1.exe

Executes dropped EXE 32 IoCs

Processes:

v4292332.exea7989946.exeb9964615.exec1140046.exe66A4.exe679F.exex0151560.exex5312124.exe6A32.exex4164560.exe6B5B.exex3079184.exeg9947978.exe6D7F.exe6FF1.exeexplothe.exe7FF0.exe8456.exess41.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exekos1.exetoolspub2.exeh7672766.exeset16.exekos.exeis-UGBVD.tmppreviewer.exepreviewer.exe31839b57a4f11171d6abc8bbc4451ee4.exeexplothe.exejbdhbic

pid	process
4808	v4292332.exe
2092	a7989946.exe
3000	b9964615.exe
2840	c1140046.exe
4056	66A4.exe
752	679F.exe
2088	x0151560.exe
4600	x5312124.exe
4472	6A32.exe
3616	x4164560.exe
2156	6B5B.exe
856	x3079184.exe
4692	g9947978.exe
3180	6D7F.exe
4868	6FF1.exe
2124	explothe.exe
4796	7FF0.exe
1080	8456.exe
8	ss41.exe
4700	toolspub2.exe
3376	31839b57a4f11171d6abc8bbc4451ee4.exe
3608	kos1.exe
2100	toolspub2.exe
2668	h7672766.exe
3184	set16.exe
4536	kos.exe
4180	is-UGBVD.tmp
220	previewer.exe
2768	previewer.exe
5936	31839b57a4f11171d6abc8bbc4451ee4.exe
5428	explothe.exe
5444	jbdhbic

Loads dropped DLL 6 IoCs

Processes:

6FF1.exeis-UGBVD.tmprundll32.exe

pid process

4868 6FF1.exe
4868 6FF1.exe
4180 is-UGBVD.tmp
4180 is-UGBVD.tmp
4180 is-UGBVD.tmp
5616 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

6B5B.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 6B5B.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4868	6FF1.exe
4868	6FF1.exe
4180	is-UGBVD.tmp
4180	is-UGBVD.tmp
4180	is-UGBVD.tmp
5616	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	6B5B.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x0151560.exex5312124.exex4164560.exex3079184.exefile.exev4292332.exe66A4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0151560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5312124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4164560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x3079184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4292332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66A4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

Processes:

a7989946.exeb9964615.exe679F.exe6A32.exeg9947978.exetoolspub2.exe8456.exe

description	pid	process	target process
PID 2092 set thread context of 772	2092	a7989946.exe	AppLaunch.exe
PID 3000 set thread context of 4112	3000	b9964615.exe	AppLaunch.exe
PID 752 set thread context of 1032	752	679F.exe	AppLaunch.exe
PID 4472 set thread context of 3744	4472	6A32.exe	AppLaunch.exe
PID 4692 set thread context of 3372	4692	g9947978.exe	AppLaunch.exe
PID 4700 set thread context of 2100	4700	toolspub2.exe	toolspub2.exe
PID 1080 set thread context of 2968	1080	8456.exe	vbc.exe

Drops file in Program Files directory 7 IoCs

Processes:

is-UGBVD.tmp

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\is-26R2N.tmp	is-UGBVD.tmp
File created	C:\Program Files (x86)\PA Previewer\is-D6OBQ.tmp	is-UGBVD.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-UGBVD.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-UGBVD.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-UGBVD.tmp
File created	C:\Program Files (x86)\PA Previewer\is-6JFIH.tmp	is-UGBVD.tmp
File created	C:\Program Files (x86)\PA Previewer\is-MDT7B.tmp	is-UGBVD.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
768	2092	WerFault.exe	a7989946.exe
3256	3000	WerFault.exe	b9964615.exe
3248	4112	WerFault.exe	AppLaunch.exe
4036	752	WerFault.exe	679F.exe
3764	4472	WerFault.exe	6A32.exe
4912	4692	WerFault.exe	g9947978.exe
2160	3372	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2376 schtasks.exe
2252 schtasks.exe
5884 schtasks.exe

pid	process
2376	schtasks.exe
2252	schtasks.exe
5884	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
772	AppLaunch.exe
772	AppLaunch.exe
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3164
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

772 AppLaunch.exe
2100 toolspub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

116 msedge.exe
116 msedge.exe
116 msedge.exe
116 msedge.exe
116 msedge.exe
116 msedge.exe
116 msedge.exe

pid	process
3164

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6B5B.exekos.exepreviewer.exe

description	pid	process
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeDebugPrivilege	2156	6B5B.exe
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeDebugPrivilege	4536	kos.exe
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeDebugPrivilege	220	previewer.exe
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exev4292332.exea7989946.exeb9964615.exe66A4.exex0151560.exex5312124.exex4164560.exex3079184.exe679F.exe

description	pid	process	target process
PID 4908 wrote to memory of 4808	4908	file.exe	v4292332.exe
PID 4908 wrote to memory of 4808	4908	file.exe	v4292332.exe
PID 4908 wrote to memory of 4808	4908	file.exe	v4292332.exe
PID 4808 wrote to memory of 2092	4808	v4292332.exe	a7989946.exe
PID 4808 wrote to memory of 2092	4808	v4292332.exe	a7989946.exe
PID 4808 wrote to memory of 2092	4808	v4292332.exe	a7989946.exe
PID 2092 wrote to memory of 772	2092	a7989946.exe	AppLaunch.exe
PID 2092 wrote to memory of 772	2092	a7989946.exe	AppLaunch.exe
PID 2092 wrote to memory of 772	2092	a7989946.exe	AppLaunch.exe
PID 2092 wrote to memory of 772	2092	a7989946.exe	AppLaunch.exe
PID 2092 wrote to memory of 772	2092	a7989946.exe	AppLaunch.exe
PID 2092 wrote to memory of 772	2092	a7989946.exe	AppLaunch.exe
PID 4808 wrote to memory of 3000	4808	v4292332.exe	b9964615.exe
PID 4808 wrote to memory of 3000	4808	v4292332.exe	b9964615.exe
PID 4808 wrote to memory of 3000	4808	v4292332.exe	b9964615.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 3000 wrote to memory of 4112	3000	b9964615.exe	AppLaunch.exe
PID 4908 wrote to memory of 2840	4908	file.exe	c1140046.exe
PID 4908 wrote to memory of 2840	4908	file.exe	c1140046.exe
PID 4908 wrote to memory of 2840	4908	file.exe	c1140046.exe
PID 3164 wrote to memory of 4056	3164		66A4.exe
PID 3164 wrote to memory of 4056	3164		66A4.exe
PID 3164 wrote to memory of 4056	3164		66A4.exe
PID 3164 wrote to memory of 752	3164		679F.exe
PID 3164 wrote to memory of 752	3164		679F.exe
PID 3164 wrote to memory of 752	3164		679F.exe
PID 4056 wrote to memory of 2088	4056	66A4.exe	x0151560.exe
PID 4056 wrote to memory of 2088	4056	66A4.exe	x0151560.exe
PID 4056 wrote to memory of 2088	4056	66A4.exe	x0151560.exe
PID 3164 wrote to memory of 3100	3164		cmd.exe
PID 3164 wrote to memory of 3100	3164		cmd.exe
PID 2088 wrote to memory of 4600	2088	x0151560.exe	x5312124.exe
PID 2088 wrote to memory of 4600	2088	x0151560.exe	x5312124.exe
PID 2088 wrote to memory of 4600	2088	x0151560.exe	x5312124.exe
PID 3164 wrote to memory of 4472	3164		6A32.exe
PID 3164 wrote to memory of 4472	3164		6A32.exe
PID 3164 wrote to memory of 4472	3164		6A32.exe
PID 4600 wrote to memory of 3616	4600	x5312124.exe	x4164560.exe
PID 4600 wrote to memory of 3616	4600	x5312124.exe	x4164560.exe
PID 4600 wrote to memory of 3616	4600	x5312124.exe	x4164560.exe
PID 3164 wrote to memory of 2156	3164		6B5B.exe
PID 3164 wrote to memory of 2156	3164		6B5B.exe
PID 3616 wrote to memory of 856	3616	x4164560.exe	x3079184.exe
PID 3616 wrote to memory of 856	3616	x4164560.exe	x3079184.exe
PID 3616 wrote to memory of 856	3616	x4164560.exe	x3079184.exe
PID 856 wrote to memory of 4692	856	x3079184.exe	g9947978.exe
PID 856 wrote to memory of 4692	856	x3079184.exe	g9947978.exe
PID 856 wrote to memory of 4692	856	x3079184.exe	g9947978.exe
PID 3164 wrote to memory of 3180	3164		6D7F.exe
PID 3164 wrote to memory of 3180	3164		6D7F.exe
PID 3164 wrote to memory of 3180	3164		6D7F.exe
PID 752 wrote to memory of 768	752	679F.exe	AppLaunch.exe
PID 752 wrote to memory of 768	752	679F.exe	AppLaunch.exe
PID 752 wrote to memory of 768	752	679F.exe	AppLaunch.exe
PID 752 wrote to memory of 1032	752	679F.exe	AppLaunch.exe
PID 752 wrote to memory of 1032	752	679F.exe	AppLaunch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4292332.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4292332.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7989946.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7989946.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 148
4⤵
- Program crash
PID:768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9964615.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9964615.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 540
5⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 164
4⤵
- Program crash
PID:3256

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1140046.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1140046.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2092 -ip 2092
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3000 -ip 3000
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4112 -ip 4112
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\66A4.exe
C:\Users\Admin\AppData\Local\Temp\66A4.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 540
8⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 156
7⤵
- Program crash
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe
6⤵
- Executes dropped EXE
PID:2668

C:\Users\Admin\AppData\Local\Temp\679F.exe
C:\Users\Admin\AppData\Local\Temp\679F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 240
2⤵
- Program crash
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\687B.bat" "
1⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda10c46f8,0x7ffda10c4708,0x7ffda10c4718
3⤵
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
3⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
3⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
3⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
3⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
3⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
3⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
3⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
3⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,770067182235997062,17715220610664465338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
3⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda10c46f8,0x7ffda10c4708,0x7ffda10c4718
3⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1440,11914222550354595452,1578978933528975243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
3⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\6A32.exe
C:\Users\Admin\AppData\Local\Temp\6A32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 264
2⤵
- Program crash
PID:3764

C:\Users\Admin\AppData\Local\Temp\6B5B.exe
C:\Users\Admin\AppData\Local\Temp\6B5B.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\6D7F.exe
C:\Users\Admin\AppData\Local\Temp\6D7F.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3180

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
3⤵
PID:488

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
4⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3680

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
4⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4612

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
4⤵
PID:3076

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
4⤵
PID:2472

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:5616

C:\Users\Admin\AppData\Local\Temp\6FF1.exe
C:\Users\Admin\AppData\Local\Temp\6FF1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 752 -ip 752
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4472 -ip 4472
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4692 -ip 4692
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4868 -ip 4868
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\7FF0.exe
C:\Users\Admin\AppData\Local\Temp\7FF0.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4700

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2100

C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
2⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2464

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2272

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:5044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2112

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2252

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:3936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:5724

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:5884

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
3⤵
- Executes dropped EXE
PID:3184

C:\Users\Admin\AppData\Local\Temp\is-B7OFU.tmp\is-UGBVD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B7OFU.tmp\is-UGBVD.tmp" /SL4 $D020A "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4180

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
5⤵
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
6⤵
PID:1236

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
5⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 3372
1⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\8456.exe
C:\Users\Admin\AppData\Local\Temp\8456.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5428

C:\Users\Admin\AppData\Roaming\jbdhbic
C:\Users\Admin\AppData\Roaming\jbdhbic
1⤵
- Executes dropped EXE
PID:5444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ddfdd941bc6e8ff391543970c95d1147

SHA1
59a1aa28b614cf70a4efdfdb54e71e5857fb1361

SHA256
4c4e91b4d0d3071c4798867e87f86d25d8afaddd4dcb73b776d613a4bdeed938

SHA512
491c21d062f01c54711558da4fc897f317e9a29eacbc78dc16d81b6599d070197973d9371ccff021511c4dd5b14a7cae886e7e7c4dcf6087e4d37de9f1f7646b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7f499cd01e3107f8889f5ef20e863cb1

SHA1
113cc1d18bc9c3cd97371c8be6a0358a241d3a11

SHA256
96f20070e1c2d835abd73875da53ccab2ed2cfe35899577772e5eb893d6d2265

SHA512
d58fcf119723766cdcab8efbdbadca5cf142dd26e0b903cd7abf9b04cc31ffbd1ae92dfdce5fc10e1a3382803b80772794fc1c2eb81f9ed259e0cb42bc10f494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cd3af5a05d40bcc33f92b020df05f7fb

SHA1
cda27585b0810b92dc67d7dfef8db857dbf6b34d

SHA256
07687bee8466ae8ed19c165622a9c7acc172d76e8e910bc77a40c2a077b7896b

SHA512
be28bcf6445a389c9c8c657327c34f76e0b8edc0bf5160d633b2b008582d5f91e496cc71aeb7d717e5059fe7bdc1587ac1c6698a6fee53e357ef1fc57475d09f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3588b872f42d0fa92aad08a5ce50cb59

SHA1
1c2fced01e23ccc041c230dc42b5cc77b16c4eff

SHA256
4c6aa5e347c447799d12bb99e26ac303b42e8642de97f6715e7707c44cc36c26

SHA512
1b4339e0d9c873322e8ffa58ce30382421a82720c5ade53364c8b3509dc93b25a859aae491348e691c8ef08ca442e99a3fa47d1a06ab0f731314146d6b148aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
872B

MD5
71f3e6a805c1be178810a1867f9f19ea

SHA1
22133418234e793ee990e955fd0b70c2aa71bef3

SHA256
c3286054b8e94ea4642b2cc765821fff9483a412f177f1e80e4781e8b99387e5

SHA512
a11e2ad861337a1a2cf4b989f7ffa0ddfbf93628524595c24944b70a08e0aae4d089b51a42c5f0c59ebb1b6c0044b182eee73a8af48333353b7c9629da523e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
872B

MD5
ed8745645b360aeb176f7acd9b61ae54

SHA1
8297e339203dfaee3df2e3ab541acb68d67429be

SHA256
d14f1a28ee356796737e1d9decf031ddb0bb56f85725229dbee64b31f9bf21cb

SHA512
52ffbc15518e6d1a0fa4a69c7d565864d4431191664b8b54d371c25c204098c47f45505db8e8eed896db2aa1516532a221b9dceb7d10ef866ebde801ea9dde33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
872B

MD5
4fbb36fc38105fdbfe354d92473da021

SHA1
599b7a9e29635e9fb8d3c1a5f807f08f1fa413cc

SHA256
b67d167d65c367dad8ac638251b9ebbb01c256442dccfea196b581bf49faa0eb

SHA512
9b27644f0d721a62cd8dea3526ed5f9cebe21c60e807c4ab87b500d37be1342da146a77beef9718d7011953f1cbd02fd8dd4f8830a2a965595f9916d85208f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594f3f.TMP
Filesize
872B

MD5
c883aec38e1be0e58fd4dbd956a03ad8

SHA1
9d0e3c7cd1544a1e7aaceff74ae2bddd7c137f11

SHA256
6454013af102c78804d5282ddf93b97738c51b2a5f082e3a832e1143a85df2a3

SHA512
213b05464fb0310c11a085d199eff100c5b90e45dcd5cc6d694f6c259a94214ae06aead7b60335a902cd8f52e7e3797c53e53089b36cfcc295ea1ebae0ec0bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
61094bc64e0fcefbaafe20736192f2bb

SHA1
b9233b441bfcae24a7fb6674c9279047675228f0

SHA256
22da986c623295e9e0fb0b96eda6efb340e9430682f0175b58315283f23af368

SHA512
92ca2a47443171b299d45e180e87243dd96c701061b8996c567bde7a7b10f10dd59101944db9ca352d03a0f4bf99ebff8348a5d01f0bee36b5c09e23c92bf480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
d8d93a06c33ab23fe08cc739afa8a29b

SHA1
fd6374af14dde2064954d99c0f46e97caf7c2a5d

SHA256
a98a496e0c30d7318b634cec96478be2682a52763b7905d44e6fb70c321f6aa5

SHA512
79ee43172310bdea5da8f9b0f2354c4577e74362a9a03fecae529dc54d05f48c94b37d5887cec2b51df8352470c4cef6a7bed96d550f073c11b447d14f7902e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
014a360b51eca09fe2ee4bfcc3620c68

SHA1
8575ebc0cdc3913b9d80681a0add41a3026263b3

SHA256
5ae4a57b0486ef89ef3d40a6e16dbdc02819bf0eb424cb039a1cff034758dac9

SHA512
5b5685ce9f6451b13aae54347a57f52504071dc45385d86e9beb0c94bf331a3bd1e47ed8683525ead0f5ae41c1fb428fb8f19637e07dbc597c048bfa81d1aee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A4.exe
Filesize
1.0MB

MD5
4b40718893333aef8f222bb64a26d71a

SHA1
d7e2627b5bbad2b3b1d21d7af194289fe2f6f4a1

SHA256
8f45d7623fe6020ead49c5a608d4a53e5d15b98c8d4518fc215f9659d26c284e

SHA512
370ceb63434b65619f070873b08e42e5674010adc44b54d8c5469804168f6907c030e0f4b345cc2349625df66a1c4a83818a2f8a4f4bb66259dd2d76da47de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A4.exe
Filesize
1.0MB

MD5
4b40718893333aef8f222bb64a26d71a

SHA1
d7e2627b5bbad2b3b1d21d7af194289fe2f6f4a1

SHA256
8f45d7623fe6020ead49c5a608d4a53e5d15b98c8d4518fc215f9659d26c284e

SHA512
370ceb63434b65619f070873b08e42e5674010adc44b54d8c5469804168f6907c030e0f4b345cc2349625df66a1c4a83818a2f8a4f4bb66259dd2d76da47de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\679F.exe
Filesize
276KB

MD5
36580bf86d3df87ccd923183d274ebf9

SHA1
b7dbe05df051579308d4ae89b0f05e0a0cda4577

SHA256
99e958e9d9c5c496b7929e6776e9fecf46bc786e45ab7273f4cf2ddc9e0c5b4c

SHA512
aeed09f98d85464c6b1fa054bc2b12bc58863ea2c2a5b57676f2edbbea044f0bb0f67a9274d629b180a8f174018bb287353d7660d53621e07622e5e6d05a3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\679F.exe
Filesize
276KB

MD5
36580bf86d3df87ccd923183d274ebf9

SHA1
b7dbe05df051579308d4ae89b0f05e0a0cda4577

SHA256
99e958e9d9c5c496b7929e6776e9fecf46bc786e45ab7273f4cf2ddc9e0c5b4c

SHA512
aeed09f98d85464c6b1fa054bc2b12bc58863ea2c2a5b57676f2edbbea044f0bb0f67a9274d629b180a8f174018bb287353d7660d53621e07622e5e6d05a3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\687B.bat
Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A32.exe
Filesize
310KB

MD5
b1076978d5ee4be765e8a49dcf8fea57

SHA1
2c29733e7369d1be3578130d704c498041af30c4

SHA256
8bc9fa85bb9a2878b231c8cf656f66a5aaa30f6c9b54f24ff0a2d84f0272c955

SHA512
aec4345faa2e3e5dc80cc59259dfa9bef5adc03a96bb846d3de89969d8e788499f63369bb811f4dcbfe74d93c36fa1c10c80165c2f40327480f883543dc6d013

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A32.exe
Filesize
310KB

MD5
b1076978d5ee4be765e8a49dcf8fea57

SHA1
2c29733e7369d1be3578130d704c498041af30c4

SHA256
8bc9fa85bb9a2878b231c8cf656f66a5aaa30f6c9b54f24ff0a2d84f0272c955

SHA512
aec4345faa2e3e5dc80cc59259dfa9bef5adc03a96bb846d3de89969d8e788499f63369bb811f4dcbfe74d93c36fa1c10c80165c2f40327480f883543dc6d013

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B5B.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B5B.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D7F.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D7F.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FF1.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FF1.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FF1.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FF1.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FF0.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FF0.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\8456.exe
Filesize
1.4MB

MD5
965fcf373f3e95995f8ae35df758eca1

SHA1
a62d2494f6ba8a02a80a02017e7c347f76b18fa6

SHA256
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

SHA512
55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8456.exe
Filesize
1.4MB

MD5
965fcf373f3e95995f8ae35df758eca1

SHA1
a62d2494f6ba8a02a80a02017e7c347f76b18fa6

SHA256
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

SHA512
55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1140046.exe
Filesize
24KB

MD5
4eba1c0b99838156311615affb64bf1a

SHA1
b1bc4b7fbf2c2fcec6c5e78e86494e007fabd79f

SHA256
5f744a7d12c9f469c24fb1c5ab9b5cd23277db31fdade92430897220e1346044

SHA512
bb11fec1ff7e45e45955a851750e8d529c368acdbad393299e7608c16c4c98b415ecff57488ce180751828b17c994658b00c2a1617390ab6a8fdbc15f5127409

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1140046.exe
Filesize
24KB

MD5
4eba1c0b99838156311615affb64bf1a

SHA1
b1bc4b7fbf2c2fcec6c5e78e86494e007fabd79f

SHA256
5f744a7d12c9f469c24fb1c5ab9b5cd23277db31fdade92430897220e1346044

SHA512
bb11fec1ff7e45e45955a851750e8d529c368acdbad393299e7608c16c4c98b415ecff57488ce180751828b17c994658b00c2a1617390ab6a8fdbc15f5127409

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3493954.exe
Filesize
23KB

MD5
77db413ae4fec32a49abafe781566b4a

SHA1
fc6112c376d19da27e59693971e33b740922d248

SHA256
348579c873e04e40d4b2f57135969ae00d33336dd7579769f7268bf3f0d03aac

SHA512
bc254e9561e34fcb335d1ed4c32491c5350f6aebab95c45f14962b21e42cc8bebe6869362bc9d3cb5ce08424dd8d904a77ebec79612db425b35c103336455440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4292332.exe
Filesize
324KB

MD5
7aeff437cf6fb31abef5570d41ab3bd7

SHA1
febb505281fd5940e7060f49f3e6e34830816576

SHA256
0a629466bbfcb5a414a3afea346351b204a947cf61c80be8560960b1ac9db54e

SHA512
790669eb96ca5dc76ad18327226eddd17a96aa7f2d1e78c03ccb39f8a059714217652b9fcbd06c4b375fe18d9ac2d9b5bbb8d96071a5e204762b6ee3b0a11639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4292332.exe
Filesize
324KB

MD5
7aeff437cf6fb31abef5570d41ab3bd7

SHA1
febb505281fd5940e7060f49f3e6e34830816576

SHA256
0a629466bbfcb5a414a3afea346351b204a947cf61c80be8560960b1ac9db54e

SHA512
790669eb96ca5dc76ad18327226eddd17a96aa7f2d1e78c03ccb39f8a059714217652b9fcbd06c4b375fe18d9ac2d9b5bbb8d96071a5e204762b6ee3b0a11639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe
Filesize
930KB

MD5
ddee606bcadb4ef045544138ec65ff26

SHA1
e638e86518d372e6507e378a6b80433625327b29

SHA256
c5424b8849311e071c5c706bd5daa9b00445fbc7ec0a375b6a73defc62f047d4

SHA512
2fcaff7990cd3b96ccffabe7b0b729f99924c1e73874862776307bdfbcececd6e5cbe3cfd7d48b5f45f33de3f2a067d249766f80a9448119b555d9fd6787428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0151560.exe
Filesize
930KB

MD5
ddee606bcadb4ef045544138ec65ff26

SHA1
e638e86518d372e6507e378a6b80433625327b29

SHA256
c5424b8849311e071c5c706bd5daa9b00445fbc7ec0a375b6a73defc62f047d4

SHA512
2fcaff7990cd3b96ccffabe7b0b729f99924c1e73874862776307bdfbcececd6e5cbe3cfd7d48b5f45f33de3f2a067d249766f80a9448119b555d9fd6787428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7989946.exe
Filesize
166KB

MD5
77f11bda1e9cfb1c0c0fb1abfe576e9e

SHA1
f073c0cf1d4f819f497f7190dd4ba97685f10b20

SHA256
4d6947cc1126f5705e23413c5a40b942cdf52feefb844ea133d39c89a0a66f9d

SHA512
f41d6c64b042b8ec4f006d14aa2a885b47124550d89e2a3bb2dfeef0fe36536980d8f2ef7f1e53a6e1338e710377a013230510f7bbb341b565342c3acc21060e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7989946.exe
Filesize
166KB

MD5
77f11bda1e9cfb1c0c0fb1abfe576e9e

SHA1
f073c0cf1d4f819f497f7190dd4ba97685f10b20

SHA256
4d6947cc1126f5705e23413c5a40b942cdf52feefb844ea133d39c89a0a66f9d

SHA512
f41d6c64b042b8ec4f006d14aa2a885b47124550d89e2a3bb2dfeef0fe36536980d8f2ef7f1e53a6e1338e710377a013230510f7bbb341b565342c3acc21060e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9964615.exe
Filesize
276KB

MD5
6a355119cab7d60f37dc853d2353ec1b

SHA1
dd89916d2a57f05353d97666a3a477a7f22dd3e6

SHA256
b3dd7749a39675ed753d0e5fd4deb7b33acd04650905e3db578c096582af6d83

SHA512
5c0ba0b86a906903cd1da495bf5553d64412c5808b1d3099aab083ce7f9589449c455ca33e418af0ccd7684e2a11d6dfa2e5646a63ccda19e55181a27fa4c5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9964615.exe
Filesize
276KB

MD5
6a355119cab7d60f37dc853d2353ec1b

SHA1
dd89916d2a57f05353d97666a3a477a7f22dd3e6

SHA256
b3dd7749a39675ed753d0e5fd4deb7b33acd04650905e3db578c096582af6d83

SHA512
5c0ba0b86a906903cd1da495bf5553d64412c5808b1d3099aab083ce7f9589449c455ca33e418af0ccd7684e2a11d6dfa2e5646a63ccda19e55181a27fa4c5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe
Filesize
747KB

MD5
f05ed256cd058d1e1f402330a0844da6

SHA1
fd9ab1c2096b19093bbca4bf1454ad2297b715fd

SHA256
ceceffbcc7a69d14e28c775bd5638ab89b82135a35215c6bca3c43d53ea6705b

SHA512
ea7eeeacf031bf7a492402c4d12de8e7f52c959e02c7b4958e9610613edf3cdc37dd399dc5b8f1b09bf01ccb94bfc6d784850395d3ef6fbe45411a3f4ff9b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5312124.exe
Filesize
747KB

MD5
f05ed256cd058d1e1f402330a0844da6

SHA1
fd9ab1c2096b19093bbca4bf1454ad2297b715fd

SHA256
ceceffbcc7a69d14e28c775bd5638ab89b82135a35215c6bca3c43d53ea6705b

SHA512
ea7eeeacf031bf7a492402c4d12de8e7f52c959e02c7b4958e9610613edf3cdc37dd399dc5b8f1b09bf01ccb94bfc6d784850395d3ef6fbe45411a3f4ff9b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe
Filesize
516KB

MD5
87b4c0570ce64b120c2cc6c2b848f8ac

SHA1
028a2228429e0b29b14e59a4cf5eb649f23bd4b3

SHA256
111403e2b1489acd64d6c81f470359e002f914aee5e0d8cfc59a0ba079d90609

SHA512
75013a3120403e2de7051d6fef31ff4370082080f1ea1dc438a2dc2ae2dba314ad35c315447687f8ba26ce3308b26ae739bb23be810e43bd936bad022f5f332b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4164560.exe
Filesize
516KB

MD5
87b4c0570ce64b120c2cc6c2b848f8ac

SHA1
028a2228429e0b29b14e59a4cf5eb649f23bd4b3

SHA256
111403e2b1489acd64d6c81f470359e002f914aee5e0d8cfc59a0ba079d90609

SHA512
75013a3120403e2de7051d6fef31ff4370082080f1ea1dc438a2dc2ae2dba314ad35c315447687f8ba26ce3308b26ae739bb23be810e43bd936bad022f5f332b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe
Filesize
350KB

MD5
9be0cc653a06e9f37747a1fb7168113c

SHA1
37c247216f9be8f5ca629f9e498eddc51ff4ff8f

SHA256
4c8e414605f66cdda6c419af34b3a69f5c92d9f77796fa99bd137f1ca8505329

SHA512
92059e5df93b9e7922bc98d47546b32ba54fdaa1c596cf3fd2758364da439f40c2e14f63e5832a63f893ddf47ae6a35c656479bfac924c836bf3418791f2cc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3079184.exe
Filesize
350KB

MD5
9be0cc653a06e9f37747a1fb7168113c

SHA1
37c247216f9be8f5ca629f9e498eddc51ff4ff8f

SHA256
4c8e414605f66cdda6c419af34b3a69f5c92d9f77796fa99bd137f1ca8505329

SHA512
92059e5df93b9e7922bc98d47546b32ba54fdaa1c596cf3fd2758364da439f40c2e14f63e5832a63f893ddf47ae6a35c656479bfac924c836bf3418791f2cc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe
Filesize
276KB

MD5
bc5d6c21c9ba272735e4490ba056407e

SHA1
27f5715ab1f899cefc7935e02709f5f7392f1c5d

SHA256
1924c309f253bae40986bca4fc5a79e503f87b5ec083398eab5a7dd15f53874c

SHA512
e9aaee620ad0b2e4bf47f889df6d81348ee44d0385ddfc83fc1d27ab61480a3300b77e9ae506f79ae6ed61488de9b8e2e1abed64fa73a65824d217d0656bfe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9947978.exe
Filesize
276KB

MD5
bc5d6c21c9ba272735e4490ba056407e

SHA1
27f5715ab1f899cefc7935e02709f5f7392f1c5d

SHA256
1924c309f253bae40986bca4fc5a79e503f87b5ec083398eab5a7dd15f53874c

SHA512
e9aaee620ad0b2e4bf47f889df6d81348ee44d0385ddfc83fc1d27ab61480a3300b77e9ae506f79ae6ed61488de9b8e2e1abed64fa73a65824d217d0656bfe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe
Filesize
174KB

MD5
aa7375d73dd3ea72bb012c59e46d9f55

SHA1
5dd990107051cf5d337d6edebce430b18315f703

SHA256
99500a327ecbbc8bc43d135638933b2531d7341333a6a9ef3c84e5523556e78a

SHA512
d266e388b96cd5820616f326c064207de7a42678a4977aba635ebfe582bc19654902fad4d87e81d9e15f4e8596251e8411bdea771f8e6bad610fffee4cfd95a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h7672766.exe
Filesize
174KB

MD5
aa7375d73dd3ea72bb012c59e46d9f55

SHA1
5dd990107051cf5d337d6edebce430b18315f703

SHA256
99500a327ecbbc8bc43d135638933b2531d7341333a6a9ef3c84e5523556e78a

SHA512
d266e388b96cd5820616f326c064207de7a42678a4977aba635ebfe582bc19654902fad4d87e81d9e15f4e8596251e8411bdea771f8e6bad610fffee4cfd95a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqhtssb3.h3p.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7OFU.tmp\is-UGBVD.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7OFU.tmp\is-UGBVD.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7ST7.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7ST7.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7ST7.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
memory/8-314-0x0000000002FA0000-0x00000000030D1000-memory.dmp

Filesize
1.2MB

Download
memory/8-170-0x00007FF656990000-0x00007FF6569FA000-memory.dmp

Filesize
424KB

Download
memory/8-317-0x0000000002E20000-0x0000000002F91000-memory.dmp

Filesize
1.4MB

Download
memory/220-302-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/220-305-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/772-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/772-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/772-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1032-101-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1032-100-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1032-122-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1032-102-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1080-144-0x00000000002B0000-0x000000000046D000-memory.dmp

Filesize
1.7MB

Download
memory/1080-242-0x00000000002B0000-0x000000000046D000-memory.dmp

Filesize
1.7MB

Download
memory/2100-193-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2100-256-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2100-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2156-80-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2156-94-0x00007FFD9FA60000-0x00007FFDA0521000-memory.dmp

Filesize
10.8MB

Download
memory/2156-202-0x00007FFD9FA60000-0x00007FFDA0521000-memory.dmp

Filesize
10.8MB

Download
memory/2668-492-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/2668-426-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-248-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/2668-231-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-205-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2668-206-0x00000000009C0000-0x00000000009C6000-memory.dmp

Filesize
24KB

Download
memory/2768-490-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2768-534-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2768-328-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2768-622-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2768-311-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2968-495-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/2968-216-0x0000000000A20000-0x0000000000A50000-memory.dmp

Filesize
192KB

Download
memory/2968-331-0x0000000005350000-0x00000000053C6000-memory.dmp

Filesize
472KB

Download
memory/2968-335-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/2968-340-0x00000000066E0000-0x0000000006C84000-memory.dmp

Filesize
5.6MB

Download
memory/2968-253-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/2968-280-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2968-503-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2968-341-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/2968-244-0x00000000028E0000-0x00000000028E6000-memory.dmp

Filesize
24KB

Download
memory/2968-423-0x00000000088B0000-0x0000000008DDC000-memory.dmp

Filesize
5.2MB

Download
memory/2968-421-0x0000000006400000-0x00000000065C2000-memory.dmp

Filesize
1.8MB

Download
memory/3164-19-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/3164-254-0x00000000026E0000-0x00000000026F6000-memory.dmp

Filesize
88KB

Download
memory/3184-235-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3184-260-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3372-114-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3372-121-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3372-116-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3376-396-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-329-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-638-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-207-0x0000000004B60000-0x000000000544B000-memory.dmp

Filesize
8.9MB

Download
memory/3376-219-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-424-0x0000000004760000-0x0000000004B5C000-memory.dmp

Filesize
4.0MB

Download
memory/3376-562-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-415-0x0000000004B60000-0x000000000544B000-memory.dmp

Filesize
8.9MB

Download
memory/3376-298-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-241-0x0000000004760000-0x0000000004B5C000-memory.dmp

Filesize
4.0MB

Download
memory/3376-496-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3376-385-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3608-245-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/3608-189-0x0000000000AF0000-0x0000000000C64000-memory.dmp

Filesize
1.5MB

Download
memory/3608-196-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/3744-124-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/3744-186-0x0000000004AC0000-0x0000000004BCA000-memory.dmp

Filesize
1.0MB

Download
memory/3744-414-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/3744-123-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/3744-208-0x0000000004A70000-0x0000000004ABC000-memory.dmp

Filesize
304KB

Download
memory/3744-174-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/3744-197-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/3744-192-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3744-200-0x0000000004A30000-0x0000000004A6C000-memory.dmp

Filesize
240KB

Download
memory/3744-110-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3744-283-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4112-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4112-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4112-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4112-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4180-281-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4180-308-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4536-307-0x000000001B700000-0x000000001B802000-memory.dmp

Filesize
1.0MB

Download
memory/4536-491-0x00007FFD9FA60000-0x00007FFDA0521000-memory.dmp

Filesize
10.8MB

Download
memory/4536-502-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/4536-259-0x00007FFD9FA60000-0x00007FFDA0521000-memory.dmp

Filesize
10.8MB

Download
memory/4536-276-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/4536-240-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/4700-190-0x0000000002710000-0x0000000002719000-memory.dmp

Filesize
36KB

Download
memory/4700-185-0x00000000027A0000-0x00000000028A0000-memory.dmp

Filesize
1024KB

Download
memory/4868-126-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4868-115-0x00000000007C0000-0x000000000081A000-memory.dmp

Filesize
360KB

Download
memory/4868-133-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4868-146-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4868-158-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download