amadey | 8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348

Analysis

max time kernel
74s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe
Size

194KB
MD5

78b6dec3a3fa096a9750cf77a3e0b1c8
SHA1

d41dd71945a57f9ce3c2a380fee10adb6cc910b5
SHA256

8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348
SHA512

6d06e383d67604e7fc07893909aa449856d0f4eb5e0d6d6ec1a5a44a689f5260b9cb2975ccad0bdfb437e0f9ffd7e656cd3d411bc8f80c66c945474e0ac141c9
SSDEEP

6144:CFB8VpmGrjYEBi3ZbEbzCt8ISh1cEVHAX0wCTRXK:ssrrjYEBiwCthSh1xHrTRXK

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

lada

77.91.124.55:19071

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@ytlogsbot

176.123.4.46:33783

Attributes

auth_value
295b226f1b63bcd55148625381b27b19

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Processes:

schtasks.exeAppLaunch.exeschtasks.exeschtasks.exe

pid process

3260 schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe
1128 schtasks.exe
5216 schtasks.exe

pid	process
3260	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
1128	schtasks.exe
5216	schtasks.exe

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2468-338-0x00000000032F0000-0x0000000003421000-memory.dmp	family_fabookie

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DD93.exe	healer
behavioral1/memory/3800-71-0x00000000002F0000-0x00000000002FA000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\DD93.exe	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3280-190-0x0000000004A90000-0x000000000537B000-memory.dmp	family_glupteba
behavioral1/memory/3280-211-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/3280-305-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/3280-417-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/3280-430-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/3280-543-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/5532-640-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/5532-741-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/4672-748-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/4672-757-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

DD93.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	DD93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	DD93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	DD93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	DD93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	DD93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	DD93.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1316-83-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/4376-213-0x0000000000690000-0x00000000006EA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1400 netsh.exe

pid	process
1400	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kos1.exekos.exeDEDC.exeexplothe.exeE9CA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	kos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	DEDC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	E9CA.exe

Executes dropped EXE 28 IoCs

Processes:

D784.exeD8EC.exex9435037.exex7886351.exex4902647.exex4718039.exeg8315913.exeDCC6.exeDD93.exeDEDC.exeexplothe.exeh8940647.exeE9CA.exess41.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exekos1.exeEF68.exetoolspub2.exeF313.exeset16.exekos.exeis-AP4VJ.tmppreviewer.exepreviewer.exe31839b57a4f11171d6abc8bbc4451ee4.exeexplothe.execsrss.exe

pid	process
2200	D784.exe
1980	D8EC.exe
2708	x9435037.exe
1104	x7886351.exe
1500	x4902647.exe
1296	x4718039.exe
4008	g8315913.exe
748	DCC6.exe
3800	DD93.exe
1600	DEDC.exe
3884	explothe.exe
4948	h8940647.exe
5024	E9CA.exe
2468	ss41.exe
736	toolspub2.exe
3280	31839b57a4f11171d6abc8bbc4451ee4.exe
4824	kos1.exe
4288	EF68.exe
2576	toolspub2.exe
4376	F313.exe
4768	set16.exe
2912	kos.exe
4308	is-AP4VJ.tmp
3100	previewer.exe
5408	previewer.exe
5532	31839b57a4f11171d6abc8bbc4451ee4.exe
4700	explothe.exe
4672	csrss.exe

Loads dropped DLL 5 IoCs

Processes:

is-AP4VJ.tmpF313.exe

pid process

4308 is-AP4VJ.tmp
4308 is-AP4VJ.tmp
4308 is-AP4VJ.tmp
4376 F313.exe
4376 F313.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

DD93.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" DD93.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4308	is-AP4VJ.tmp
4308	is-AP4VJ.tmp
4308	is-AP4VJ.tmp
4376	F313.exe
4376	F313.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	DD93.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x9435037.exex7886351.exex4902647.exex4718039.exe31839b57a4f11171d6abc8bbc4451ee4.exeD784.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9435037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7886351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4902647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x4718039.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	D784.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exeD8EC.exeg8315913.exeDCC6.exetoolspub2.exeEF68.exe

description	pid	process	target process
PID 908 set thread context of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 1980 set thread context of 4460	1980	D8EC.exe	AppLaunch.exe
PID 4008 set thread context of 1008	4008	g8315913.exe	AppLaunch.exe
PID 748 set thread context of 1316	748	DCC6.exe	AppLaunch.exe
PID 736 set thread context of 2576	736	toolspub2.exe	toolspub2.exe
PID 4288 set thread context of 1764	4288	EF68.exe	vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 7 IoCs

Processes:

is-AP4VJ.tmp

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-AP4VJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-RU9C1.tmp	is-AP4VJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-64459.tmp	is-AP4VJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-M5BGQ.tmp	is-AP4VJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-QKVCM.tmp	is-AP4VJ.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-AP4VJ.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-AP4VJ.tmp

Drops file in Windows directory 2 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1828	908	WerFault.exe	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe
1828	1980	WerFault.exe	D8EC.exe
4956	4008	WerFault.exe	g8315913.exe
4780	1008	WerFault.exe	AppLaunch.exe
1392	748	WerFault.exe	DCC6.exe
5428	4376	WerFault.exe	F313.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exetoolspub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1128 schtasks.exe
5216 schtasks.exe
3260 schtasks.exe

pid	process
1128	schtasks.exe
5216	schtasks.exe
3260	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
4464	AppLaunch.exe
4464	AppLaunch.exe
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3104
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

4464 AppLaunch.exe
2576 toolspub2.exe

pid	process
3104

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DD93.exekos.exepreviewer.exe

description	pid	process
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeDebugPrivilege	3800	DD93.exe
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeDebugPrivilege	2912	kos.exe
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeDebugPrivilege	3100	previewer.exe
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exeD784.exex9435037.exex7886351.exex4902647.exex4718039.exeD8EC.exeg8315913.exe

description	pid	process	target process
PID 908 wrote to memory of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 908 wrote to memory of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 908 wrote to memory of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 908 wrote to memory of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 908 wrote to memory of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 908 wrote to memory of 4464	908	8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe	AppLaunch.exe
PID 3104 wrote to memory of 2200	3104		D784.exe
PID 3104 wrote to memory of 2200	3104		D784.exe
PID 3104 wrote to memory of 2200	3104		D784.exe
PID 3104 wrote to memory of 1980	3104		D8EC.exe
PID 3104 wrote to memory of 1980	3104		D8EC.exe
PID 3104 wrote to memory of 1980	3104		D8EC.exe
PID 2200 wrote to memory of 2708	2200	D784.exe	x9435037.exe
PID 2200 wrote to memory of 2708	2200	D784.exe	x9435037.exe
PID 2200 wrote to memory of 2708	2200	D784.exe	x9435037.exe
PID 2708 wrote to memory of 1104	2708	x9435037.exe	x7886351.exe
PID 2708 wrote to memory of 1104	2708	x9435037.exe	x7886351.exe
PID 2708 wrote to memory of 1104	2708	x9435037.exe	x7886351.exe
PID 1104 wrote to memory of 1500	1104	x7886351.exe	x4902647.exe
PID 1104 wrote to memory of 1500	1104	x7886351.exe	x4902647.exe
PID 1104 wrote to memory of 1500	1104	x7886351.exe	x4902647.exe
PID 1500 wrote to memory of 1296	1500	x4902647.exe	x4718039.exe
PID 1500 wrote to memory of 1296	1500	x4902647.exe	x4718039.exe
PID 1500 wrote to memory of 1296	1500	x4902647.exe	x4718039.exe
PID 3104 wrote to memory of 1276	3104		cmd.exe
PID 3104 wrote to memory of 1276	3104		cmd.exe
PID 1296 wrote to memory of 4008	1296	x4718039.exe	g8315913.exe
PID 1296 wrote to memory of 4008	1296	x4718039.exe	g8315913.exe
PID 1296 wrote to memory of 4008	1296	x4718039.exe	g8315913.exe
PID 1980 wrote to memory of 4344	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4344	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4344	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 516	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 516	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 516	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 1232	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 1232	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 1232	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 1980 wrote to memory of 4460	1980	D8EC.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 4008 wrote to memory of 1008	4008	g8315913.exe	AppLaunch.exe
PID 3104 wrote to memory of 748	3104		DCC6.exe
PID 3104 wrote to memory of 748	3104		DCC6.exe
PID 3104 wrote to memory of 748	3104		DCC6.exe
PID 3104 wrote to memory of 3800	3104		DD93.exe
PID 3104 wrote to memory of 3800	3104		DD93.exe
PID 3104 wrote to memory of 1600	3104		DEDC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe
"C:\Users\Admin\AppData\Local\Temp\8b5a6e4107095b911f952b6a8bb582627476c1be248225daa4792b38270c0348.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 408
2⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 908 -ip 908
1⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\D784.exe
C:\Users\Admin\AppData\Local\Temp\D784.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 548
8⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 596
7⤵
- Program crash
PID:4956

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe
6⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\D8EC.exe
C:\Users\Admin\AppData\Local\Temp\D8EC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 152
2⤵
- Program crash
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DA54.bat" "
1⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc606d46f8,0x7ffc606d4708,0x7ffc606d4718
3⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
3⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
3⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
3⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
3⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
3⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
3⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
3⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
3⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
3⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
3⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
3⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
3⤵
PID:5172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
3⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
3⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
3⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
3⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:8
3⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,3677612701044876774,17267475137488837303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:8
3⤵
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1980 -ip 1980
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\DCC6.exe
C:\Users\Admin\AppData\Local\Temp\DCC6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 152
2⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4008 -ip 4008
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\DD93.exe
C:\Users\Admin\AppData\Local\Temp\DD93.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1008 -ip 1008
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\DEDC.exe
C:\Users\Admin\AppData\Local\Temp\DEDC.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
3⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2180

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
4⤵
PID:4416

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
4⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5936

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
4⤵
PID:6044

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
4⤵
PID:6140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:1128

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 748 -ip 748
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\E9CA.exe
C:\Users\Admin\AppData\Local\Temp\E9CA.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
2⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:736

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2576

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
PID:3280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:5616

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5376

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2572

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:5216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:5880

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:5900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:6116

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:3260

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\EF68.exe
C:\Users\Admin\AppData\Local\Temp\EF68.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\F313.exe
C:\Users\Admin\AppData\Local\Temp\F313.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 792
2⤵
- Program crash
PID:5428

C:\Users\Admin\AppData\Local\Temp\is-OCV47.tmp\is-AP4VJ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OCV47.tmp\is-AP4VJ.tmp" /SL4 $C0028 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4308

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
2⤵
PID:3268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
3⤵
PID:5540

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
2⤵
- Executes dropped EXE
PID:5408

C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
1⤵
- Executes dropped EXE
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc606d46f8,0x7ffc606d4708,0x7ffc606d4718
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4376 -ip 4376
1⤵
PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5564

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5016

C:\Users\Admin\AppData\Roaming\basjgaj
C:\Users\Admin\AppData\Roaming\basjgaj
1⤵
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\ProgramData\ContentDVSvc\ContentDVSvc.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
863B

MD5
84a63db1060a039a9f5a3b654b9e6246

SHA1
1e656248570b86ce2be0e5df932b11a8424f6aea

SHA256
38e4b359d8633746ff0f391c9273edcf5d2e08cfe2d4b137fc4b9f63d35b71d3

SHA512
fabef7370df9acf2a571ebe7c5a26536b7c03dcf6cd5e3d67dfb60a1a7dd394671f0c4d7073fd615dc287b97905b11f6e6bf84002ef76231fddc0e640477abb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d0a9154ff0c8d8539819076c7600f71e

SHA1
ae733db79157a64623da267b9404142540eedbfa

SHA256
aad7573e8ed5cc385ecbcf94275efdcc1ff0bb979cdc071c8dfc9141dd66109c

SHA512
8793c1a1788f2e8ae62f161ce795f2f7e9dd0cc6f9a98c45c6b7a1612b64231e71717cdd6cf61cdbeb3fd57f4566b10d27ab4d807819f1d2c4cd97d857c3c506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
47a78bc7f0b68e09fd916599014e83ab

SHA1
85b4763f09f28968f473cad17eebbce961fdfe72

SHA256
d8d823fcee611994e3275bb46b91a77732011b828013b8ad656f92d19783a5af

SHA512
87fd1bdf5455d84bad78f5ea00e1a9338667630f93649ebc4911eaae4b4b2b92c10dfc41552830e7c548b627570a9d0ab99240296cf853be58f0b36e9872f0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
b690c7643af8bf5f3a96b59e33522135

SHA1
204ca48a942ecba4d2f2ef844275c3f5905ed453

SHA256
4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695

SHA512
f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
a63132423a10354a5e5af098c3f738a2

SHA1
446799e46112c3a5770576bfdfb9c655c6d742ae

SHA256
91dcbf431faf50ba0ef06f3c7c600264d76bb8caee4b243527026c18c8582be2

SHA512
38dc9fcc73b2f90d2d63b698580a00875c9f889a3e5fd5767222d1468c88e398f8103bdd7f34d1e2c2e4ae86fec43f48d3626ec254ac3bf5f156e148cd52a61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bfd60db8fa3ce69145b0032c6da672a9

SHA1
0f4ba83178205b916b3c060ef7d69460fdc25468

SHA256
d975e5a12b704a958c3c7a866e1509edb36d4f410ddd11953e66fdcb69018630

SHA512
d3203c6b08112befc1b67b96be62217f21951743615e635fed0ae4e45740482aabee4f270b46929127bc97657d5ddca51f692303952c2dba95a94678938c3a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bfd60db8fa3ce69145b0032c6da672a9

SHA1
0f4ba83178205b916b3c060ef7d69460fdc25468

SHA256
d975e5a12b704a958c3c7a866e1509edb36d4f410ddd11953e66fdcb69018630

SHA512
d3203c6b08112befc1b67b96be62217f21951743615e635fed0ae4e45740482aabee4f270b46929127bc97657d5ddca51f692303952c2dba95a94678938c3a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D784.exe
Filesize
1.0MB

MD5
38245a63ed4c5c803fc8bde8967a88ff

SHA1
38b412cde27ec02e05f7eb2d61983b74f50ae289

SHA256
f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab

SHA512
e92f5e1a07afbcad8ae829b914ce60edcca7d65128ae1261f1e2715dcd5c30f07aee8263bd2f516205737b52c9178b8d3555a96e7b105fe427a716235b42dcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D784.exe
Filesize
1.0MB

MD5
38245a63ed4c5c803fc8bde8967a88ff

SHA1
38b412cde27ec02e05f7eb2d61983b74f50ae289

SHA256
f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab

SHA512
e92f5e1a07afbcad8ae829b914ce60edcca7d65128ae1261f1e2715dcd5c30f07aee8263bd2f516205737b52c9178b8d3555a96e7b105fe427a716235b42dcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8EC.exe
Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8EC.exe
Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA54.bat
Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCC6.exe
Filesize
386KB

MD5
b2f74506c29b008e4f76d55593ac3d74

SHA1
16c9a77d8f4b55710d1756e9983ae030903f2ff5

SHA256
3cc8a757b5a6a4d5dbb5bb34165de99d8b4a81602920bf0172299789f6b55a1c

SHA512
bf3508b475e1f34b540283bdffab415b842d9fc49bf3a7e534a1def9b87cfe9942dd881ef32d93113323bd1765070883bf58d49a6e8f079745bdeb345078868a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCC6.exe
Filesize
386KB

MD5
b2f74506c29b008e4f76d55593ac3d74

SHA1
16c9a77d8f4b55710d1756e9983ae030903f2ff5

SHA256
3cc8a757b5a6a4d5dbb5bb34165de99d8b4a81602920bf0172299789f6b55a1c

SHA512
bf3508b475e1f34b540283bdffab415b842d9fc49bf3a7e534a1def9b87cfe9942dd881ef32d93113323bd1765070883bf58d49a6e8f079745bdeb345078868a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD93.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD93.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEDC.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEDC.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9CA.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9CA.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF68.exe
Filesize
1.4MB

MD5
965fcf373f3e95995f8ae35df758eca1

SHA1
a62d2494f6ba8a02a80a02017e7c347f76b18fa6

SHA256
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

SHA512
55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF68.exe
Filesize
1.4MB

MD5
965fcf373f3e95995f8ae35df758eca1

SHA1
a62d2494f6ba8a02a80a02017e7c347f76b18fa6

SHA256
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

SHA512
55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\F313.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F313.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F313.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F313.exe
Filesize
407KB

MD5
264d1eb69bcce00fdf11a6a39472dd0a

SHA1
e466c80da7f961743681b6dbdae3eaa0756a4dcd

SHA256
a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79

SHA512
f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe
Filesize
974KB

MD5
8b8e02e778b926266ef60ea128fd4246

SHA1
c2fba20814c9a6b00e10ebd7e6617dfad269de85

SHA256
740d0a84b01bd96dd973514f061f71fddcdbbf0da221fd9cdc0738872b5893fa

SHA512
c7b0ebeb8cd51cea6f9c098d9c06ccc178f881a2e77e865fd848a57a85c6271c8038ebe4107ef92f3b1bba719a23b350a4c2b25f7236f3a9b118919e8df17758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe
Filesize
974KB

MD5
8b8e02e778b926266ef60ea128fd4246

SHA1
c2fba20814c9a6b00e10ebd7e6617dfad269de85

SHA256
740d0a84b01bd96dd973514f061f71fddcdbbf0da221fd9cdc0738872b5893fa

SHA512
c7b0ebeb8cd51cea6f9c098d9c06ccc178f881a2e77e865fd848a57a85c6271c8038ebe4107ef92f3b1bba719a23b350a4c2b25f7236f3a9b118919e8df17758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe
Filesize
792KB

MD5
918aa4d929aa61a54588a18f72b49c8c

SHA1
7a8ac5c2944b9b4a250b475bd010a15b5cf5ad3a

SHA256
d03d28985143381cd0a1ffe527e7c7a7f6c0d761e4947c6ae60a7d612a3f1a0b

SHA512
5dbf3f616d90d3d2cc0a5702787141413cd6ac04647aa2adff1fba2c22571f6db869369b9773392e644e975cfd652093bc0fcc54cd4b716731323adfbb72188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe
Filesize
792KB

MD5
918aa4d929aa61a54588a18f72b49c8c

SHA1
7a8ac5c2944b9b4a250b475bd010a15b5cf5ad3a

SHA256
d03d28985143381cd0a1ffe527e7c7a7f6c0d761e4947c6ae60a7d612a3f1a0b

SHA512
5dbf3f616d90d3d2cc0a5702787141413cd6ac04647aa2adff1fba2c22571f6db869369b9773392e644e975cfd652093bc0fcc54cd4b716731323adfbb72188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe
Filesize
529KB

MD5
297dd12ccc8eac76a2a9a92dde3807c5

SHA1
022a71fa1156e98be31066f99059335b9d99416c

SHA256
b4168d6ca0886cbd37d7a4415db937f0cd07b569aa812d3166d4d324b9de2a7f

SHA512
1e5629758619fd1ce7628c3175c097ab5ecf88b81d83513d3c7c8e4b7574b951ec0dce04d12975209988bd912417280acdc1d1c9e1b22e2772aedea538d80de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe
Filesize
529KB

MD5
297dd12ccc8eac76a2a9a92dde3807c5

SHA1
022a71fa1156e98be31066f99059335b9d99416c

SHA256
b4168d6ca0886cbd37d7a4415db937f0cd07b569aa812d3166d4d324b9de2a7f

SHA512
1e5629758619fd1ce7628c3175c097ab5ecf88b81d83513d3c7c8e4b7574b951ec0dce04d12975209988bd912417280acdc1d1c9e1b22e2772aedea538d80de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe
Filesize
364KB

MD5
fc08cbb6100631b04e4bc11cd851d71a

SHA1
7c011b471bbfd2a5fab5f7ccf133c69db1261b09

SHA256
c34fb765bd3fb1c98079f29352354a90f43bcf9ea27a31bde6fb45bbee4024d3

SHA512
f758e0598cb1b071a86a2b53cf928038719a7147a4c7abd08818b4548c5fda69c8673559f4910f192037b7f47bc26eb4adbf9d646b9db59641e19856dfa81992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe
Filesize
364KB

MD5
fc08cbb6100631b04e4bc11cd851d71a

SHA1
7c011b471bbfd2a5fab5f7ccf133c69db1261b09

SHA256
c34fb765bd3fb1c98079f29352354a90f43bcf9ea27a31bde6fb45bbee4024d3

SHA512
f758e0598cb1b071a86a2b53cf928038719a7147a4c7abd08818b4548c5fda69c8673559f4910f192037b7f47bc26eb4adbf9d646b9db59641e19856dfa81992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe
Filesize
174KB

MD5
3deaf33ce806e8572a34310cb933424c

SHA1
db3a2ec27ede5301bb4f0d65d49eb07653c88df2

SHA256
baccc7e8f5788d82e6356f1765bace9718546d50d811cfa865a76edf690f5242

SHA512
7f60d210522951e9b942aefe3438c1490ff88edc1563376682dd11a13cb197f81769ab5c3835139959d1d2620329a3c84d149d264d0643b000369c5301e48a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe
Filesize
174KB

MD5
3deaf33ce806e8572a34310cb933424c

SHA1
db3a2ec27ede5301bb4f0d65d49eb07653c88df2

SHA256
baccc7e8f5788d82e6356f1765bace9718546d50d811cfa865a76edf690f5242

SHA512
7f60d210522951e9b942aefe3438c1490ff88edc1563376682dd11a13cb197f81769ab5c3835139959d1d2620329a3c84d149d264d0643b000369c5301e48a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oargmpib.wez.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OCV47.tmp\is-AP4VJ.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OCV47.tmp\is-AP4VJ.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VF167.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VF167.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VF167.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
\??\pipe\LOCAL\crashpad_3388_VSQFAJCFQDMOQDKZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/736-162-0x0000000002790000-0x0000000002890000-memory.dmp

Filesize
1024KB

Download
memory/736-164-0x00000000025F0000-0x00000000025F9000-memory.dmp

Filesize
36KB

Download
memory/1008-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1008-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1008-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1316-100-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/1316-111-0x0000000007830000-0x000000000787C000-memory.dmp

Filesize
304KB

Download
memory/1316-103-0x0000000007690000-0x00000000076A2000-memory.dmp

Filesize
72KB

Download
memory/1316-279-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/1316-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-98-0x0000000007530000-0x00000000075C2000-memory.dmp

Filesize
584KB

Download
memory/1316-97-0x0000000007A40000-0x0000000007FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1316-212-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-93-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-99-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/1316-108-0x00000000077F0000-0x000000000782C000-memory.dmp

Filesize
240KB

Download
memory/1764-431-0x00000000058A0000-0x0000000005916000-memory.dmp

Filesize
472KB

Download
memory/1764-326-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1764-284-0x0000000002D40000-0x0000000002D46000-memory.dmp

Filesize
24KB

Download
memory/1764-439-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/1764-288-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/1764-237-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2344-448-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2344-446-0x00000000045A0000-0x00000000045D6000-memory.dmp

Filesize
216KB

Download
memory/2468-133-0x00007FF7738D0000-0x00007FF77393A000-memory.dmp

Filesize
424KB

Download
memory/2468-338-0x00000000032F0000-0x0000000003421000-memory.dmp

Filesize
1.2MB

Download
memory/2468-337-0x0000000003170000-0x00000000032E1000-memory.dmp

Filesize
1.4MB

Download
memory/2576-289-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2576-163-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2576-166-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2912-231-0x000000001B130000-0x000000001B140000-memory.dmp

Filesize
64KB

Download
memory/2912-418-0x00007FFC62AC0000-0x00007FFC63581000-memory.dmp

Filesize
10.8MB

Download
memory/2912-230-0x00007FFC62AC0000-0x00007FFC63581000-memory.dmp

Filesize
10.8MB

Download
memory/2912-436-0x000000001B130000-0x000000001B140000-memory.dmp

Filesize
64KB

Download
memory/2912-203-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/3100-280-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3100-271-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3100-285-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3104-2-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/3104-286-0x0000000002EB0000-0x0000000002EC6000-memory.dmp

Filesize
88KB

Download
memory/3280-417-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3280-331-0x0000000004680000-0x0000000004A85000-memory.dmp

Filesize
4.0MB

Download
memory/3280-211-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3280-305-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3280-430-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3280-543-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3280-190-0x0000000004A90000-0x000000000537B000-memory.dmp

Filesize
8.9MB

Download
memory/3280-176-0x0000000004680000-0x0000000004A85000-memory.dmp

Filesize
4.0MB

Download
memory/3800-71-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/3800-78-0x00007FFC62AC0000-0x00007FFC63581000-memory.dmp

Filesize
10.8MB

Download
memory/3800-324-0x00007FFC62AC0000-0x00007FFC63581000-memory.dmp

Filesize
10.8MB

Download
memory/3800-187-0x00007FFC62AC0000-0x00007FFC63581000-memory.dmp

Filesize
10.8MB

Download
memory/4288-252-0x0000000000170000-0x000000000032D000-memory.dmp

Filesize
1.7MB

Download
memory/4288-276-0x0000000000170000-0x000000000032D000-memory.dmp

Filesize
1.7MB

Download
memory/4288-172-0x0000000000170000-0x000000000032D000-memory.dmp

Filesize
1.7MB

Download
memory/4308-266-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4308-330-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4376-437-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4376-270-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-239-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4376-213-0x0000000000690000-0x00000000006EA000-memory.dmp

Filesize
360KB

Download
memory/4376-447-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4460-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-81-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4464-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4464-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4464-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4672-748-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/4672-757-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/4768-242-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4768-191-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4824-206-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4824-160-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4824-156-0x00000000002C0000-0x0000000000434000-memory.dmp

Filesize
1.5MB

Download
memory/4948-106-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/4948-272-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-94-0x0000000000810000-0x0000000000840000-memory.dmp

Filesize
192KB

Download
memory/4948-95-0x0000000072520000-0x0000000072CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-96-0x00000000050F0000-0x00000000050F6000-memory.dmp

Filesize
24KB

Download
memory/4948-101-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/4948-102-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4948-290-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/5408-595-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5408-702-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5408-304-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5408-754-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5408-327-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5408-760-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5532-640-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/5532-741-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download