amadey | 960cf0207bafa828b28a6def06937b39ec52a9fbe0f4574275e40b349bd3bd76

Analysis

max time kernel
35s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b73df30d0bdf006ae273f0ce4ed356ec.exe
Size

1.8MB
MD5

b73df30d0bdf006ae273f0ce4ed356ec
SHA1

7b55cf4bbb4000c3202c304959e0e9990f1ff9d8
SHA256

960cf0207bafa828b28a6def06937b39ec52a9fbe0f4574275e40b349bd3bd76
SHA512

be88f74ed3f5d70402efb011498c84c34289941fa4172c3a6d4a22128237b5bef531d3eba0d1dff3f6c8b543225a92a5cd9008c09305bd4932119dc6e9cd01e7
SSDEEP

49152:7GApQoqkGbXcJt2Ooco50wsbobWVqca79MuzDZK:JpQoqDbXc250wsUig79jI

Score

10^/10

amadey dcrat healer mystic redline smokeloader 6012068394_99 frant lutyr magia backdoor dropper evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Extracted

Family

redline

Botnet

6012068394_99

https://pastebin.com/raw/8baCJyMF

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 2 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

b73df30d0bdf006ae273f0ce4ed356ec.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b73df30d0bdf006ae273f0ce4ed356ec.exe
5496	schtasks.exe

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4528-61-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4528-64-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4528-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4528-70-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\464.exe	healer
behavioral2/memory/4260-359-0x0000000000920000-0x000000000092A000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\464.exe	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4808-84-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/memory/5752-372-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/memory/6116-392-0x0000000000E50000-0x0000000000E8E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nr330lu.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nr330lu.exe	family_redline
behavioral2/memory/5088-574-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe698.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	698.exe

Executes dropped EXE 20 IoCs

Processes:

xM5KX76.exeCe2iC43.exeDx6LR29.exe1cq12Lv2.exe2Ux1265.exe3Kv30GR.exe4ci777kh.exe5LE5RL8.exeFD6B.exeia1GS7CY.exeFEE3.exeNc9Ze5bE.exeUF2xe4Mg.exeNm4Gw6QP.exe1oe66rb0.exe2EC.exe464.exe698.exe2nr330lu.exeexplothe.exe

pid	process
4388	xM5KX76.exe
3772	Ce2iC43.exe
3140	Dx6LR29.exe
1652	1cq12Lv2.exe
1540	2Ux1265.exe
1776	3Kv30GR.exe
452	4ci777kh.exe
4992	5LE5RL8.exe
5592	FD6B.exe
64	ia1GS7CY.exe
1576	FEE3.exe
4072	Nc9Ze5bE.exe
5336	UF2xe4Mg.exe
3716	Nm4Gw6QP.exe
1660	1oe66rb0.exe
4108	2EC.exe
4260	464.exe
5928	698.exe
6116	2nr330lu.exe
5424	explothe.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ia1GS7CY.exeNc9Ze5bE.exeUF2xe4Mg.exeNm4Gw6QP.exeCe2iC43.exeFD6B.exeDx6LR29.exeb73df30d0bdf006ae273f0ce4ed356ec.exexM5KX76.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ia1GS7CY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Nc9Ze5bE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	UF2xe4Mg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Nm4Gw6QP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ce2iC43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FD6B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Dx6LR29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b73df30d0bdf006ae273f0ce4ed356ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xM5KX76.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 7 IoCs

Processes:

1cq12Lv2.exe2Ux1265.exe3Kv30GR.exe4ci777kh.exeFEE3.exe1oe66rb0.exe2EC.exe

description	pid	process	target process
PID 1652 set thread context of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1540 set thread context of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1776 set thread context of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 452 set thread context of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 1576 set thread context of 2180	1576	FEE3.exe	AppLaunch.exe
PID 1660 set thread context of 1732	1660	1oe66rb0.exe	AppLaunch.exe
PID 4108 set thread context of 5752	4108	2EC.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2816	1652	WerFault.exe	1cq12Lv2.exe
1216	1540	WerFault.exe	2Ux1265.exe
2972	4528	WerFault.exe	AppLaunch.exe
4152	1776	WerFault.exe	3Kv30GR.exe
4760	452	WerFault.exe	4ci777kh.exe
5800	1576	WerFault.exe	FEE3.exe
5888	1660	WerFault.exe	1oe66rb0.exe
5676	1732	WerFault.exe	AppLaunch.exe
5996	4108	WerFault.exe	2EC.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5496 schtasks.exe

pid	process
5496	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeAppLaunch.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
3172	AppLaunch.exe
3172	AppLaunch.exe
4172	AppLaunch.exe
4172	AppLaunch.exe
4172	AppLaunch.exe
1216	msedge.exe
1216	msedge.exe
4628	msedge.exe
4628	msedge.exe
2544	msedge.exe
2544	msedge.exe
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
5948	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

3172 AppLaunch.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AppLaunch.exe464.exe

description	pid	process
Token: SeDebugPrivilege	4172	AppLaunch.exe
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164
Token: SeDebugPrivilege	4260	464.exe
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b73df30d0bdf006ae273f0ce4ed356ec.exexM5KX76.exeCe2iC43.exeDx6LR29.exe1cq12Lv2.exe2Ux1265.exe3Kv30GR.exe4ci777kh.exe5LE5RL8.exe

description	pid	process	target process
PID 2200 wrote to memory of 4388	2200	b73df30d0bdf006ae273f0ce4ed356ec.exe	xM5KX76.exe
PID 2200 wrote to memory of 4388	2200	b73df30d0bdf006ae273f0ce4ed356ec.exe	xM5KX76.exe
PID 2200 wrote to memory of 4388	2200	b73df30d0bdf006ae273f0ce4ed356ec.exe	xM5KX76.exe
PID 4388 wrote to memory of 3772	4388	xM5KX76.exe	Ce2iC43.exe
PID 4388 wrote to memory of 3772	4388	xM5KX76.exe	Ce2iC43.exe
PID 4388 wrote to memory of 3772	4388	xM5KX76.exe	Ce2iC43.exe
PID 3772 wrote to memory of 3140	3772	Ce2iC43.exe	Dx6LR29.exe
PID 3772 wrote to memory of 3140	3772	Ce2iC43.exe	Dx6LR29.exe
PID 3772 wrote to memory of 3140	3772	Ce2iC43.exe	Dx6LR29.exe
PID 3140 wrote to memory of 1652	3140	Dx6LR29.exe	1cq12Lv2.exe
PID 3140 wrote to memory of 1652	3140	Dx6LR29.exe	1cq12Lv2.exe
PID 3140 wrote to memory of 1652	3140	Dx6LR29.exe	1cq12Lv2.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 1652 wrote to memory of 4172	1652	1cq12Lv2.exe	AppLaunch.exe
PID 3140 wrote to memory of 1540	3140	Dx6LR29.exe	2Ux1265.exe
PID 3140 wrote to memory of 1540	3140	Dx6LR29.exe	2Ux1265.exe
PID 3140 wrote to memory of 1540	3140	Dx6LR29.exe	2Ux1265.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 1540 wrote to memory of 4528	1540	2Ux1265.exe	AppLaunch.exe
PID 3772 wrote to memory of 1776	3772	Ce2iC43.exe	3Kv30GR.exe
PID 3772 wrote to memory of 1776	3772	Ce2iC43.exe	3Kv30GR.exe
PID 3772 wrote to memory of 1776	3772	Ce2iC43.exe	3Kv30GR.exe
PID 1776 wrote to memory of 1072	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 1072	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 1072	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 1776 wrote to memory of 3172	1776	3Kv30GR.exe	AppLaunch.exe
PID 4388 wrote to memory of 452	4388	xM5KX76.exe	4ci777kh.exe
PID 4388 wrote to memory of 452	4388	xM5KX76.exe	4ci777kh.exe
PID 4388 wrote to memory of 452	4388	xM5KX76.exe	4ci777kh.exe
PID 452 wrote to memory of 1304	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 1304	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 1304	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 452 wrote to memory of 4808	452	4ci777kh.exe	AppLaunch.exe
PID 2200 wrote to memory of 4992	2200	b73df30d0bdf006ae273f0ce4ed356ec.exe	5LE5RL8.exe
PID 2200 wrote to memory of 4992	2200	b73df30d0bdf006ae273f0ce4ed356ec.exe	5LE5RL8.exe
PID 2200 wrote to memory of 4992	2200	b73df30d0bdf006ae273f0ce4ed356ec.exe	5LE5RL8.exe
PID 4992 wrote to memory of 3424	4992	5LE5RL8.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b73df30d0bdf006ae273f0ce4ed356ec.exe
"C:\Users\Admin\AppData\Local\Temp\b73df30d0bdf006ae273f0ce4ed356ec.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5KX76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5KX76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ce2iC43.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ce2iC43.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dx6LR29.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dx6LR29.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cq12Lv2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cq12Lv2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 580
        6⤵
        Program crash
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux1265.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux1265.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 540
        7⤵
        Program crash
        
        PID:2972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 572
        6⤵
        Program crash
        
        PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Kv30GR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Kv30GR.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1072
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 592
        5⤵
        Program crash
        
        PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ci777kh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ci777kh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 592
      4⤵
      Program crash
      PID:4760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5LE5RL8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5LE5RL8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\A4CC.tmp\A4CD.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5LE5RL8.exe"
    3⤵
    PID:3424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:2216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffef1a846f8,0x7ffef1a84708,0x7ffef1a84718
        5⤵
        
        PID:2772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2692237252694003077,16892443636602902712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2692237252694003077,16892443636602902712,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        5⤵
        
        PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef1a846f8,0x7ffef1a84708,0x7ffef1a84718
        5⤵
        
        PID:1692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
        5⤵
        
        PID:2560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
        5⤵
        
        PID:4152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        5⤵
        
        PID:2636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:4252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
        5⤵
        
        PID:3736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
        5⤵
        
        PID:5932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
        5⤵
        
        PID:5976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
        5⤵
        
        PID:5968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
        5⤵
        
        PID:3424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
        5⤵
        
        PID:5132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
        5⤵
        
        PID:3428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5933123222689196486,18095972766143372261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1652 -ip 1652
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1540 -ip 1540
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4528 -ip 4528
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1776 -ip 1776
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 452 -ip 452
1⤵
PID:2040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\FD6B.exe
C:\Users\Admin\AppData\Local\Temp\FD6B.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ia1GS7CY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ia1GS7CY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nc9Ze5bE.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nc9Ze5bE.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UF2xe4Mg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UF2xe4Mg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Nm4Gw6QP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Nm4Gw6QP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oe66rb0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oe66rb0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 540
        8⤵
        Program crash
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 600
        7⤵
        Program crash
        
        PID:5888
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nr330lu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nr330lu.exe
        6⤵
        Executes dropped EXE
        
        PID:6116

C:\Users\Admin\AppData\Local\Temp\FEE3.exe
C:\Users\Admin\AppData\Local\Temp\FEE3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 416
  2⤵
  - Program crash
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A9.bat" "
1⤵
PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef1a846f8,0x7ffef1a84708,0x7ffef1a84718
    3⤵
    PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:5732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef1a846f8,0x7ffef1a84708,0x7ffef1a84718
    3⤵
    PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1576 -ip 1576
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\2EC.exe
C:\Users\Admin\AppData\Local\Temp\2EC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 364
  2⤵
  - Program crash
  PID:5996

C:\Users\Admin\AppData\Local\Temp\464.exe
C:\Users\Admin\AppData\Local\Temp\464.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1660 -ip 1660
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1732 -ip 1732
1⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\698.exe
C:\Users\Admin\AppData\Local\Temp\698.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5928
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5424
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:5496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:5524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4108 -ip 4108
1⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\326B.exe
C:\Users\Admin\AppData\Local\Temp\326B.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:5928
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\kos1.exe
  "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
  2⤵
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\set16.exe
    "C:\Users\Admin\AppData\Local\Temp\set16.exe"
    3⤵
    PID:6040
  - - C:\Users\Admin\AppData\Local\Temp\is-331N2.tmp\is-RNMBU.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-331N2.tmp\is-RNMBU.tmp" /SL4 $D0050 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
      4⤵
      PID:1060
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        5⤵
        
        PID:5820
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        5⤵
        
        PID:2736
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        5⤵
        
        PID:5448
- - C:\Users\Admin\AppData\Local\Temp\kos.exe
    "C:\Users\Admin\AppData\Local\Temp\kos.exe"
    3⤵
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:5812

C:\Users\Admin\AppData\Local\Temp\375E.exe
C:\Users\Admin\AppData\Local\Temp\375E.exe
1⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3C02.exe
C:\Users\Admin\AppData\Local\Temp\3C02.exe
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a602869e579f44dfa2a249baa8c20fe

SHA1
e0ac4a8508f60cb0408597eb1388b3075e27383f

SHA256
9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5

SHA512
1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e9513919630f1d5588e14bc29b7de6c7

SHA1
08bb55eb4a79195d4c4eda7bd52a780ac8247289

SHA256
dfa3e817958fdb0ba1823cb5f3c39cd6cb3ece0891c436abdb1d151f11ff9a13

SHA512
de418ec53eb282261365b85a02db904ac70b6c21de89a6f5aab382d9f46b90e82d9386dd0e5c9a1392a1b47549fe96ace875e745dea22898896f89ca2d3828d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb5587cfc2ac201d39ce49d0c0544523

SHA1
222c17e969714674a246f34e2bbbe7e0460adc8b

SHA256
2b3d15e1dafccec3964c52f736bab8ec165a923790032e333bcf515f1544a190

SHA512
9b1d44309b075b494bfce768cc97ba221861d4a005ddfdf7b2d649b9680e321b9a064d1ce6cfa501ece26c003a2ca0ccf2f5bcad6a35c98a4b33019251abee6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0a25d68c31db11b2f069f52537241a8

SHA1
26ac4e17cc29a6939c3164980c00ac8055ceeb0c

SHA256
18e9d50ac93dc5937a4a4df11f8c4b3a061ad31e4b0ff2c4239efcf483b8795e

SHA512
379c59f937c0d71a48c298751e72d87554bc8948dadd02f9bf498ca69cd33e004492e9d219e03316af2df2cfc811d0c303a0654a9032f67903ee216edf5b9037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a9a05dd5141456860cf13b824240dcf

SHA1
fb35d2585b5e4c0eee38d96b55b0b98e86b10d16

SHA256
981bdc7a52181796ecaa8a362e2fca8f98e5c8504d50bb39ae6e1b7a846c9c03

SHA512
db5d0697130cfb7ae54671eff7b74f7f4ab8118dffc5fe722c8bb974bf3e937378cb8a600713049870aa7e46c7a44cd148cc727c8e035d87a2602b8bd80cafee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
10f5b64000466c1e6da25fb5a0115924

SHA1
cb253bacf2b087c4040eb3c6a192924234f68639

SHA256
d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b

SHA512
8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
45c2eba0d19761ab3d36ce95854806a7

SHA1
2c613d6e11bcf0be6c9555bb9ebb13f1531250f9

SHA256
e1764f70220fdeb868030643b2b31384e859fdfcef36796aad4c55e75c1291f8

SHA512
58d630c75ab36cb5c1297804d4b976d43ec974ec3101c54e12c6ea69949e13f2e7864a60c5e69a0335abc8d3287bfa066dd35e6272d84ad1cf4717f40468a8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
862B

MD5
0479bb0885220275de2cbaa689684f19

SHA1
a408ea404567326bc8bf443f022724bd59b8b02e

SHA256
d4a6d8eea2082fd9baa79e8f011551bad70599b92d8da71a4f264a28654ffe83

SHA512
a1a2d81603449299c9f82b6671a9eca0869d26d22770c5ea07b3d42c347bb9d4fb99b0b1acafedfff0c471b17670ebdff1af563259432fd5c44817b042435670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58003a.TMP

Filesize
872B

MD5
3012bf3083fde6a34dbff3b8bb26456b

SHA1
53b686e31c827fac3d9eb90c3f269366e1bf329b

SHA256
f06c767148823079981c47efd8e7aa1159c35939a6c247052f51215107060a8f

SHA512
731bdde36dbd01c315a6d08898a3310ed33da40ce7a4354ae82c9f9f34ba4226a5e3fa2c3555c18af9247ee8907a4b13901724497e810316ce6f05ea9a3619a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6933222636dea2eb92a06a10d9cac498

SHA1
e67c357e1d863a78d9b1486606ea223ec9c817ea

SHA256
793b2f08805dca0f877a6e7c63c6b085ee09b576c8fb39101fba8a880ce00c52

SHA512
59699003a0a13d708ce3e8360990cc3e900fa4d4c507a86807dc3d1f7e8d9239ef022b5acbc01b830bfb176b3416bf4b2a71c7fc6ee9ebb5ab24cf0217273941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
bcbec8c543b22de6b218a90e9d2a74d3

SHA1
35428d6342e77479321b2705642a2ab6e47efbe1

SHA256
9006a87a6eefe643d95904561d1c1c4a565d70ef5c2396039f88ef3a423e621f

SHA512
3fe603bfde5ff48f5dda1518fef58e7cad9acecff54c4cf742eaa0cbc8c8c4438260e6e3e53b017d1f5fb71ff42bc1a7526da665bad624e5fdb2bacfa828fdca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
bcbec8c543b22de6b218a90e9d2a74d3

SHA1
35428d6342e77479321b2705642a2ab6e47efbe1

SHA256
9006a87a6eefe643d95904561d1c1c4a565d70ef5c2396039f88ef3a423e621f

SHA512
3fe603bfde5ff48f5dda1518fef58e7cad9acecff54c4cf742eaa0cbc8c8c4438260e6e3e53b017d1f5fb71ff42bc1a7526da665bad624e5fdb2bacfa828fdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EC.exe

Filesize
461KB

MD5
08d96f4bfae31af3e064051faf2bc7e4

SHA1
5290b692c71f95fdc7be88321044ea0a14e1f4a2

SHA256
9f78079e233806ad3b0c891964e083f4ae498d151d8fc05399ee59745ce70b61

SHA512
36cc57cc7469677244ef343e9a732c1c83a1da4ac496b306a1cbba1e925c52b7153cd384bac7396e5be99bfcf4b6a03d2fc130d63f2c0f755dafc111af27d4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EC.exe

Filesize
461KB

MD5
08d96f4bfae31af3e064051faf2bc7e4

SHA1
5290b692c71f95fdc7be88321044ea0a14e1f4a2

SHA256
9f78079e233806ad3b0c891964e083f4ae498d151d8fc05399ee59745ce70b61

SHA512
36cc57cc7469677244ef343e9a732c1c83a1da4ac496b306a1cbba1e925c52b7153cd384bac7396e5be99bfcf4b6a03d2fc130d63f2c0f755dafc111af27d4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
9066252ec48e20ddd82d2ec928cb7867

SHA1
222cbf0415a3166b1f55ff1ba293c4f8b5b840c8

SHA256
97501b83431f3b3f369d96c268ef1de99d588e74f0b28d7b853ff3ebf259f96c

SHA512
4be0962e8cfdb2e723b87a76c9b43c5d3bb5e432e7ef3f28146056ec0cb854256a0a67c44fd9fabfbb66e5f150047890b76bab3d5bf86175a94e33d9d6f4e7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\464.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\464.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\698.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\698.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\A4CC.tmp\A4CD.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD6B.exe

Filesize
1.2MB

MD5
15f9db13b7dc286d39b401caa1848662

SHA1
6e68b4dddf2233eceae99f7eceb880bf0f39258d

SHA256
f08f1ea1806075953a38aedfa0f8979a26b6e50758b84af6eb759b231de51978

SHA512
8f60670015b0e1da501a26e286d3eb17b7bfd459172a577fddb9a923409902336db72c86905017ba301ac177abece972baef415f7e86b4c7bcb6f19e241367ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD6B.exe

Filesize
1.2MB

MD5
15f9db13b7dc286d39b401caa1848662

SHA1
6e68b4dddf2233eceae99f7eceb880bf0f39258d

SHA256
f08f1ea1806075953a38aedfa0f8979a26b6e50758b84af6eb759b231de51978

SHA512
8f60670015b0e1da501a26e286d3eb17b7bfd459172a577fddb9a923409902336db72c86905017ba301ac177abece972baef415f7e86b4c7bcb6f19e241367ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE3.exe

Filesize
422KB

MD5
509a9574e5c0d7c8d34fda1ee948e4e3

SHA1
2673c375e1c4985674a2e2ddd09ff2753abc31af

SHA256
cd032cc20f3c364edd80dd79dde5cf34e1f0a318e06b365214b8f4599e4ebcc5

SHA512
97d35a4a51d16b03828faef56d1b7782e60a54ee6a357ab66e1f5844ca3183d5ebb8885782edeb0f4046239edf966bd59eb9ccc9d1ebbe8643de5d6ebe8f044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE3.exe

Filesize
422KB

MD5
509a9574e5c0d7c8d34fda1ee948e4e3

SHA1
2673c375e1c4985674a2e2ddd09ff2753abc31af

SHA256
cd032cc20f3c364edd80dd79dde5cf34e1f0a318e06b365214b8f4599e4ebcc5

SHA512
97d35a4a51d16b03828faef56d1b7782e60a54ee6a357ab66e1f5844ca3183d5ebb8885782edeb0f4046239edf966bd59eb9ccc9d1ebbe8643de5d6ebe8f044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5LE5RL8.exe

Filesize
100KB

MD5
adb88d6e7a9bd7bca9dcec62df800d8a

SHA1
37deec92b660828309ee54f9e6784e92b7ba54d0

SHA256
97c5dd95e15df5b5fc35f4935c1771ed2ac4f6d041c4451e5c9155ef3e5f4013

SHA512
28a712ed37c77023bf7627e727d60f1454fd0a0afcd9a8840b22a60d65bc8ee3fbcee5d8b84f8269acc505a38627c901872779b9c5edf431df7c47e28b1545ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5LE5RL8.exe

Filesize
100KB

MD5
adb88d6e7a9bd7bca9dcec62df800d8a

SHA1
37deec92b660828309ee54f9e6784e92b7ba54d0

SHA256
97c5dd95e15df5b5fc35f4935c1771ed2ac4f6d041c4451e5c9155ef3e5f4013

SHA512
28a712ed37c77023bf7627e727d60f1454fd0a0afcd9a8840b22a60d65bc8ee3fbcee5d8b84f8269acc505a38627c901872779b9c5edf431df7c47e28b1545ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ia1GS7CY.exe

Filesize
1.1MB

MD5
e585d88012849c1011797728afedbb51

SHA1
1ce95fa4543ad28829faaca7e0ca7a2aefdd09a0

SHA256
1dddb0b7191599f040b38d01f5615e52953879a1c7883afb20a7d23aa83b8553

SHA512
249c1057597bba578176e25d98aa25ae95641e5b4f8dad8042b8f845c5cc31dabff8ece56c60ed91ee87e3357834ec44399b4c95ef3b558bf67be3df0d5bb4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ia1GS7CY.exe

Filesize
1.1MB

MD5
e585d88012849c1011797728afedbb51

SHA1
1ce95fa4543ad28829faaca7e0ca7a2aefdd09a0

SHA256
1dddb0b7191599f040b38d01f5615e52953879a1c7883afb20a7d23aa83b8553

SHA512
249c1057597bba578176e25d98aa25ae95641e5b4f8dad8042b8f845c5cc31dabff8ece56c60ed91ee87e3357834ec44399b4c95ef3b558bf67be3df0d5bb4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5KX76.exe

Filesize
1.7MB

MD5
2e772a5ed1bb826a3ecd2091252c67ef

SHA1
30c59cdfaaa8491fb646acb26ba0344c158551a1

SHA256
98c2c66088b53635dcbb665fe9394351762ea56e11b1a1401c38b0b2d02cff4a

SHA512
2dca85ab4b05aa0ae0e085b7d125f371d318e6e2aafc1594b9851b2f005c5528fa5dbc4bc694fbbbcd3292d98fee5df016f1b457bd6025b3e88324d1fb94a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5KX76.exe

Filesize
1.7MB

MD5
2e772a5ed1bb826a3ecd2091252c67ef

SHA1
30c59cdfaaa8491fb646acb26ba0344c158551a1

SHA256
98c2c66088b53635dcbb665fe9394351762ea56e11b1a1401c38b0b2d02cff4a

SHA512
2dca85ab4b05aa0ae0e085b7d125f371d318e6e2aafc1594b9851b2f005c5528fa5dbc4bc694fbbbcd3292d98fee5df016f1b457bd6025b3e88324d1fb94a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ci777kh.exe

Filesize
1.8MB

MD5
ed3ce451fc2fc20177660b73645c754e

SHA1
3351359997e2d964ce46bcf5ab6681f77b6efc0c

SHA256
a2a13737bb962f7698e4b3978e768b1650f3662495e7b1702d5be83ee649336c

SHA512
592c6aa0abcd3476ef1cb742b0a9343fe442e36730b3206878bd589d6b0226a9f459a96ca6f2b0712f70366bc19b3d8bf163ec342cc3f68cba473d0135ece2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ci777kh.exe

Filesize
1.8MB

MD5
ed3ce451fc2fc20177660b73645c754e

SHA1
3351359997e2d964ce46bcf5ab6681f77b6efc0c

SHA256
a2a13737bb962f7698e4b3978e768b1650f3662495e7b1702d5be83ee649336c

SHA512
592c6aa0abcd3476ef1cb742b0a9343fe442e36730b3206878bd589d6b0226a9f459a96ca6f2b0712f70366bc19b3d8bf163ec342cc3f68cba473d0135ece2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ce2iC43.exe

Filesize
1.2MB

MD5
f39b3ce7f4c467180e91322815bad3c5

SHA1
46b361f732b32b247d511b3f06e4da916a61e9d5

SHA256
b019cd8c08e2199f39c3fbd8e8239dd4fba62755cf78d266476339aacbecec73

SHA512
3d330d2decbcc6773783090505518cfd906687981295a9722d25192becde1d1b5c4d721db93648b6e82476fd4b72c322e1c75a8847a0b645a0bfd12c786e9793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ce2iC43.exe

Filesize
1.2MB

MD5
f39b3ce7f4c467180e91322815bad3c5

SHA1
46b361f732b32b247d511b3f06e4da916a61e9d5

SHA256
b019cd8c08e2199f39c3fbd8e8239dd4fba62755cf78d266476339aacbecec73

SHA512
3d330d2decbcc6773783090505518cfd906687981295a9722d25192becde1d1b5c4d721db93648b6e82476fd4b72c322e1c75a8847a0b645a0bfd12c786e9793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Kv30GR.exe

Filesize
1.6MB

MD5
d93211ee09c48cdb425851201f17a0d0

SHA1
1f9b8f8143b70bd380693b6455e0bbb8fff72d34

SHA256
df10c1a742c54e09916f22855766e8a54b926e6499178d6e0f12f2b6e42a46b5

SHA512
f76e8e22fc76f8a44aed39600f07c80af45ce4f4125dc7ceed25c33a9c3f84b703c1cfa3ab9cdb90ba0cd6e37d3b446b11a41f1bfce4a429e4a16e25a6cb3b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Kv30GR.exe

Filesize
1.6MB

MD5
d93211ee09c48cdb425851201f17a0d0

SHA1
1f9b8f8143b70bd380693b6455e0bbb8fff72d34

SHA256
df10c1a742c54e09916f22855766e8a54b926e6499178d6e0f12f2b6e42a46b5

SHA512
f76e8e22fc76f8a44aed39600f07c80af45ce4f4125dc7ceed25c33a9c3f84b703c1cfa3ab9cdb90ba0cd6e37d3b446b11a41f1bfce4a429e4a16e25a6cb3b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dx6LR29.exe

Filesize
737KB

MD5
bfa373c42f006da6162bb963f1634f68

SHA1
af4c7ddebdd3d5803d8d6b4037c7f8cc92ca9e37

SHA256
6ec8b64ef0f61b396e2ddbf27e6fd02011cc457046feda6e7f16cffd2dba5217

SHA512
37d2b3570487f80da9d6a3f4d97d2916dfe2f97cdb7b889f99be9b091686135e141b27354fd859ac5ccccb84728cefc2d2ecbb33bbb4efe9a8dbcfb730fa8f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dx6LR29.exe

Filesize
737KB

MD5
bfa373c42f006da6162bb963f1634f68

SHA1
af4c7ddebdd3d5803d8d6b4037c7f8cc92ca9e37

SHA256
6ec8b64ef0f61b396e2ddbf27e6fd02011cc457046feda6e7f16cffd2dba5217

SHA512
37d2b3570487f80da9d6a3f4d97d2916dfe2f97cdb7b889f99be9b091686135e141b27354fd859ac5ccccb84728cefc2d2ecbb33bbb4efe9a8dbcfb730fa8f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nc9Ze5bE.exe

Filesize
935KB

MD5
9d69d89dcf85d0764a1d8d6c87115f1c

SHA1
4d36f34ebbd1af2debc20c9b9ca7c581b206dcd5

SHA256
8fdedb6267fb2db3ec8ddcafa0d0fc26fa9dffe70ec6933a1e59df49e85bc820

SHA512
70c488d559b36bd713e26f91e31eef232323e3256185153255cbff78b08211f53bc563d3e239ff0d8373e371495ee0a2df33cf153e87b52ff1a414775b3f73b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nc9Ze5bE.exe

Filesize
935KB

MD5
9d69d89dcf85d0764a1d8d6c87115f1c

SHA1
4d36f34ebbd1af2debc20c9b9ca7c581b206dcd5

SHA256
8fdedb6267fb2db3ec8ddcafa0d0fc26fa9dffe70ec6933a1e59df49e85bc820

SHA512
70c488d559b36bd713e26f91e31eef232323e3256185153255cbff78b08211f53bc563d3e239ff0d8373e371495ee0a2df33cf153e87b52ff1a414775b3f73b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cq12Lv2.exe

Filesize
1.8MB

MD5
95063dd22ad0f74fdcff1ec2c8799e51

SHA1
fe145868bad788fc90a429cf62b781aaede05968

SHA256
b8212d338a145c8054917152f16ba60f9a5062d9d0e3ec1a981238a3f3f2675a

SHA512
e152bfa886e999c667a045f3a1f513e18cf4b08a7e0b7a83203e7c211edd7c59bf9aba0cb596a5bdea8d2eae91721a06dd1ce7defbda914b8c5847e38422b646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cq12Lv2.exe

Filesize
1.8MB

MD5
95063dd22ad0f74fdcff1ec2c8799e51

SHA1
fe145868bad788fc90a429cf62b781aaede05968

SHA256
b8212d338a145c8054917152f16ba60f9a5062d9d0e3ec1a981238a3f3f2675a

SHA512
e152bfa886e999c667a045f3a1f513e18cf4b08a7e0b7a83203e7c211edd7c59bf9aba0cb596a5bdea8d2eae91721a06dd1ce7defbda914b8c5847e38422b646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux1265.exe

Filesize
1.7MB

MD5
57c1f01334ec82235f1b6173cd2f96f2

SHA1
61ff9a084461eabf5828329855cc91a4a7eb9134

SHA256
2c7bb8801d3491495db93a89d3679e3a5de2469caa9ca16f41a22d701b032f73

SHA512
ed02a665d0996526790173a5bbfda04f2801c84beaa1549d2daf2682e4b211904a3e1e27ce11f2ca32a251b7df94ca1d7c52719a628bd98b021835ad11239dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux1265.exe

Filesize
1.7MB

MD5
57c1f01334ec82235f1b6173cd2f96f2

SHA1
61ff9a084461eabf5828329855cc91a4a7eb9134

SHA256
2c7bb8801d3491495db93a89d3679e3a5de2469caa9ca16f41a22d701b032f73

SHA512
ed02a665d0996526790173a5bbfda04f2801c84beaa1549d2daf2682e4b211904a3e1e27ce11f2ca32a251b7df94ca1d7c52719a628bd98b021835ad11239dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UF2xe4Mg.exe

Filesize
639KB

MD5
9675b459175bf00f0a456e481f5f9a87

SHA1
ef2f6a1ce5d437278595022bdfaa4d676c1f809b

SHA256
a9ec372c420569592e9529d2228f287ffbf91e154714f9d40122ace529792129

SHA512
f71eb265e93204f5b38a40517e291e0681c9c9c1d53d38237961d774c330c6af994dc7a3b90b4d73a7b32cddf02b20db8b4c85ee3edc0c76754b5aa32089c942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UF2xe4Mg.exe

Filesize
639KB

MD5
9675b459175bf00f0a456e481f5f9a87

SHA1
ef2f6a1ce5d437278595022bdfaa4d676c1f809b

SHA256
a9ec372c420569592e9529d2228f287ffbf91e154714f9d40122ace529792129

SHA512
f71eb265e93204f5b38a40517e291e0681c9c9c1d53d38237961d774c330c6af994dc7a3b90b4d73a7b32cddf02b20db8b4c85ee3edc0c76754b5aa32089c942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Nm4Gw6QP.exe

Filesize
443KB

MD5
1a595c991095d18da414e0a8b05a1db9

SHA1
cd8562432b451cb4026fc8ef89246bb62d4fcebc

SHA256
9e1822b47c7628d2758c4dcb4e1a30f4a2447a47d06110f146c4d77d3e8f2ce7

SHA512
6bf40c2af0a53e372cdb976d69d83aebd7f003d654ff5e9f2bf68f88810043130649c67d8d12040c81c245947c68669e41a1de7ebe314a5a9bf5e6fa00db8f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Nm4Gw6QP.exe

Filesize
443KB

MD5
1a595c991095d18da414e0a8b05a1db9

SHA1
cd8562432b451cb4026fc8ef89246bb62d4fcebc

SHA256
9e1822b47c7628d2758c4dcb4e1a30f4a2447a47d06110f146c4d77d3e8f2ce7

SHA512
6bf40c2af0a53e372cdb976d69d83aebd7f003d654ff5e9f2bf68f88810043130649c67d8d12040c81c245947c68669e41a1de7ebe314a5a9bf5e6fa00db8f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oe66rb0.exe

Filesize
422KB

MD5
509a9574e5c0d7c8d34fda1ee948e4e3

SHA1
2673c375e1c4985674a2e2ddd09ff2753abc31af

SHA256
cd032cc20f3c364edd80dd79dde5cf34e1f0a318e06b365214b8f4599e4ebcc5

SHA512
97d35a4a51d16b03828faef56d1b7782e60a54ee6a357ab66e1f5844ca3183d5ebb8885782edeb0f4046239edf966bd59eb9ccc9d1ebbe8643de5d6ebe8f044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oe66rb0.exe

Filesize
422KB

MD5
509a9574e5c0d7c8d34fda1ee948e4e3

SHA1
2673c375e1c4985674a2e2ddd09ff2753abc31af

SHA256
cd032cc20f3c364edd80dd79dde5cf34e1f0a318e06b365214b8f4599e4ebcc5

SHA512
97d35a4a51d16b03828faef56d1b7782e60a54ee6a357ab66e1f5844ca3183d5ebb8885782edeb0f4046239edf966bd59eb9ccc9d1ebbe8643de5d6ebe8f044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oe66rb0.exe

Filesize
422KB

MD5
509a9574e5c0d7c8d34fda1ee948e4e3

SHA1
2673c375e1c4985674a2e2ddd09ff2753abc31af

SHA256
cd032cc20f3c364edd80dd79dde5cf34e1f0a318e06b365214b8f4599e4ebcc5

SHA512
97d35a4a51d16b03828faef56d1b7782e60a54ee6a357ab66e1f5844ca3183d5ebb8885782edeb0f4046239edf966bd59eb9ccc9d1ebbe8643de5d6ebe8f044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nr330lu.exe

Filesize
222KB

MD5
7d3e33e6aed9698761d362da30926db8

SHA1
8dba60f751d863556e0f244dfe0d2548e71749a2

SHA256
70c96b72b132661c1ea4de91e5839910bd0967e22d02aa182b5621b3bc387d08

SHA512
9010d40c6011feb96fc881a6add0458e6a1daf59846703cc7142992452ddae63d0a62d94afae1b9ea360ea84dc2c30b831087ee2d60fdb11dc82b495da3c0f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nr330lu.exe

Filesize
222KB

MD5
7d3e33e6aed9698761d362da30926db8

SHA1
8dba60f751d863556e0f244dfe0d2548e71749a2

SHA256
70c96b72b132661c1ea4de91e5839910bd0967e22d02aa182b5621b3bc387d08

SHA512
9010d40c6011feb96fc881a6add0458e6a1daf59846703cc7142992452ddae63d0a62d94afae1b9ea360ea84dc2c30b831087ee2d60fdb11dc82b495da3c0f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
216KB

MD5
fd134e455dc6caf3b95e7f4dfefb1550

SHA1
bc7fef4d1e9bdb19e79b2d4f0b66ef627e977882

SHA256
aadebe52d66f6c135cdccbf672ba6e7797097c830bb6ee11d8523d5de169d82f

SHA512
a38dada18974648f2291bc08d6c32b8670a86b856e15a51d9836e832e7c4074ebc31e0f78778c65da49c4d91ac23a23c6a686179c82b6a76ed0096c5e1eb83c4

Download Submit
\??\pipe\LOCAL\crashpad_2544_WTUGYEGGGMTVOCDR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1060-667-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1732-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-693-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2736-700-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2736-702-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3164-186-0x0000000002840000-0x0000000002856000-memory.dmp

Filesize
88KB

Download
memory/3172-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3172-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3172-195-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3640-605-0x0000000000C00000-0x0000000000DF8000-memory.dmp

Filesize
2.0MB

Download
memory/3640-669-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/3640-619-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3640-612-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/3640-606-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-648-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/4004-652-0x00007FFEEF610000-0x00007FFEF00D1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-666-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/4008-607-0x0000000000E70000-0x0000000000FE4000-memory.dmp

Filesize
1.5MB

Download
memory/4008-650-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-609-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/4172-63-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-54-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-37-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4172-36-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4172-212-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4172-35-0x0000000000CC0000-0x0000000000CDE000-memory.dmp

Filesize
120KB

Download
memory/4172-234-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4172-34-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4172-244-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4172-58-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-254-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/4172-43-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-41-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-73-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4172-75-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-122-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/4172-60-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-40-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-45-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-39-0x0000000002800000-0x000000000281C000-memory.dmp

Filesize
112KB

Download
memory/4172-52-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-71-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-67-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-33-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/4172-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4172-56-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-49-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/4172-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4172-38-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4172-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4260-527-0x00007FFEEF610000-0x00007FFEF00D1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-359-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/4260-530-0x00007FFEEF610000-0x00007FFEF00D1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-361-0x00007FFEEF610000-0x00007FFEF00D1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4528-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4528-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4528-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4808-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-579-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5088-596-0x0000000007600000-0x0000000007610000-memory.dmp

Filesize
64KB

Download
memory/5088-593-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-653-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-574-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/5088-668-0x0000000007600000-0x0000000007610000-memory.dmp

Filesize
64KB

Download
memory/5088-634-0x0000000008140000-0x00000000081A6000-memory.dmp

Filesize
408KB

Download
memory/5436-608-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/5436-628-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/5436-679-0x0000000005E70000-0x0000000006032000-memory.dmp

Filesize
1.8MB

Download
memory/5436-692-0x0000000006060000-0x000000000658C000-memory.dmp

Filesize
5.2MB

Download
memory/5436-614-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5436-625-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5752-388-0x0000000008CA0000-0x00000000092B8000-memory.dmp

Filesize
6.1MB

Download
memory/5752-385-0x0000000007BD0000-0x0000000007BE0000-memory.dmp

Filesize
64KB

Download
memory/5752-393-0x0000000007E80000-0x0000000007E92000-memory.dmp

Filesize
72KB

Download
memory/5752-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5752-395-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/5752-406-0x0000000008060000-0x00000000080AC000-memory.dmp

Filesize
304KB

Download
memory/5752-380-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/5752-531-0x0000000007BD0000-0x0000000007BE0000-memory.dmp

Filesize
64KB

Download
memory/5752-528-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5752-374-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5752-386-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

Filesize
40KB

Download
memory/5752-391-0x0000000007F50000-0x000000000805A000-memory.dmp

Filesize
1.0MB

Download
memory/5820-624-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-536-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/5820-537-0x0000000000730000-0x0000000001480000-memory.dmp

Filesize
13.3MB

Download
memory/6040-637-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/6116-533-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/6116-392-0x0000000000E50000-0x0000000000E8E000-memory.dmp

Filesize
248KB

Download
memory/6116-394-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/6116-409-0x0000000007E70000-0x0000000007E80000-memory.dmp

Filesize
64KB

Download
memory/6116-535-0x0000000007E70000-0x0000000007E80000-memory.dmp

Filesize
64KB

Download