amadey | 86fe8d6667418a410a70df5cc2378c9f92398196d722619c7691c4f701f3ed95

Analysis

max time kernel
31s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4e28196d021a3dbd5a7238d374c7864.exe
Size

268KB
MD5

a4e28196d021a3dbd5a7238d374c7864
SHA1

427c40f7d4d98758a53aa3172860c1cf95563d87
SHA256

86fe8d6667418a410a70df5cc2378c9f92398196d722619c7691c4f701f3ed95
SHA512

0c821630d7a14093059695d562c70eefdc6f851935315c4549b829172166010ed65c4884fe19f47b13e74ec08747bf8ba75c99a8b1700e1c00c5be66433782f2
SSDEEP

6144:HzAZaSpfiocte/Xc44W9wL5IAOZxOt6tNq:HzjSdioCaa6Pxpq

Score

10^/10

amadey dcrat healer redline smokeloader lutyr magia backdoor dropper evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023206-71.dat	healer
behavioral2/memory/2056-72-0x0000000000C40000-0x0000000000C4A000-memory.dmp	healer
behavioral2/files/0x0008000000023206-70.dat	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	CA88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	CA88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	CA88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	CA88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CA88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	CA88.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/memory/2940-91-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/files/0x00060000000231ff-97.dat	family_redline
behavioral2/files/0x00060000000231ff-96.dat	family_redline
behavioral2/memory/3412-99-0x0000000000CB0000-0x0000000000CEE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	C5E2.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	CBE0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 13 IoCs

pid	Process
1884	C35F.exe
1940	C4A9.exe
4696	xK6tV5Pf.exe
5096	ZL8DT3Xh.exe
748	ZP0HI7Nb.exe
3792	C5E2.bat
1888	ug3uv8Yx.exe
856	1Fl46ww5.exe
2636	C910.exe
2056	CA88.exe
4808	CBE0.exe
4368	explothe.exe
3412	2Cc716Pi.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	CA88.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	C35F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xK6tV5Pf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZL8DT3Xh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZP0HI7Nb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ug3uv8Yx.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4516 set thread context of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 1940 set thread context of 2020	1940	C4A9.exe	110
PID 856 set thread context of 1148	856	1Fl46ww5.exe	115
PID 2636 set thread context of 2940	2636	C910.exe	126

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1396	4516	WerFault.exe	84
4232	1940	WerFault.exe	102
3048	856	WerFault.exe	108
1040	1148	WerFault.exe	115
2512	2636	WerFault.exe	112

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	AppLaunch.exe
1248	AppLaunch.exe
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found
772	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1248	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	Process not Found
Token: SeCreatePagefilePrivilege	772	Process not Found
Token: SeShutdownPrivilege	772	Process not Found
Token: SeCreatePagefilePrivilege	772	Process not Found
Token: SeDebugPrivilege	2056	CA88.exe
Token: SeShutdownPrivilege	772	Process not Found
Token: SeCreatePagefilePrivilege	772	Process not Found
Token: SeShutdownPrivilege	772	Process not Found
Token: SeCreatePagefilePrivilege	772	Process not Found
Token: SeShutdownPrivilege	772	Process not Found
Token: SeCreatePagefilePrivilege	772	Process not Found
Token: SeShutdownPrivilege	772	Process not Found
Token: SeCreatePagefilePrivilege	772	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 4516 wrote to memory of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 4516 wrote to memory of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 4516 wrote to memory of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 4516 wrote to memory of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 4516 wrote to memory of 1248	4516	a4e28196d021a3dbd5a7238d374c7864.exe	86
PID 772 wrote to memory of 1884	772	Process not Found	101
PID 772 wrote to memory of 1884	772	Process not Found	101
PID 772 wrote to memory of 1884	772	Process not Found	101
PID 772 wrote to memory of 1940	772	Process not Found	102
PID 772 wrote to memory of 1940	772	Process not Found	102
PID 772 wrote to memory of 1940	772	Process not Found	102
PID 1884 wrote to memory of 4696	1884	C35F.exe	103
PID 1884 wrote to memory of 4696	1884	C35F.exe	103
PID 1884 wrote to memory of 4696	1884	C35F.exe	103
PID 4696 wrote to memory of 5096	4696	xK6tV5Pf.exe	104
PID 4696 wrote to memory of 5096	4696	xK6tV5Pf.exe	104
PID 4696 wrote to memory of 5096	4696	xK6tV5Pf.exe	104
PID 5096 wrote to memory of 748	5096	ZL8DT3Xh.exe	105
PID 5096 wrote to memory of 748	5096	ZL8DT3Xh.exe	105
PID 5096 wrote to memory of 748	5096	ZL8DT3Xh.exe	105
PID 772 wrote to memory of 3792	772	Process not Found	107
PID 772 wrote to memory of 3792	772	Process not Found	107
PID 772 wrote to memory of 3792	772	Process not Found	107
PID 748 wrote to memory of 1888	748	ZP0HI7Nb.exe	106
PID 748 wrote to memory of 1888	748	ZP0HI7Nb.exe	106
PID 748 wrote to memory of 1888	748	ZP0HI7Nb.exe	106
PID 1888 wrote to memory of 856	1888	ug3uv8Yx.exe	108
PID 1888 wrote to memory of 856	1888	ug3uv8Yx.exe	108
PID 1888 wrote to memory of 856	1888	ug3uv8Yx.exe	108
PID 1940 wrote to memory of 4972	1940	C4A9.exe	109
PID 1940 wrote to memory of 4972	1940	C4A9.exe	109
PID 1940 wrote to memory of 4972	1940	C4A9.exe	109
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 1940 wrote to memory of 2020	1940	C4A9.exe	110
PID 772 wrote to memory of 2636	772	Process not Found	112
PID 772 wrote to memory of 2636	772	Process not Found	112
PID 772 wrote to memory of 2636	772	Process not Found	112
PID 3792 wrote to memory of 2816	3792	C5E2.bat	111
PID 3792 wrote to memory of 2816	3792	C5E2.bat	111
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 856 wrote to memory of 1148	856	1Fl46ww5.exe	115
PID 772 wrote to memory of 2056	772	Process not Found	119
PID 772 wrote to memory of 2056	772	Process not Found	119
PID 772 wrote to memory of 4808	772	Process not Found	122
PID 772 wrote to memory of 4808	772	Process not Found	122
PID 772 wrote to memory of 4808	772	Process not Found	122
PID 4808 wrote to memory of 4368	4808	CBE0.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a4e28196d021a3dbd5a7238d374c7864.exe
"C:\Users\Admin\AppData\Local\Temp\a4e28196d021a3dbd5a7238d374c7864.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 416
  2⤵
  - Program crash
  PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4516 -ip 4516
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\C35F.exe
C:\Users\Admin\AppData\Local\Temp\C35F.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xK6tV5Pf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xK6tV5Pf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZL8DT3Xh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZL8DT3Xh.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0HI7Nb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0HI7Nb.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug3uv8Yx.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug3uv8Yx.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fl46ww5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fl46ww5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 540
        8⤵
        Program crash
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 600
        7⤵
        Program crash
        
        PID:3048
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Cc716Pi.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Cc716Pi.exe
        6⤵
        Executes dropped EXE
        
        PID:3412

C:\Users\Admin\AppData\Local\Temp\C4A9.exe
C:\Users\Admin\AppData\Local\Temp\C4A9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 420
  2⤵
  - Program crash
  PID:4232

C:\Users\Admin\AppData\Local\Temp\C5E2.bat
"C:\Users\Admin\AppData\Local\Temp\C5E2.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C6BB.tmp\C6BC.tmp\C6BD.bat C:\Users\Admin\AppData\Local\Temp\C5E2.bat"
  2⤵
  PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa21b46f8,0x7ffaa21b4708,0x7ffaa21b4718
      4⤵
      PID:1628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17864872249732505121,15974663995122372842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      4⤵
      PID:2396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17864872249732505121,15974663995122372842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      4⤵
      PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaa21b46f8,0x7ffaa21b4708,0x7ffaa21b4718
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3140 /prefetch:2
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:3
      4⤵
      PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8
      4⤵
      PID:1040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
      4⤵
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
      4⤵
      PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
      4⤵
      PID:864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
      4⤵
      PID:5632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      4⤵
      PID:5624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
      4⤵
      PID:5884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
      4⤵
      PID:5972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      PID:4956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18437526893421571263,8800806917730178946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
      4⤵
      PID:4960

C:\Users\Admin\AppData\Local\Temp\C910.exe
C:\Users\Admin\AppData\Local\Temp\C910.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 388
  2⤵
  - Program crash
  PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1940 -ip 1940
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 856 -ip 856
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\CA88.exe
C:\Users\Admin\AppData\Local\Temp\CA88.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1148 -ip 1148
1⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\CBE0.exe
C:\Users\Admin\AppData\Local\Temp\CBE0.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4368
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2636 -ip 2636
1⤵
PID:4112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\157D.exe
C:\Users\Admin\AppData\Local\Temp\157D.exe
1⤵
PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a602869e579f44dfa2a249baa8c20fe

SHA1
e0ac4a8508f60cb0408597eb1388b3075e27383f

SHA256
9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5

SHA512
1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fecc48dde35b0306b4396f44acd2f0a3

SHA1
08890cdcba0d11d39e652b9b2dd62582fcc31d8f

SHA256
fb3ce75f61f987d4346b35cef4a28376d0897c6ba06bcb53165ca88c9c72fdfc

SHA512
a967b46d6bf3a8cd183586486f22e760a53a17a03d4c68184448bca2768bb0d675e94043d5419309821ef191e79484f4c2e6cc6ce050c38c81a0a0695c1b4682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b22815473e7cb5bd1e087395f3f062d3

SHA1
d48ccf73a2545ebb4e94da90de9057c07981a95a

SHA256
f910345ad005c016f39b64beb6fa5636422a63002c2676f08f27bb3803464b79

SHA512
34e3b584b8eea34411b5282b3baef0d1af8ec55c1d0ecde353e0434d60df74a1f2a6203b08d27b015103834fe37090a2601968ea39c3704786412eabe4459a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
10f5b64000466c1e6da25fb5a0115924

SHA1
cb253bacf2b087c4040eb3c6a192924234f68639

SHA256
d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b

SHA512
8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1fa77e2bf200e19aa137c442aa60d539

SHA1
e2f9cd23d88e76e21ab4ef7bcc78ecbd96894129

SHA256
36176e35a0b95791d3637733873f2f17accf456b8736ef61dfe9cb7346e5be9e

SHA512
3ea79f0d5e5f42cc460a5a9c9cfe6b5460228ed8d89648236a095916a585496990de0645b89b0b6b7793e09b0ae495da170acda95698f670424136f96f5c87bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9c83924eb8012276f9a10c4bba1840b3

SHA1
0c11f5c8f0448585385e3a7b5a4a542966d49945

SHA256
cb178f83e39c00d60a65068bcc382b4d5a7a7a87a264d1cf274d0ed7517da36a

SHA512
78fa1d54ae54dbe9da54cf6ce68a98bffbcd9ac67b908de89abe5897b14cdcf7fb7b45ad968ccff86d8fdc40d003feef6b6a8ad459d7b9b5920db08a6595fea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9c83924eb8012276f9a10c4bba1840b3

SHA1
0c11f5c8f0448585385e3a7b5a4a542966d49945

SHA256
cb178f83e39c00d60a65068bcc382b4d5a7a7a87a264d1cf274d0ed7517da36a

SHA512
78fa1d54ae54dbe9da54cf6ce68a98bffbcd9ac67b908de89abe5897b14cdcf7fb7b45ad968ccff86d8fdc40d003feef6b6a8ad459d7b9b5920db08a6595fea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\157D.exe

Filesize
2.2MB

MD5
1e26f1c1104e0c3c06991570970654a0

SHA1
eeecaf23e75983514714bb5b663c25f80739605b

SHA256
ce09fb0fc8a5e3d5ea870a230f6cdb789cfca87b4c71a2cfa57396fe17e19854

SHA512
10068f769b14ac18e08022533b0c4844aa23d8950b7e3a77c560129517fb6c800fd4444de70b49c9dca43983bcfeb94c0a7e80730b75bc45f0f141a82c448f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\157D.exe

Filesize
1.8MB

MD5
234164b0576fd64c2513dec3032ceb5f

SHA1
4f2347b0a802b3b0a78abaef8e2d40de49444cad

SHA256
4aed2da10ac6fbb977cbc2043fbaafba77d8e59ac3bc59cd62b1c1517f3f10ee

SHA512
ec2561db9ea472581f76660b7a4039093660ba009965a9b93173ce4cbefea47a5b004cdae1994972ee9fe2fa6345b190b540619f3eab3fccd493aa57807849ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\C35F.exe

Filesize
1.3MB

MD5
0c918e1bf2451521490440c0fd8d2037

SHA1
06596420911676954d20087d152cebfbca190dd1

SHA256
884327d0dc7233ea5f473c66cbcaeaa1c8a51e1fc98ec52a39a94f144f312f9c

SHA512
a042d76b0722aca25a5e994ad2d76ea282c4c1861f59d31d310ef194406d92a7a34246701741111b281389239c112e1b602182e7e75b40eb2f0871519d9816a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C35F.exe

Filesize
1.3MB

MD5
0c918e1bf2451521490440c0fd8d2037

SHA1
06596420911676954d20087d152cebfbca190dd1

SHA256
884327d0dc7233ea5f473c66cbcaeaa1c8a51e1fc98ec52a39a94f144f312f9c

SHA512
a042d76b0722aca25a5e994ad2d76ea282c4c1861f59d31d310ef194406d92a7a34246701741111b281389239c112e1b602182e7e75b40eb2f0871519d9816a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A9.exe

Filesize
449KB

MD5
97aea0ae35cbb7258c2fd5c0db610435

SHA1
3f00ee9831bf5fb3d4c5dd25332b3bbeadaf24b0

SHA256
180d3a69446640a8c5ec447c5df6e597923b3a2c0b9c281ad55fbe70eef3fbb4

SHA512
34bb8cfb012c32d807cccad6d78cab6d20f65c007298400ca9ff470fdf5a5d0cd22ae3d7b6db93c2c03f55a17e826c52459978b7ab7a5aabdd2613a25db4ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A9.exe

Filesize
449KB

MD5
97aea0ae35cbb7258c2fd5c0db610435

SHA1
3f00ee9831bf5fb3d4c5dd25332b3bbeadaf24b0

SHA256
180d3a69446640a8c5ec447c5df6e597923b3a2c0b9c281ad55fbe70eef3fbb4

SHA512
34bb8cfb012c32d807cccad6d78cab6d20f65c007298400ca9ff470fdf5a5d0cd22ae3d7b6db93c2c03f55a17e826c52459978b7ab7a5aabdd2613a25db4ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E2.bat

Filesize
97KB

MD5
9db53ae9e8af72f18e08c8b8955f8035

SHA1
50ae5f80c1246733d54db98fac07380b1b2ff90d

SHA256
d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89

SHA512
3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E2.bat

Filesize
97KB

MD5
9db53ae9e8af72f18e08c8b8955f8035

SHA1
50ae5f80c1246733d54db98fac07380b1b2ff90d

SHA256
d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89

SHA512
3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E2.bat

Filesize
97KB

MD5
9db53ae9e8af72f18e08c8b8955f8035

SHA1
50ae5f80c1246733d54db98fac07380b1b2ff90d

SHA256
d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89

SHA512
3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6BB.tmp\C6BC.tmp\C6BD.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\C910.exe

Filesize
486KB

MD5
b3fc584fb52002bb21ffe6aee0720ae4

SHA1
6cf1215afb3bb6350c60050eb70c72ac5e9a2906

SHA256
a630e217ba6d0e7821fca336d8e39ae22a7656b2cf4c7488dc4316ea9388a0a5

SHA512
9259e1a9fcc66f96dfa67bbcd5175fee1031133917236a5882eafc89228137455c8e11c5e2ac97b57ae12a2ce30ba4fdc41e1bc3debfc53b4a3b066976e40916

Download Submit
C:\Users\Admin\AppData\Local\Temp\C910.exe

Filesize
486KB

MD5
b3fc584fb52002bb21ffe6aee0720ae4

SHA1
6cf1215afb3bb6350c60050eb70c72ac5e9a2906

SHA256
a630e217ba6d0e7821fca336d8e39ae22a7656b2cf4c7488dc4316ea9388a0a5

SHA512
9259e1a9fcc66f96dfa67bbcd5175fee1031133917236a5882eafc89228137455c8e11c5e2ac97b57ae12a2ce30ba4fdc41e1bc3debfc53b4a3b066976e40916

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA88.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA88.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBE0.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBE0.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xK6tV5Pf.exe

Filesize
1.1MB

MD5
be21c5d74e56efbaf1165ede64995c4b

SHA1
fece2320f9ec46e256d5163ad0691fa5f890ddd3

SHA256
b524759324927b48f9ce5430be19a97a2047fd194a83bdf0bb4cc28c0ba20bf8

SHA512
e3ce9f012ecb9bf26c3cb01b948d89fd70ac5a5c94f4b2408d19c3a2df2ebe39f7c30aed764005af4a39b2891ffd92daf80dc264e8bdf476705a447679bd9b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xK6tV5Pf.exe

Filesize
1.1MB

MD5
be21c5d74e56efbaf1165ede64995c4b

SHA1
fece2320f9ec46e256d5163ad0691fa5f890ddd3

SHA256
b524759324927b48f9ce5430be19a97a2047fd194a83bdf0bb4cc28c0ba20bf8

SHA512
e3ce9f012ecb9bf26c3cb01b948d89fd70ac5a5c94f4b2408d19c3a2df2ebe39f7c30aed764005af4a39b2891ffd92daf80dc264e8bdf476705a447679bd9b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZL8DT3Xh.exe

Filesize
949KB

MD5
2676ada1d1d16b276d56768d371bfd01

SHA1
1a82caa78874b598c22c4d81d49c1c896ab3f008

SHA256
871d0c84247aabcc6d2ed846f3f4dbf605472b8dce265037fa66bb4f47be350e

SHA512
08c80a90acc096fa6155dae6c1f7f6d26ae53e623eb41a0b54108ead5c30a25097066c9f49bd18570755919bfe1fe6337c4c99fafee1db71a32710dbd0359dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZL8DT3Xh.exe

Filesize
949KB

MD5
2676ada1d1d16b276d56768d371bfd01

SHA1
1a82caa78874b598c22c4d81d49c1c896ab3f008

SHA256
871d0c84247aabcc6d2ed846f3f4dbf605472b8dce265037fa66bb4f47be350e

SHA512
08c80a90acc096fa6155dae6c1f7f6d26ae53e623eb41a0b54108ead5c30a25097066c9f49bd18570755919bfe1fe6337c4c99fafee1db71a32710dbd0359dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0HI7Nb.exe

Filesize
648KB

MD5
8c665a78260f5f33b1856e57345a966c

SHA1
4f629ef3c2a634362effa1fb867b0c50d96ef8ff

SHA256
7bb99402f3bd024fe95cdd3884ce8e5076921f76b8065d896becd5e3e946e848

SHA512
cf20f4920269ef97f7974e50fe67db5752b5b835d4fdea37ef5416e0c09905113ff44618b4633f9e01c53beabac6442b09887fdbc43614400f7a788d4f17385c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0HI7Nb.exe

Filesize
648KB

MD5
8c665a78260f5f33b1856e57345a966c

SHA1
4f629ef3c2a634362effa1fb867b0c50d96ef8ff

SHA256
7bb99402f3bd024fe95cdd3884ce8e5076921f76b8065d896becd5e3e946e848

SHA512
cf20f4920269ef97f7974e50fe67db5752b5b835d4fdea37ef5416e0c09905113ff44618b4633f9e01c53beabac6442b09887fdbc43614400f7a788d4f17385c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug3uv8Yx.exe

Filesize
451KB

MD5
7b0993131ec891fc05f3c2da3bbc0235

SHA1
92f805a7a142de2ecfe6c6ddd2f3c32378c8475c

SHA256
b4c49bec82d0dd34aaaab837c7d5962172e0773dbb7add1faa9583e4f7c2f555

SHA512
5411489d452355b0d4c11741d963247639fceb717e89c7a7c62032a6c8a1e63cb82d4837b5545b41369943859332bd6d8cd55f5f0e06327a644391366876d9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug3uv8Yx.exe

Filesize
451KB

MD5
7b0993131ec891fc05f3c2da3bbc0235

SHA1
92f805a7a142de2ecfe6c6ddd2f3c32378c8475c

SHA256
b4c49bec82d0dd34aaaab837c7d5962172e0773dbb7add1faa9583e4f7c2f555

SHA512
5411489d452355b0d4c11741d963247639fceb717e89c7a7c62032a6c8a1e63cb82d4837b5545b41369943859332bd6d8cd55f5f0e06327a644391366876d9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fl46ww5.exe

Filesize
449KB

MD5
97aea0ae35cbb7258c2fd5c0db610435

SHA1
3f00ee9831bf5fb3d4c5dd25332b3bbeadaf24b0

SHA256
180d3a69446640a8c5ec447c5df6e597923b3a2c0b9c281ad55fbe70eef3fbb4

SHA512
34bb8cfb012c32d807cccad6d78cab6d20f65c007298400ca9ff470fdf5a5d0cd22ae3d7b6db93c2c03f55a17e826c52459978b7ab7a5aabdd2613a25db4ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fl46ww5.exe

Filesize
449KB

MD5
97aea0ae35cbb7258c2fd5c0db610435

SHA1
3f00ee9831bf5fb3d4c5dd25332b3bbeadaf24b0

SHA256
180d3a69446640a8c5ec447c5df6e597923b3a2c0b9c281ad55fbe70eef3fbb4

SHA512
34bb8cfb012c32d807cccad6d78cab6d20f65c007298400ca9ff470fdf5a5d0cd22ae3d7b6db93c2c03f55a17e826c52459978b7ab7a5aabdd2613a25db4ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fl46ww5.exe

Filesize
449KB

MD5
97aea0ae35cbb7258c2fd5c0db610435

SHA1
3f00ee9831bf5fb3d4c5dd25332b3bbeadaf24b0

SHA256
180d3a69446640a8c5ec447c5df6e597923b3a2c0b9c281ad55fbe70eef3fbb4

SHA512
34bb8cfb012c32d807cccad6d78cab6d20f65c007298400ca9ff470fdf5a5d0cd22ae3d7b6db93c2c03f55a17e826c52459978b7ab7a5aabdd2613a25db4ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Cc716Pi.exe

Filesize
222KB

MD5
9a06e7abfce45cbaf8a798e6fdc888db

SHA1
cb35562df1a2e85c7404e81634c7da2d9c5bb009

SHA256
8f5fdd2a6b3cb4d4627b33076ece8e2adfdb94f5043d8961fb48f0dfcce12134

SHA512
6cdbab2d72ff0f64e3c8daef6a6b940cdcceaccb3118cbd19504dd1a4ed35b25f6b4f87b26e96ac6ec32f43bcbf5963bbcc93d65a8998346dbff6d3e6cc5ebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Cc716Pi.exe

Filesize
222KB

MD5
9a06e7abfce45cbaf8a798e6fdc888db

SHA1
cb35562df1a2e85c7404e81634c7da2d9c5bb009

SHA256
8f5fdd2a6b3cb4d4627b33076ece8e2adfdb94f5043d8961fb48f0dfcce12134

SHA512
6cdbab2d72ff0f64e3c8daef6a6b940cdcceaccb3118cbd19504dd1a4ed35b25f6b4f87b26e96ac6ec32f43bcbf5963bbcc93d65a8998346dbff6d3e6cc5ebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
memory/772-2-0x0000000002B00000-0x0000000002B16000-memory.dmp

Filesize
88KB

Download
memory/1148-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1248-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1248-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-205-0x00007FFA9F070000-0x00007FFA9FB31000-memory.dmp

Filesize
10.8MB

Download
memory/2056-78-0x00007FFA9F070000-0x00007FFA9FB31000-memory.dmp

Filesize
10.8MB

Download
memory/2056-198-0x00007FFA9F070000-0x00007FFA9FB31000-memory.dmp

Filesize
10.8MB

Download
memory/2056-72-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2940-104-0x0000000008C00000-0x0000000009218000-memory.dmp

Filesize
6.1MB

Download
memory/2940-108-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

Filesize
304KB

Download
memory/2940-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-95-0x0000000008030000-0x00000000085D4000-memory.dmp

Filesize
5.6MB

Download
memory/2940-93-0x0000000072CF0000-0x00000000734A0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-105-0x0000000007F00000-0x000000000800A000-memory.dmp

Filesize
1.0MB

Download
memory/2940-102-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/2940-217-0x0000000072CF0000-0x00000000734A0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-98-0x0000000007B20000-0x0000000007BB2000-memory.dmp

Filesize
584KB

Download
memory/2940-101-0x0000000007C20000-0x0000000007C2A000-memory.dmp

Filesize
40KB

Download
memory/2940-263-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/3412-107-0x0000000007D80000-0x0000000007DBC000-memory.dmp

Filesize
240KB

Download
memory/3412-100-0x0000000072CF0000-0x00000000734A0000-memory.dmp

Filesize
7.7MB

Download
memory/3412-99-0x0000000000CB0000-0x0000000000CEE000-memory.dmp

Filesize
248KB

Download
memory/3412-264-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/3412-218-0x0000000072CF0000-0x00000000734A0000-memory.dmp

Filesize
7.7MB

Download
memory/3412-103-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/3412-106-0x0000000007D20000-0x0000000007D32000-memory.dmp

Filesize
72KB

Download