amadey | e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355

Analysis

max time kernel
170s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe
Size

1.0MB
MD5

5c988327781c459d741903b4691e03c4
SHA1

8fb63fd9164fd0c816a40bbbe7f5f8f96dc27434
SHA256

e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355
SHA512

0dbe535cf1334467bbec791afdcebeb16eedb746ad04b76770743fa01bf1a2fb1655de710d1f19e6c5925eea157e5c0e90a6c5b7b1f0238127f347478de1254e
SSDEEP

24576:5ynEnHnK8HpRWS2gL52mJNOwHYc5V68QCQSk/mdc2:snEj/WbgL4mSwHvop2k/+c

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

6012068394_99

https://pastebin.com/raw/8baCJyMF

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3036-40-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3036-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3036-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3036-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4512-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\FDC8.exe	healer
behavioral2/memory/1436-214-0x00000000005E0000-0x00000000005EA000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\FDC8.exe	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5428-486-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

FDC8.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	FDC8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	FDC8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	FDC8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	FDC8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	FDC8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	FDC8.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5024-244-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2tj613Cb.exe	family_redline
behavioral2/memory/3764-371-0x00000000006D0000-0x000000000072A000-memory.dmp	family_redline
behavioral2/memory/5468-373-0x0000000000440000-0x000000000047E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

latestX.exe

description pid process target process

PID 5920 created 3224 5920 latestX.exe Explorer.EXE
Downloads MZ/PE file

description	pid	process	target process
PID 5920 created 3224	5920	latestX.exe	Explorer.EXE

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FA2C.bat21EC.exet1488618.exeexplonde.exeu4209303.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	FA2C.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	21EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	t1488618.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	u4209303.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 43 IoCs

Processes:

z3378011.exez4136972.exez8423801.exez2074909.exeq3902305.exer6536205.exes7700343.exet1488618.exeexplonde.exeu4209303.exelegota.exew5837412.exeCF3Tj3lw.exebj6VD2jb.exefi4Gn0uS.exekA4Op6Bg.exe1eO06Jf9.exeF73C.exepF2Mw3kE.exeF950.exeTn0mc4ZR.exeOt4YM5FX.exeFA2C.bateq7sZ5gl.exeFC6F.exe1UG68Fy3.exeFDC8.exeFF5F.exeexplonde.exelegota.exe21EC.exetoolspub2.exe8318.exe9F5B.exe31839b57a4f11171d6abc8bbc4451ee4.exe2tj613Cb.exesource1.exe2XV582de.exeA6A0.exelatestX.exetoolspub2.exeexplonde.exelegota.exe

pid	process
956	z3378011.exe
3956	z4136972.exe
748	z8423801.exe
5072	z2074909.exe
2616	q3902305.exe
3976	r6536205.exe
2664	s7700343.exe
4560	t1488618.exe
1076	explonde.exe
1596	u4209303.exe
1708	legota.exe
4376	w5837412.exe
4620	CF3Tj3lw.exe
4728	bj6VD2jb.exe
3872	fi4Gn0uS.exe
1640	kA4Op6Bg.exe
1360	1eO06Jf9.exe
4192	F73C.exe
1476	pF2Mw3kE.exe
1488	F950.exe
1680	Tn0mc4ZR.exe
2904	Ot4YM5FX.exe
3600	FA2C.bat
944	eq7sZ5gl.exe
2116	FC6F.exe
760	1UG68Fy3.exe
1436	FDC8.exe
3764	FF5F.exe
3368	explonde.exe
1764	legota.exe
4744	21EC.exe
1792	toolspub2.exe
3764	8318.exe
5436	9F5B.exe
5428	31839b57a4f11171d6abc8bbc4451ee4.exe
5468	2tj613Cb.exe
5708	source1.exe
5752	2XV582de.exe
5860	A6A0.exe
5920	latestX.exe
6068	toolspub2.exe
5968	explonde.exe
1260	legota.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exe8318.exe

pid process

4840 rundll32.exe
3764 8318.exe
3764 8318.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

FDC8.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" FDC8.exe

pid	process
4840	rundll32.exe
3764	8318.exe
3764	8318.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	FDC8.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CF3Tj3lw.exeTn0mc4ZR.exez3378011.exez4136972.exekA4Op6Bg.exeOt4YM5FX.exee7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exeexplonde.exefi4Gn0uS.exebj6VD2jb.exeF73C.exepF2Mw3kE.exez8423801.exez2074909.exefoto3553.exeeq7sZ5gl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CF3Tj3lw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	Tn0mc4ZR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3378011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4136972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	kA4Op6Bg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	Ot4YM5FX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto3553.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000063051\\foto3553.exe"	explonde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	fi4Gn0uS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bj6VD2jb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	F73C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	pF2Mw3kE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8423801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2074909.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000062051\\rus.exe"	explonde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nano.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000064051\\nano.exe"	explonde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto3553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\""	eq7sZ5gl.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

q3902305.exer6536205.exes7700343.exerus.exenano.exe1eO06Jf9.exe1UG68Fy3.exeF950.exeFC6F.exetoolspub2.exesource1.exe

description	pid	process	target process
PID 2616 set thread context of 4512	2616	q3902305.exe	AppLaunch.exe
PID 3976 set thread context of 3036	3976	r6536205.exe	AppLaunch.exe
PID 2664 set thread context of 3104	2664	s7700343.exe	AppLaunch.exe
PID 384 set thread context of 2936	384	rus.exe	AppLaunch.exe
PID 2976 set thread context of 3008	2976	nano.exe	AppLaunch.exe
PID 1360 set thread context of 4040	1360	1eO06Jf9.exe	AppLaunch.exe
PID 760 set thread context of 4088	760	1UG68Fy3.exe	AppLaunch.exe
PID 1488 set thread context of 3404	1488	F950.exe	AppLaunch.exe
PID 2116 set thread context of 5024	2116	FC6F.exe	AppLaunch.exe
PID 1792 set thread context of 6068	1792	toolspub2.exe	toolspub2.exe
PID 5708 set thread context of 3360	5708	source1.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4176	2616	WerFault.exe	q3902305.exe
936	3976	WerFault.exe	r6536205.exe
3596	3036	WerFault.exe	AppLaunch.exe
400	2664	WerFault.exe	s7700343.exe
1276	384	WerFault.exe	rus.exe
1688	2976	WerFault.exe	nano.exe
460	3008	WerFault.exe	AppLaunch.exe
4636	1360	WerFault.exe	1eO06Jf9.exe
4204	4040	WerFault.exe	AppLaunch.exe
2928	760	WerFault.exe	1UG68Fy3.exe
1392	1488	WerFault.exe	F950.exe
1272	3764	WerFault.exe	8318.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

464 schtasks.exe
4412 schtasks.exe

pid	process
464	schtasks.exe
4412	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exepowershell.exeAppLaunch.exeExplorer.EXE

pid	process
4512	AppLaunch.exe
4512	AppLaunch.exe
368	powershell.exe
2936	AppLaunch.exe
2936	AppLaunch.exe
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE
3224	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3224 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

2936 AppLaunch.exe
6068 toolspub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe

pid	process
3224	Explorer.EXE

pid	process
2936	AppLaunch.exe
6068	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exepowershell.exeExplorer.EXEFDC8.exesource1.exe

description	pid	process
Token: SeDebugPrivilege	4512	AppLaunch.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeDebugPrivilege	1436	FDC8.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeDebugPrivilege	5708	source1.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3224 Explorer.EXE

pid	process
3224	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exez3378011.exez4136972.exez8423801.exez2074909.exeq3902305.exer6536205.exes7700343.exet1488618.execmd.exeu4209303.exe

description	pid	process	target process
PID 2892 wrote to memory of 956	2892	e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe	z3378011.exe
PID 2892 wrote to memory of 956	2892	e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe	z3378011.exe
PID 2892 wrote to memory of 956	2892	e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe	z3378011.exe
PID 956 wrote to memory of 3956	956	z3378011.exe	z4136972.exe
PID 956 wrote to memory of 3956	956	z3378011.exe	z4136972.exe
PID 956 wrote to memory of 3956	956	z3378011.exe	z4136972.exe
PID 3956 wrote to memory of 748	3956	z4136972.exe	z8423801.exe
PID 3956 wrote to memory of 748	3956	z4136972.exe	z8423801.exe
PID 3956 wrote to memory of 748	3956	z4136972.exe	z8423801.exe
PID 748 wrote to memory of 5072	748	z8423801.exe	z2074909.exe
PID 748 wrote to memory of 5072	748	z8423801.exe	z2074909.exe
PID 748 wrote to memory of 5072	748	z8423801.exe	z2074909.exe
PID 5072 wrote to memory of 2616	5072	z2074909.exe	q3902305.exe
PID 5072 wrote to memory of 2616	5072	z2074909.exe	q3902305.exe
PID 5072 wrote to memory of 2616	5072	z2074909.exe	q3902305.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 2616 wrote to memory of 4512	2616	q3902305.exe	AppLaunch.exe
PID 5072 wrote to memory of 3976	5072	z2074909.exe	r6536205.exe
PID 5072 wrote to memory of 3976	5072	z2074909.exe	r6536205.exe
PID 5072 wrote to memory of 3976	5072	z2074909.exe	r6536205.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 3976 wrote to memory of 3036	3976	r6536205.exe	AppLaunch.exe
PID 748 wrote to memory of 2664	748	z8423801.exe	s7700343.exe
PID 748 wrote to memory of 2664	748	z8423801.exe	s7700343.exe
PID 748 wrote to memory of 2664	748	z8423801.exe	s7700343.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 2664 wrote to memory of 3104	2664	s7700343.exe	AppLaunch.exe
PID 3956 wrote to memory of 4560	3956	z4136972.exe	t1488618.exe
PID 3956 wrote to memory of 4560	3956	z4136972.exe	t1488618.exe
PID 3956 wrote to memory of 4560	3956	z4136972.exe	t1488618.exe
PID 4560 wrote to memory of 1076	4560	t1488618.exe	explonde.exe
PID 4560 wrote to memory of 1076	4560	t1488618.exe	explonde.exe
PID 4560 wrote to memory of 1076	4560	t1488618.exe	explonde.exe
PID 956 wrote to memory of 1596	956	z3378011.exe	u4209303.exe
PID 956 wrote to memory of 1596	956	z3378011.exe	u4209303.exe
PID 956 wrote to memory of 1596	956	z3378011.exe	u4209303.exe
PID 4380 wrote to memory of 4256	4380	cmd.exe	cmd.exe
PID 4380 wrote to memory of 4256	4380	cmd.exe	cmd.exe
PID 4380 wrote to memory of 4256	4380	cmd.exe	cmd.exe
PID 1596 wrote to memory of 1708	1596	u4209303.exe	legota.exe
PID 1596 wrote to memory of 1708	1596	u4209303.exe	legota.exe
PID 1596 wrote to memory of 1708	1596	u4209303.exe	legota.exe
PID 4380 wrote to memory of 3252	4380	cmd.exe	cacls.exe
PID 4380 wrote to memory of 3252	4380	cmd.exe	cacls.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3224
- C:\Users\Admin\AppData\Local\Temp\e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\e7adfd2f2746d3aafb8afacd7044a2cb0d79ef5c2d673aa2b28a37abcc74e355_JC.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3378011.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3378011.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4136972.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4136972.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8423801.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8423801.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2074909.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2074909.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3902305.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3902305.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 152
        8⤵
        Program crash
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6536205.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6536205.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 540
        9⤵
        Program crash
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 76
        8⤵
        Program crash
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7700343.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7700343.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 592
        7⤵
        Program crash
        
        PID:400
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1488618.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1488618.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000061041\1.ps1"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        8⤵
        
        PID:3716
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17410 /prefetch:2
        9⤵
        
        PID:1304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
        8⤵
        
        PID:5792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x74,0x80,0x104,0xe0,0x108,0x7ffc9bca9758,0x7ffc9bca9768,0x7ffc9bca9778
        9⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\1000062051\rus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000062051\rus.exe"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 136
        8⤵
        Program crash
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\1000063051\foto3553.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000063051\foto3553.exe"
        7⤵
        Adds Run key to start application
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF3Tj3lw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF3Tj3lw.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bj6VD2jb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bj6VD2jb.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fi4Gn0uS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fi4Gn0uS.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kA4Op6Bg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kA4Op6Bg.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1eO06Jf9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1eO06Jf9.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        13⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 540
        14⤵
        Program crash
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 148
        13⤵
        Program crash
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2XV582de.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2XV582de.exe
        12⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\1000064051\nano.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000064051\nano.exe"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 540
        9⤵
        Program crash
        
        PID:460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 148
        8⤵
        Program crash
        
        PID:1688
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        
        PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4209303.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4209303.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1708
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        7⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        7⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        7⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        7⤵
        
        PID:3000
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4840
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5837412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5837412.exe
    3⤵
    - Executes dropped EXE
    PID:4376
- C:\Users\Admin\AppData\Local\Temp\F73C.exe
  C:\Users\Admin\AppData\Local\Temp\F73C.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\pF2Mw3kE.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\pF2Mw3kE.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Tn0mc4ZR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Tn0mc4ZR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1680
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ot4YM5FX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ot4YM5FX.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\eq7sZ5gl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\eq7sZ5gl.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1UG68Fy3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1UG68Fy3.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 580
        8⤵
        Program crash
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2tj613Cb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2tj613Cb.exe
        7⤵
        Executes dropped EXE
        
        PID:5468
- C:\Users\Admin\AppData\Local\Temp\F950.exe
  C:\Users\Admin\AppData\Local\Temp\F950.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 260
    3⤵
    - Program crash
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\FC6F.exe
  C:\Users\Admin\AppData\Local\Temp\FC6F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5024
- C:\Users\Admin\AppData\Local\Temp\FA2C.bat
  "C:\Users\Admin\AppData\Local\Temp\FA2C.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FB91.tmp\FB92.tmp\FB93.bat C:\Users\Admin\AppData\Local\Temp\FA2C.bat"
    3⤵
    PID:1280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca21a46f8,0x7ffca21a4708,0x7ffca21a4718
        5⤵
        
        PID:4792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1524,2045174339984797212,14913600791296145279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:4360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,2045174339984797212,14913600791296145279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        5⤵
        
        PID:3952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
        5⤵
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
        5⤵
        
        PID:460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        5⤵
        
        PID:2340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        5⤵
        
        PID:408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
        5⤵
        
        PID:4292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        5⤵
        
        PID:760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        5⤵
        
        PID:728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
        5⤵
        
        PID:5352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6534482097877052979,11587411331106789929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
        5⤵
        
        PID:3392
- C:\Users\Admin\AppData\Local\Temp\FDC8.exe
  C:\Users\Admin\AppData\Local\Temp\FDC8.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\FF5F.exe
  C:\Users\Admin\AppData\Local\Temp\FF5F.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\21EC.exe
  C:\Users\Admin\AppData\Local\Temp\21EC.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:6068
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:5428
- - C:\Users\Admin\AppData\Local\Temp\source1.exe
    "C:\Users\Admin\AppData\Local\Temp\source1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:3360
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    PID:5920
- C:\Users\Admin\AppData\Local\Temp\8318.exe
  C:\Users\Admin\AppData\Local\Temp\8318.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 792
    3⤵
    - Program crash
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\9F5B.exe
  C:\Users\Admin\AppData\Local\Temp\9F5B.exe
  2⤵
  - Executes dropped EXE
  PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9F5B.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca21a46f8,0x7ffca21a4708,0x7ffca21a4718
      4⤵
      PID:3852
- C:\Users\Admin\AppData\Local\Temp\A6A0.exe
  C:\Users\Admin\AppData\Local\Temp\A6A0.exe
  2⤵
  - Executes dropped EXE
  PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2616 -ip 2616
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3976 -ip 3976
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3036 -ip 3036
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2664 -ip 2664
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 384 -ip 384
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2976 -ip 2976
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3008 -ip 3008
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1360 -ip 1360
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4040 -ip 4040
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1488 -ip 1488
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 760 -ip 760
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4088 -ip 4088
1⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2116 -ip 2116
1⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca21a46f8,0x7ffca21a4708,0x7ffca21a4718
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3764 -ip 3764
1⤵
PID:5988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc1545f40e709a9447a266260fdc751e

SHA1
8afed6d761fb82c918c1d95481170a12fe94af51

SHA256
3dadfc7e0bd965d4d61db057861a84761abf6af17b17250e32b7450c1ddc4d48

SHA512
ed0ae5280736022a9ef6c5878bf3750c2c5473cc122a4511d3fb75eb6188a2c3931c8fa1eaa01203a7748f323ed73c0d2eb4357ac230d14b65d18ac2727d020f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
a9a089bbd99498db390fa741ca293d23

SHA1
9a60fc26dd6e32c3133bdbd5251a0d5196197ace

SHA256
866d11b443883795b0219cd9af67840556e3f37b7a77b897309eb10b82f009c8

SHA512
00fa7c046abcaa094401dd1a9d5944746b5d6d2a109a1309dfab972662c5e21d1e5331dc321fd4b453ab57407e7f2444fda3f514505939efde3f1cab97508693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f93afc207e5bb08264c16a80e184aa2

SHA1
67d6ee219ab4e5123492a55c1d99de03a3234b6f

SHA256
4b5c6339b9e5d18d5b5b7c6dc889aef4a186c9d7d9b7bf58d5d0544a988841d4

SHA512
d568dc45bd7e3a2a4afc09df6db216b92c6f6fb91921e841050f70aa43cecad31e3517b8e69cead90fa450e647e8b4c6a00c1a0c019942f0987e2b45a360cf5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98e59b66985e588e61891febb0dc0798

SHA1
b8f06d150eb5528297ecbe6708dd033b32041a8c

SHA256
34e774e0bdbb83c4ca5c5f5d9848e626ad584f517d6b5117c99bd8181eb0bb9c

SHA512
133d1e2fcbc8abec7658bbe57846c5d337b11f317b4b5bc893940588be8fc91f796e59d783a2685e8a11aec6a867ea7d30699f9b1be314c7f360672c1138f31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
15ad31a14e9a92d2937174141e80c28d

SHA1
b09e8d44c07123754008ba2f9ff4b8d4e332d4e5

SHA256
bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde

SHA512
ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b0071b703fc665e99378866fc72deab8

SHA1
b2bf99aeba5345e3369ff5df7341e520b4afd6ff

SHA256
f8ec3c4b10f414d2bca3ff214b575a8e12190590415183d787ab8faf95cf2c79

SHA512
92d487adc8709232ab8be7b646d9d2ad7f986293a06f25ce81127472ec5ae8b2551a89eee4938c9fbd670cc8f39afafbcbaa9c62457cff963b563c673f19ee0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85f072c5d0123b4a811acf6b430debd4

SHA1
577826cc4da1df3ca039f4abb6e106c68a9d71cf

SHA256
ff2220a859eb2962c485a30b3c02816741a1ebb40528dd08a5c3dc0c3942bcba

SHA512
70a440f50ecb373d71b6c32be9aff6dec09cb75fa063671d3830dc47334206beffcb22b2f92edb518153c544cc1911a7fee481575fb9fe3622c76aa9aca59253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b0df75a5843774c55aaae73f7c5622c1

SHA1
e8837f5461cfcba66bc5c3d2a787831c0c1e2636

SHA256
91aaaf9d9e2d1b52fafbb01212729d4e569d17ed27de8b7972ede95948c6b3e8

SHA512
61f72b442e1cebff9c318d772042d9e0e2ea980da283692995f7caa846c636f4cb22be5fe6f2c4ed3fdc13e951be2a5b3c31907210d62ce2cbead10a41e41b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\21EC.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\21EC.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
C:\Users\Admin\AppData\Local\Temp\F73C.exe

Filesize
1.2MB

MD5
82b79267c00b075a51c703c4f8a6d8da

SHA1
96a88e7d3b66b5e03f9b36de60e9b085b0ca9e09

SHA256
497609f2a6c36aca4477ebe8fa7e8a0a3edc832035bab4de71651b0d4b49e9df

SHA512
a9bb0461d4e8983053cbcab4580812de2e1eea8252db6d7891999793e3c9a22c2dddd345504d0248e200771f0a57c04d73ac32a832b80f7c6728cd40cbb1f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F73C.exe

Filesize
1.2MB

MD5
82b79267c00b075a51c703c4f8a6d8da

SHA1
96a88e7d3b66b5e03f9b36de60e9b085b0ca9e09

SHA256
497609f2a6c36aca4477ebe8fa7e8a0a3edc832035bab4de71651b0d4b49e9df

SHA512
a9bb0461d4e8983053cbcab4580812de2e1eea8252db6d7891999793e3c9a22c2dddd345504d0248e200771f0a57c04d73ac32a832b80f7c6728cd40cbb1f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F950.exe

Filesize
407KB

MD5
10aad9d67dd19dd16e73c56218baa51c

SHA1
ab5ec3b76cd71230e0b371853c3468aa9bd99477

SHA256
f5796fd37d21026bc41e21755d1b9797b9ea32a3d8a3d5f7d0b940677bb7f268

SHA512
0b69d97b729eaa80c3c9cb8b0810dad752bce5b131af3065cc512e4917024309f34c4d88262dada70fcb3da4e65abef955a2b313f72c09cdd5db0c2fc7e6dcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F950.exe

Filesize
407KB

MD5
10aad9d67dd19dd16e73c56218baa51c

SHA1
ab5ec3b76cd71230e0b371853c3468aa9bd99477

SHA256
f5796fd37d21026bc41e21755d1b9797b9ea32a3d8a3d5f7d0b940677bb7f268

SHA512
0b69d97b729eaa80c3c9cb8b0810dad752bce5b131af3065cc512e4917024309f34c4d88262dada70fcb3da4e65abef955a2b313f72c09cdd5db0c2fc7e6dcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA2C.bat

Filesize
97KB

MD5
65fe77999d164d3e3e610057f8335307

SHA1
15d0876b1f6e63d2bb60012467cca69c822c4169

SHA256
0b8dfe9c4304604dab0cdb1dec7ba229133b1a2c7aceeae29de79b50f2a53f6c

SHA512
546859f4c9f588aef27e58686fbdf9d82b682219df22ac416b0bba3ee6ef9d9d2a0bf75df60a212d897019ca9c705881cf8bd5b2cb7c497050b3a720f0b60923

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA2C.bat

Filesize
97KB

MD5
65fe77999d164d3e3e610057f8335307

SHA1
15d0876b1f6e63d2bb60012467cca69c822c4169

SHA256
0b8dfe9c4304604dab0cdb1dec7ba229133b1a2c7aceeae29de79b50f2a53f6c

SHA512
546859f4c9f588aef27e58686fbdf9d82b682219df22ac416b0bba3ee6ef9d9d2a0bf75df60a212d897019ca9c705881cf8bd5b2cb7c497050b3a720f0b60923

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA2C.bat

Filesize
97KB

MD5
65fe77999d164d3e3e610057f8335307

SHA1
15d0876b1f6e63d2bb60012467cca69c822c4169

SHA256
0b8dfe9c4304604dab0cdb1dec7ba229133b1a2c7aceeae29de79b50f2a53f6c

SHA512
546859f4c9f588aef27e58686fbdf9d82b682219df22ac416b0bba3ee6ef9d9d2a0bf75df60a212d897019ca9c705881cf8bd5b2cb7c497050b3a720f0b60923

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB91.tmp\FB92.tmp\FB93.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC6F.exe

Filesize
446KB

MD5
cb6c295f2f164feb0d76a7d22334db32

SHA1
667e7d0df30dfafc21459e02208686cb95b1cec6

SHA256
c38a7d20f8fa6f362ce61b584fefa1bd6f31c600cda7e6f0f2cf9d99d7ac5d37

SHA512
0f6114a3b2e97a8434dcb23c4803cbd555864df39c944668e56502f5f410ea1855c37578503461c0d268a834cc7f0256d90a72c3136b41bd23a9eac041a1cb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC6F.exe

Filesize
446KB

MD5
cb6c295f2f164feb0d76a7d22334db32

SHA1
667e7d0df30dfafc21459e02208686cb95b1cec6

SHA256
c38a7d20f8fa6f362ce61b584fefa1bd6f31c600cda7e6f0f2cf9d99d7ac5d37

SHA512
0f6114a3b2e97a8434dcb23c4803cbd555864df39c944668e56502f5f410ea1855c37578503461c0d268a834cc7f0256d90a72c3136b41bd23a9eac041a1cb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDC8.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDC8.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF5F.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF5F.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF3Tj3lw.exe

Filesize
1.1MB

MD5
6cbe888dee1fd02980d050224535fe52

SHA1
961e76e0ac9edf0d42cc356d26b0c170df7df933

SHA256
5be3bb572a29f7b99316bd2e6ee6c3ec63e2cbfa5484cc1fb39c1b7b65db0896

SHA512
9bed692bf6322a75761b8eb92bf89fd62d618b07360e5aa9c752079e22665674bbaa155dfbd0623ddd3a1181e56867aff134a0826c4414287d55f98bc95f2d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF3Tj3lw.exe

Filesize
1.1MB

MD5
6cbe888dee1fd02980d050224535fe52

SHA1
961e76e0ac9edf0d42cc356d26b0c170df7df933

SHA256
5be3bb572a29f7b99316bd2e6ee6c3ec63e2cbfa5484cc1fb39c1b7b65db0896

SHA512
9bed692bf6322a75761b8eb92bf89fd62d618b07360e5aa9c752079e22665674bbaa155dfbd0623ddd3a1181e56867aff134a0826c4414287d55f98bc95f2d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5837412.exe

Filesize
22KB

MD5
1258ba0e7d1b95567cb886b5b67ab69c

SHA1
e6875c3dfc9404cbf0fbef459e6113c925138fff

SHA256
1d4a40a3cf9aefdfde9bcd4431b4feb73172a6ff2d98b3eac04213a35c3b3516

SHA512
4dede04819614c52cea96e5a1f71868adf320366034da8050209654152a89ba5e9b1f00cd5d635705447c6964863bf52f9c2741056a2328e356cedd63ea79a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5837412.exe

Filesize
22KB

MD5
1258ba0e7d1b95567cb886b5b67ab69c

SHA1
e6875c3dfc9404cbf0fbef459e6113c925138fff

SHA256
1d4a40a3cf9aefdfde9bcd4431b4feb73172a6ff2d98b3eac04213a35c3b3516

SHA512
4dede04819614c52cea96e5a1f71868adf320366034da8050209654152a89ba5e9b1f00cd5d635705447c6964863bf52f9c2741056a2328e356cedd63ea79a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3378011.exe

Filesize
965KB

MD5
755efdc8f0436991868090bc50b5137d

SHA1
b54a47a8eec2260bc47c13474457766329b32e33

SHA256
8112362eb93ce4be85e9174b4438d7d6b743f966dc5fd8849e33bd1b2f12a574

SHA512
9270c4b1dc985d77010272623a26ea2450a42977c358a48604eea18ccb71f705e66d2ba1e536574e6fc27a831b6ce93bfba3e2859f4251acf4d3f9ab0c243e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3378011.exe

Filesize
965KB

MD5
755efdc8f0436991868090bc50b5137d

SHA1
b54a47a8eec2260bc47c13474457766329b32e33

SHA256
8112362eb93ce4be85e9174b4438d7d6b743f966dc5fd8849e33bd1b2f12a574

SHA512
9270c4b1dc985d77010272623a26ea2450a42977c358a48604eea18ccb71f705e66d2ba1e536574e6fc27a831b6ce93bfba3e2859f4251acf4d3f9ab0c243e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bj6VD2jb.exe

Filesize
921KB

MD5
4b6e33c2ff58e0568baec741eadc2359

SHA1
b37d29dec5ce443207c857a251e6b055e285c714

SHA256
e3c84f8f0bab96349abb9a7a575ff959edffd2bc83c0b25fcd2f87e41f6aa741

SHA512
33e6cb6c2677330211df01958fea85295bbde12c6406d5eee9f7ff240d0991743747635e7c083e5a9b2709c4352accb6537d4ba4aab8689c191f87476339b2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bj6VD2jb.exe

Filesize
921KB

MD5
4b6e33c2ff58e0568baec741eadc2359

SHA1
b37d29dec5ce443207c857a251e6b055e285c714

SHA256
e3c84f8f0bab96349abb9a7a575ff959edffd2bc83c0b25fcd2f87e41f6aa741

SHA512
33e6cb6c2677330211df01958fea85295bbde12c6406d5eee9f7ff240d0991743747635e7c083e5a9b2709c4352accb6537d4ba4aab8689c191f87476339b2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4209303.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4209303.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4136972.exe

Filesize
782KB

MD5
4b83b0a89f9247f1f8382d4149612272

SHA1
3f6d8b97cf85d4a063b18ed8bf49bfd52c3affd9

SHA256
3b53741fee60713cb967ebf82b0f0151393782546a4c631ccce0ed7b5d2b4976

SHA512
e481d98f569b8f92e2c1eadc78a4630eb0a57a092b9dcb90c5b4075a75e848bedbbabe742fbf2f765b0e3591562fbcbd7d87bd72a9fd74ea46c3bfbf614b3d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4136972.exe

Filesize
782KB

MD5
4b83b0a89f9247f1f8382d4149612272

SHA1
3f6d8b97cf85d4a063b18ed8bf49bfd52c3affd9

SHA256
3b53741fee60713cb967ebf82b0f0151393782546a4c631ccce0ed7b5d2b4976

SHA512
e481d98f569b8f92e2c1eadc78a4630eb0a57a092b9dcb90c5b4075a75e848bedbbabe742fbf2f765b0e3591562fbcbd7d87bd72a9fd74ea46c3bfbf614b3d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fi4Gn0uS.exe

Filesize
633KB

MD5
a0a9ba6b4793a8ed380de9311ef1ff90

SHA1
c16320fa4c795477cf73edd6c7cd2ec9fad1d51b

SHA256
813f1ef90717a51c4895adde80cc762f87d1784a2e58c9ac14fc6c3af8d237c2

SHA512
b190fc2ceaed526ada542ae02ba37a2c67b9272b416a8de71b2e74a2e0d0244d73bdd1c06e70322f60945d480b2e84c2401edae5e0dadbff9a895171ae498ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fi4Gn0uS.exe

Filesize
633KB

MD5
a0a9ba6b4793a8ed380de9311ef1ff90

SHA1
c16320fa4c795477cf73edd6c7cd2ec9fad1d51b

SHA256
813f1ef90717a51c4895adde80cc762f87d1784a2e58c9ac14fc6c3af8d237c2

SHA512
b190fc2ceaed526ada542ae02ba37a2c67b9272b416a8de71b2e74a2e0d0244d73bdd1c06e70322f60945d480b2e84c2401edae5e0dadbff9a895171ae498ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1488618.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1488618.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8423801.exe

Filesize
600KB

MD5
de9c780946faca9dcb2a7ef78ff5afe5

SHA1
d0c5d49c41f1c925e366e6d76cd24c05aee1fe4d

SHA256
f6263f616a7f5b8473c122ae73ea05f97f320383cb10b1526fa9a40d26559b7b

SHA512
9217356e32c161ada16f874f6b41a922a4737ebc78bc1afc6a68940b3fffa6110f57f26147d8faeb28eb0aaaebd1f7b33f40d32fca0931de1725acc8e6cd96d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8423801.exe

Filesize
600KB

MD5
de9c780946faca9dcb2a7ef78ff5afe5

SHA1
d0c5d49c41f1c925e366e6d76cd24c05aee1fe4d

SHA256
f6263f616a7f5b8473c122ae73ea05f97f320383cb10b1526fa9a40d26559b7b

SHA512
9217356e32c161ada16f874f6b41a922a4737ebc78bc1afc6a68940b3fffa6110f57f26147d8faeb28eb0aaaebd1f7b33f40d32fca0931de1725acc8e6cd96d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7700343.exe

Filesize
380KB

MD5
5570609c5c5828b8c7c0e0a59704104d

SHA1
fee824527156c32b63f788421ec8e4049678d7a4

SHA256
0e90a9f4f5ecc3c9261837a7028c475095e919c8d702a039710180374dc1b71c

SHA512
b7e0d499ccb16184254e053f10264022ce28ffeb7a8e08c8169f6c01941b24c4eded5499d0102bd81e56e860a4e9de1d1669d87e976224da5b43b92719a77be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7700343.exe

Filesize
380KB

MD5
5570609c5c5828b8c7c0e0a59704104d

SHA1
fee824527156c32b63f788421ec8e4049678d7a4

SHA256
0e90a9f4f5ecc3c9261837a7028c475095e919c8d702a039710180374dc1b71c

SHA512
b7e0d499ccb16184254e053f10264022ce28ffeb7a8e08c8169f6c01941b24c4eded5499d0102bd81e56e860a4e9de1d1669d87e976224da5b43b92719a77be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2074909.exe

Filesize
337KB

MD5
0c2d296e87a649e8ea966bd73cce083c

SHA1
9f3d9d4a803fd9c4d00f98ed86c2781be99d4537

SHA256
8e695b043aadac3b0b6120cc8b774a623a62ffab0fd1f55a6445d2fe3f5590ab

SHA512
9992e8fec4b3258f9c4da227a61dcfb9568d6bda7be934d4909b63cfe9b94d9c7cc5877def5d9980d6e65c496e48d74cfc9baedd85b783e7a1a09aa71616d5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2074909.exe

Filesize
337KB

MD5
0c2d296e87a649e8ea966bd73cce083c

SHA1
9f3d9d4a803fd9c4d00f98ed86c2781be99d4537

SHA256
8e695b043aadac3b0b6120cc8b774a623a62ffab0fd1f55a6445d2fe3f5590ab

SHA512
9992e8fec4b3258f9c4da227a61dcfb9568d6bda7be934d4909b63cfe9b94d9c7cc5877def5d9980d6e65c496e48d74cfc9baedd85b783e7a1a09aa71616d5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kA4Op6Bg.exe

Filesize
436KB

MD5
e3cdcd01197f874c53c494a8bf5ef5b2

SHA1
ae62c7d81b0e6b596e3865b22aecaa892286e35d

SHA256
02541a67d0007e8cf627f482903eda794a3151e725daac5cbbc5c841a9b7b963

SHA512
4789a13ad54c748a2da7d42c51445e22f5fe974824a75549b6384eba83e0bf2de40778c9ac05ba1b233d8ed56ca83dc1740c4a0acf04f28cea4b26ac5512b427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kA4Op6Bg.exe

Filesize
436KB

MD5
e3cdcd01197f874c53c494a8bf5ef5b2

SHA1
ae62c7d81b0e6b596e3865b22aecaa892286e35d

SHA256
02541a67d0007e8cf627f482903eda794a3151e725daac5cbbc5c841a9b7b963

SHA512
4789a13ad54c748a2da7d42c51445e22f5fe974824a75549b6384eba83e0bf2de40778c9ac05ba1b233d8ed56ca83dc1740c4a0acf04f28cea4b26ac5512b427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3902305.exe

Filesize
217KB

MD5
1f1917340fb5dd49c5a68300344e7ac1

SHA1
c9cbf671cb05d893f9334132b32d4e55a9eb0669

SHA256
1224843696123c4741566202711ebd64dff1221d171894f5aeccee958baf7a71

SHA512
df6b3b060f3bf0adc2ada6ce4409ba2bef8838deddc6be0f91f699fbef32425f539b1bafe0a6a50fd5460a5571beb79661dcdab84ee43795a330d1263b81bfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3902305.exe

Filesize
217KB

MD5
1f1917340fb5dd49c5a68300344e7ac1

SHA1
c9cbf671cb05d893f9334132b32d4e55a9eb0669

SHA256
1224843696123c4741566202711ebd64dff1221d171894f5aeccee958baf7a71

SHA512
df6b3b060f3bf0adc2ada6ce4409ba2bef8838deddc6be0f91f699fbef32425f539b1bafe0a6a50fd5460a5571beb79661dcdab84ee43795a330d1263b81bfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6536205.exe

Filesize
346KB

MD5
78fb9de54b424e1e9c14984c9b844f91

SHA1
39a41337fe326b85e6e237e9c885a58f647b6a7a

SHA256
37bc2c7917682ea8887ef1e13c89c47fb4fbe8d34644d83603033cbeff9fc1d8

SHA512
9b8b0a5cc862bd0e23651b17f3e656ad4a167baa5b948c1ea762e07842e8b4da0fa6a5df929271dfbece04a6917433a0b05c3265864f700642b635f83b8cf221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6536205.exe

Filesize
346KB

MD5
78fb9de54b424e1e9c14984c9b844f91

SHA1
39a41337fe326b85e6e237e9c885a58f647b6a7a

SHA256
37bc2c7917682ea8887ef1e13c89c47fb4fbe8d34644d83603033cbeff9fc1d8

SHA512
9b8b0a5cc862bd0e23651b17f3e656ad4a167baa5b948c1ea762e07842e8b4da0fa6a5df929271dfbece04a6917433a0b05c3265864f700642b635f83b8cf221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1eO06Jf9.exe

Filesize
407KB

MD5
4f68bf0c7a9f6e0973ea96c078ffc6ba

SHA1
bf71e713c1a736300f21e383f9c8a2f39d5cc678

SHA256
d4bfe4bd12b6aa12b9d27700423a1437286a009469de5ebe77145ab8768f1772

SHA512
bc57d4a71a478e9816748131c2b6e08d619ca34634932d98dbc859cb7eed835717c02eec9750af66b0b5830b65f254110bae6831ceb0ff5e350c29696d97644c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1eO06Jf9.exe

Filesize
407KB

MD5
4f68bf0c7a9f6e0973ea96c078ffc6ba

SHA1
bf71e713c1a736300f21e383f9c8a2f39d5cc678

SHA256
d4bfe4bd12b6aa12b9d27700423a1437286a009469de5ebe77145ab8768f1772

SHA512
bc57d4a71a478e9816748131c2b6e08d619ca34634932d98dbc859cb7eed835717c02eec9750af66b0b5830b65f254110bae6831ceb0ff5e350c29696d97644c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\pF2Mw3kE.exe

Filesize
1.1MB

MD5
e6affd6c86aa0a21d036158aa518a88c

SHA1
57a97d7398b4f15edb146ba0763e3a24663368eb

SHA256
bc054c474ec1a2053e9a33197f518374ae2939dd17289ed1d00f5c2b1af4ac3b

SHA512
1330dc9e5e08e955f3233651f05f12fb103dab5593de72bf1a7098efa8d1259582f47d4e748342898c6da907091f06a296c943f02e60cffa5524cb929bd11ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\pF2Mw3kE.exe

Filesize
1.1MB

MD5
e6affd6c86aa0a21d036158aa518a88c

SHA1
57a97d7398b4f15edb146ba0763e3a24663368eb

SHA256
bc054c474ec1a2053e9a33197f518374ae2939dd17289ed1d00f5c2b1af4ac3b

SHA512
1330dc9e5e08e955f3233651f05f12fb103dab5593de72bf1a7098efa8d1259582f47d4e748342898c6da907091f06a296c943f02e60cffa5524cb929bd11ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Tn0mc4ZR.exe

Filesize
921KB

MD5
b33e13f0f171995e85aec93189b70fe1

SHA1
5f613ae0c618217c1dda19eea2ecd0818ac65a94

SHA256
02f019f33b42438f0cb075345cc02b85e594f96ca41603f231edd7a3bd501663

SHA512
bdc6c73fc5c03286097110a0c568802843aba373caf1a3f60004df08a664f77eb2c3aec6908cc754ac043dd3a6ac3042f8ccb616672882ba5415600fb695e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Tn0mc4ZR.exe

Filesize
921KB

MD5
b33e13f0f171995e85aec93189b70fe1

SHA1
5f613ae0c618217c1dda19eea2ecd0818ac65a94

SHA256
02f019f33b42438f0cb075345cc02b85e594f96ca41603f231edd7a3bd501663

SHA512
bdc6c73fc5c03286097110a0c568802843aba373caf1a3f60004df08a664f77eb2c3aec6908cc754ac043dd3a6ac3042f8ccb616672882ba5415600fb695e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ot4YM5FX.exe

Filesize
633KB

MD5
7eb0fbc64a21241414c7ecb0160b7bb3

SHA1
5a756dcfe97671e2c856c7a8075ff7216fb6c88c

SHA256
b374b9d53cb9e91de205875391d7160d29afb043291fcf83ac10a20984de0020

SHA512
5f2ae9efa4a6738bc52a166874b1d8f840fe8e9794df6cfda52e9a3f775fd3600007622c405644888a684b7521765f5b998f746a0048773a0b7d5326126eaec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ot4YM5FX.exe

Filesize
633KB

MD5
7eb0fbc64a21241414c7ecb0160b7bb3

SHA1
5a756dcfe97671e2c856c7a8075ff7216fb6c88c

SHA256
b374b9d53cb9e91de205875391d7160d29afb043291fcf83ac10a20984de0020

SHA512
5f2ae9efa4a6738bc52a166874b1d8f840fe8e9794df6cfda52e9a3f775fd3600007622c405644888a684b7521765f5b998f746a0048773a0b7d5326126eaec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\eq7sZ5gl.exe

Filesize
436KB

MD5
5674e2403bb2bdc6aea1c6801828a95e

SHA1
67d1aff153e24be10ab809b99ff196c8a5866073

SHA256
bf5c5aa6f0dabbb42a653c470c5da7a024b302dadf5e3128293c6860f58c5a7b

SHA512
371f15e60a1764d9fe20e8116335011eca785d63ff11f7d04fae824956aefca7dc8321e1696dbe5002a63f8be91c7a6e0a2822b0b578116362b5fd7ff18ff1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\eq7sZ5gl.exe

Filesize
436KB

MD5
5674e2403bb2bdc6aea1c6801828a95e

SHA1
67d1aff153e24be10ab809b99ff196c8a5866073

SHA256
bf5c5aa6f0dabbb42a653c470c5da7a024b302dadf5e3128293c6860f58c5a7b

SHA512
371f15e60a1764d9fe20e8116335011eca785d63ff11f7d04fae824956aefca7dc8321e1696dbe5002a63f8be91c7a6e0a2822b0b578116362b5fd7ff18ff1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1UG68Fy3.exe

Filesize
407KB

MD5
852f56210c8576cf6202480087461d06

SHA1
3d71a2a6e60c2689450892dd0f5c803a2b5be326

SHA256
258d1831c983474d56641317cbd6eae08b56545a6b4210308440f9d441251067

SHA512
b1044f88bf28b7baaedce39b73deb6b02096f035f06b54987f18f76cb039354af45e7edad3fd7021ec97b78f8dde6224a9269fbad98f1c83551fb1af8323e50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1UG68Fy3.exe

Filesize
407KB

MD5
852f56210c8576cf6202480087461d06

SHA1
3d71a2a6e60c2689450892dd0f5c803a2b5be326

SHA256
258d1831c983474d56641317cbd6eae08b56545a6b4210308440f9d441251067

SHA512
b1044f88bf28b7baaedce39b73deb6b02096f035f06b54987f18f76cb039354af45e7edad3fd7021ec97b78f8dde6224a9269fbad98f1c83551fb1af8323e50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2tj613Cb.exe

Filesize
221KB

MD5
546b1de1a4e2b74189f3db69c1a02c84

SHA1
7b7bcdc6ff14e45018e08a8172f6dd47f97b60ec

SHA256
04f0d1ed5b49681cf7e8ffe9e787f0d956c247b1d6efb1957b65c47b2a29641b

SHA512
c40222759691605d826d6ff63fc5cc23ad59abbe604e4b3e421a1c31354c5b1392874984361338c32241b0416fc363033e1531d19e9c9becdafeb828ec63f48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5j4dhlwn.w50.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\source1.exe

Filesize
5.1MB

MD5
e082a92a00272a3c1cd4b0de30967a79

SHA1
16c391acf0f8c637d36a93e217591d8319e3f041

SHA256
eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc

SHA512
26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
memory/368-96-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/368-350-0x000000006E4E0000-0x000000006E52C000-memory.dmp

Filesize
304KB

Download
memory/368-320-0x000000007FB50000-0x000000007FB60000-memory.dmp

Filesize
64KB

Download
memory/368-113-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/368-112-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/368-89-0x00000000025A0000-0x00000000025D6000-memory.dmp

Filesize
216KB

Download
memory/368-397-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/368-248-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/368-90-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/368-94-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/368-252-0x0000000007560000-0x0000000007B04000-memory.dmp

Filesize
5.6MB

Download
memory/368-242-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/368-158-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/368-246-0x0000000006360000-0x0000000006382000-memory.dmp

Filesize
136KB

Download
memory/368-93-0x0000000005130000-0x0000000005152000-memory.dmp

Filesize
136KB

Download
memory/368-92-0x00000000051D0000-0x00000000057F8000-memory.dmp

Filesize
6.2MB

Download
memory/368-222-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/368-363-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/368-347-0x0000000006480000-0x00000000064B2000-memory.dmp

Filesize
200KB

Download
memory/368-91-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/368-360-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/368-229-0x0000000006F10000-0x0000000006FA6000-memory.dmp

Filesize
600KB

Download
memory/368-95-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/1436-239-0x00007FFCA4440000-0x00007FFCA4F01000-memory.dmp

Filesize
10.8MB

Download
memory/1436-220-0x00007FFCA4440000-0x00007FFCA4F01000-memory.dmp

Filesize
10.8MB

Download
memory/1436-214-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1436-253-0x00007FFCA4440000-0x00007FFCA4F01000-memory.dmp

Filesize
10.8MB

Download
memory/1792-401-0x00000000022E0000-0x00000000022E9000-memory.dmp

Filesize
36KB

Download
memory/2936-106-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2936-107-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2936-109-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3008-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3036-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3036-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3036-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3104-74-0x000000000A950000-0x000000000A99C000-memory.dmp

Filesize
304KB

Download
memory/3104-61-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3104-60-0x000000000A840000-0x000000000A94A000-memory.dmp

Filesize
1.0MB

Download
memory/3104-63-0x000000000A750000-0x000000000A762000-memory.dmp

Filesize
72KB

Download
memory/3104-49-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3104-88-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3104-52-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3104-58-0x000000000AD50000-0x000000000B368000-memory.dmp

Filesize
6.1MB

Download
memory/3104-66-0x000000000A7B0000-0x000000000A7EC000-memory.dmp

Filesize
240KB

Download
memory/3104-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3104-51-0x00000000051D0000-0x00000000051D6000-memory.dmp

Filesize
24KB

Download
memory/3224-450-0x0000000003020000-0x0000000003036000-memory.dmp

Filesize
88KB

Download
memory/3224-108-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/3404-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-349-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3764-400-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3764-371-0x00000000006D0000-0x000000000072A000-memory.dmp

Filesize
360KB

Download
memory/4040-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-86-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4512-50-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4512-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4512-36-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4744-275-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4744-398-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4744-276-0x0000000000820000-0x000000000174A000-memory.dmp

Filesize
15.2MB

Download
memory/4744-300-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/5024-245-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/5024-270-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/5024-277-0x0000000007780000-0x0000000007790000-memory.dmp

Filesize
64KB

Download
memory/5024-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-254-0x0000000007530000-0x00000000075C2000-memory.dmp

Filesize
584KB

Download
memory/5024-260-0x0000000007780000-0x0000000007790000-memory.dmp

Filesize
64KB

Download
memory/5024-271-0x0000000007500000-0x000000000750A000-memory.dmp

Filesize
40KB

Download
memory/5428-486-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/5436-411-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/5468-374-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/5468-394-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/5468-373-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/5708-506-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-508-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-391-0x0000000000B20000-0x0000000001036000-memory.dmp

Filesize
5.1MB

Download
memory/5708-502-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-503-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-520-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-392-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/5708-518-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-510-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-514-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-512-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5708-516-0x0000000005B80000-0x0000000005B95000-memory.dmp

Filesize
84KB

Download
memory/5752-402-0x0000000007BE0000-0x0000000007BF0000-memory.dmp

Filesize
64KB

Download
memory/5752-396-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/6068-451-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6068-407-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download