amadey | 04edc8669856f78c88c9fd9697fb5f8ba5250054da2f133fbf67c3ac15b806ce

Analysis

max time kernel
134s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

881eb140d503a417f9dd8a4e8382bfa3
SHA1

06c756e61758544c880c14480c1ba0a378999138
SHA256

04edc8669856f78c88c9fd9697fb5f8ba5250054da2f133fbf67c3ac15b806ce
SHA512

58ef53ecb919883605a87604d46f8405f6c09c66f6cf85652d94ccbaccfcf5ee48e63cfe17b409debd1dca51c02177ed3269112136ee5a18b29abef9b05556b5
SSDEEP

12288:yMrSy90+QBicNC0j/a8x01BOwPq3w65OE5vTkwkpOeekMNr8BBiTDrnf3zIzn36a:QyLQ9/OCAfcEO9zVQgLIznOwnSov

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

pixelscloud

85.209.176.171:80

Extracted

Family

redline

Botnet

6012068394_99

https://pastebin.com/raw/8baCJyMF

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023061-121.dat	healer
behavioral2/memory/4408-126-0x0000000000130000-0x000000000013A000-memory.dmp	healer
behavioral2/files/0x0007000000023061-122.dat	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral2/memory/4680-314-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	FF3A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	FF3A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	FF3A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	FF3A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	FF3A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	FF3A.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral2/memory/2540-51-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/files/0x000700000002306c-196.dat	family_redline
behavioral2/memory/1140-200-0x00000000020F0000-0x000000000214A000-memory.dmp	family_redline
behavioral2/memory/1884-206-0x00000000006B0000-0x00000000006CE000-memory.dmp	family_redline
behavioral2/files/0x000700000002306c-205.dat	family_redline
behavioral2/files/0x0006000000023060-285.dat	family_redline
behavioral2/files/0x0006000000023060-286.dat	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002306c-196.dat	family_sectoprat
behavioral2/memory/1884-206-0x00000000006B0000-0x00000000006CE000-memory.dmp	family_sectoprat
behavioral2/files/0x000700000002306c-205.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	FA18.bat
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	5CZ4sr6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	A2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	2D9F.exe

Executes dropped EXE 30 IoCs

pid	Process
3964	hw8DN76.exe
4672	ZE9PB32.exe
4428	VG2rQ62.exe
3940	1Hc93cw6.exe
1452	2BB9104.exe
2148	3QQ41KO.exe
4136	4Xo359Ze.exe
4536	5CZ4sr6.exe
3088	F737.exe
4892	Xk3rD5tp.exe
4300	F8FD.exe
5092	TQ7hK3Ty.exe
4796	zw3Vx7ss.exe
4476	FA18.bat
4940	za5EU1Jq.exe
4972	FDC2.exe
4408	FF3A.exe
3940	1zV53qy0.exe
1380	A2.exe
4204	explothe.exe
2040	2D9F.exe
1140	3800.exe
2044	3AB1.exe
1884	3E8A.exe
4360	toolspub2.exe
4680	31839b57a4f11171d6abc8bbc4451ee4.exe
4732	source1.exe
2168	latestX.exe
4092	toolspub2.exe
556	2Oi187es.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	FF3A.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	TQ7hK3Ty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	zw3Vx7ss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZE9PB32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	F737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Xk3rD5tp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hw8DN76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	VG2rQ62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	za5EU1Jq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3940 set thread context of 2012	3940	1Hc93cw6.exe	91
PID 1452 set thread context of 4688	1452	2BB9104.exe	99
PID 2148 set thread context of 4424	2148	3QQ41KO.exe	106
PID 4136 set thread context of 2540	4136	4Xo359Ze.exe	111
PID 4300 set thread context of 3196	4300	F8FD.exe	135
PID 3940 set thread context of 1240	3940	1zV53qy0.exe	152
PID 4972 set thread context of 3312	4972	FDC2.exe	154
PID 4360 set thread context of 4092	4360	toolspub2.exe	164

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2180	3940	WerFault.exe	89
784	1452	WerFault.exe	97
1944	4688	WerFault.exe	99
644	2148	WerFault.exe	104
4000	4136	WerFault.exe	110
3580	4300	WerFault.exe	119
4744	3940	WerFault.exe	127
2200	4972	WerFault.exe	124
1424	1240	WerFault.exe	152

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	AppLaunch.exe
4424	AppLaunch.exe
2012	AppLaunch.exe
2012	AppLaunch.exe
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found
536	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
536	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4424	AppLaunch.exe
4092	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	AppLaunch.exe
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeDebugPrivilege	4408	FF3A.exe
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeDebugPrivilege	4732	source1.exe
Token: SeDebugPrivilege	2044	3AB1.exe
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found
Token: SeShutdownPrivilege	536	Process not Found
Token: SeCreatePagefilePrivilege	536	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 3964	2020	file.exe	86
PID 2020 wrote to memory of 3964	2020	file.exe	86
PID 2020 wrote to memory of 3964	2020	file.exe	86
PID 3964 wrote to memory of 4672	3964	hw8DN76.exe	87
PID 3964 wrote to memory of 4672	3964	hw8DN76.exe	87
PID 3964 wrote to memory of 4672	3964	hw8DN76.exe	87
PID 4672 wrote to memory of 4428	4672	ZE9PB32.exe	88
PID 4672 wrote to memory of 4428	4672	ZE9PB32.exe	88
PID 4672 wrote to memory of 4428	4672	ZE9PB32.exe	88
PID 4428 wrote to memory of 3940	4428	VG2rQ62.exe	89
PID 4428 wrote to memory of 3940	4428	VG2rQ62.exe	89
PID 4428 wrote to memory of 3940	4428	VG2rQ62.exe	89
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 3940 wrote to memory of 2012	3940	1Hc93cw6.exe	91
PID 4428 wrote to memory of 1452	4428	VG2rQ62.exe	97
PID 4428 wrote to memory of 1452	4428	VG2rQ62.exe	97
PID 4428 wrote to memory of 1452	4428	VG2rQ62.exe	97
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 1452 wrote to memory of 4688	1452	2BB9104.exe	99
PID 4672 wrote to memory of 2148	4672	ZE9PB32.exe	104
PID 4672 wrote to memory of 2148	4672	ZE9PB32.exe	104
PID 4672 wrote to memory of 2148	4672	ZE9PB32.exe	104
PID 2148 wrote to memory of 4424	2148	3QQ41KO.exe	106
PID 2148 wrote to memory of 4424	2148	3QQ41KO.exe	106
PID 2148 wrote to memory of 4424	2148	3QQ41KO.exe	106
PID 2148 wrote to memory of 4424	2148	3QQ41KO.exe	106
PID 2148 wrote to memory of 4424	2148	3QQ41KO.exe	106
PID 2148 wrote to memory of 4424	2148	3QQ41KO.exe	106
PID 3964 wrote to memory of 4136	3964	hw8DN76.exe	110
PID 3964 wrote to memory of 4136	3964	hw8DN76.exe	110
PID 3964 wrote to memory of 4136	3964	hw8DN76.exe	110
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 4136 wrote to memory of 2540	4136	4Xo359Ze.exe	111
PID 2020 wrote to memory of 4536	2020	file.exe	114
PID 2020 wrote to memory of 4536	2020	file.exe	114
PID 2020 wrote to memory of 4536	2020	file.exe	114
PID 536 wrote to memory of 3088	536	Process not Found	116
PID 536 wrote to memory of 3088	536	Process not Found	116
PID 536 wrote to memory of 3088	536	Process not Found	116
PID 3088 wrote to memory of 4892	3088	F737.exe	117
PID 3088 wrote to memory of 4892	3088	F737.exe	117
PID 3088 wrote to memory of 4892	3088	F737.exe	117
PID 536 wrote to memory of 4300	536	Process not Found	119
PID 536 wrote to memory of 4300	536	Process not Found	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hw8DN76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hw8DN76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZE9PB32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZE9PB32.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VG2rQ62.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VG2rQ62.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Hc93cw6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Hc93cw6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 140
        6⤵
        Program crash
        
        PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BB9104.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BB9104.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 540
        7⤵
        Program crash
        
        PID:1944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 572
        6⤵
        Program crash
        
        PID:784
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3QQ41KO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3QQ41KO.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 152
        5⤵
        Program crash
        
        PID:644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Xo359Ze.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Xo359Ze.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 560
      4⤵
      Program crash
      PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CZ4sr6.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CZ4sr6.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4536
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B953.tmp\B954.tmp\B955.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CZ4sr6.exe"
    3⤵
    PID:4692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff672446f8,0x7fff67244708,0x7fff67244718
        5⤵
        
        PID:2356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,17857209315475791770,17418591185088186937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        
        PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:1980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff672446f8,0x7fff67244708,0x7fff67244718
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1102175677805245648,672285193805889574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        
        PID:5532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1102175677805245648,672285193805889574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3940 -ip 3940
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1452 -ip 1452
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4688 -ip 4688
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2148 -ip 2148
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4136 -ip 4136
1⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\F737.exe
C:\Users\Admin\AppData\Local\Temp\F737.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk3rD5tp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk3rD5tp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ7hK3Ty.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ7hK3Ty.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zw3Vx7ss.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zw3Vx7ss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\za5EU1Jq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\za5EU1Jq.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1zV53qy0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1zV53qy0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 540
        8⤵
        Program crash
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 136
        7⤵
        Program crash
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Oi187es.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Oi187es.exe
        6⤵
        Executes dropped EXE
        
        PID:556

C:\Users\Admin\AppData\Local\Temp\F8FD.exe
C:\Users\Admin\AppData\Local\Temp\F8FD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 236
  2⤵
  - Program crash
  PID:3580

C:\Users\Admin\AppData\Local\Temp\FA18.bat
"C:\Users\Admin\AppData\Local\Temp\FA18.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4476
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FD13.tmp\FD14.tmp\FD15.bat C:\Users\Admin\AppData\Local\Temp\FA18.bat"
  2⤵
  PID:1452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:1288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff672446f8,0x7fff67244708,0x7fff67244718
      4⤵
      PID:1532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,5487446753990017880,6903248312529110603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    PID:1324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff672446f8,0x7fff67244708,0x7fff67244718
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:1452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
      4⤵
      PID:2780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:1120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:2264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      PID:5408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
      4⤵
      PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
      4⤵
      PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
      4⤵
      PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:5972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
      4⤵
      PID:5964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
      4⤵
      PID:5956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      4⤵
      PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15628378767991972861,10919893205682729959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      PID:5940

C:\Users\Admin\AppData\Local\Temp\FDC2.exe
C:\Users\Admin\AppData\Local\Temp\FDC2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 236
  2⤵
  - Program crash
  PID:2200

C:\Users\Admin\AppData\Local\Temp\FF3A.exe
C:\Users\Admin\AppData\Local\Temp\FF3A.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\A2.exe
C:\Users\Admin\AppData\Local\Temp\A2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1380
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4204
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4920
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    PID:5400

C:\Users\Admin\AppData\Local\Temp\2D9F.exe
C:\Users\Admin\AppData\Local\Temp\2D9F.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2040
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:4680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5432
- C:\Users\Admin\AppData\Local\Temp\source1.exe
  "C:\Users\Admin\AppData\Local\Temp\source1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5208
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  - Executes dropped EXE
  PID:2168

C:\Users\Admin\AppData\Local\Temp\3800.exe
C:\Users\Admin\AppData\Local\Temp\3800.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4300 -ip 4300
1⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\3AB1.exe
C:\Users\Admin\AppData\Local\Temp\3AB1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\3E8A.exe
C:\Users\Admin\AppData\Local\Temp\3E8A.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3940 -ip 3940
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4972 -ip 4972
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1240 -ip 1240
1⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4d662f66-9f8b-485f-98e6-a1663d57680d.tmp

Filesize
2KB

MD5
60a7ff964b407279023aa810be5013b1

SHA1
49234541a2bd383039d51e5ae1e8a5ae1e182cfe

SHA256
9b3c1193b59bb04b85303cf297efbf8b9ca5137bcec939e268f778a4d99838df

SHA512
1c56a37ffa3b57d3cfeb65c1916468d457fb261dcf70309db8d8bf475c47fddca1af4e2c4f415807b1761883bd1cb88c8c878d237e661a68e2856877024722ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
451fddf78747a5a4ebf64cabb4ac94e7

SHA1
6925bd970418494447d800e213bfd85368ac8dc9

SHA256
64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d

SHA512
edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
451fddf78747a5a4ebf64cabb4ac94e7

SHA1
6925bd970418494447d800e213bfd85368ac8dc9

SHA256
64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d

SHA512
edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
451fddf78747a5a4ebf64cabb4ac94e7

SHA1
6925bd970418494447d800e213bfd85368ac8dc9

SHA256
64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d

SHA512
edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5fd8fede-6f77-4776-9946-bc5d7118a2d3.tmp

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3022193dbb7419010aafabc79c4d3670

SHA1
985ce99daa5d7521afac33524907a740ca4cad78

SHA256
ecd6a605e36a6eacacdd7bb465743fcfa62b51bcf4315fcbefc349bed0f0273b

SHA512
62eeabddcb399f5f5be4a3aec698a36b62b2d61a592882b0c10250fd26e77d4c34905ace2729f095adfb116b4071ac5ca454b8336b8b547a303baca684b94cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c401d77ea67b0a0ea9cf2831a2cd73bd

SHA1
b2135c61b249272188dbcc68b7ce8a7b382e60f6

SHA256
a70aefdc8c0ef5098e4987659df2aa866eacead60c24aeee3fd0a3aeaddcc86e

SHA512
050a425f1578b9a3462951dcbcf33aa60614ec755a7ce71e3232669e29767e57e7e6c6b0713f8552894adde4951371672f29393c2906a38df36b50c16286e958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2534d026a9b035750d33b58c74b4128b

SHA1
e22c630b66023d1ffd6ec67813415a0ea436d528

SHA256
29787db9f0f260faff265b29cd48ed8452daad0d12c2be6cbe1ca40158263d52

SHA512
fe846ae047a3b01a581d702c5001c7d6493c9cbda8dedce5349625380ea54a89dc5fced5c6f88e85564f8ef6676ae196cf98cafab4529b3187fa89d04c32dbd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f2f5be7deaf723030faf50a8b6ef310b

SHA1
6e12532cd3d0d0745ff63429616556313ec9dc65

SHA256
27182d9693e0161168af39094cb67ab98ba6897483a43b0aa34b0a2d575bcb54

SHA512
f3d1cc04eae38f5ff137cf9887b2819816d93bfdf99b70072a54857adecde319e3fe4b240bceead012ccdfbb243ec58331e34d0cc4ceb601f8121086ba03679d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
84bc67cadf58da5c2e871d39c7427d16

SHA1
2626f857b73423983a38f2c01f241d0582f02698

SHA256
570cdf10dc12f79c4d95b1a8e8d3c360772c31d514d82a0ee09c1a031d56a1b6

SHA512
99dd3b99d357c183de1beb24d2a59ae51bc52d976bb5031796c582f1d29fa809eb6984fc813a383abf9d40b969e31ad15888d7e43abdefd558639c882dac002a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3dbda49f4ad1a917e4f5ae1b1a102c0e

SHA1
18ade2b2a32765b2528e662fbe826a54d4eae214

SHA256
1ea7c710f9d26d6aa00bbff7c75451c6d2c7d71335d7a6938e384cf7943594b0

SHA512
71603250077651bd0510ed2f59a1d65f534d5ca5cdb7ce55abb84a9d183adcee209f9970c8a7c11c53af236639dac89a63efc38c4388ac0f45ef99e626ca5948

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D9F.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D9F.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
C:\Users\Admin\AppData\Local\Temp\3800.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3800.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3AB1.exe

Filesize
180KB

MD5
109da216e61cf349221bd2455d2170d4

SHA1
ea6983b8581b8bb57e47c8492783256313c19480

SHA256
a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

SHA512
460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\3AB1.exe

Filesize
180KB

MD5
109da216e61cf349221bd2455d2170d4

SHA1
ea6983b8581b8bb57e47c8492783256313c19480

SHA256
a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

SHA512
460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E8A.exe

Filesize
95KB

MD5
1199c88022b133b321ed8e9c5f4e6739

SHA1
8e5668edc9b4e1f15c936e68b59c84e165c9cb07

SHA256
e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836

SHA512
7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E8A.exe

Filesize
95KB

MD5
1199c88022b133b321ed8e9c5f4e6739

SHA1
8e5668edc9b4e1f15c936e68b59c84e165c9cb07

SHA256
e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836

SHA512
7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\B953.tmp\B954.tmp\B955.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\F737.exe

Filesize
1.2MB

MD5
5c566772164e87d28109c095e5650a69

SHA1
27e7b81318cfb62527378e8f38f9930363371fb9

SHA256
84db23ef9d0c6c3f30ac835d2b56a85d8006bc503165d4b339a2074c96ce0b5e

SHA512
c5f84221d1dd8042eef3ecd4cbdf9ddeefa59ab1da6d69702eac6119a8e369882df4f56b11ebc7fe7e3fd9796e2b9586886ef37f9dd5390a38f5c46c86c43078

Download Submit
C:\Users\Admin\AppData\Local\Temp\F737.exe

Filesize
1.2MB

MD5
5c566772164e87d28109c095e5650a69

SHA1
27e7b81318cfb62527378e8f38f9930363371fb9

SHA256
84db23ef9d0c6c3f30ac835d2b56a85d8006bc503165d4b339a2074c96ce0b5e

SHA512
c5f84221d1dd8042eef3ecd4cbdf9ddeefa59ab1da6d69702eac6119a8e369882df4f56b11ebc7fe7e3fd9796e2b9586886ef37f9dd5390a38f5c46c86c43078

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8FD.exe

Filesize
407KB

MD5
df749f3f2e0255b8bb50deced070ca54

SHA1
164aece3005588477a6bb9c70a8729ada5513ef2

SHA256
86cdd705b6b0676bdf79f57e2beb9f152d5e4e4b76ca7a6692a84381daa665ad

SHA512
c3150a6e5a50094d3040b60bddd66e9c08a7787b41c1932143834cfbdd169f4dd67ff1599b9f01599b224ece4ac90b33f876465b9e8339f91cc2f66eb18ba69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8FD.exe

Filesize
407KB

MD5
df749f3f2e0255b8bb50deced070ca54

SHA1
164aece3005588477a6bb9c70a8729ada5513ef2

SHA256
86cdd705b6b0676bdf79f57e2beb9f152d5e4e4b76ca7a6692a84381daa665ad

SHA512
c3150a6e5a50094d3040b60bddd66e9c08a7787b41c1932143834cfbdd169f4dd67ff1599b9f01599b224ece4ac90b33f876465b9e8339f91cc2f66eb18ba69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA18.bat

Filesize
97KB

MD5
c88fea8e1dd3e82350156e389e6631f0

SHA1
d1b36d91320acd6aff0f0143defb4e9170f7d09e

SHA256
bd9c111ee91eb2199936a975e91afa1f69d859763bc616f831b6d287a500fb4f

SHA512
936956430176d2a6e9066fa0403d1f500c1c3f2b1207e286f184b3d86ebbfea681070bfa426b339dfd775e727f8e38455c23b46024e388a457699ab79825557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA18.bat

Filesize
97KB

MD5
c88fea8e1dd3e82350156e389e6631f0

SHA1
d1b36d91320acd6aff0f0143defb4e9170f7d09e

SHA256
bd9c111ee91eb2199936a975e91afa1f69d859763bc616f831b6d287a500fb4f

SHA512
936956430176d2a6e9066fa0403d1f500c1c3f2b1207e286f184b3d86ebbfea681070bfa426b339dfd775e727f8e38455c23b46024e388a457699ab79825557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD13.tmp\FD14.tmp\FD15.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDC2.exe

Filesize
446KB

MD5
6a1d0da4a681944972cc819356403ea9

SHA1
1b4c55bf61d9e1446ccdeba5fd24db3314c950dc

SHA256
50fb19683a7ece418ee803e7c6f580530a405c6c1cd8d193292238fb4ac7e12a

SHA512
6fd154127b21088e8ab2fa8ef640811ba7eb81152e95b00d9d1f62596a20d4f61a931d44b5f390ad2637afb3d1a2d6100fde1d0fca79332cb4a584ae07f61dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDC2.exe

Filesize
446KB

MD5
6a1d0da4a681944972cc819356403ea9

SHA1
1b4c55bf61d9e1446ccdeba5fd24db3314c950dc

SHA256
50fb19683a7ece418ee803e7c6f580530a405c6c1cd8d193292238fb4ac7e12a

SHA512
6fd154127b21088e8ab2fa8ef640811ba7eb81152e95b00d9d1f62596a20d4f61a931d44b5f390ad2637afb3d1a2d6100fde1d0fca79332cb4a584ae07f61dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF3A.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF3A.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CZ4sr6.exe

Filesize
97KB

MD5
ca8c0c0f88ae97c3aa043505ecd732a0

SHA1
2e1df6cb832ae6fa7ce06e99d73a6f7d31ebeb9d

SHA256
6354cf18a329a1dbd34bb8ea0ebb8c490eddcb1265476a105162393149e5cee8

SHA512
7f7b87234615113271ef0089b0f93d5650f8c51b8aede667cbae5895cf831eaa797cb24e7550c47d475809dfd9014bf38e9f4826aa492a45335afbd588cd8bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CZ4sr6.exe

Filesize
97KB

MD5
ca8c0c0f88ae97c3aa043505ecd732a0

SHA1
2e1df6cb832ae6fa7ce06e99d73a6f7d31ebeb9d

SHA256
6354cf18a329a1dbd34bb8ea0ebb8c490eddcb1265476a105162393149e5cee8

SHA512
7f7b87234615113271ef0089b0f93d5650f8c51b8aede667cbae5895cf831eaa797cb24e7550c47d475809dfd9014bf38e9f4826aa492a45335afbd588cd8bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hw8DN76.exe

Filesize
908KB

MD5
f826583bc8504092ba80283650a8c74e

SHA1
78fff769cca6e4442fe26771b59762170535119c

SHA256
9ff98dbf11a72f7efa62cfe31f2582f875d0015d277fa0bdc86e6a1e2b4b9233

SHA512
41945f8a3bcfde79decea367a7bf6d40853a303923a5de15c4929f5a5e9d098ca7ae8ac7bdd6191715302cb3a48ea569367610b1980147bc332a0f00fd291d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hw8DN76.exe

Filesize
908KB

MD5
f826583bc8504092ba80283650a8c74e

SHA1
78fff769cca6e4442fe26771b59762170535119c

SHA256
9ff98dbf11a72f7efa62cfe31f2582f875d0015d277fa0bdc86e6a1e2b4b9233

SHA512
41945f8a3bcfde79decea367a7bf6d40853a303923a5de15c4929f5a5e9d098ca7ae8ac7bdd6191715302cb3a48ea569367610b1980147bc332a0f00fd291d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Xo359Ze.exe

Filesize
446KB

MD5
072f6aa1b18b5473506665b2cc92883a

SHA1
b8bca56a3e8c6f354406a67bf1a5c05a27a22617

SHA256
1521d7fc7031e71eb04e0e4eff920386a1c1f3d22e0f1cc811ac7c4b0d8b1e80

SHA512
9b02ed0f75c92a65dbf55fab9299aadec24a23bcf283d9cbb32c11663cbd6aea514821c75f192f024b6b475f690af3e3c18d98012e25f894a840a19f06d167d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Xo359Ze.exe

Filesize
446KB

MD5
072f6aa1b18b5473506665b2cc92883a

SHA1
b8bca56a3e8c6f354406a67bf1a5c05a27a22617

SHA256
1521d7fc7031e71eb04e0e4eff920386a1c1f3d22e0f1cc811ac7c4b0d8b1e80

SHA512
9b02ed0f75c92a65dbf55fab9299aadec24a23bcf283d9cbb32c11663cbd6aea514821c75f192f024b6b475f690af3e3c18d98012e25f894a840a19f06d167d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZE9PB32.exe

Filesize
619KB

MD5
86347ff54d7d64f5e0d1d9f8827a58fe

SHA1
3f39ead7993dc313f0909b29f7ac60de49fefc0a

SHA256
e5c718401f34aeb06fa91347ddafae65d2ab3f78abd8221b563f4101a40effa5

SHA512
ef61f8fcd092a6b0dc94f374b78cb89f4e1159ecead0264f5a13f77a139307ed24daf71511a2412e7fd725e99baf5f45dce397a89cef1404dfb62b646eaafd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZE9PB32.exe

Filesize
619KB

MD5
86347ff54d7d64f5e0d1d9f8827a58fe

SHA1
3f39ead7993dc313f0909b29f7ac60de49fefc0a

SHA256
e5c718401f34aeb06fa91347ddafae65d2ab3f78abd8221b563f4101a40effa5

SHA512
ef61f8fcd092a6b0dc94f374b78cb89f4e1159ecead0264f5a13f77a139307ed24daf71511a2412e7fd725e99baf5f45dce397a89cef1404dfb62b646eaafd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3QQ41KO.exe

Filesize
255KB

MD5
5e801972322d6b242e4c362902bf6087

SHA1
ec7d1e03bc31fb81279e8759abadcfda5295e4b8

SHA256
259499777e43769ffa73b144ee79950c98889ce25784eaf667665c7c14aab47b

SHA512
b9c64e547982d8050a3666d3480461df1c3949fab92fab7dfa1a9247adda60dbcb3c9c1f4bce0cf06f20e91025db2ca6fb0671b7e66e630ced4df932146d1e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3QQ41KO.exe

Filesize
255KB

MD5
5e801972322d6b242e4c362902bf6087

SHA1
ec7d1e03bc31fb81279e8759abadcfda5295e4b8

SHA256
259499777e43769ffa73b144ee79950c98889ce25784eaf667665c7c14aab47b

SHA512
b9c64e547982d8050a3666d3480461df1c3949fab92fab7dfa1a9247adda60dbcb3c9c1f4bce0cf06f20e91025db2ca6fb0671b7e66e630ced4df932146d1e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\6wW37bh.exe

Filesize
97KB

MD5
9b66e65f519730da4f56138a60667a0b

SHA1
78fde242e918ab5f5f035a51a71424eefc0ee803

SHA256
e163dda869597d8ee46141718e63f028310baf6a6eff65012fa7e7be128424cc

SHA512
e5349db6902d7040ac57b4e6decee55921e0a1672ca8f0118c201f756d949296bcb94ceecbc7024b12aa8275d0427846461ca06ec313b0d09fbc40358ed4375f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VG2rQ62.exe

Filesize
380KB

MD5
185048e72b7a467f9ee3176a29c7e19f

SHA1
5ed43bf50078300ec010cd0947605f3bcf2362e7

SHA256
f305c42978e8a3719c0695c6c5b6fb74583365ea235ac7ab7c5cc2aa26f97d0a

SHA512
a98cb384f7e8953b8a5430b200dada880c0761760ba80a8d55e20764ab0c8fcf49daadff7013548cb44f14a850e07fb6e309187c0d0746fc8ab5e4fb72c74631

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VG2rQ62.exe

Filesize
380KB

MD5
185048e72b7a467f9ee3176a29c7e19f

SHA1
5ed43bf50078300ec010cd0947605f3bcf2362e7

SHA256
f305c42978e8a3719c0695c6c5b6fb74583365ea235ac7ab7c5cc2aa26f97d0a

SHA512
a98cb384f7e8953b8a5430b200dada880c0761760ba80a8d55e20764ab0c8fcf49daadff7013548cb44f14a850e07fb6e309187c0d0746fc8ab5e4fb72c74631

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk3rD5tp.exe

Filesize
1.1MB

MD5
70c14a8468a75be3e7e4548fcc5c4efe

SHA1
f83fcd38b537c622f0cba1a524c40def225f2c29

SHA256
05e0264c0db2b2a04ee4e2b8cf5bdacd77ce12e501b488356521969b2aa19813

SHA512
206abba87d06d1ce1187dda50c552b7e2f4314d84c680f7290089dc55df85c65fd1e05bcb4bcd3c5d4998c6b0c09a67247e1c1f02ac3628d703d6b178e0d29a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk3rD5tp.exe

Filesize
1.1MB

MD5
70c14a8468a75be3e7e4548fcc5c4efe

SHA1
f83fcd38b537c622f0cba1a524c40def225f2c29

SHA256
05e0264c0db2b2a04ee4e2b8cf5bdacd77ce12e501b488356521969b2aa19813

SHA512
206abba87d06d1ce1187dda50c552b7e2f4314d84c680f7290089dc55df85c65fd1e05bcb4bcd3c5d4998c6b0c09a67247e1c1f02ac3628d703d6b178e0d29a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Hc93cw6.exe

Filesize
237KB

MD5
4fc4f74b5ceba49aa553a9fd1168eaaf

SHA1
d69682ce8a99185e463462650bbd67bfeebe8bea

SHA256
e76a2b641b76f02643425f1bace761562e5f34b1497c61e23e6edc6ff091bb4b

SHA512
378d5a9ee5699c7792107ac136d1283af6409bf3dba010099ce659eb0a5b123a166d9f7e08f7073816589583457090dea349e05fea7b12cbde7a397ae6b1d48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Hc93cw6.exe

Filesize
237KB

MD5
4fc4f74b5ceba49aa553a9fd1168eaaf

SHA1
d69682ce8a99185e463462650bbd67bfeebe8bea

SHA256
e76a2b641b76f02643425f1bace761562e5f34b1497c61e23e6edc6ff091bb4b

SHA512
378d5a9ee5699c7792107ac136d1283af6409bf3dba010099ce659eb0a5b123a166d9f7e08f7073816589583457090dea349e05fea7b12cbde7a397ae6b1d48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BB9104.exe

Filesize
407KB

MD5
511b1a468a85646608d23aa725b04fcb

SHA1
c38af14a48f8608e06f73de0f3435e08b03138ca

SHA256
1473cc5dee477b5953e410047865ccb16af2b53f2920be9b2ad51efbdc4a1592

SHA512
51fdbaf9aef9c6cf6fd95dde1c9ebd892fbc6b276ff69566009d2ba9b7a8fd50726e5654c90eb3b0bcf41b75fde5c57b9339c1dd5804aa6ac501af189f3c8157

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BB9104.exe

Filesize
407KB

MD5
511b1a468a85646608d23aa725b04fcb

SHA1
c38af14a48f8608e06f73de0f3435e08b03138ca

SHA256
1473cc5dee477b5953e410047865ccb16af2b53f2920be9b2ad51efbdc4a1592

SHA512
51fdbaf9aef9c6cf6fd95dde1c9ebd892fbc6b276ff69566009d2ba9b7a8fd50726e5654c90eb3b0bcf41b75fde5c57b9339c1dd5804aa6ac501af189f3c8157

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ7hK3Ty.exe

Filesize
921KB

MD5
c99afea4c336d67b4aea101e0a0ecad7

SHA1
d373e74fd6659bab3b0ae8a23a5db5145bf036ec

SHA256
109322358e6b99518844180ce5f5a1f79aa0f5e8b2a266cf91b2eae2ebaf8386

SHA512
2766fbe38f5e0a8b5bb78837c7e90cad17cce11b63ca82dc7ad7ade076d0eeea288bad5f5961faf535e8a74baf066ce636ae4c02bce0f9abac13049718995fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ7hK3Ty.exe

Filesize
921KB

MD5
c99afea4c336d67b4aea101e0a0ecad7

SHA1
d373e74fd6659bab3b0ae8a23a5db5145bf036ec

SHA256
109322358e6b99518844180ce5f5a1f79aa0f5e8b2a266cf91b2eae2ebaf8386

SHA512
2766fbe38f5e0a8b5bb78837c7e90cad17cce11b63ca82dc7ad7ade076d0eeea288bad5f5961faf535e8a74baf066ce636ae4c02bce0f9abac13049718995fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zw3Vx7ss.exe

Filesize
632KB

MD5
bdb5b5b783dacd99aed823bc63fcb04f

SHA1
84a916b2c74ce52cc7d9ac9983e96bb4f662275a

SHA256
72e9113c30b123579b2432db13d1391795ac81c6a258cbfce9f100f4851347ba

SHA512
0a2e06db9875e95b41466df4be0ac6f1dd2e4f698914594ac9c6f8920c925e42c429e88de0c96df452974712510d7b75e7ba2f87f2cf8ed3cbcfde35dfcd2f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zw3Vx7ss.exe

Filesize
632KB

MD5
bdb5b5b783dacd99aed823bc63fcb04f

SHA1
84a916b2c74ce52cc7d9ac9983e96bb4f662275a

SHA256
72e9113c30b123579b2432db13d1391795ac81c6a258cbfce9f100f4851347ba

SHA512
0a2e06db9875e95b41466df4be0ac6f1dd2e4f698914594ac9c6f8920c925e42c429e88de0c96df452974712510d7b75e7ba2f87f2cf8ed3cbcfde35dfcd2f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\za5EU1Jq.exe

Filesize
436KB

MD5
952d8f8a170d7beb082a45ffd66656d8

SHA1
73ece5a2f218f2165d565d4b916a6a4691360394

SHA256
1e44f6c78e92cc4feeb57ea4b1901debcdb8119f7cfeb5d755677082aaa015b5

SHA512
9522780c0848d92bfff2c61ca5d0463464c9606df577d1a062de7d4bfe3cd16ae7c0d16f0260760abed4db65233ebb5a8d728ff29214b44b32ae008e1fd7a291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\za5EU1Jq.exe

Filesize
436KB

MD5
952d8f8a170d7beb082a45ffd66656d8

SHA1
73ece5a2f218f2165d565d4b916a6a4691360394

SHA256
1e44f6c78e92cc4feeb57ea4b1901debcdb8119f7cfeb5d755677082aaa015b5

SHA512
9522780c0848d92bfff2c61ca5d0463464c9606df577d1a062de7d4bfe3cd16ae7c0d16f0260760abed4db65233ebb5a8d728ff29214b44b32ae008e1fd7a291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1zV53qy0.exe

Filesize
407KB

MD5
df749f3f2e0255b8bb50deced070ca54

SHA1
164aece3005588477a6bb9c70a8729ada5513ef2

SHA256
86cdd705b6b0676bdf79f57e2beb9f152d5e4e4b76ca7a6692a84381daa665ad

SHA512
c3150a6e5a50094d3040b60bddd66e9c08a7787b41c1932143834cfbdd169f4dd67ff1599b9f01599b224ece4ac90b33f876465b9e8339f91cc2f66eb18ba69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1zV53qy0.exe

Filesize
407KB

MD5
df749f3f2e0255b8bb50deced070ca54

SHA1
164aece3005588477a6bb9c70a8729ada5513ef2

SHA256
86cdd705b6b0676bdf79f57e2beb9f152d5e4e4b76ca7a6692a84381daa665ad

SHA512
c3150a6e5a50094d3040b60bddd66e9c08a7787b41c1932143834cfbdd169f4dd67ff1599b9f01599b224ece4ac90b33f876465b9e8339f91cc2f66eb18ba69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1zV53qy0.exe

Filesize
407KB

MD5
df749f3f2e0255b8bb50deced070ca54

SHA1
164aece3005588477a6bb9c70a8729ada5513ef2

SHA256
86cdd705b6b0676bdf79f57e2beb9f152d5e4e4b76ca7a6692a84381daa665ad

SHA512
c3150a6e5a50094d3040b60bddd66e9c08a7787b41c1932143834cfbdd169f4dd67ff1599b9f01599b224ece4ac90b33f876465b9e8339f91cc2f66eb18ba69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Oi187es.exe

Filesize
221KB

MD5
89f3f08ce9f2b960e315ef5b24c540ab

SHA1
c79f695c2f1d8d1c3122a2e62ae7b735275bddd9

SHA256
edf345b08fda563e91cfb3a52932beacd1ed497c5f01009235d0b52ab2126acf

SHA512
756f96c318be0daedf30fd6859b82698b4de65e85b3e17f4376fd9a6c87a46c3d9dfebfbbda9d09a8ccb0e53608c1d3e9d50de3a191bd82dae153f658afcf241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2Oi187es.exe

Filesize
221KB

MD5
89f3f08ce9f2b960e315ef5b24c540ab

SHA1
c79f695c2f1d8d1c3122a2e62ae7b735275bddd9

SHA256
edf345b08fda563e91cfb3a52932beacd1ed497c5f01009235d0b52ab2126acf

SHA512
756f96c318be0daedf30fd6859b82698b4de65e85b3e17f4376fd9a6c87a46c3d9dfebfbbda9d09a8ccb0e53608c1d3e9d50de3a191bd82dae153f658afcf241

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3an1bp3.dux.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\source1.exe

Filesize
5.1MB

MD5
e082a92a00272a3c1cd4b0de30967a79

SHA1
16c391acf0f8c637d36a93e217591d8319e3f041

SHA256
eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc

SHA512
26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

Download Submit
C:\Users\Admin\AppData\Local\Temp\source1.exe

Filesize
5.1MB

MD5
e082a92a00272a3c1cd4b0de30967a79

SHA1
16c391acf0f8c637d36a93e217591d8319e3f041

SHA256
eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc

SHA512
26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

Download Submit
C:\Users\Admin\AppData\Local\Temp\source1.exe

Filesize
5.1MB

MD5
e082a92a00272a3c1cd4b0de30967a79

SHA1
16c391acf0f8c637d36a93e217591d8319e3f041

SHA256
eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc

SHA512
26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
memory/536-136-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-47-0x0000000003240000-0x0000000003256000-memory.dmp

Filesize
88KB

Download
memory/536-168-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-169-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-173-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-163-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-297-0x0000000003320000-0x0000000003336000-memory.dmp

Filesize
88KB

Download
memory/536-167-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-166-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-157-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-159-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-143-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-144-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-153-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-162-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-165-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-154-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-137-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-152-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-140-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-148-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-133-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-151-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-198-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-145-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-161-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-158-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-135-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/536-209-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/536-170-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/1140-200-0x00000000020F0000-0x000000000214A000-memory.dmp

Filesize
360KB

Download
memory/1140-199-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1140-247-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/1140-270-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1140-278-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1140-219-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1240-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-214-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1884-206-0x00000000006B0000-0x00000000006CE000-memory.dmp

Filesize
120KB

Download
memory/1884-271-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1884-250-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/2012-61-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2012-29-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2012-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2012-30-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2040-255-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2040-179-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2040-183-0x0000000000140000-0x000000000106A000-memory.dmp

Filesize
15.2MB

Download
memory/2040-268-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2044-217-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/2044-280-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2044-235-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2044-269-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2044-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2168-310-0x00007FF626970000-0x00007FF626F11000-memory.dmp

Filesize
5.6MB

Download
memory/2540-190-0x0000000008080000-0x000000000818A000-memory.dmp

Filesize
1.0MB

Download
memory/2540-59-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2540-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-66-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/2540-193-0x0000000007990000-0x00000000079A2000-memory.dmp

Filesize
72KB

Download
memory/2540-52-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2540-172-0x00000000086A0000-0x0000000008CB8000-memory.dmp

Filesize
6.1MB

Download
memory/2540-89-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2540-53-0x0000000007AD0000-0x0000000008074000-memory.dmp

Filesize
5.6MB

Download
memory/2540-211-0x00000000079F0000-0x0000000007A2C000-memory.dmp

Filesize
240KB

Download
memory/2540-54-0x0000000007520000-0x00000000075B2000-memory.dmp

Filesize
584KB

Download
memory/2540-249-0x0000000007A30000-0x0000000007A7C000-memory.dmp

Filesize
304KB

Download
memory/2540-62-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/3196-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-261-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/3312-262-0x0000000006FE0000-0x0000000006FF0000-memory.dmp

Filesize
64KB

Download
memory/4092-273-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4092-277-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4092-298-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4360-275-0x0000000002310000-0x0000000002319000-memory.dmp

Filesize
36KB

Download
memory/4360-274-0x0000000002400000-0x0000000002500000-memory.dmp

Filesize
1024KB

Download
memory/4408-126-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/4408-164-0x00007FFF672E0000-0x00007FFF67DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-187-0x00007FFF672E0000-0x00007FFF67DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-134-0x00007FFF672E0000-0x00007FFF67DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4424-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4424-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4424-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4680-314-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/4688-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-279-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4732-346-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-351-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-353-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-355-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-357-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-347-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-349-0x0000000005CB0000-0x0000000005CC5000-memory.dmp

Filesize
84KB

Download
memory/4732-281-0x0000000005CE0000-0x0000000005D7C000-memory.dmp

Filesize
624KB

Download
memory/4732-258-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4732-260-0x0000000000BE0000-0x00000000010F6000-memory.dmp

Filesize
5.1MB

Download