healer | 2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901

Analysis

max time kernel
122s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe
Size

1.0MB
MD5

f283e2e8f27e3b781b5b6723e6ea8436
SHA1

e0f7125d2f4af6d58bb13b0be793ce73d9563a37
SHA256

2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901
SHA512

0e499daf55df075331968f3fd2ede1c898584a57d36ad7ce4be7f9d1c41d2b7ffb2dc0ba441e104c8db494a2db351c55573dfbea68ffd6654e6637224d6a8479
SSDEEP

24576:ay4A/a+pIlp7XlKnQfB0xbIHxMKYTpbB+tGf3cQAW/SVtd:h4AywqfBYGJYVbB+kf1

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016615-44.dat	healer
behavioral1/files/0x0007000000016615-45.dat	healer
behavioral1/files/0x0007000000016615-47.dat	healer
behavioral1/memory/2680-48-0x0000000000840000-0x000000000084A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5197634.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5197634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q5197634.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5197634.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5197634.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5197634.exe

Executes dropped EXE 6 IoCs

pid	Process
2648	z0054052.exe
2920	z5607519.exe
2712	z5434897.exe
2800	z4861380.exe
2680	q5197634.exe
3000	r9514555.exe

Loads dropped DLL 15 IoCs

pid	Process
2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe
2648	z0054052.exe
2648	z0054052.exe
2920	z5607519.exe
2920	z5607519.exe
2712	z5434897.exe
2712	z5434897.exe
2800	z4861380.exe
2800	z4861380.exe
2800	z4861380.exe
3000	r9514555.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	q5197634.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5197634.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5434897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4861380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0054052.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5607519.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 1236	3000	r9514555.exe	139

Program crash 2 IoCs

pid	pid_target	Process	procid_target
880	3000	WerFault.exe	34
596	1236	WerFault.exe	139

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	q5197634.exe
2680	q5197634.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	q5197634.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2264 wrote to memory of 2648	2264	2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe	29
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2648 wrote to memory of 2920	2648	z0054052.exe	30
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2920 wrote to memory of 2712	2920	z5607519.exe	31
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2712 wrote to memory of 2800	2712	z5434897.exe	32
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 2680	2800	z4861380.exe	33
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 2800 wrote to memory of 3000	2800	z4861380.exe	34
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1636	3000	r9514555.exe	35
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1864	3000	r9514555.exe	36
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 1796	3000	r9514555.exe	37
PID 3000 wrote to memory of 2696	3000	r9514555.exe	38

C:\Users\Admin\AppData\Local\Temp\2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe
"C:\Users\Admin\AppData\Local\Temp\2b73b01632c8877c73b68eff364c912a3039fe0c45ab0f9856afad5d790c2901.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0054052.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0054052.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5607519.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5607519.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5434897.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5434897.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4861380.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4861380.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5197634.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5197634.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 268
        8⤵
        Program crash
        
        PID:596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1108
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0054052.exe

Filesize
969KB

MD5
943c1f267576b86ac1fdd823b6bd228a

SHA1
0a6b2b480b8aa916c8acceca3ae408591d2d155c

SHA256
5ec9e01924db97270d39e795328576a27367afbd1eea6a23819e7888ca63e152

SHA512
ee8bb7b901eb4be933f5b6519da09eef2e8c4f7d78d7104628dea97bdd558a655cdef197f251f27c3222144c58c536b1dc49833726e168428813eed014ed2aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0054052.exe

Filesize
969KB

MD5
943c1f267576b86ac1fdd823b6bd228a

SHA1
0a6b2b480b8aa916c8acceca3ae408591d2d155c

SHA256
5ec9e01924db97270d39e795328576a27367afbd1eea6a23819e7888ca63e152

SHA512
ee8bb7b901eb4be933f5b6519da09eef2e8c4f7d78d7104628dea97bdd558a655cdef197f251f27c3222144c58c536b1dc49833726e168428813eed014ed2aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5607519.exe

Filesize
787KB

MD5
5fc3d00191a599c4d1717e04b7c3b513

SHA1
b27191da31addf389bd93987d96eafdabd3b9de8

SHA256
e782aa103a3aeb9416b001f97871750c9fcb9fa37780831bc22b01904901f455

SHA512
b8e62bce782774e5741d90bd66c16d417f5435d6d4b4343f9b18f0251edacc973f88567bd077e82e719977a29cb339350a32913c979c75f4f00f6459f80f99e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5607519.exe

Filesize
787KB

MD5
5fc3d00191a599c4d1717e04b7c3b513

SHA1
b27191da31addf389bd93987d96eafdabd3b9de8

SHA256
e782aa103a3aeb9416b001f97871750c9fcb9fa37780831bc22b01904901f455

SHA512
b8e62bce782774e5741d90bd66c16d417f5435d6d4b4343f9b18f0251edacc973f88567bd077e82e719977a29cb339350a32913c979c75f4f00f6459f80f99e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5434897.exe

Filesize
604KB

MD5
4980945e4ee5911a80089465e56ac26a

SHA1
21a06f935fda62062501698dfffdb2eacbec8d74

SHA256
ed246508b5c2cf52a43b2c8922268f8bea21a5dd8fdfe0a5b7c59a5205868f10

SHA512
3906a0942525a81803e7ae368075ad4545110410ef64a2af738f416cfd1107131889d0de6c068cf8923c07828d92045c8a296401b3892f1fab46038b16224c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5434897.exe

Filesize
604KB

MD5
4980945e4ee5911a80089465e56ac26a

SHA1
21a06f935fda62062501698dfffdb2eacbec8d74

SHA256
ed246508b5c2cf52a43b2c8922268f8bea21a5dd8fdfe0a5b7c59a5205868f10

SHA512
3906a0942525a81803e7ae368075ad4545110410ef64a2af738f416cfd1107131889d0de6c068cf8923c07828d92045c8a296401b3892f1fab46038b16224c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4861380.exe

Filesize
339KB

MD5
cfa112aaa350ffc9b8411a968ce93ea5

SHA1
d992fb5e5ff5daef258aeb1e0ed02a4b8dda2e2d

SHA256
07ac26f6776e1bc198e00877a5ac71a0165845c4de4e1bffdf278bb28171a8c4

SHA512
662247dbb345f30d48c97c4f6aa7a8253231399aee5f6cc05499dde316ee151ca5db5205ce2d59bd29a2d1089917bbd6e6a681a4f2f66e39e7b7759c77b3edf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4861380.exe

Filesize
339KB

MD5
cfa112aaa350ffc9b8411a968ce93ea5

SHA1
d992fb5e5ff5daef258aeb1e0ed02a4b8dda2e2d

SHA256
07ac26f6776e1bc198e00877a5ac71a0165845c4de4e1bffdf278bb28171a8c4

SHA512
662247dbb345f30d48c97c4f6aa7a8253231399aee5f6cc05499dde316ee151ca5db5205ce2d59bd29a2d1089917bbd6e6a681a4f2f66e39e7b7759c77b3edf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5197634.exe

Filesize
12KB

MD5
d68ad8358a830ba6ff0404074548f3ac

SHA1
0e234fcbfef29b629699f8c330cc05b9a4c421b5

SHA256
10d565430bf866f5c9837d2c716d05b33aa318afa8dfd8a3a42b755df208db1e

SHA512
bd2f56f9b43ebeb32a73f525b26dbc4d8b953d0a478dd772814bd65cff91e234d6bf067933c19bda8f7f8ef47ccb18649fc7253e1edb389f0c598eb10c14435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5197634.exe

Filesize
12KB

MD5
d68ad8358a830ba6ff0404074548f3ac

SHA1
0e234fcbfef29b629699f8c330cc05b9a4c421b5

SHA256
10d565430bf866f5c9837d2c716d05b33aa318afa8dfd8a3a42b755df208db1e

SHA512
bd2f56f9b43ebeb32a73f525b26dbc4d8b953d0a478dd772814bd65cff91e234d6bf067933c19bda8f7f8ef47ccb18649fc7253e1edb389f0c598eb10c14435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0054052.exe

Filesize
969KB

MD5
943c1f267576b86ac1fdd823b6bd228a

SHA1
0a6b2b480b8aa916c8acceca3ae408591d2d155c

SHA256
5ec9e01924db97270d39e795328576a27367afbd1eea6a23819e7888ca63e152

SHA512
ee8bb7b901eb4be933f5b6519da09eef2e8c4f7d78d7104628dea97bdd558a655cdef197f251f27c3222144c58c536b1dc49833726e168428813eed014ed2aec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0054052.exe

Filesize
969KB

MD5
943c1f267576b86ac1fdd823b6bd228a

SHA1
0a6b2b480b8aa916c8acceca3ae408591d2d155c

SHA256
5ec9e01924db97270d39e795328576a27367afbd1eea6a23819e7888ca63e152

SHA512
ee8bb7b901eb4be933f5b6519da09eef2e8c4f7d78d7104628dea97bdd558a655cdef197f251f27c3222144c58c536b1dc49833726e168428813eed014ed2aec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5607519.exe

Filesize
787KB

MD5
5fc3d00191a599c4d1717e04b7c3b513

SHA1
b27191da31addf389bd93987d96eafdabd3b9de8

SHA256
e782aa103a3aeb9416b001f97871750c9fcb9fa37780831bc22b01904901f455

SHA512
b8e62bce782774e5741d90bd66c16d417f5435d6d4b4343f9b18f0251edacc973f88567bd077e82e719977a29cb339350a32913c979c75f4f00f6459f80f99e9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5607519.exe

Filesize
787KB

MD5
5fc3d00191a599c4d1717e04b7c3b513

SHA1
b27191da31addf389bd93987d96eafdabd3b9de8

SHA256
e782aa103a3aeb9416b001f97871750c9fcb9fa37780831bc22b01904901f455

SHA512
b8e62bce782774e5741d90bd66c16d417f5435d6d4b4343f9b18f0251edacc973f88567bd077e82e719977a29cb339350a32913c979c75f4f00f6459f80f99e9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5434897.exe

Filesize
604KB

MD5
4980945e4ee5911a80089465e56ac26a

SHA1
21a06f935fda62062501698dfffdb2eacbec8d74

SHA256
ed246508b5c2cf52a43b2c8922268f8bea21a5dd8fdfe0a5b7c59a5205868f10

SHA512
3906a0942525a81803e7ae368075ad4545110410ef64a2af738f416cfd1107131889d0de6c068cf8923c07828d92045c8a296401b3892f1fab46038b16224c46

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5434897.exe

Filesize
604KB

MD5
4980945e4ee5911a80089465e56ac26a

SHA1
21a06f935fda62062501698dfffdb2eacbec8d74

SHA256
ed246508b5c2cf52a43b2c8922268f8bea21a5dd8fdfe0a5b7c59a5205868f10

SHA512
3906a0942525a81803e7ae368075ad4545110410ef64a2af738f416cfd1107131889d0de6c068cf8923c07828d92045c8a296401b3892f1fab46038b16224c46

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4861380.exe

Filesize
339KB

MD5
cfa112aaa350ffc9b8411a968ce93ea5

SHA1
d992fb5e5ff5daef258aeb1e0ed02a4b8dda2e2d

SHA256
07ac26f6776e1bc198e00877a5ac71a0165845c4de4e1bffdf278bb28171a8c4

SHA512
662247dbb345f30d48c97c4f6aa7a8253231399aee5f6cc05499dde316ee151ca5db5205ce2d59bd29a2d1089917bbd6e6a681a4f2f66e39e7b7759c77b3edf7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4861380.exe

Filesize
339KB

MD5
cfa112aaa350ffc9b8411a968ce93ea5

SHA1
d992fb5e5ff5daef258aeb1e0ed02a4b8dda2e2d

SHA256
07ac26f6776e1bc198e00877a5ac71a0165845c4de4e1bffdf278bb28171a8c4

SHA512
662247dbb345f30d48c97c4f6aa7a8253231399aee5f6cc05499dde316ee151ca5db5205ce2d59bd29a2d1089917bbd6e6a681a4f2f66e39e7b7759c77b3edf7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5197634.exe

Filesize
12KB

MD5
d68ad8358a830ba6ff0404074548f3ac

SHA1
0e234fcbfef29b629699f8c330cc05b9a4c421b5

SHA256
10d565430bf866f5c9837d2c716d05b33aa318afa8dfd8a3a42b755df208db1e

SHA512
bd2f56f9b43ebeb32a73f525b26dbc4d8b953d0a478dd772814bd65cff91e234d6bf067933c19bda8f7f8ef47ccb18649fc7253e1edb389f0c598eb10c14435a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9514555.exe

Filesize
365KB

MD5
aff264af00e7f52b47c475c2898772d9

SHA1
770e0c2ed43b29f226113215a964617b93b2af90

SHA256
406bf725d9402056f4c65cf60e70aab8d26109db05e65910d37b681fa5a21725

SHA512
cb251451fb63a64e5a1232c3447ec72861ed61dc0420d7fd65d98784440b71169f80086e164d01a74c224413bc71472f9e96038dea9cbf634191a55813a11216

Download Submit
memory/1236-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1236-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2680-51-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-50-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-49-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-48-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download