amadey | fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9

Analysis

max time kernel
132s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe
Size

1.4MB
MD5

1b774c1a9710577583b00fb4049415e3
SHA1

3996022f28d832cf68b00e0c2b24a8db031fcc3b
SHA256

fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9
SHA512

7a47e92c3439a25df8e03910adb8a5fa84a8abb87622d9ddeee6caefd2090ef2dd181872f13d4b1df64222aeaf5355fd1c83ffd1c562c7c5eb530ef836512504
SSDEEP

24576:3e1RCDg+rnLYiMVuMSRSkDRelY9rbXwd+Ntcnl9ibSL0DcUTOjISXR+Bw16G:u1RCDgcnLYiMeeY9PXw4NWnHibY0D1Tc

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

monik

77.91.124.82:19071

Attributes

auth_value
da7d9ea0878f5901f1f8319d34bdccea

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

redline

Botnet

pixelscloud2.0

85.209.176.128:80

Extracted

Family

redline

Botnet

@ytlogsbot

185.216.70.238:37515

Extracted

Family

redline

Botnet

5141679758_99

https://pastebin.com/raw/8baCJyMF

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

AppLaunch.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
3240	schtasks.exe
572	schtasks.exe
5488	schtasks.exe
3808	schtasks.exe
2668	schtasks.exe

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2824-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2824-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2824-46-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2824-48-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-39-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/244-409-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral2/memory/244-499-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe274E.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	274E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	274E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	274E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	274E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	274E.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\176E.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\176E.exe	family_redline
behavioral2/memory/3768-161-0x00000000006F0000-0x000000000072E000-memory.dmp	family_redline
behavioral2/memory/3764-159-0x0000000000B50000-0x0000000000B8E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\35D7.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\37FB.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\35D7.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\37FB.exe	family_redline
behavioral2/memory/1156-222-0x0000000000BC0000-0x0000000000C1A000-memory.dmp	family_redline
behavioral2/memory/256-220-0x00000000006A0000-0x00000000006BE000-memory.dmp	family_redline
behavioral2/memory/3900-219-0x0000000001FB0000-0x000000000200A000-memory.dmp	family_redline
behavioral2/memory/2976-287-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline
behavioral2/memory/5040-286-0x00000000006C0000-0x00000000007DB000-memory.dmp	family_redline
behavioral2/memory/5040-304-0x00000000006C0000-0x00000000007DB000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\35D7.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\35D7.exe	family_sectoprat
behavioral2/memory/256-220-0x00000000006A0000-0x00000000006BE000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5696 netsh.exe

pid	process
5696	netsh.exe

.NET Reactor proctector 22 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3388-169-0x00000000022B0000-0x00000000022D0000-memory.dmp	net_reactor
behavioral2/memory/3388-177-0x00000000024C0000-0x00000000024DE000-memory.dmp	net_reactor
behavioral2/memory/3768-179-0x0000000007760000-0x0000000007770000-memory.dmp	net_reactor
behavioral2/memory/3388-184-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-185-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-187-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-189-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-194-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-198-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-200-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-202-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-212-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-215-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-221-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-227-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-231-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-239-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-236-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-242-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-245-0x00000000024C0000-0x00000000024D8000-memory.dmp	net_reactor
behavioral2/memory/3388-285-0x0000000004AB0000-0x0000000004AC0000-memory.dmp	net_reactor
behavioral2/memory/1156-345-0x0000000007BC0000-0x0000000007BD0000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legota.exe59ED.exeoneetx.exet0207357.exeexplonde.exew0224163.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	59ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	t0207357.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	w0224163.exe

Executes dropped EXE 41 IoCs

Processes:

z3017880.exez0698584.exez1668858.exez4005176.exeq8376205.exer0936516.exes1802947.exet0207357.exeexplonde.exeu6524727.exew0224163.exelegota.exe123B.exeRy5oa5OS.exe14DC.exeUv0XA3vI.exeRW2He0AD.exect2Fd0Ko.exe1fY68mQ1.exe2xK602dY.exe176E.exe274E.exe29FE.exe2E06.exe35D7.exe37FB.exe40A7.exe59ED.exe5CFB.exe31839b57a4f11171d6abc8bbc4451ee4.execacls.exe6568.exe6828.exeoneetx.exelegota.exepowershell.exeexplonde.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeinjector.exewindefender.exe

pid	process
1580	z3017880.exe
2184	z0698584.exe
2852	z1668858.exe
4556	z4005176.exe
4936	q8376205.exe
60	r0936516.exe
5076	s1802947.exe
3900	t0207357.exe
5108	explonde.exe
2264	u6524727.exe
4964	w0224163.exe
3684	legota.exe
3216	123B.exe
3280	Ry5oa5OS.exe
2384	14DC.exe
4100	Uv0XA3vI.exe
2212	RW2He0AD.exe
2004	ct2Fd0Ko.exe
2928	1fY68mQ1.exe
3764	2xK602dY.exe
3768	176E.exe
3388	274E.exe
4404	29FE.exe
3900	2E06.exe
256	35D7.exe
1156	37FB.exe
5040	40A7.exe
412	59ED.exe
4216	5CFB.exe
244	31839b57a4f11171d6abc8bbc4451ee4.exe
2596	cacls.exe
3964	6568.exe
4336	6828.exe
2700	oneetx.exe
4372	legota.exe
5124	powershell.exe
900	explonde.exe
4144	31839b57a4f11171d6abc8bbc4451ee4.exe
5224	csrss.exe
5044	injector.exe
4720	windefender.exe

Loads dropped DLL 4 IoCs

Processes:

2E06.exerundll32.exerundll32.exe

pid process

3900 2E06.exe
3900 2E06.exe
5808 rundll32.exe
6076 rundll32.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

274E.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 274E.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3900	2E06.exe
3900	2E06.exe
5808	rundll32.exe
6076	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	274E.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AppLaunch.exez0698584.exez1668858.exe6828.execsrss.exe123B.exect2Fd0Ko.exez3017880.exeRy5oa5OS.exeRW2He0AD.exe31839b57a4f11171d6abc8bbc4451ee4.exez4005176.exeUv0XA3vI.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0698584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1668858.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\6828.exe'\""	6828.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	123B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ct2Fd0Ko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3017880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ry5oa5OS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	RW2He0AD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4005176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Uv0XA3vI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exeq8376205.exer0936516.exes1802947.exeu6524727.exe40A7.exe

description	pid	process	target process
PID 928 set thread context of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 4936 set thread context of 2608	4936	q8376205.exe	AppLaunch.exe
PID 60 set thread context of 2824	60	r0936516.exe	AppLaunch.exe
PID 5076 set thread context of 1060	5076	s1802947.exe	AppLaunch.exe
PID 2264 set thread context of 3000	2264	u6524727.exe	AppLaunch.exe
PID 5040 set thread context of 2976	5040	40A7.exe	vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4388 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3932 2824 WerFault.exe AppLaunch.exe
3392 3900 WerFault.exe 2E06.exe

pid	process
4388	sc.exe

pid	pid_target	process	target process
3932	2824	WerFault.exe	AppLaunch.exe
3392	3900	WerFault.exe	2E06.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3808 schtasks.exe
2668 schtasks.exe
572 schtasks.exe
5488 schtasks.exe
3240 schtasks.exe

pid	process
3808	schtasks.exe
2668	schtasks.exe
572	schtasks.exe
5488	schtasks.exe
3240	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

pid	process
2608	AppLaunch.exe
2608	AppLaunch.exe
1060	AppLaunch.exe
1060	AppLaunch.exe
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244
3244

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3244
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

1060 AppLaunch.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1472 msedge.exe
1472 msedge.exe
1472 msedge.exe
1472 msedge.exe
1472 msedge.exe
1472 msedge.exe
1472 msedge.exe

pid	process
3244

pid	process
1060	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exe274E.exe35D7.exe37FB.exe5CFB.exe

description	pid	process
Token: SeDebugPrivilege	2608	AppLaunch.exe
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeDebugPrivilege	3388	274E.exe
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeDebugPrivilege	256	35D7.exe
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeDebugPrivilege	1156	37FB.exe
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeShutdownPrivilege	3244
Token: SeCreatePagefilePrivilege	3244
Token: SeDebugPrivilege	4216	5CFB.exe
Token: SeShutdownPrivilege	3244

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.execacls.exe

pid	process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
2596	cacls.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3244

pid	process
3244

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exeAppLaunch.exez3017880.exez0698584.exez1668858.exez4005176.exeq8376205.exer0936516.exes1802947.exet0207357.exe

description	pid	process	target process
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 928 wrote to memory of 692	928	fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe	AppLaunch.exe
PID 692 wrote to memory of 1580	692	AppLaunch.exe	z3017880.exe
PID 692 wrote to memory of 1580	692	AppLaunch.exe	z3017880.exe
PID 692 wrote to memory of 1580	692	AppLaunch.exe	z3017880.exe
PID 1580 wrote to memory of 2184	1580	z3017880.exe	z0698584.exe
PID 1580 wrote to memory of 2184	1580	z3017880.exe	z0698584.exe
PID 1580 wrote to memory of 2184	1580	z3017880.exe	z0698584.exe
PID 2184 wrote to memory of 2852	2184	z0698584.exe	z1668858.exe
PID 2184 wrote to memory of 2852	2184	z0698584.exe	z1668858.exe
PID 2184 wrote to memory of 2852	2184	z0698584.exe	z1668858.exe
PID 2852 wrote to memory of 4556	2852	z1668858.exe	z4005176.exe
PID 2852 wrote to memory of 4556	2852	z1668858.exe	z4005176.exe
PID 2852 wrote to memory of 4556	2852	z1668858.exe	z4005176.exe
PID 4556 wrote to memory of 4936	4556	z4005176.exe	q8376205.exe
PID 4556 wrote to memory of 4936	4556	z4005176.exe	q8376205.exe
PID 4556 wrote to memory of 4936	4556	z4005176.exe	q8376205.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4936 wrote to memory of 2608	4936	q8376205.exe	AppLaunch.exe
PID 4556 wrote to memory of 60	4556	z4005176.exe	r0936516.exe
PID 4556 wrote to memory of 60	4556	z4005176.exe	r0936516.exe
PID 4556 wrote to memory of 60	4556	z4005176.exe	r0936516.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 60 wrote to memory of 2824	60	r0936516.exe	AppLaunch.exe
PID 2852 wrote to memory of 5076	2852	z1668858.exe	s1802947.exe
PID 2852 wrote to memory of 5076	2852	z1668858.exe	s1802947.exe
PID 2852 wrote to memory of 5076	2852	z1668858.exe	s1802947.exe
PID 5076 wrote to memory of 3952	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 3952	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 3952	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 1060	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 1060	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 1060	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 1060	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 1060	5076	s1802947.exe	AppLaunch.exe
PID 5076 wrote to memory of 1060	5076	s1802947.exe	AppLaunch.exe
PID 2184 wrote to memory of 3900	2184	z0698584.exe	t0207357.exe
PID 2184 wrote to memory of 3900	2184	z0698584.exe	t0207357.exe
PID 2184 wrote to memory of 3900	2184	z0698584.exe	t0207357.exe
PID 3900 wrote to memory of 5108	3900	t0207357.exe	explonde.exe
PID 3900 wrote to memory of 5108	3900	t0207357.exe	explonde.exe
PID 3900 wrote to memory of 5108	3900	t0207357.exe	explonde.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe
"C:\Users\Admin\AppData\Local\Temp\fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3017880.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3017880.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0698584.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0698584.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1668858.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1668858.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4005176.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4005176.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8376205.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8376205.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0936516.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0936516.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 540
9⤵
- Program crash
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1802947.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1802947.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0207357.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0207357.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
7⤵
- DcRat
- Creates scheduled task(s)
PID:3240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
7⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4748

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
8⤵
PID:4644

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
8⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:648

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
8⤵
PID:2936

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
8⤵
PID:3200

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:5808

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6524727.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6524727.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0224163.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0224163.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:4616

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4620

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:4956

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:2580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2824 -ip 2824
1⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\123B.exe
C:\Users\Admin\AppData\Local\Temp\123B.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3216

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ry5oa5OS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ry5oa5OS.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uv0XA3vI.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uv0XA3vI.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW2He0AD.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW2He0AD.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2212

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ct2Fd0Ko.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ct2Fd0Ko.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2004

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe
6⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe
6⤵
- Executes dropped EXE
PID:3764

C:\Users\Admin\AppData\Local\Temp\14DC.exe
C:\Users\Admin\AppData\Local\Temp\14DC.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1615.bat" "
1⤵
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff080446f8,0x7fff08044708,0x7fff08044718
3⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
3⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
3⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
3⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
3⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
3⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
3⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
3⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
3⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
3⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
3⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff080446f8,0x7fff08044708,0x7fff08044718
3⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\176E.exe
C:\Users\Admin\AppData\Local\Temp\176E.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\AppData\Local\Temp\274E.exe
C:\Users\Admin\AppData\Local\Temp\274E.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\AppData\Local\Temp\29FE.exe
C:\Users\Admin\AppData\Local\Temp\29FE.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\AppData\Local\Temp\2E06.exe
C:\Users\Admin\AppData\Local\Temp\2E06.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 804
2⤵
- Program crash
PID:3392

C:\Users\Admin\AppData\Local\Temp\35D7.exe
C:\Users\Admin\AppData\Local\Temp\35D7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:256

C:\Users\Admin\AppData\Local\Temp\37FB.exe
C:\Users\Admin\AppData\Local\Temp\37FB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3900 -ip 3900
1⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\40A7.exe
C:\Users\Admin\AppData\Local\Temp\40A7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\59ED.exe
C:\Users\Admin\AppData\Local\Temp\59ED.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:412

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
PID:244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2016

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4748

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:5224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5124

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:572

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:3236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4944

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5044

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:5488

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:1624

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:4388

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
2⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
4⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:4372

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4580

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
5⤵
PID:2068

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
5⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\5CFB.exe
C:\Users\Admin\AppData\Local\Temp\5CFB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Users\Admin\AppData\Local\Temp\6568.exe
C:\Users\Admin\AppData\Local\Temp\6568.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\6828.exe
C:\Users\Admin\AppData\Local\Temp\6828.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4336

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:5124

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
453bd72fe3f6e36189164571abefed69

SHA1
0f78de33e2908a74bfbfec2f8b383abd497ceca6

SHA256
af4dc76a262722cb046b781e87b8a54388fafc7d58f100b5364fb0b937d9102e

SHA512
0342603635d0107cdca3ea732b47de82ed98e4b10d0a6fc0273aedf8a0344849acf9133a7552a09aa63620800bb57ab9f965b35b082ae59ec1ef4274da6bf32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
661d619adb93c58f8206b13adeb46869

SHA1
cb86addc4efb09907f2857ab62ce4fd662cc77d7

SHA256
d6cc181f278ff72640c14ca3e587deb5359dd8b541890743ba7149167f4dc449

SHA512
49d1581dd2abfb3137c32a91a8b3ab244a8837c55e0564f760eac3c0f60dffcf288afff1eea495668ccb719f33d50592d66d4725825dcbc3eec14d9e19a71ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
10f5b64000466c1e6da25fb5a0115924

SHA1
cb253bacf2b087c4040eb3c6a192924234f68639

SHA256
d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b

SHA512
8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
22abdb43bc757c6f21d87d6392738053

SHA1
6b7b2557c0ac63981c0e986180968aaeac7de780

SHA256
2881c78a10bc04a2f7dc31ede803a7ce9ed7582cc31a5317bd3077796a154681

SHA512
373cd08c45d1bf996bc4b8eb325f8a5ddc1bfe45807d91b9aabcb11379b2d935878646235328b69b11f7092496ebf7b42fd822e43311547922880cbe6e0b1a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ebc2.TMP

Filesize
371B

MD5
3b397cc27836d705cfd171fbed2968b4

SHA1
c34a5d703afa31bfe6503ab7fc55dac39ef31865

SHA256
cd2684998f5231142d43060002716994c4b9db8780a7c142968ebfe692969d7e

SHA512
cfa247aced34d21dae6c5f26a98167f293fe628cc50aa17255ce5c21da76c520620063bb623cdd092e7b7ad457809e0fb6896cd0b10b035fe9bbf3b887620f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ef2d7df819fb21f77e4f6c63d6048b4

SHA1
02815782a3b6afe201dd0febb2c42e80c1273a8c

SHA256
76ed7cf67870cfa0e7b966092b6d0cc88f8b2474595fc1ed0e48a980028f60af

SHA512
9b82fc156de2687ec6e8ba858b3b592ff93371524c6921e8fe6231914cd9135be0605ef9e5c8712ac83d2715db60c15b321410799bf492139cb30d1b643f1ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5bd113b27cf599d1d31e21ddbf0d2a80

SHA1
730597d4c3c7530ca902a94076b04fc8c0c0bc07

SHA256
0c738e1a5a1362b38c4c62362a107694279a9f6dacdbbf824abcf4562759fbfc

SHA512
f7eaabbccaa6543c482226c95195aa634224323bb85154a4e58f3d84de58f10dcc4228027fd723531b86cacfb1ae654f8a1948ba4918aeb578f7c68e55b4981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\123B.exe

Filesize
1016KB

MD5
7aea9c0554d0988a4fff6ac5e6f76458

SHA1
8ef5d7b8cf26ec9e4321bfbd054061a2b2a765a8

SHA256
5f5db827e4b0b622f2570f9d4cabbedfb2b0aab868282eeb5ac9c28276d736b1

SHA512
8a5506ff567da8ca497b5c7e5656171bbcd8b1d7ef52782338b9d62d9428dca4cb9cb3d43eee9430f5f4eee369a31132aa2e44feb43f50d7fefbea1b1b5a5e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\123B.exe

Filesize
1016KB

MD5
7aea9c0554d0988a4fff6ac5e6f76458

SHA1
8ef5d7b8cf26ec9e4321bfbd054061a2b2a765a8

SHA256
5f5db827e4b0b622f2570f9d4cabbedfb2b0aab868282eeb5ac9c28276d736b1

SHA512
8a5506ff567da8ca497b5c7e5656171bbcd8b1d7ef52782338b9d62d9428dca4cb9cb3d43eee9430f5f4eee369a31132aa2e44feb43f50d7fefbea1b1b5a5e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\14DC.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\14DC.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1615.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\176E.exe

Filesize
221KB

MD5
8905918bd7e4f4aeda3a804d81f9ee40

SHA1
3c488a81539116085a1c22df26085f798f7202c8

SHA256
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

SHA512
6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\176E.exe

Filesize
221KB

MD5
8905918bd7e4f4aeda3a804d81f9ee40

SHA1
3c488a81539116085a1c22df26085f798f7202c8

SHA256
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

SHA512
6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\274E.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\274E.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\29FE.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\29FE.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E06.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E06.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E06.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E06.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\35D7.exe

Filesize
95KB

MD5
7f28547a6060699461824f75c96feaeb

SHA1
744195a7d3ef1aa32dcb99d15f73e26a20813259

SHA256
ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff

SHA512
eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

Download Submit
C:\Users\Admin\AppData\Local\Temp\35D7.exe

Filesize
95KB

MD5
7f28547a6060699461824f75c96feaeb

SHA1
744195a7d3ef1aa32dcb99d15f73e26a20813259

SHA256
ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff

SHA512
eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

Download Submit
C:\Users\Admin\AppData\Local\Temp\37FB.exe

Filesize
341KB

MD5
20e21e63bb7a95492aec18de6aa85ab9

SHA1
6cbf2079a42d86bf155c06c7ad5360c539c02b15

SHA256
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17

SHA512
73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\37FB.exe

Filesize
341KB

MD5
20e21e63bb7a95492aec18de6aa85ab9

SHA1
6cbf2079a42d86bf155c06c7ad5360c539c02b15

SHA256
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17

SHA512
73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\40A7.exe

Filesize
1.1MB

MD5
a8eb605b301ac27461ce89d51a4d73ce

SHA1
f3e2120787f20577963189b711567cc5d7b19d4e

SHA256
7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61

SHA512
372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\40A7.exe

Filesize
1.1MB

MD5
a8eb605b301ac27461ce89d51a4d73ce

SHA1
f3e2120787f20577963189b711567cc5d7b19d4e

SHA256
7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61

SHA512
372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ry5oa5OS.exe

Filesize
877KB

MD5
5313a5e74a97d9da5dc1589f2242d6bd

SHA1
5a6637593af2bbac114b070d2ff5e87fdc16f6c9

SHA256
39e3765060e76c654226131298aa099683a7966ece4c9015882e74e5250fe746

SHA512
3e9c4f47b383356da779982534974cb35e65a0dee4b5badcde44b24403353b2a76d2b5b102f933ccd944a644c19ed20c7ef9528dc717fd120111b9d4dad4f2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ry5oa5OS.exe

Filesize
877KB

MD5
5313a5e74a97d9da5dc1589f2242d6bd

SHA1
5a6637593af2bbac114b070d2ff5e87fdc16f6c9

SHA256
39e3765060e76c654226131298aa099683a7966ece4c9015882e74e5250fe746

SHA512
3e9c4f47b383356da779982534974cb35e65a0dee4b5badcde44b24403353b2a76d2b5b102f933ccd944a644c19ed20c7ef9528dc717fd120111b9d4dad4f2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0224163.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0224163.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3017880.exe

Filesize
1017KB

MD5
aea9295802325a93458b48558380d54e

SHA1
d4d3af7d2f60b649d13ecc81438c5c7046a01bb1

SHA256
41b5f4445938b13f2e8da53741af30ecfe3534a529af82e70b40a86d887c6da2

SHA512
f7700416267d4e44126be740fc604d998633dcf0e5549fb0750906f35da2be06928a7a1bdb0a5c5d159f13f84c8581739a6f6b81af72c1fbdecea79c9cc23ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3017880.exe

Filesize
1017KB

MD5
aea9295802325a93458b48558380d54e

SHA1
d4d3af7d2f60b649d13ecc81438c5c7046a01bb1

SHA256
41b5f4445938b13f2e8da53741af30ecfe3534a529af82e70b40a86d887c6da2

SHA512
f7700416267d4e44126be740fc604d998633dcf0e5549fb0750906f35da2be06928a7a1bdb0a5c5d159f13f84c8581739a6f6b81af72c1fbdecea79c9cc23ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6524727.exe

Filesize
392KB

MD5
9abdcb200d5e260de238671feff4f379

SHA1
3e48d28cfeb98ee286bca6bca2a4329809c2887d

SHA256
cdedc59b2ced7c6b04bd8804142fdcea65a508e19738af2e513f8a95c3044396

SHA512
40ee1abc7088d65b0477cce98ada3275b41922794535085946b5d009fa0a0d6d7bff2e95a5acbb540291e0a1172f47b11ae1df10cc21caeb7c87d14c3c857adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6524727.exe

Filesize
392KB

MD5
9abdcb200d5e260de238671feff4f379

SHA1
3e48d28cfeb98ee286bca6bca2a4329809c2887d

SHA256
cdedc59b2ced7c6b04bd8804142fdcea65a508e19738af2e513f8a95c3044396

SHA512
40ee1abc7088d65b0477cce98ada3275b41922794535085946b5d009fa0a0d6d7bff2e95a5acbb540291e0a1172f47b11ae1df10cc21caeb7c87d14c3c857adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0698584.exe

Filesize
756KB

MD5
08abc139032f2fe12cdbd200b32c5164

SHA1
3ddd6986d1d56a1711f0e2ece58884ce629fd7c0

SHA256
dc1054697d8f95aff058a31d57e31b780cd2eb3d0b687bdcae2093ea561fae40

SHA512
5a39b21cbd44b1c4edddf9f33482b853432596676f830919b52db2863c80971ac2bcf2c12a4fd3ac97593e1de46d58d1fa392d3043c194354866f98b29d1a301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0698584.exe

Filesize
756KB

MD5
08abc139032f2fe12cdbd200b32c5164

SHA1
3ddd6986d1d56a1711f0e2ece58884ce629fd7c0

SHA256
dc1054697d8f95aff058a31d57e31b780cd2eb3d0b687bdcae2093ea561fae40

SHA512
5a39b21cbd44b1c4edddf9f33482b853432596676f830919b52db2863c80971ac2bcf2c12a4fd3ac97593e1de46d58d1fa392d3043c194354866f98b29d1a301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uv0XA3vI.exe

Filesize
688KB

MD5
926b635add3c5f7d4ad2ab8bc356a311

SHA1
7e49db1a680c2f8da39ef6e3c8935df3b6236999

SHA256
d0ab3e8358ff02a4129c4ddbca2895a466a90b09d19e5a78882df9c3bc91ebd6

SHA512
a37c6171dfb1e382460d3183ede58353284e1b7af636821677fd078af1038b28f3af43582ba9e427b6ce4371f7f4a18b742aee9f4e3947df145cab178e60d4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uv0XA3vI.exe

Filesize
688KB

MD5
926b635add3c5f7d4ad2ab8bc356a311

SHA1
7e49db1a680c2f8da39ef6e3c8935df3b6236999

SHA256
d0ab3e8358ff02a4129c4ddbca2895a466a90b09d19e5a78882df9c3bc91ebd6

SHA512
a37c6171dfb1e382460d3183ede58353284e1b7af636821677fd078af1038b28f3af43582ba9e427b6ce4371f7f4a18b742aee9f4e3947df145cab178e60d4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0207357.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0207357.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1668858.exe

Filesize
573KB

MD5
e4c6c50d6aedff783cc282f4e8d90790

SHA1
c1bc3bd09cc78e21a5005a9e0222eb20f7dd76c8

SHA256
cbcdd1e0214b0d719782e61b02e6ccb283dea28f72b3447db84370f3db55da1b

SHA512
c46c56a11e4cf043c060089350dea6c8bafffc878804bc8356c72f5bd176e9c19a47b87ad1057db82df47d70465c862134cd3db0c383e33b78daaaed6312fc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1668858.exe

Filesize
573KB

MD5
e4c6c50d6aedff783cc282f4e8d90790

SHA1
c1bc3bd09cc78e21a5005a9e0222eb20f7dd76c8

SHA256
cbcdd1e0214b0d719782e61b02e6ccb283dea28f72b3447db84370f3db55da1b

SHA512
c46c56a11e4cf043c060089350dea6c8bafffc878804bc8356c72f5bd176e9c19a47b87ad1057db82df47d70465c862134cd3db0c383e33b78daaaed6312fc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW2He0AD.exe

Filesize
514KB

MD5
bb2179db24389d64c0698215b7f0a29b

SHA1
25798c35937815d228ad3e1772ed7a26e58c4607

SHA256
0e2b148187781e501ab5d56ae83adf575c643f327f24a3e7ff186516e8072347

SHA512
f6ecd53e13da88e3d431e9fbef6793add79ddfd936b853dbb0c048bafcecb83cc2e4d9d124eaf6916ff1a1d61275f048c061ceade9613eb54051b053189007b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW2He0AD.exe

Filesize
514KB

MD5
bb2179db24389d64c0698215b7f0a29b

SHA1
25798c35937815d228ad3e1772ed7a26e58c4607

SHA256
0e2b148187781e501ab5d56ae83adf575c643f327f24a3e7ff186516e8072347

SHA512
f6ecd53e13da88e3d431e9fbef6793add79ddfd936b853dbb0c048bafcecb83cc2e4d9d124eaf6916ff1a1d61275f048c061ceade9613eb54051b053189007b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1802947.exe

Filesize
248KB

MD5
7d20d12f3d7d36bb025b134d239bdef2

SHA1
0b0e5c4f71153509e283bca5ed98bf499a902cd9

SHA256
583e918ef4aa33e955d5a3429b5469585f484604fbbd1009701826043739c04f

SHA512
855853436f10e4c92c0c632d4a27ffcf61c22aaa7ecb19cfc9236113623e519bcdf4027dfd350e84a683de2faf6c4da0d20eca5269f16601fdd539808e7703ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1802947.exe

Filesize
248KB

MD5
7d20d12f3d7d36bb025b134d239bdef2

SHA1
0b0e5c4f71153509e283bca5ed98bf499a902cd9

SHA256
583e918ef4aa33e955d5a3429b5469585f484604fbbd1009701826043739c04f

SHA512
855853436f10e4c92c0c632d4a27ffcf61c22aaa7ecb19cfc9236113623e519bcdf4027dfd350e84a683de2faf6c4da0d20eca5269f16601fdd539808e7703ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4005176.exe

Filesize
341KB

MD5
8c76945ccd18d349cab0acb10f2bbfff

SHA1
633fcb033390581fb851c05fe8104c6616ce5c93

SHA256
5c088dc4d6435be6210197c3f3d61a6fd77de767f80fecb90de196b93e8bf6ae

SHA512
7e8e5ac7f8fbb710269eaf070a1010f12395c139d3b8a4ebfc920a74144e281e0b3c8842b022c4bce7a08c5ba2bb6fcdd944e98741b12be892ee3631b728d516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4005176.exe

Filesize
341KB

MD5
8c76945ccd18d349cab0acb10f2bbfff

SHA1
633fcb033390581fb851c05fe8104c6616ce5c93

SHA256
5c088dc4d6435be6210197c3f3d61a6fd77de767f80fecb90de196b93e8bf6ae

SHA512
7e8e5ac7f8fbb710269eaf070a1010f12395c139d3b8a4ebfc920a74144e281e0b3c8842b022c4bce7a08c5ba2bb6fcdd944e98741b12be892ee3631b728d516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ct2Fd0Ko.exe

Filesize
319KB

MD5
34a8c968e298e4ce266d7b2ec48f9a23

SHA1
1f92cd167505ecb653720ddd49a8c1a44ec5ef10

SHA256
0cd26f9ed63c6282d5e9e5ad685e7ee5fb7e0c996d60cc26e2178fcd7a3ecfc8

SHA512
5781dd5315c796369a64836be31a63a44e46f2e8644fc750c5324bdbcb113bc7906ceaf8719857b8bec78fc66dfe3e2b71455419b9688c27752f8f74a9b693d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ct2Fd0Ko.exe

Filesize
319KB

MD5
34a8c968e298e4ce266d7b2ec48f9a23

SHA1
1f92cd167505ecb653720ddd49a8c1a44ec5ef10

SHA256
0cd26f9ed63c6282d5e9e5ad685e7ee5fb7e0c996d60cc26e2178fcd7a3ecfc8

SHA512
5781dd5315c796369a64836be31a63a44e46f2e8644fc750c5324bdbcb113bc7906ceaf8719857b8bec78fc66dfe3e2b71455419b9688c27752f8f74a9b693d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8376205.exe

Filesize
229KB

MD5
6737cf5d4192c2c81d007185ea60397d

SHA1
56d5ebd47a6d5e2535614b8f750cadc15aed0821

SHA256
a9641a202d9bb3b71f5012e5ad93bab1f47d650cf7bb20b45ccedbecbcef3d23

SHA512
2f3e27139b4df868ee72d0fb46f8ef4a1556fcde579daa2835f0be89876da0ce315ac44496af0109b834b47f9790e78c7d58c75c55f94c4f19a53bd37fefa0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8376205.exe

Filesize
229KB

MD5
6737cf5d4192c2c81d007185ea60397d

SHA1
56d5ebd47a6d5e2535614b8f750cadc15aed0821

SHA256
a9641a202d9bb3b71f5012e5ad93bab1f47d650cf7bb20b45ccedbecbcef3d23

SHA512
2f3e27139b4df868ee72d0fb46f8ef4a1556fcde579daa2835f0be89876da0ce315ac44496af0109b834b47f9790e78c7d58c75c55f94c4f19a53bd37fefa0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0936516.exe

Filesize
358KB

MD5
94290ce88cbe2d6ead0f01ae2c7f56f7

SHA1
734d733bb4be25c77540868d10f83d5e88ccd83f

SHA256
34c25c812e7c48efb0f4c42acf96217170c75799bd3a86ace5c3c07a8508a3dc

SHA512
21e526944a391181d4d29c81483ffecace208cdb0aa661f9e20f1765dbd516c7e64ffa15e6beefcd65fbef88fafd553f5639312d72db0b9358447ecfcc5c98e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0936516.exe

Filesize
358KB

MD5
94290ce88cbe2d6ead0f01ae2c7f56f7

SHA1
734d733bb4be25c77540868d10f83d5e88ccd83f

SHA256
34c25c812e7c48efb0f4c42acf96217170c75799bd3a86ace5c3c07a8508a3dc

SHA512
21e526944a391181d4d29c81483ffecace208cdb0aa661f9e20f1765dbd516c7e64ffa15e6beefcd65fbef88fafd553f5639312d72db0b9358447ecfcc5c98e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe

Filesize
222KB

MD5
0df006de2f6f07bdc61cc44453af4d77

SHA1
88e2ad6ed6e7f5a281c4cdc56d2f9a50438b33b1

SHA256
f87a3d513f323a929716a900df70b0536a1b5bc87e0039dd6038811c4cc9668e

SHA512
740807b59efe91c4926124c3d424943bada2d8203871cdb2ecab9b5d70d84df8b6142d9fc5aa9f859b29b313657f648fb5da6efa76112023dca400e956d95978

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe

Filesize
222KB

MD5
0df006de2f6f07bdc61cc44453af4d77

SHA1
88e2ad6ed6e7f5a281c4cdc56d2f9a50438b33b1

SHA256
f87a3d513f323a929716a900df70b0536a1b5bc87e0039dd6038811c4cc9668e

SHA512
740807b59efe91c4926124c3d424943bada2d8203871cdb2ecab9b5d70d84df8b6142d9fc5aa9f859b29b313657f648fb5da6efa76112023dca400e956d95978

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lukkw5i2.1e0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
0c459e65bcc6d38574f0c0d63a87088a

SHA1
41e53d5f2b3e7ca859b842a1c7b677e0847e6d65

SHA256
871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4

SHA512
be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
\??\pipe\LOCAL\crashpad_1472_NYNCENDVQBCTFAOQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/244-499-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/244-409-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/244-360-0x0000000004C80000-0x0000000005079000-memory.dmp

Filesize
4.0MB

Download
memory/256-220-0x00000000006A0000-0x00000000006BE000-memory.dmp

Filesize
120KB

Download
memory/256-229-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/256-344-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/256-233-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/256-341-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/412-346-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/412-321-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/412-320-0x0000000000090000-0x00000000004E8000-memory.dmp

Filesize
4.3MB

Download
memory/692-2-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/692-93-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/692-1-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/692-67-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/692-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/692-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1060-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1060-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1060-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1156-345-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/1156-327-0x0000000009C00000-0x0000000009C50000-memory.dmp

Filesize
320KB

Download
memory/1156-237-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/1156-328-0x0000000009CD0000-0x0000000009D46000-memory.dmp

Filesize
472KB

Download
memory/1156-261-0x0000000008550000-0x00000000085B6000-memory.dmp

Filesize
408KB

Download
memory/1156-317-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/1156-224-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/1156-222-0x0000000000BC0000-0x0000000000C1A000-memory.dmp

Filesize
360KB

Download
memory/2608-76-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/2608-68-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/2608-39-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2608-43-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/2824-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2976-313-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/2976-305-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/2976-287-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/3000-85-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3000-105-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3000-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3000-84-0x0000000002CA0000-0x0000000002CA6000-memory.dmp

Filesize
24KB

Download
memory/3000-94-0x00000000058E0000-0x0000000005EF8000-memory.dmp

Filesize
6.1MB

Download
memory/3000-95-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/3000-97-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/3000-96-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3000-98-0x0000000005380000-0x00000000053BC000-memory.dmp

Filesize
240KB

Download
memory/3000-99-0x00000000054F0000-0x000000000553C000-memory.dmp

Filesize
304KB

Download
memory/3000-100-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3244-63-0x0000000003560000-0x0000000003576000-memory.dmp

Filesize
88KB

Download
memory/3388-184-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-176-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3388-242-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-202-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-200-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-266-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3388-198-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-239-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-284-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3388-285-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3388-194-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-231-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-189-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-227-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-187-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-245-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-185-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-236-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-221-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-215-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-178-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3388-169-0x00000000022B0000-0x00000000022D0000-memory.dmp

Filesize
128KB

Download
memory/3388-177-0x00000000024C0000-0x00000000024DE000-memory.dmp

Filesize
120KB

Download
memory/3388-212-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/3388-174-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3764-160-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3764-168-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/3764-243-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3764-283-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/3764-175-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/3764-164-0x0000000007E00000-0x00000000083A4000-memory.dmp

Filesize
5.6MB

Download
memory/3764-159-0x0000000000B50000-0x0000000000B8E000-memory.dmp

Filesize
248KB

Download
memory/3768-179-0x0000000007760000-0x0000000007770000-memory.dmp

Filesize
64KB

Download
memory/3768-246-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3768-162-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3768-161-0x00000000006F0000-0x000000000072E000-memory.dmp

Filesize
248KB

Download
memory/3768-182-0x00000000074C0000-0x00000000074CA000-memory.dmp

Filesize
40KB

Download
memory/3900-219-0x0000000001FB0000-0x000000000200A000-memory.dmp

Filesize
360KB

Download
memory/3900-316-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3900-213-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3900-240-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/3964-353-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/4216-348-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/4216-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5040-304-0x00000000006C0000-0x00000000007DB000-memory.dmp

Filesize
1.1MB

Download
memory/5040-286-0x00000000006C0000-0x00000000007DB000-memory.dmp

Filesize
1.1MB

Download