healer | dcb5fc049c86e199973bd981e93ebce9d49575f000197430637eb8a32437da86

Analysis

max time kernel
76s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.2MB
MD5

f4a7daf100b3e45a6585e83be9df6e17
SHA1

6473370285abb5b2dc4a8d1922a04633d60d7638
SHA256

dcb5fc049c86e199973bd981e93ebce9d49575f000197430637eb8a32437da86
SHA512

3d42a8ed65f8b567e501efba85259f4b58630534f31bc40a433da7ee26c23de14f802bd2205746bf87b5ddd9bedd44fb689f28cefc9b2ee4df8c22a2540a5fce
SSDEEP

24576:cyIbWnfidkI5z7QaYi+3+jDc39URRMW/61wQxEMC5tzFpWb+GMSy2dDuC2DC:LIbOgtQf93+/G9UsW/61wCzgdFqMl2dF

Score

10^/10

healer redline smokeloader breha kukish backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000f0000000231ce-163.dat	healer
behavioral2/files/0x000f0000000231ce-162.dat	healer
behavioral2/memory/1400-172-0x0000000000F00000-0x0000000000F0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/memory/4480-46-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/files/0x0006000000023204-115.dat	family_redline
behavioral2/files/0x0006000000023204-117.dat	family_redline
behavioral2/memory/4780-121-0x0000000000040000-0x000000000007E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	5bq8ZC2.exe

Executes dropped EXE 17 IoCs

pid	Process
3260	PE6yV39.exe
3356	MC9fS29.exe
3720	pW4lR89.exe
2248	1hz42fy9.exe
1644	2mH2607.exe
3124	3tU54SQ.exe
4316	4cf828dD.exe
3492	5bq8ZC2.exe
1556	5DCB.exe
1728	ZK6bX1Dl.exe
1656	mw2iJ3Xe.exe
1292	zb0mB6rR.exe
736	627F.exe
3012	Ga4pH9nL.exe
4372	1Kr70Qv6.exe
4780	2ly017IJ.exe
4852	6CD1.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PE6yV39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	5DCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	mw2iJ3Xe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	zb0mB6rR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	MC9fS29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pW4lR89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZK6bX1Dl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	Ga4pH9nL.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 1676	2248	1hz42fy9.exe	92
PID 3124 set thread context of 4820	3124	3tU54SQ.exe	102
PID 4316 set thread context of 4480	4316	4cf828dD.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4876	2248	WerFault.exe	90
4328	3124	WerFault.exe	98
3660	4316	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	AppLaunch.exe
1676	AppLaunch.exe
4820	AppLaunch.exe
4820	AppLaunch.exe
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4820	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	AppLaunch.exe
Token: SeShutdownPrivilege	3172	Process not Found
Token: SeCreatePagefilePrivilege	3172	Process not Found
Token: SeShutdownPrivilege	3172	Process not Found
Token: SeCreatePagefilePrivilege	3172	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3260	4000	file.exe	87
PID 4000 wrote to memory of 3260	4000	file.exe	87
PID 4000 wrote to memory of 3260	4000	file.exe	87
PID 3260 wrote to memory of 3356	3260	PE6yV39.exe	88
PID 3260 wrote to memory of 3356	3260	PE6yV39.exe	88
PID 3260 wrote to memory of 3356	3260	PE6yV39.exe	88
PID 3356 wrote to memory of 3720	3356	MC9fS29.exe	89
PID 3356 wrote to memory of 3720	3356	MC9fS29.exe	89
PID 3356 wrote to memory of 3720	3356	MC9fS29.exe	89
PID 3720 wrote to memory of 2248	3720	pW4lR89.exe	90
PID 3720 wrote to memory of 2248	3720	pW4lR89.exe	90
PID 3720 wrote to memory of 2248	3720	pW4lR89.exe	90
PID 2248 wrote to memory of 2780	2248	1hz42fy9.exe	91
PID 2248 wrote to memory of 2780	2248	1hz42fy9.exe	91
PID 2248 wrote to memory of 2780	2248	1hz42fy9.exe	91
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 2248 wrote to memory of 1676	2248	1hz42fy9.exe	92
PID 3720 wrote to memory of 1644	3720	pW4lR89.exe	97
PID 3720 wrote to memory of 1644	3720	pW4lR89.exe	97
PID 3720 wrote to memory of 1644	3720	pW4lR89.exe	97
PID 3356 wrote to memory of 3124	3356	MC9fS29.exe	98
PID 3356 wrote to memory of 3124	3356	MC9fS29.exe	98
PID 3356 wrote to memory of 3124	3356	MC9fS29.exe	98
PID 3124 wrote to memory of 4396	3124	3tU54SQ.exe	100
PID 3124 wrote to memory of 4396	3124	3tU54SQ.exe	100
PID 3124 wrote to memory of 4396	3124	3tU54SQ.exe	100
PID 3124 wrote to memory of 2376	3124	3tU54SQ.exe	101
PID 3124 wrote to memory of 2376	3124	3tU54SQ.exe	101
PID 3124 wrote to memory of 2376	3124	3tU54SQ.exe	101
PID 3124 wrote to memory of 4820	3124	3tU54SQ.exe	102
PID 3124 wrote to memory of 4820	3124	3tU54SQ.exe	102
PID 3124 wrote to memory of 4820	3124	3tU54SQ.exe	102
PID 3124 wrote to memory of 4820	3124	3tU54SQ.exe	102
PID 3124 wrote to memory of 4820	3124	3tU54SQ.exe	102
PID 3124 wrote to memory of 4820	3124	3tU54SQ.exe	102
PID 3260 wrote to memory of 4316	3260	PE6yV39.exe	105
PID 3260 wrote to memory of 4316	3260	PE6yV39.exe	105
PID 3260 wrote to memory of 4316	3260	PE6yV39.exe	105
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4316 wrote to memory of 4480	4316	4cf828dD.exe	107
PID 4000 wrote to memory of 3492	4000	file.exe	110
PID 4000 wrote to memory of 3492	4000	file.exe	110
PID 4000 wrote to memory of 3492	4000	file.exe	110
PID 3492 wrote to memory of 1320	3492	5bq8ZC2.exe	111
PID 3492 wrote to memory of 1320	3492	5bq8ZC2.exe	111
PID 3172 wrote to memory of 1556	3172	Process not Found	114
PID 3172 wrote to memory of 1556	3172	Process not Found	114
PID 3172 wrote to memory of 1556	3172	Process not Found	114
PID 1556 wrote to memory of 1728	1556	5DCB.exe	115
PID 1556 wrote to memory of 1728	1556	5DCB.exe	115
PID 1556 wrote to memory of 1728	1556	5DCB.exe	115
PID 1728 wrote to memory of 1656	1728	ZK6bX1Dl.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PE6yV39.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PE6yV39.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MC9fS29.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MC9fS29.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW4lR89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW4lR89.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hz42fy9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hz42fy9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 600
        6⤵
        Program crash
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mH2607.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mH2607.exe
        5⤵
        Executes dropped EXE
        
        PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tU54SQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tU54SQ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2376
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 580
        5⤵
        Program crash
        
        PID:4328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4cf828dD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4cf828dD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 580
      4⤵
      Program crash
      PID:3660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5bq8ZC2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5bq8ZC2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4FE0.tmp\4FE1.tmp\4FE2.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5bq8ZC2.exe"
    3⤵
    PID:1320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:1344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe118646f8,0x7ffe11864708,0x7ffe11864718
        5⤵
        
        PID:2868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13014879008386908823,13960405662003359658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:2008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13014879008386908823,13960405662003359658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        
        PID:788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13014879008386908823,13960405662003359658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        5⤵
        
        PID:2880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13014879008386908823,13960405662003359658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        5⤵
        
        PID:4616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13014879008386908823,13960405662003359658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
        5⤵
        
        PID:2696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe118646f8,0x7ffe11864708,0x7ffe11864718
        5⤵
        
        PID:2924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10797254417949557145,12107446157189357888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        
        PID:4256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10797254417949557145,12107446157189357888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2248 -ip 2248
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3124 -ip 3124
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4316 -ip 4316
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\5DCB.exe
C:\Users\Admin\AppData\Local\Temp\5DCB.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZK6bX1Dl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZK6bX1Dl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mw2iJ3Xe.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mw2iJ3Xe.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zb0mB6rR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zb0mB6rR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ga4pH9nL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ga4pH9nL.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3012
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Kr70Qv6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Kr70Qv6.exe
        6⤵
        Executes dropped EXE
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2ly017IJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2ly017IJ.exe
        6⤵
        Executes dropped EXE
        
        PID:4780

C:\Users\Admin\AppData\Local\Temp\627F.exe
C:\Users\Admin\AppData\Local\Temp\627F.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6445.bat" "
1⤵
PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe118646f8,0x7ffe11864708,0x7ffe11864718
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1460,9360141794422710105,15075125979894690207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
    3⤵
    PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:3584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe118646f8,0x7ffe11864708,0x7ffe11864718
    3⤵
    PID:2928

C:\Users\Admin\AppData\Local\Temp\6CD1.exe
C:\Users\Admin\AppData\Local\Temp\6CD1.exe
1⤵
- Executes dropped EXE
PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1356

C:\Users\Admin\AppData\Local\Temp\6DEC.exe
C:\Users\Admin\AppData\Local\Temp\6DEC.exe
1⤵
PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4852 -ip 4852
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
45fe8440c5d976b902cfc89fb780a578

SHA1
5696962f2d0e89d4c561acd58483b0a4ffeab800

SHA256
f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96

SHA512
efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE0.tmp\4FE1.tmp\4FE2.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DCB.exe

Filesize
1.2MB

MD5
8d6fdc27a6ff2fe99b9e0d7a8e090756

SHA1
fcd7c88721f1053619028275fb09faf68ccf6510

SHA256
1a344bcaed1d7e7a4bd7547a87be36731871c12c6ce22e771b2968eaaceb7ccc

SHA512
dc06be2efba1835a75896944026845613157da8720c3626aa3eab6a1d3300372e785ea7c0972436542dbcd2e21274d8242d509723ba4f382e6e7cc683264583d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DCB.exe

Filesize
1.2MB

MD5
8d6fdc27a6ff2fe99b9e0d7a8e090756

SHA1
fcd7c88721f1053619028275fb09faf68ccf6510

SHA256
1a344bcaed1d7e7a4bd7547a87be36731871c12c6ce22e771b2968eaaceb7ccc

SHA512
dc06be2efba1835a75896944026845613157da8720c3626aa3eab6a1d3300372e785ea7c0972436542dbcd2e21274d8242d509723ba4f382e6e7cc683264583d

Download Submit
C:\Users\Admin\AppData\Local\Temp\627F.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\627F.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\627F.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6445.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CD1.exe

Filesize
1.1MB

MD5
bf075535cc01c5aaf1823039448f623c

SHA1
6190ee29b277e9a0e3256e24a43d90130ef285fc

SHA256
b05d8b1e1cec7c290f130c707a77a960b8bbb47e12da894f6843fcccca45bbb2

SHA512
164ae9aa4426efcdc1f5f9ce320c91d50b0f7a4c5e6d56521e7addd1489b1a9f5c5e10d499b69806de24881f71f33b525766b20534eed4153ff2e70d1d990fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CD1.exe

Filesize
1.1MB

MD5
bf075535cc01c5aaf1823039448f623c

SHA1
6190ee29b277e9a0e3256e24a43d90130ef285fc

SHA256
b05d8b1e1cec7c290f130c707a77a960b8bbb47e12da894f6843fcccca45bbb2

SHA512
164ae9aa4426efcdc1f5f9ce320c91d50b0f7a4c5e6d56521e7addd1489b1a9f5c5e10d499b69806de24881f71f33b525766b20534eed4153ff2e70d1d990fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DEC.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DEC.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5bq8ZC2.exe

Filesize
98KB

MD5
e8215010deaf488e065d82c136e54b15

SHA1
a588ba55f4e46f553ca3f7ab6a51b207d26a150c

SHA256
746c273a9d114abee4c8e0a44efc95a2fee9a909c86c7f3a72208b015b96c2a5

SHA512
787c7624cdf587f8279307ae2d88cbcb87e71428d86db2c246cb03c2df48df54b1d40aeb24d27dac78f0b6853c2b311ca55974727b61472ca40f73c6e712e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5bq8ZC2.exe

Filesize
98KB

MD5
e8215010deaf488e065d82c136e54b15

SHA1
a588ba55f4e46f553ca3f7ab6a51b207d26a150c

SHA256
746c273a9d114abee4c8e0a44efc95a2fee9a909c86c7f3a72208b015b96c2a5

SHA512
787c7624cdf587f8279307ae2d88cbcb87e71428d86db2c246cb03c2df48df54b1d40aeb24d27dac78f0b6853c2b311ca55974727b61472ca40f73c6e712e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PE6yV39.exe

Filesize
1.1MB

MD5
356e5ddc1efb265c417b4e4558c0e9c5

SHA1
4757b34452a70caca7bc4cb382abbc6268545ad6

SHA256
f37262e962c7975f9ec76e4786ec34e52037aaf3a545dd6b4ca778c8199e9d4f

SHA512
cdf1cc43b9ca97f63d97f6c4670d039630c399ecc4b9af8aef9998d3b9111a69fe727fe705a224e490ddfb1a7e41dd52763abf3c74c2a43efe8169636939cb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PE6yV39.exe

Filesize
1.1MB

MD5
356e5ddc1efb265c417b4e4558c0e9c5

SHA1
4757b34452a70caca7bc4cb382abbc6268545ad6

SHA256
f37262e962c7975f9ec76e4786ec34e52037aaf3a545dd6b4ca778c8199e9d4f

SHA512
cdf1cc43b9ca97f63d97f6c4670d039630c399ecc4b9af8aef9998d3b9111a69fe727fe705a224e490ddfb1a7e41dd52763abf3c74c2a43efe8169636939cb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4cf828dD.exe

Filesize
1.1MB

MD5
8e00628319dcc7b11eac81fd7c2f5580

SHA1
fbcddc35b24a9d32583ca3658d89723e7e9189cb

SHA256
66267b25d50909616de4a777e90f236dd33253d94fa3a8ccce9d1ccd437ff371

SHA512
2eb98a2d7adca8e5ca16d732da1d261e95ce14d1e1aa9da030c37fd0699be332045fcb64dda2eb92b8b634732e9b1dce6f7647f4876f072a214e3e73ae528939

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4cf828dD.exe

Filesize
1.1MB

MD5
8e00628319dcc7b11eac81fd7c2f5580

SHA1
fbcddc35b24a9d32583ca3658d89723e7e9189cb

SHA256
66267b25d50909616de4a777e90f236dd33253d94fa3a8ccce9d1ccd437ff371

SHA512
2eb98a2d7adca8e5ca16d732da1d261e95ce14d1e1aa9da030c37fd0699be332045fcb64dda2eb92b8b634732e9b1dce6f7647f4876f072a214e3e73ae528939

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MC9fS29.exe

Filesize
691KB

MD5
35844a38bd2078f1110dc0262a63004b

SHA1
9e4789536bc48d3040ad20e9ab2dc8e905a05c31

SHA256
b986170f7ee5b589640de47a39c42fa9df8af5e8fe95b50a0e55047f396a20eb

SHA512
ae87067ab234c15a31f3c1a3eca3d801e794ca5825336f089eaee7cdba105ea36837d7cfa24257b8831c08568691c89d926b4ee0ffd8773a1b64928a0953b7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MC9fS29.exe

Filesize
691KB

MD5
35844a38bd2078f1110dc0262a63004b

SHA1
9e4789536bc48d3040ad20e9ab2dc8e905a05c31

SHA256
b986170f7ee5b589640de47a39c42fa9df8af5e8fe95b50a0e55047f396a20eb

SHA512
ae87067ab234c15a31f3c1a3eca3d801e794ca5825336f089eaee7cdba105ea36837d7cfa24257b8831c08568691c89d926b4ee0ffd8773a1b64928a0953b7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tU54SQ.exe

Filesize
896KB

MD5
cbd15ea5275211da1d08d905e2cbb926

SHA1
b387b39ff6dd3406f9186caa2b4dcacc10fb7133

SHA256
944347d5eae27df345815d9681939baaed2cf82274ec89259146ac60f9c64a52

SHA512
95f1723c207998e4194a963ac61dad4a13cd9a03b2ed3fe2e2a8766e09961dd016ff1a16abfbc3b981c46d25a5b794f97e9cbd3ac897e84e187e67959b3e6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3tU54SQ.exe

Filesize
896KB

MD5
cbd15ea5275211da1d08d905e2cbb926

SHA1
b387b39ff6dd3406f9186caa2b4dcacc10fb7133

SHA256
944347d5eae27df345815d9681939baaed2cf82274ec89259146ac60f9c64a52

SHA512
95f1723c207998e4194a963ac61dad4a13cd9a03b2ed3fe2e2a8766e09961dd016ff1a16abfbc3b981c46d25a5b794f97e9cbd3ac897e84e187e67959b3e6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\6IT09sV.exe

Filesize
98KB

MD5
0067ff4bf8e387853880a44598991c3a

SHA1
cd29bdb6615e816eaeeb6fdb47b5cea635c7f039

SHA256
f5ada250451101b4bd3845ec164523c8d346da1e75c99753d144edb1198544b1

SHA512
5bdc67ed0a2a037efd93a9abfb1c96429d7b39fddabce2ecc4bd9b420dfbb430fea45ebc7f4416006fd112b3598574aefaf3764151ee39a19365f9e9b701a6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZK6bX1Dl.exe

Filesize
1.1MB

MD5
166ba81604a875ac027668f46cc326bc

SHA1
a9f9ced75de2896145a93b9d8b2e265fc0307462

SHA256
8f105414617889d0d025c464efe056251a7c04bac4fa96f48cbbbde4611d27cd

SHA512
84786344470fc84e0fa8c63b0ffa08a71ae9f041cb0f1c5100816c76460cb80df5239a512640b774f1d8e72338805d7f8914172af9064345b94a11562c8f1e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZK6bX1Dl.exe

Filesize
1.1MB

MD5
166ba81604a875ac027668f46cc326bc

SHA1
a9f9ced75de2896145a93b9d8b2e265fc0307462

SHA256
8f105414617889d0d025c464efe056251a7c04bac4fa96f48cbbbde4611d27cd

SHA512
84786344470fc84e0fa8c63b0ffa08a71ae9f041cb0f1c5100816c76460cb80df5239a512640b774f1d8e72338805d7f8914172af9064345b94a11562c8f1e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW4lR89.exe

Filesize
330KB

MD5
e1ca8607753275ecdab87cae9b42cd8e

SHA1
2c64cec3fbf1815b34bf8068e8dc6193408ce8e3

SHA256
ae8e1d74335e349d50e79f1d5a58cc0f51f03258740d895af60f88eeae6f0f66

SHA512
ede03eb07cd1923e95eec1249c4ecd77e02b7ae9bdefa9b11261fee41358ab63b95ff4c1847907108fe4bdc6517c5cf95c0d5f0ce78572b168a9ce44994bb4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW4lR89.exe

Filesize
330KB

MD5
e1ca8607753275ecdab87cae9b42cd8e

SHA1
2c64cec3fbf1815b34bf8068e8dc6193408ce8e3

SHA256
ae8e1d74335e349d50e79f1d5a58cc0f51f03258740d895af60f88eeae6f0f66

SHA512
ede03eb07cd1923e95eec1249c4ecd77e02b7ae9bdefa9b11261fee41358ab63b95ff4c1847907108fe4bdc6517c5cf95c0d5f0ce78572b168a9ce44994bb4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hz42fy9.exe

Filesize
232KB

MD5
3ff825411b1fe07e712a5dcae34f80eb

SHA1
e3e4358cabfa74d6e36e26754b01ed78434a6877

SHA256
69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

SHA512
325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hz42fy9.exe

Filesize
232KB

MD5
3ff825411b1fe07e712a5dcae34f80eb

SHA1
e3e4358cabfa74d6e36e26754b01ed78434a6877

SHA256
69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

SHA512
325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mH2607.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mH2607.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mw2iJ3Xe.exe

Filesize
925KB

MD5
5ec84ec714aeee52016e475280f202df

SHA1
d3425ffad14a2741cb339da431abc4208262a75c

SHA256
39ca2ac1e7a80b39899f528a7a5d46ff8e7530b06bfc605869db7e92f526c86a

SHA512
deb0099b92134887832118b17d2c5565466c8a5d122e01366c948651d45746a4ce22228016a3816d2130bb0b905b17d04710d70d225909a63e2a9f925021250e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mw2iJ3Xe.exe

Filesize
925KB

MD5
5ec84ec714aeee52016e475280f202df

SHA1
d3425ffad14a2741cb339da431abc4208262a75c

SHA256
39ca2ac1e7a80b39899f528a7a5d46ff8e7530b06bfc605869db7e92f526c86a

SHA512
deb0099b92134887832118b17d2c5565466c8a5d122e01366c948651d45746a4ce22228016a3816d2130bb0b905b17d04710d70d225909a63e2a9f925021250e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\4bH537qj.exe

Filesize
1.1MB

MD5
8e00628319dcc7b11eac81fd7c2f5580

SHA1
fbcddc35b24a9d32583ca3658d89723e7e9189cb

SHA256
66267b25d50909616de4a777e90f236dd33253d94fa3a8ccce9d1ccd437ff371

SHA512
2eb98a2d7adca8e5ca16d732da1d261e95ce14d1e1aa9da030c37fd0699be332045fcb64dda2eb92b8b634732e9b1dce6f7647f4876f072a214e3e73ae528939

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zb0mB6rR.exe

Filesize
514KB

MD5
d24fc153514f465665aeb87afce202e2

SHA1
bebd7242e149c1df0840e0970379591a96a00ddc

SHA256
b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f

SHA512
bbf65202c6001b58bd4fcfb4fbb69368df9befb3015324d4be17a8facd75d535c2ac9a02fcdb1741889fb223b3f8e1b5536cf24f1b1ca661d34fb0fa7a1efe17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\zb0mB6rR.exe

Filesize
514KB

MD5
d24fc153514f465665aeb87afce202e2

SHA1
bebd7242e149c1df0840e0970379591a96a00ddc

SHA256
b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f

SHA512
bbf65202c6001b58bd4fcfb4fbb69368df9befb3015324d4be17a8facd75d535c2ac9a02fcdb1741889fb223b3f8e1b5536cf24f1b1ca661d34fb0fa7a1efe17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ga4pH9nL.exe

Filesize
319KB

MD5
a7b2d6beeb1142a7d4037ffd3422d25d

SHA1
b6056916138807be03d65e08c8fb9398d76fd7b0

SHA256
f0e4aa890c584ad69a47345e1fd364f46c26677a8518da5f2598d5cb5fe68dd4

SHA512
113770c214df95944f1b2bbeac802c3bd4235e3cfb3ff74fdce03449c20bbbbb4b45f74cbc5931ae9a373903c095be7ed22f45e8a8eb140fa69284b5597bf128

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ga4pH9nL.exe

Filesize
319KB

MD5
a7b2d6beeb1142a7d4037ffd3422d25d

SHA1
b6056916138807be03d65e08c8fb9398d76fd7b0

SHA256
f0e4aa890c584ad69a47345e1fd364f46c26677a8518da5f2598d5cb5fe68dd4

SHA512
113770c214df95944f1b2bbeac802c3bd4235e3cfb3ff74fdce03449c20bbbbb4b45f74cbc5931ae9a373903c095be7ed22f45e8a8eb140fa69284b5597bf128

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Kr70Qv6.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Kr70Qv6.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2ly017IJ.exe

Filesize
221KB

MD5
ff4f6299ec97cec525769f1270ecbe33

SHA1
e54fdfb7c21a94e0db907f1b8499a361009daaf3

SHA256
c07b6515162ce6c2aec88dbc20dbed84fd8fd6c7a623df79b423398156600f1c

SHA512
29e52d182c48a10a67bd81a7c8b53b1c4dd7620ddd24a878a02f34a67916309ef96ffc21fbd92dc863e34745dd72acfdda5a24c3ae8bf675352db1d25d2ed117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2ly017IJ.exe

Filesize
221KB

MD5
ff4f6299ec97cec525769f1270ecbe33

SHA1
e54fdfb7c21a94e0db907f1b8499a361009daaf3

SHA256
c07b6515162ce6c2aec88dbc20dbed84fd8fd6c7a623df79b423398156600f1c

SHA512
29e52d182c48a10a67bd81a7c8b53b1c4dd7620ddd24a878a02f34a67916309ef96ffc21fbd92dc863e34745dd72acfdda5a24c3ae8bf675352db1d25d2ed117

Download Submit
memory/1400-178-0x00007FFE0DDB0000-0x00007FFE0E871000-memory.dmp

Filesize
10.8MB

Download
memory/1400-172-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/1676-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1676-29-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1676-45-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/1676-49-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3172-41-0x00000000012B0000-0x00000000012C6000-memory.dmp

Filesize
88KB

Download
memory/4480-61-0x0000000006FB0000-0x0000000006FBA000-memory.dmp

Filesize
40KB

Download
memory/4480-56-0x0000000006DB0000-0x0000000006E42000-memory.dmp

Filesize
584KB

Download
memory/4480-182-0x0000000007030000-0x0000000007040000-memory.dmp

Filesize
64KB

Download
memory/4480-57-0x0000000007030000-0x0000000007040000-memory.dmp

Filesize
64KB

Download
memory/4480-112-0x00000000070F0000-0x000000000712C000-memory.dmp

Filesize
240KB

Download
memory/4480-108-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4480-102-0x0000000007160000-0x000000000726A000-memory.dmp

Filesize
1.0MB

Download
memory/4480-96-0x0000000007E40000-0x0000000008458000-memory.dmp

Filesize
6.1MB

Download
memory/4480-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-122-0x0000000007820000-0x000000000786C000-memory.dmp

Filesize
304KB

Download
memory/4480-47-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4480-50-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4480-51-0x0000000007270000-0x0000000007814000-memory.dmp

Filesize
5.6MB

Download
memory/4780-121-0x0000000000040000-0x000000000007E000-memory.dmp

Filesize
248KB

Download
memory/4780-120-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/4780-133-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/4820-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4820-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4820-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download