amadey | 4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe
Size

1.4MB
MD5

6ecc7b145884dd81bd6c17d6d1b6aab5
SHA1

eef8d323944d78b6ce42592eb6eabf7be7baa50d
SHA256

4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12
SHA512

03bc9ebe4aa2797ceef9f0b331d867364817b49dab0da58ba8a8f1d829b8be625b5020575004b18b66e8a69da5febfeace6ea0a4cfcaa01f440e12308e408809
SSDEEP

24576:D9g4nGttHXCwbUQDV/l3Dpaw4OPOpoJqe2tGv4A1wiAl0Hqych/fLnkkDRMbLstG:Jg4nGKypvPqoQTpA1wPXHSUG

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

redline

Botnet

monik

77.91.124.82:19071

Attributes

auth_value
da7d9ea0878f5901f1f8319d34bdccea

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

pixelscloud2.0

85.209.176.128:80

Extracted

Family

redline

Botnet

@ytlogsbot

185.216.70.238:37515

Extracted

Family

redline

Botnet

5141679758_99

https://pastebin.com/raw/8baCJyMF

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

AppLaunch.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
824	schtasks.exe
4376	schtasks.exe
3724	schtasks.exe

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1044-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1044-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1044-46-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1044-48-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4988-39-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3540-431-0x0000000005100000-0x00000000059EB000-memory.dmp	family_glupteba
behavioral2/memory/3540-505-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral2/memory/3540-550-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

6929.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6929.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6929.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\58DC.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\58DC.exe	family_redline
behavioral2/memory/4476-156-0x0000000000D10000-0x0000000000D4E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kU747NI.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kU747NI.exe	family_redline
behavioral2/memory/4496-187-0x0000000000EF0000-0x0000000000F2E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\8668.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\8919.exe	family_redline
behavioral2/memory/552-234-0x0000000000F40000-0x0000000000F9A000-memory.dmp	family_redline
behavioral2/memory/2268-231-0x00000000001D0000-0x00000000001EE000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\8668.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\8919.exe	family_redline
behavioral2/memory/1736-217-0x0000000000530000-0x000000000058A000-memory.dmp	family_redline
behavioral2/memory/4104-300-0x0000000000A50000-0x0000000000B6B000-memory.dmp	family_redline
behavioral2/memory/4800-318-0x0000000000800000-0x000000000083E000-memory.dmp	family_redline
behavioral2/memory/4104-325-0x0000000000A50000-0x0000000000B6B000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8668.exe	family_sectoprat
behavioral2/memory/2268-231-0x00000000001D0000-0x00000000001EE000-memory.dmp	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\8668.exe	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5420 netsh.exe

pid	process
5420	netsh.exe

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/1280-161-0x0000000002130000-0x0000000002150000-memory.dmp	net_reactor
behavioral2/memory/1280-186-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor
behavioral2/memory/1280-188-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-197-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-189-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-200-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-209-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-214-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-218-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-229-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-237-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-240-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-244-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-246-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-254-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-267-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-269-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-259-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor
behavioral2/memory/1280-222-0x0000000004990000-0x00000000049A8000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t0724857.exeexplonde.exew1478869.exelegota.exeA231.exeoldplayer.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	t0724857.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	w1478869.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	A231.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	oldplayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 40 IoCs

Processes:

z8078722.exez4447024.exez6499612.exez5631295.exeq2169569.exer6387888.exes4205589.exet0724857.exeexplonde.exeu2580906.exew1478869.exelegota.exe5436.exe555F.exeIc3us2jg.exefn7bG8Vn.exeGY6HT9lI.exeOZ6Du5cj.exe1Ob09tq1.exe58DC.exe6929.exe6A14.exe2kU747NI.exe6FC2.exelegota.exe8668.exe8919.exeexplonde.exe909C.exeA231.exeA83D.exe31839b57a4f11171d6abc8bbc4451ee4.exeB09A.exeB30C.exeoldplayer.exeoneetx.exelegota.exeexplonde.exeoneetx.exe31839b57a4f11171d6abc8bbc4451ee4.exe

pid	process
4968	z8078722.exe
3216	z4447024.exe
4468	z6499612.exe
3176	z5631295.exe
3328	q2169569.exe
4272	r6387888.exe
4408	s4205589.exe
2712	t0724857.exe
1824	explonde.exe
572	u2580906.exe
4420	w1478869.exe
3936	legota.exe
2540	5436.exe
2732	555F.exe
4248	Ic3us2jg.exe
4004	fn7bG8Vn.exe
1800	GY6HT9lI.exe
4572	OZ6Du5cj.exe
2800	1Ob09tq1.exe
4476	58DC.exe
1280	6929.exe
440	6A14.exe
4496	2kU747NI.exe
1736	6FC2.exe
1652	legota.exe
2268	8668.exe
552	8919.exe
1972	explonde.exe
4104	909C.exe
4628	A231.exe
3504	A83D.exe
3540	31839b57a4f11171d6abc8bbc4451ee4.exe
4508	B09A.exe
4316	B30C.exe
4852	oldplayer.exe
3104	oneetx.exe
5684	legota.exe
5704	explonde.exe
5744	oneetx.exe
5812	31839b57a4f11171d6abc8bbc4451ee4.exe

Loads dropped DLL 4 IoCs

Processes:

6FC2.exerundll32.exerundll32.exe

pid process

1736 6FC2.exe
1736 6FC2.exe
5844 rundll32.exe
5784 rundll32.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

6929.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 6929.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1736	6FC2.exe
1736	6FC2.exe
5844	rundll32.exe
5784	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6929.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z6499612.exeOZ6Du5cj.exeB30C.exeIc3us2jg.exefn7bG8Vn.exeGY6HT9lI.exeAppLaunch.exez8078722.exez4447024.exez5631295.exe5436.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6499612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	OZ6Du5cj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\B30C.exe'\""	B30C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ic3us2jg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fn7bG8Vn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	GY6HT9lI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8078722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4447024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z5631295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5436.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exeq2169569.exer6387888.exes4205589.exeu2580906.exe909C.exe

description	pid	process	target process
PID 552 set thread context of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 3328 set thread context of 4988	3328	q2169569.exe	AppLaunch.exe
PID 4272 set thread context of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4408 set thread context of 4932	4408	s4205589.exe	AppLaunch.exe
PID 572 set thread context of 2208	572	u2580906.exe	AppLaunch.exe
PID 4104 set thread context of 4800	4104	909C.exe	vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3928 1044 WerFault.exe AppLaunch.exe
4240 1736 WerFault.exe 6FC2.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

pid	pid_target	process	target process
3928	1044	WerFault.exe	AppLaunch.exe
4240	1736	WerFault.exe	6FC2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4376 schtasks.exe
3724 schtasks.exe
824 schtasks.exe

pid	process
4376	schtasks.exe
3724	schtasks.exe
824	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

pid	process
4988	AppLaunch.exe
4988	AppLaunch.exe
4932	AppLaunch.exe
4932	AppLaunch.exe
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3160
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

4932 AppLaunch.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe

pid	process
3160

pid	process
4932	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exe6929.exe8668.exe8919.exeA83D.exe

description	pid	process
Token: SeDebugPrivilege	4988	AppLaunch.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeDebugPrivilege	1280	6929.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeDebugPrivilege	2268	8668.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeDebugPrivilege	552	8919.exe
Token: SeDebugPrivilege	3504	A83D.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exeoldplayer.exe

pid	process
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
4852	oldplayer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3160

pid	process
3160

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exeAppLaunch.exez8078722.exez4447024.exez6499612.exez5631295.exeq2169569.exer6387888.exes4205589.exet0724857.exe

description	pid	process	target process
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 552 wrote to memory of 2192	552	4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe	AppLaunch.exe
PID 2192 wrote to memory of 4968	2192	AppLaunch.exe	z8078722.exe
PID 2192 wrote to memory of 4968	2192	AppLaunch.exe	z8078722.exe
PID 2192 wrote to memory of 4968	2192	AppLaunch.exe	z8078722.exe
PID 4968 wrote to memory of 3216	4968	z8078722.exe	z4447024.exe
PID 4968 wrote to memory of 3216	4968	z8078722.exe	z4447024.exe
PID 4968 wrote to memory of 3216	4968	z8078722.exe	z4447024.exe
PID 3216 wrote to memory of 4468	3216	z4447024.exe	z6499612.exe
PID 3216 wrote to memory of 4468	3216	z4447024.exe	z6499612.exe
PID 3216 wrote to memory of 4468	3216	z4447024.exe	z6499612.exe
PID 4468 wrote to memory of 3176	4468	z6499612.exe	z5631295.exe
PID 4468 wrote to memory of 3176	4468	z6499612.exe	z5631295.exe
PID 4468 wrote to memory of 3176	4468	z6499612.exe	z5631295.exe
PID 3176 wrote to memory of 3328	3176	z5631295.exe	q2169569.exe
PID 3176 wrote to memory of 3328	3176	z5631295.exe	q2169569.exe
PID 3176 wrote to memory of 3328	3176	z5631295.exe	q2169569.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3328 wrote to memory of 4988	3328	q2169569.exe	AppLaunch.exe
PID 3176 wrote to memory of 4272	3176	z5631295.exe	r6387888.exe
PID 3176 wrote to memory of 4272	3176	z5631295.exe	r6387888.exe
PID 3176 wrote to memory of 4272	3176	z5631295.exe	r6387888.exe
PID 4272 wrote to memory of 556	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 556	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 556	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4272 wrote to memory of 1044	4272	r6387888.exe	AppLaunch.exe
PID 4468 wrote to memory of 4408	4468	z6499612.exe	s4205589.exe
PID 4468 wrote to memory of 4408	4468	z6499612.exe	s4205589.exe
PID 4468 wrote to memory of 4408	4468	z6499612.exe	s4205589.exe
PID 4408 wrote to memory of 4932	4408	s4205589.exe	AppLaunch.exe
PID 4408 wrote to memory of 4932	4408	s4205589.exe	AppLaunch.exe
PID 4408 wrote to memory of 4932	4408	s4205589.exe	AppLaunch.exe
PID 4408 wrote to memory of 4932	4408	s4205589.exe	AppLaunch.exe
PID 4408 wrote to memory of 4932	4408	s4205589.exe	AppLaunch.exe
PID 4408 wrote to memory of 4932	4408	s4205589.exe	AppLaunch.exe
PID 3216 wrote to memory of 2712	3216	z4447024.exe	t0724857.exe
PID 3216 wrote to memory of 2712	3216	z4447024.exe	t0724857.exe
PID 3216 wrote to memory of 2712	3216	z4447024.exe	t0724857.exe
PID 2712 wrote to memory of 1824	2712	t0724857.exe	explonde.exe
PID 2712 wrote to memory of 1824	2712	t0724857.exe	explonde.exe
PID 2712 wrote to memory of 1824	2712	t0724857.exe	explonde.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe
"C:\Users\Admin\AppData\Local\Temp\4466dd262c1b9e1de87dca2488fe5348744987e61417079e89aa2f8636ee9e12.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8078722.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8078722.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4447024.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4447024.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6499612.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6499612.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5631295.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5631295.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2169569.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2169569.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6387888.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6387888.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 540
9⤵
- Program crash
PID:3928

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4205589.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4205589.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0724857.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0724857.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
7⤵
- DcRat
- Creates scheduled task(s)
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
7⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4548

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
8⤵
PID:1776

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
8⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2176

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
8⤵
PID:3512

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
8⤵
PID:412

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:5784

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2580906.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2580906.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1478869.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1478869.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4420

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:1668

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4444

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:5080

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:4768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1044 -ip 1044
1⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\5436.exe
C:\Users\Admin\AppData\Local\Temp\5436.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ic3us2jg.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ic3us2jg.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn7bG8Vn.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn7bG8Vn.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4004

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY6HT9lI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY6HT9lI.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\OZ6Du5cj.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\OZ6Du5cj.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4572

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ob09tq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ob09tq1.exe
6⤵
- Executes dropped EXE
PID:2800

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kU747NI.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kU747NI.exe
6⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\555F.exe
C:\Users\Admin\AppData\Local\Temp\555F.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\57D1.bat" "
1⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb8da46f8,0x7ffcb8da4708,0x7ffcb8da4718
3⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16149550482647866929,8696530183984022509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
3⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16149550482647866929,8696530183984022509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb8da46f8,0x7ffcb8da4708,0x7ffcb8da4718
3⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
3⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
3⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:8
3⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:3
3⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3204 /prefetch:2
3⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
3⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
3⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
3⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
3⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
3⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
3⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
3⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14895092521651660214,2402998998416631202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
3⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\58DC.exe
C:\Users\Admin\AppData\Local\Temp\58DC.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\6929.exe
C:\Users\Admin\AppData\Local\Temp\6929.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\6A14.exe
C:\Users\Admin\AppData\Local\Temp\6A14.exe
1⤵
- Executes dropped EXE
PID:440

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\6FC2.exe
C:\Users\Admin\AppData\Local\Temp\6FC2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 792
2⤵
- Program crash
PID:4240

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Users\Admin\AppData\Local\Temp\8668.exe
C:\Users\Admin\AppData\Local\Temp\8668.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Local\Temp\8919.exe
C:\Users\Admin\AppData\Local\Temp\8919.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1736 -ip 1736
1⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\909C.exe
C:\Users\Admin\AppData\Local\Temp\909C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\A231.exe
C:\Users\Admin\AppData\Local\Temp\A231.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4628

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:5812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:5340

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
PID:4944

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:4500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4852

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
4⤵
PID:4420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1224

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:5316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5304

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:5404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5508

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
5⤵
PID:5540

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
5⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\A83D.exe
C:\Users\Admin\AppData\Local\Temp\A83D.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Local\Temp\B09A.exe
C:\Users\Admin\AppData\Local\Temp\B09A.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\B30C.exe
C:\Users\Admin\AppData\Local\Temp\B30C.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4316

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5684

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:5704

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6351be8b63227413881e5dfb033459cc

SHA1
f24489be1e693dc22d6aac7edd692833c623d502

SHA256
e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b

SHA512
66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0af6f7b6cc9a326fc30ba8d823b21e9

SHA1
448625e006dd303243017a575ac83f700efd388e

SHA256
1264124d723019c2b14acb4363cc62b70f970bd0dbfe5b6a8304acd51127fcf6

SHA512
5a67fc65ea90f6e631ee03d45a40fd8b61cfb04689ee6ba122e19102fc0421f58c0782a3f32239b658674efa78f5de8be804d89bf2b63009b392fdbe90588be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b28b1c653d747f5fc9426b1e59fc690

SHA1
0c544ece8d11c840f18197fe799088de7919f34f

SHA256
bedfd26a375cec85aeb764d3d9f58fab31534a58534c9c583c7cfacd76a1a7de

SHA512
0c2fd44bb4676400f65a142491c53a1356350ea2fd4de9f3abda4b803ca2fc055f4eacb6edb97117ca4f18ad4e762d318f7002701d057b94c722f9d7a383d5b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
699e3636ed7444d9b47772e4446ccfc1

SHA1
db0459ca6ceeea2e87e0023a6b7ee06aeed6fded

SHA256
9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a

SHA512
d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
862B

MD5
e2840234739be48117a41d509bcc6357

SHA1
7055026906e45edca065af6ca5f8bb343ef338d5

SHA256
86dd3276481de4e5828806835f888332063548c1681dcfb4f0db3d60cbc3c17e

SHA512
403a80a1cd89acf488caea7cdf910e03af113d5ddf35eedf854b72b212cd83899443df285055ee73e3a4bcedff2893ae788dc3ac2d10f93126880c5f7ffeac48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593e09.TMP

Filesize
862B

MD5
cbb44fdf93c1097f7ce1e12a287896bc

SHA1
be9803eaf9fd0d0a5cd0edc5b1e2439859e6ce8d

SHA256
bd6fe20b2b145a8c9d509a7808a02187a88beecf989dfa5c53d367854ceede4a

SHA512
321dc837ebfffb1ee62c8ce790fbf3fb391af2ac539681d37537d090c58deb9223e669334c8963fb8b7543aac13b2d775ee1f2634d4d2eb26b3c2cd9c29a8bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d8805cbffefc0ab4d01389d3848038ff

SHA1
c8121199981a7aba5d497b1c188de3e5ce9daad2

SHA256
c108e77f40e57075fafd404f179f9518a726d0e97197649a395350ffca03832e

SHA512
1a60a495e4f55535a1f7d2d64199ee67c04c662e9c8eeab99c2d6c1fe6ab53b4b9eca68d16f8a11ea1fb686774477652226f20067d17fcb64cdb5e98493d4be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54dedf0e40b220968abf505a076c5ff1

SHA1
f5bcaaec1426d627bc75b6255c341a0c0af3d23e

SHA256
d10689c574d37ebd122edfbf82d6346e9d8dad52c2288f3814aed454b14ed7fc

SHA512
738738e465e43e006ceb2bec7d3fcca448fe5e3b42c563763302020172c74f7d3b2eb82b6204025f9056a47a06a1979d4b6542bed60d4d83989cbc6c3e295765

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\5436.exe

Filesize
1016KB

MD5
21375d68a2dd2c31cab2aacbe9bdc256

SHA1
804439cc211d8976f13ad5754bcb83642fc5d150

SHA256
af91fcd98a57fbcaedcdb9a7db1083ece0de3c8b3fde609bf0eb74d9e4ee858a

SHA512
36a38cfae09a7cc3b6b1fe6eed238c6e3cf34e921efa5898dffd39911c85d543aa504d2497ce51a1ab6dc7ce79ae3672f71d2c4bce0610a5b8e03a2a6a7baffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5436.exe

Filesize
1016KB

MD5
21375d68a2dd2c31cab2aacbe9bdc256

SHA1
804439cc211d8976f13ad5754bcb83642fc5d150

SHA256
af91fcd98a57fbcaedcdb9a7db1083ece0de3c8b3fde609bf0eb74d9e4ee858a

SHA512
36a38cfae09a7cc3b6b1fe6eed238c6e3cf34e921efa5898dffd39911c85d543aa504d2497ce51a1ab6dc7ce79ae3672f71d2c4bce0610a5b8e03a2a6a7baffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\555F.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\555F.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D1.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\58DC.exe

Filesize
221KB

MD5
8905918bd7e4f4aeda3a804d81f9ee40

SHA1
3c488a81539116085a1c22df26085f798f7202c8

SHA256
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

SHA512
6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\58DC.exe

Filesize
221KB

MD5
8905918bd7e4f4aeda3a804d81f9ee40

SHA1
3c488a81539116085a1c22df26085f798f7202c8

SHA256
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

SHA512
6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\6929.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6929.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A14.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A14.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FC2.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FC2.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FC2.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FC2.exe

Filesize
434KB

MD5
16028051f2cff284062da8666b55f3be

SHA1
ba3f5f9065ecb57c0f1404d5e1751a9512844d1c

SHA256
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0

SHA512
a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8668.exe

Filesize
95KB

MD5
7f28547a6060699461824f75c96feaeb

SHA1
744195a7d3ef1aa32dcb99d15f73e26a20813259

SHA256
ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff

SHA512
eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

Download Submit
C:\Users\Admin\AppData\Local\Temp\8668.exe

Filesize
95KB

MD5
7f28547a6060699461824f75c96feaeb

SHA1
744195a7d3ef1aa32dcb99d15f73e26a20813259

SHA256
ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff

SHA512
eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

Download Submit
C:\Users\Admin\AppData\Local\Temp\8919.exe

Filesize
341KB

MD5
20e21e63bb7a95492aec18de6aa85ab9

SHA1
6cbf2079a42d86bf155c06c7ad5360c539c02b15

SHA256
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17

SHA512
73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\8919.exe

Filesize
341KB

MD5
20e21e63bb7a95492aec18de6aa85ab9

SHA1
6cbf2079a42d86bf155c06c7ad5360c539c02b15

SHA256
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17

SHA512
73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ic3us2jg.exe

Filesize
877KB

MD5
bc7f5fb416d59e8f02f0f9b349cbeecc

SHA1
b5b9c5ab31a10af76b1a3195266b863ae6ea0424

SHA256
0248e98140f88f660033bdd137791ee9ab9796e25bc327722a9334e709e15c21

SHA512
3310d0ca79d80b94496f1bab9f40a2152916e6a92357aef5e798d1941fd1eba221dfd18cfaa20bce78ab0f1258985938360b2108c30ddb7dcf5ec8d5e2a54b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ic3us2jg.exe

Filesize
877KB

MD5
bc7f5fb416d59e8f02f0f9b349cbeecc

SHA1
b5b9c5ab31a10af76b1a3195266b863ae6ea0424

SHA256
0248e98140f88f660033bdd137791ee9ab9796e25bc327722a9334e709e15c21

SHA512
3310d0ca79d80b94496f1bab9f40a2152916e6a92357aef5e798d1941fd1eba221dfd18cfaa20bce78ab0f1258985938360b2108c30ddb7dcf5ec8d5e2a54b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1478869.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1478869.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8078722.exe

Filesize
1018KB

MD5
88208846b4d7d2ee968937f5181174eb

SHA1
796f7d6011713c3d2d2828a7968ed64da5738f23

SHA256
b00410bd85d0b73b14713763bcc5c45e09c01c342a033e67dccc047c8dfb9edf

SHA512
0a55ac1dc050815a122c51a8129793c60c7ba5c015b2a8d64232d946560a168cd82ba427bd6c56dcc63b1bceb29c6c3e78707dd6073caffcaa3f4ef16b78b21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8078722.exe

Filesize
1018KB

MD5
88208846b4d7d2ee968937f5181174eb

SHA1
796f7d6011713c3d2d2828a7968ed64da5738f23

SHA256
b00410bd85d0b73b14713763bcc5c45e09c01c342a033e67dccc047c8dfb9edf

SHA512
0a55ac1dc050815a122c51a8129793c60c7ba5c015b2a8d64232d946560a168cd82ba427bd6c56dcc63b1bceb29c6c3e78707dd6073caffcaa3f4ef16b78b21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2580906.exe

Filesize
392KB

MD5
4377e7365e320a5180d0a4c9a14beb77

SHA1
77197a08b239b5d3f8812ae05744aefb5580373e

SHA256
8480c11376b78dea0c7ee0d9ca78d51e98a3ed51a519a3c1ae200195ef2c3431

SHA512
dbe9aad8d79830e1a380739343d90ac512af734bb18b305535564b00455887b176f608acdea3f125a6a9f823f3e2a01b744a19e688a01de7060fdff9aa5bd775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2580906.exe

Filesize
392KB

MD5
4377e7365e320a5180d0a4c9a14beb77

SHA1
77197a08b239b5d3f8812ae05744aefb5580373e

SHA256
8480c11376b78dea0c7ee0d9ca78d51e98a3ed51a519a3c1ae200195ef2c3431

SHA512
dbe9aad8d79830e1a380739343d90ac512af734bb18b305535564b00455887b176f608acdea3f125a6a9f823f3e2a01b744a19e688a01de7060fdff9aa5bd775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4447024.exe

Filesize
754KB

MD5
3767ea316b36e110acefc0595ecef23a

SHA1
1537f034be744e8233b5e16a029439a4aba6c293

SHA256
83187889bcd19410aa1fbc7e7f64e3362f35abf62b5cacb00009fd2c144330d6

SHA512
f1813b349223d9f2dfd91147a23ba6a752aa08e0cd3612a7763c503273c1ef6fe5ded85841cb5cc1302873fb5e629267690970a4bd1163356721153e1fe12aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4447024.exe

Filesize
754KB

MD5
3767ea316b36e110acefc0595ecef23a

SHA1
1537f034be744e8233b5e16a029439a4aba6c293

SHA256
83187889bcd19410aa1fbc7e7f64e3362f35abf62b5cacb00009fd2c144330d6

SHA512
f1813b349223d9f2dfd91147a23ba6a752aa08e0cd3612a7763c503273c1ef6fe5ded85841cb5cc1302873fb5e629267690970a4bd1163356721153e1fe12aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn7bG8Vn.exe

Filesize
688KB

MD5
f030cdddb2ed64131acce8bd40ea68c7

SHA1
bd214504740c46f0056ca8010e68a9d98a079678

SHA256
06cf5449bb643266f2c81c45cd6b9e10f4070a4c30b9a4c82cac600c38bfa8c1

SHA512
e3519e7f8d66bcfc0b76c65c918d05f1637c658a6e515e5bc82ce5b484b3c2635a047f5ae6e4d1b8dcaaa79e3404e6ec718574b81238516d9dc808592e5c9a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn7bG8Vn.exe

Filesize
688KB

MD5
f030cdddb2ed64131acce8bd40ea68c7

SHA1
bd214504740c46f0056ca8010e68a9d98a079678

SHA256
06cf5449bb643266f2c81c45cd6b9e10f4070a4c30b9a4c82cac600c38bfa8c1

SHA512
e3519e7f8d66bcfc0b76c65c918d05f1637c658a6e515e5bc82ce5b484b3c2635a047f5ae6e4d1b8dcaaa79e3404e6ec718574b81238516d9dc808592e5c9a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0724857.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0724857.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6499612.exe

Filesize
571KB

MD5
374c2535835bbccf169659313e0428c3

SHA1
c4d4f3eb57f31a0936fb5d652105b0e6bcd95bfd

SHA256
2d4a03f24cabc64eb7d1b6352af39a4c5faf1f1df99bc682423ea13d306b1bef

SHA512
d28501720ec2990abf5f5e93b76ec29cdb0dde0c0ac783ab42082f7fbe38f84c23760149b9197d278a1d6ebd895f1595121b6404e500766c01f9eacf22da42cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6499612.exe

Filesize
571KB

MD5
374c2535835bbccf169659313e0428c3

SHA1
c4d4f3eb57f31a0936fb5d652105b0e6bcd95bfd

SHA256
2d4a03f24cabc64eb7d1b6352af39a4c5faf1f1df99bc682423ea13d306b1bef

SHA512
d28501720ec2990abf5f5e93b76ec29cdb0dde0c0ac783ab42082f7fbe38f84c23760149b9197d278a1d6ebd895f1595121b6404e500766c01f9eacf22da42cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY6HT9lI.exe

Filesize
514KB

MD5
371069691875ec24c015aa2c319148eb

SHA1
82018a580ec8e6f7a9ca00601037fc9096c36949

SHA256
8546264aa156731577373f4890e14d600717d9152c3bb36cd2b3f9dc735bbc1f

SHA512
ded8456264dc564fa14137c8c679452230dcea477e8f639ed9b99b69e587d25e684c43ca7b443029d507e99171dc202c23da8f32bc72155ac44b137401bd8a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY6HT9lI.exe

Filesize
514KB

MD5
371069691875ec24c015aa2c319148eb

SHA1
82018a580ec8e6f7a9ca00601037fc9096c36949

SHA256
8546264aa156731577373f4890e14d600717d9152c3bb36cd2b3f9dc735bbc1f

SHA512
ded8456264dc564fa14137c8c679452230dcea477e8f639ed9b99b69e587d25e684c43ca7b443029d507e99171dc202c23da8f32bc72155ac44b137401bd8a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4205589.exe

Filesize
248KB

MD5
07b6a14a23639cbd7bdeacdbe2879d3b

SHA1
15297f0d835062db6e679f30b0f4ab75c55c1cc1

SHA256
e852d15fc758b9ee6bf5ffaf09d8b8373c6ee7f6372194d857f1986227aa64c1

SHA512
1e6a9241f1bd1ecbe205a22fec9242b854dd8c6490deb6070d8a7e3c7990d054969c9878afc90f36275bcb91b77b7823108044e95c4e4931fc7be74d21ae4512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4205589.exe

Filesize
248KB

MD5
07b6a14a23639cbd7bdeacdbe2879d3b

SHA1
15297f0d835062db6e679f30b0f4ab75c55c1cc1

SHA256
e852d15fc758b9ee6bf5ffaf09d8b8373c6ee7f6372194d857f1986227aa64c1

SHA512
1e6a9241f1bd1ecbe205a22fec9242b854dd8c6490deb6070d8a7e3c7990d054969c9878afc90f36275bcb91b77b7823108044e95c4e4931fc7be74d21ae4512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5631295.exe

Filesize
339KB

MD5
ea907ae86affd1c35ed4b19a2b374ece

SHA1
516573baf47af4118f00148300f6153a1bfce33d

SHA256
a30c68ffb11144970973fb666d02159a09f919925024c2c27b210e091f699129

SHA512
2d57bbebaffe76d84347bfa4652fc52a30bac12bc7c14171f78b9c91d3f5dc6d0165a56d13c35b1be785790e924010d9d142e8e89b94553e6e2e8c0fe9c00cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5631295.exe

Filesize
339KB

MD5
ea907ae86affd1c35ed4b19a2b374ece

SHA1
516573baf47af4118f00148300f6153a1bfce33d

SHA256
a30c68ffb11144970973fb666d02159a09f919925024c2c27b210e091f699129

SHA512
2d57bbebaffe76d84347bfa4652fc52a30bac12bc7c14171f78b9c91d3f5dc6d0165a56d13c35b1be785790e924010d9d142e8e89b94553e6e2e8c0fe9c00cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\OZ6Du5cj.exe

Filesize
319KB

MD5
2ec9d2831c671dd9f57c6b24abce0feb

SHA1
62992b2dab815ecf015af18589afc89a8688aafb

SHA256
cbf3f03b1d96508e37dd985b8dcbd05a5ce08d40eaee9b62b59ebb8e35c7b333

SHA512
a3c74aa1fc6ffe8d016359dd11caf559c7ca3fdbce757511e22b6cf49fd5920c9e94561a0dbc563aabafe4e5eb4ee459a4f220d99381ec1887acd39fc5b0125e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\OZ6Du5cj.exe

Filesize
319KB

MD5
2ec9d2831c671dd9f57c6b24abce0feb

SHA1
62992b2dab815ecf015af18589afc89a8688aafb

SHA256
cbf3f03b1d96508e37dd985b8dcbd05a5ce08d40eaee9b62b59ebb8e35c7b333

SHA512
a3c74aa1fc6ffe8d016359dd11caf559c7ca3fdbce757511e22b6cf49fd5920c9e94561a0dbc563aabafe4e5eb4ee459a4f220d99381ec1887acd39fc5b0125e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2169569.exe

Filesize
229KB

MD5
5c4e7231a636745f6587930853044d6a

SHA1
bfae70df144db4f284b32a4445cf94f7608722b3

SHA256
f9d448cac29898464d774d7a9161f008af3f75daf7caa96b2f4682674b45c363

SHA512
adb60a0cd219e071ebd224cdbc9f1b072525fc50628a0b7e99c7ff2de3ea3b9fe74e5f0452983c89ecbe1c86be6a412c4848338f0add54e525a1968a65318168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2169569.exe

Filesize
229KB

MD5
5c4e7231a636745f6587930853044d6a

SHA1
bfae70df144db4f284b32a4445cf94f7608722b3

SHA256
f9d448cac29898464d774d7a9161f008af3f75daf7caa96b2f4682674b45c363

SHA512
adb60a0cd219e071ebd224cdbc9f1b072525fc50628a0b7e99c7ff2de3ea3b9fe74e5f0452983c89ecbe1c86be6a412c4848338f0add54e525a1968a65318168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6387888.exe

Filesize
358KB

MD5
c9b50746cb7954ae1555337e0e7e1fd3

SHA1
56a12b7efbab415ba754db9dfb846145416515dd

SHA256
4c3bcd804de899879f04d0728d04e4f6716d0dd7ee41c2129ea715c78d01aada

SHA512
c23da8843b6904c9954e105e5c567dd79e268bed6b6023857861c019ed375f06340ac45883edab6229388655a91e1794b05c503352887e2f8ac861c436ac0d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6387888.exe

Filesize
358KB

MD5
c9b50746cb7954ae1555337e0e7e1fd3

SHA1
56a12b7efbab415ba754db9dfb846145416515dd

SHA256
4c3bcd804de899879f04d0728d04e4f6716d0dd7ee41c2129ea715c78d01aada

SHA512
c23da8843b6904c9954e105e5c567dd79e268bed6b6023857861c019ed375f06340ac45883edab6229388655a91e1794b05c503352887e2f8ac861c436ac0d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ob09tq1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ob09tq1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ob09tq1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kU747NI.exe

Filesize
222KB

MD5
8786b553f0d9355dbf9726c50d6b121b

SHA1
b6a58f34d2268de1efc8a3bfbaa04afb6095cb68

SHA256
d9d25ced5a3ca046454b919a2f8e4e176a985f5052551e913aae28935a93702a

SHA512
787a26568612d43a2aabff59c1b62be69d36775c18205e314dbd978421ab1b296ceb65d934833998089727b57100f69cf2343d3ad98b62d94d9f526e2e8bad98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kU747NI.exe

Filesize
222KB

MD5
8786b553f0d9355dbf9726c50d6b121b

SHA1
b6a58f34d2268de1efc8a3bfbaa04afb6095cb68

SHA256
d9d25ced5a3ca046454b919a2f8e4e176a985f5052551e913aae28935a93702a

SHA512
787a26568612d43a2aabff59c1b62be69d36775c18205e314dbd978421ab1b296ceb65d934833998089727b57100f69cf2343d3ad98b62d94d9f526e2e8bad98

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_warjomdo.hk0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
0c459e65bcc6d38574f0c0d63a87088a

SHA1
41e53d5f2b3e7ca859b842a1c7b677e0847e6d65

SHA256
871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4

SHA512
be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
\??\pipe\LOCAL\crashpad_464_XWWGYJUHLGEHIVPF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/552-234-0x0000000000F40000-0x0000000000F9A000-memory.dmp

Filesize
360KB

Download
memory/552-243-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/552-407-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/552-278-0x00000000088D0000-0x0000000008936000-memory.dmp

Filesize
408KB

Download
memory/552-341-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/552-232-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1044-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1044-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1044-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1044-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-181-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1280-164-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1280-184-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/1280-188-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-259-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-197-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-222-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-189-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-200-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-209-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-172-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/1280-201-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/1280-269-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-267-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-273-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/1280-214-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-218-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-166-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/1280-229-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-186-0x0000000004990000-0x00000000049AE000-memory.dmp

Filesize
120KB

Download
memory/1280-161-0x0000000002130000-0x0000000002150000-memory.dmp

Filesize
128KB

Download
memory/1280-299-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/1280-237-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-240-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-254-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-246-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1280-244-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/1736-241-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1736-217-0x0000000000530000-0x000000000058A000-memory.dmp

Filesize
360KB

Download
memory/1736-210-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1736-330-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-86-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2192-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2192-69-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2192-2-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2192-1-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2192-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2208-91-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/2208-90-0x0000000005E30000-0x0000000006448000-memory.dmp

Filesize
6.1MB

Download
memory/2208-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2208-77-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2208-76-0x0000000005610000-0x0000000005616000-memory.dmp

Filesize
24KB

Download
memory/2208-92-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/2208-94-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/2208-95-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/2208-96-0x0000000005850000-0x000000000589C000-memory.dmp

Filesize
304KB

Download
memory/2208-99-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2208-100-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/2268-414-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/2268-378-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2268-238-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2268-231-0x00000000001D0000-0x00000000001EE000-memory.dmp

Filesize
120KB

Download
memory/3160-85-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

Filesize
88KB

Download
memory/3504-421-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/3504-420-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3504-426-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3540-550-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3540-425-0x0000000004CF0000-0x00000000050F8000-memory.dmp

Filesize
4.0MB

Download
memory/3540-505-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3540-431-0x0000000005100000-0x00000000059EB000-memory.dmp

Filesize
8.9MB

Download
memory/4104-325-0x0000000000A50000-0x0000000000B6B000-memory.dmp

Filesize
1.1MB

Download
memory/4104-300-0x0000000000A50000-0x0000000000B6B000-memory.dmp

Filesize
1.1MB

Download
memory/4476-213-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/4476-167-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/4476-165-0x0000000007AC0000-0x0000000007B52000-memory.dmp

Filesize
584KB

Download
memory/4476-156-0x0000000000D10000-0x0000000000D4E000-memory.dmp

Filesize
248KB

Download
memory/4476-162-0x0000000007F90000-0x0000000008534000-memory.dmp

Filesize
5.6MB

Download
memory/4476-155-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4476-180-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4496-179-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4496-187-0x0000000000EF0000-0x0000000000F2E000-memory.dmp

Filesize
248KB

Download
memory/4496-277-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4496-324-0x0000000007DC0000-0x0000000007DD0000-memory.dmp

Filesize
64KB

Download
memory/4508-408-0x00000000002E0000-0x000000000044F000-memory.dmp

Filesize
1.4MB

Download
memory/4508-551-0x0000000002B80000-0x0000000002C01000-memory.dmp

Filesize
516KB

Download
memory/4628-335-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4628-413-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4628-326-0x00000000008B0000-0x0000000000D08000-memory.dmp

Filesize
4.3MB

Download
memory/4800-362-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4800-327-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4800-318-0x0000000000800000-0x000000000083E000-memory.dmp

Filesize
248KB

Download
memory/4932-89-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4932-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4932-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4988-93-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4988-98-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4988-43-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4988-39-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download