amadey | a83d81f6e0b7706587f29ef2bda4c8c89f72a5a127ca64862f4e090604d2a9dd

Analysis

max time kernel
230s
max time network
241s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.5MB
MD5

daf26bcb3ccb1f3d876781ebef95dcdb
SHA1

840c421cd4a1ac1fa3627025ca97831ba4d48a82
SHA256

a83d81f6e0b7706587f29ef2bda4c8c89f72a5a127ca64862f4e090604d2a9dd
SHA512

bad93fcbd3db21215a9650bea7c82f7dc27fc2f2c548dc9fc2ff629e2c54affe32875f8d2ea51cbebcbb3799bd44baf5810105e8862a536bd1f141399cd6094d
SSDEEP

49152:R/mWAasP6FUWFDVaWrv1bi9abtEXHELByR:Zmt6FVg6li9abtckLA

Score

10^/10

amadey redline smokeloader zgrat grome kinza backdoor evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/5296-227-0x0000000000700000-0x0000000000AE0000-memory.dmp	family_zgrat_v1

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	E9CE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	E9CE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	E9CE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	E9CE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	E9CE.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral1/memory/4744-64-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/files/0x0003000000022453-95.dat	family_redline
behavioral1/files/0x0003000000022453-96.dat	family_redline
behavioral1/memory/1040-145-0x0000000000650000-0x00000000006AA000-memory.dmp	family_redline
behavioral1/files/0x0006000000022e20-164.dat	family_redline
behavioral1/files/0x0006000000022e20-175.dat	family_redline
behavioral1/memory/4900-180-0x00000000005D0000-0x000000000060E000-memory.dmp	family_redline
behavioral1/memory/1040-225-0x0000000000400000-0x000000000047E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
432	tl2rr67.exe
3572	sp6AN18.exe
2360	Ra5dp80.exe
1464	Jm9yR81.exe
4080	ma2hN49.exe
4272	1ic81nX3.exe
3000	2kT7076.exe
1152	3SR76gY.exe
4892	4TR553Bw.exe
1944	5Mv3sr9.exe
3484	8004.exe
4256	A521.exe
3940	sd2dz5xN.exe
1592	BFAF.exe
4020	rh5hV3ak.exe
1128	E9CE.exe
4456	iH8ar5tB.exe
3728	11F.exe
5040	Kf7Bg7lj.exe
1040	96D.exe
3500	1nc20Cg8.exe
4900	2BK204fg.exe
2432	2E4C.exe
3436	61A2.exe
5296	9092.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	E9CE.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ma2hN49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	rh5hV3ak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	Kf7Bg7lj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	iH8ar5tB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tl2rr67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sp6AN18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ra5dp80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Jm9yR81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	8004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	sd2dz5xN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\61A2.exe'\""	61A2.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4272 set thread context of 5008	4272	1ic81nX3.exe	97
PID 3000 set thread context of 1044	3000	2kT7076.exe	102
PID 4892 set thread context of 4744	4892	4TR553Bw.exe	109
PID 3500 set thread context of 504	3500	1nc20Cg8.exe	132

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4300	1044	WerFault.exe	102
1896	1044	WerFault.exe	102
4236	504	WerFault.exe	132

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SR76gY.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SR76gY.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SR76gY.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	3SR76gY.exe
1152	3SR76gY.exe
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3380	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1152	3SR76gY.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	AppLaunch.exe
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeDebugPrivilege	1128	E9CE.exe
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3380	Process not Found
3380	Process not Found
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 432	1764	file.exe	88
PID 1764 wrote to memory of 432	1764	file.exe	88
PID 1764 wrote to memory of 432	1764	file.exe	88
PID 432 wrote to memory of 3572	432	tl2rr67.exe	90
PID 432 wrote to memory of 3572	432	tl2rr67.exe	90
PID 432 wrote to memory of 3572	432	tl2rr67.exe	90
PID 3572 wrote to memory of 2360	3572	sp6AN18.exe	92
PID 3572 wrote to memory of 2360	3572	sp6AN18.exe	92
PID 3572 wrote to memory of 2360	3572	sp6AN18.exe	92
PID 2360 wrote to memory of 1464	2360	Ra5dp80.exe	93
PID 2360 wrote to memory of 1464	2360	Ra5dp80.exe	93
PID 2360 wrote to memory of 1464	2360	Ra5dp80.exe	93
PID 1464 wrote to memory of 4080	1464	Jm9yR81.exe	95
PID 1464 wrote to memory of 4080	1464	Jm9yR81.exe	95
PID 1464 wrote to memory of 4080	1464	Jm9yR81.exe	95
PID 4080 wrote to memory of 4272	4080	ma2hN49.exe	96
PID 4080 wrote to memory of 4272	4080	ma2hN49.exe	96
PID 4080 wrote to memory of 4272	4080	ma2hN49.exe	96
PID 4272 wrote to memory of 5096	4272	1ic81nX3.exe	98
PID 4272 wrote to memory of 5096	4272	1ic81nX3.exe	98
PID 4272 wrote to memory of 5096	4272	1ic81nX3.exe	98
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4272 wrote to memory of 5008	4272	1ic81nX3.exe	97
PID 4080 wrote to memory of 3000	4080	ma2hN49.exe	99
PID 4080 wrote to memory of 3000	4080	ma2hN49.exe	99
PID 4080 wrote to memory of 3000	4080	ma2hN49.exe	99
PID 3000 wrote to memory of 2864	3000	2kT7076.exe	101
PID 3000 wrote to memory of 2864	3000	2kT7076.exe	101
PID 3000 wrote to memory of 2864	3000	2kT7076.exe	101
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 3000 wrote to memory of 1044	3000	2kT7076.exe	102
PID 1464 wrote to memory of 1152	1464	Jm9yR81.exe	103
PID 1464 wrote to memory of 1152	1464	Jm9yR81.exe	103
PID 1464 wrote to memory of 1152	1464	Jm9yR81.exe	103
PID 1044 wrote to memory of 4300	1044	AppLaunch.exe	105
PID 1044 wrote to memory of 4300	1044	AppLaunch.exe	105
PID 1044 wrote to memory of 4300	1044	AppLaunch.exe	105
PID 2360 wrote to memory of 4892	2360	Ra5dp80.exe	106
PID 2360 wrote to memory of 4892	2360	Ra5dp80.exe	106
PID 2360 wrote to memory of 4892	2360	Ra5dp80.exe	106
PID 4892 wrote to memory of 4628	4892	4TR553Bw.exe	108
PID 4892 wrote to memory of 4628	4892	4TR553Bw.exe	108
PID 4892 wrote to memory of 4628	4892	4TR553Bw.exe	108
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109
PID 4892 wrote to memory of 4744	4892	4TR553Bw.exe	109

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tl2rr67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tl2rr67.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp6AN18.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp6AN18.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra5dp80.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra5dp80.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jm9yR81.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jm9yR81.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ma2hN49.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ma2hN49.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ic81nX3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ic81nX3.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kT7076.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kT7076.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 540
        9⤵
        Program crash
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 540
        9⤵
        Program crash
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SR76gY.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SR76gY.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TR553Bw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TR553Bw.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4628
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Mv3sr9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Mv3sr9.exe
      4⤵
      Executes dropped EXE
      PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1044 -ip 1044
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\8004.exe
C:\Users\Admin\AppData\Local\Temp\8004.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3484
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sd2dz5xN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sd2dz5xN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\rh5hV3ak.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\rh5hV3ak.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\iH8ar5tB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\iH8ar5tB.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Kf7Bg7lj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Kf7Bg7lj.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1nc20Cg8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1nc20Cg8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 540
        8⤵
        Program crash
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2BK204fg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2BK204fg.exe
        6⤵
        Executes dropped EXE
        
        PID:4900

C:\Users\Admin\AppData\Local\Temp\A521.exe
C:\Users\Admin\AppData\Local\Temp\A521.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BE28.bat" "
1⤵
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    PID:660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:4168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    3⤵
    PID:5628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
    3⤵
    PID:5740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:5788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
    3⤵
    PID:5800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
    3⤵
    PID:6108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
    3⤵
    PID:6100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14482809364593079267,6984938834293594906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
    3⤵
    PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
  2⤵
  PID:2848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
  2⤵
  PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
  2⤵
  PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
  2⤵
  PID:2900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
  2⤵
  PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  PID:1196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef2cf46f8,0x7ffef2cf4708,0x7ffef2cf4718
    3⤵
    PID:1724

C:\Users\Admin\AppData\Local\Temp\BFAF.exe
C:\Users\Admin\AppData\Local\Temp\BFAF.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\E9CE.exe
C:\Users\Admin\AppData\Local\Temp\E9CE.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Users\Admin\AppData\Local\Temp\11F.exe
C:\Users\Admin\AppData\Local\Temp\11F.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Users\Admin\AppData\Local\Temp\96D.exe
C:\Users\Admin\AppData\Local\Temp\96D.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 504 -ip 504
1⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\2E4C.exe
C:\Users\Admin\AppData\Local\Temp\2E4C.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Users\Admin\AppData\Local\Temp\61A2.exe
C:\Users\Admin\AppData\Local\Temp\61A2.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3436

C:\Users\Admin\AppData\Local\Temp\9092.exe
C:\Users\Admin\AppData\Local\Temp\9092.exe
1⤵
- Executes dropped EXE
PID:5296

C:\Users\Admin\AppData\Local\Temp\EC30.exe
C:\Users\Admin\AppData\Local\Temp\EC30.exe
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd3131fec41ccc1ae2b805fdfc50ef5f

SHA1
07f1c14c8468b331f09ba1c27ea6698f1aca5fbc

SHA256
55ee6b962e48fa9162fc811a7458d5eaaf485d20ac76d15d2ea2a5b7a2372242

SHA512
162eb80405b9daf024c70662fcd0398c9697d9a2f7f5d4ecc449224d88bd9554652d5156d7ec655611012df881d565be1f35504ddcb1d2a8997c101bdd82a6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
f028aebe58637697709f799148c13e78

SHA1
fb1cf54ef4d71a302a296221782e006299c3cd03

SHA256
72f63850afc2702d1e6c1320e382d03ab50ca4c49d2b9bf48b809d29dc25b963

SHA512
b64f2f33ca72121167ec1b2705f194af62b1b771267b459dc7ba1d600a3d9595666e1abcddb1702020a59ba4657f0f8c71c7d3e37b9dbf8ae171181dcf2d97ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\11F.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\11F.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E4C.exe

Filesize
12.4MB

MD5
5ecdb2a8aac9f2e84464ed7be9b1ac9a

SHA1
799373fab86e27c2fd582386bcea4d1ccae4bc62

SHA256
c3847002a8cd53999920d0024658212061b4173877e1afb61126543e1a17172c

SHA512
f1201840fcefed009c941b4061dae92e17fb48275ec5ae4a0207746b1da03af9900795c22a0e1bc57a05595c0f0f637796710038e601d971ef7488d85334e7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E4C.exe

Filesize
12.4MB

MD5
5ecdb2a8aac9f2e84464ed7be9b1ac9a

SHA1
799373fab86e27c2fd582386bcea4d1ccae4bc62

SHA256
c3847002a8cd53999920d0024658212061b4173877e1afb61126543e1a17172c

SHA512
f1201840fcefed009c941b4061dae92e17fb48275ec5ae4a0207746b1da03af9900795c22a0e1bc57a05595c0f0f637796710038e601d971ef7488d85334e7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A2.exe

Filesize
10KB

MD5
395e28e36c665acf5f85f7c4c6363296

SHA1
cd96607e18326979de9de8d6f5bab2d4b176f9fb

SHA256
46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa

SHA512
3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A2.exe

Filesize
10KB

MD5
395e28e36c665acf5f85f7c4c6363296

SHA1
cd96607e18326979de9de8d6f5bab2d4b176f9fb

SHA256
46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa

SHA512
3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

Download Submit
C:\Users\Admin\AppData\Local\Temp\8004.exe

Filesize
1.5MB

MD5
4b258c58d4500eadcb896fe3bfb49ad1

SHA1
b447cf456a55aefc20b33314dc5e243cd5a58675

SHA256
bfdd99ff589b9644be3f692cabcef1954e607debd304552eacb9c16975f47715

SHA512
6c555c85247d12c657d30bec0398dc4ba58b7c7bbe53ae52d8d45e0ed8e8536397e6088f288bce417b098919868fb5a00b4ceb50ff03570dd1252301aae36bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8004.exe

Filesize
1.5MB

MD5
4b258c58d4500eadcb896fe3bfb49ad1

SHA1
b447cf456a55aefc20b33314dc5e243cd5a58675

SHA256
bfdd99ff589b9644be3f692cabcef1954e607debd304552eacb9c16975f47715

SHA512
6c555c85247d12c657d30bec0398dc4ba58b7c7bbe53ae52d8d45e0ed8e8536397e6088f288bce417b098919868fb5a00b4ceb50ff03570dd1252301aae36bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\96D.exe

Filesize
490KB

MD5
317c1da3d49d534fdde575395da84879

SHA1
ac0b1640dfe3aa2e6787e92d2d78573b64882226

SHA256
72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48

SHA512
ceb5c2182566b632490910c5e7a23533f05465c3a63c24b19cb88352f018dcd8fe0d54c5f8c9681f591e240b846867984afa547b361f9196dbb23e25a7642d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\96D.exe

Filesize
490KB

MD5
317c1da3d49d534fdde575395da84879

SHA1
ac0b1640dfe3aa2e6787e92d2d78573b64882226

SHA256
72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48

SHA512
ceb5c2182566b632490910c5e7a23533f05465c3a63c24b19cb88352f018dcd8fe0d54c5f8c9681f591e240b846867984afa547b361f9196dbb23e25a7642d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\A521.exe

Filesize
182KB

MD5
e561df80d8920ae9b152ddddefd13c7c

SHA1
0d020453f62d2188f7a0e55442af5d75e16e7caf

SHA256
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

SHA512
a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A521.exe

Filesize
182KB

MD5
e561df80d8920ae9b152ddddefd13c7c

SHA1
0d020453f62d2188f7a0e55442af5d75e16e7caf

SHA256
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

SHA512
a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE28.bat

Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFAF.exe

Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFAF.exe

Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9CE.exe

Filesize
11KB

MD5
d2ed05fd71460e6d4c505ce87495b859

SHA1
a970dfe775c4e3f157b5b2e26b1f77da7ae6d884

SHA256
3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f

SHA512
a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9CE.exe

Filesize
11KB

MD5
d2ed05fd71460e6d4c505ce87495b859

SHA1
a970dfe775c4e3f157b5b2e26b1f77da7ae6d884

SHA256
3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f

SHA512
a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tl2rr67.exe

Filesize
1.4MB

MD5
dfb21f015dce8c92929fb362871fd864

SHA1
12711ad64af03d297806a296c7cf4721d4114253

SHA256
b28b62b25ead20a098c1d96f5803a26c95416c62a14467999ebbc0bff4967e56

SHA512
93ce34485da9d72f962be58dc2ec9d739859842afcfc936831b18340de9505de57a6219da6f1d24eaba2b6e0a0a520b862247c2384d660dd38707187c5d20812

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tl2rr67.exe

Filesize
1.4MB

MD5
dfb21f015dce8c92929fb362871fd864

SHA1
12711ad64af03d297806a296c7cf4721d4114253

SHA256
b28b62b25ead20a098c1d96f5803a26c95416c62a14467999ebbc0bff4967e56

SHA512
93ce34485da9d72f962be58dc2ec9d739859842afcfc936831b18340de9505de57a6219da6f1d24eaba2b6e0a0a520b862247c2384d660dd38707187c5d20812

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp6AN18.exe

Filesize
1.2MB

MD5
705e1f6f819cff1705edf70a68e1f2e2

SHA1
7e75c649f989698bb72020d261a2f3b1c32110c6

SHA256
767165b6836647756e90679f96620427c8d6e58c72e620c792cbe20444b3f8f7

SHA512
cb3b5be52dfd1089eadac29485a68fe2a668beefeaf0df1609a5911ce502acaafac3fad05374fe621fa9e45c5b5e62a1585f2996adbc78044063eebcd3142dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp6AN18.exe

Filesize
1.2MB

MD5
705e1f6f819cff1705edf70a68e1f2e2

SHA1
7e75c649f989698bb72020d261a2f3b1c32110c6

SHA256
767165b6836647756e90679f96620427c8d6e58c72e620c792cbe20444b3f8f7

SHA512
cb3b5be52dfd1089eadac29485a68fe2a668beefeaf0df1609a5911ce502acaafac3fad05374fe621fa9e45c5b5e62a1585f2996adbc78044063eebcd3142dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Mv3sr9.exe

Filesize
220KB

MD5
c74b32a2554a6eb5a484749e37c7c7c0

SHA1
22e96d68b0c5efdc33b099b3cec451dce27585cf

SHA256
5368955c72cfc610f78877602aa7f9fe1d5abaf252cfb3f480645948a221910a

SHA512
ab666635beefda058c068ff8702c495cf6985f0621fe5ae61573ab63880aa2efa58f13d46fe953dcdae1988a1bff2f8bb14e449c36666f069f8ba4fd2a330222

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Mv3sr9.exe

Filesize
220KB

MD5
c74b32a2554a6eb5a484749e37c7c7c0

SHA1
22e96d68b0c5efdc33b099b3cec451dce27585cf

SHA256
5368955c72cfc610f78877602aa7f9fe1d5abaf252cfb3f480645948a221910a

SHA512
ab666635beefda058c068ff8702c495cf6985f0621fe5ae61573ab63880aa2efa58f13d46fe953dcdae1988a1bff2f8bb14e449c36666f069f8ba4fd2a330222

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra5dp80.exe

Filesize
1.0MB

MD5
72d5d9d00920b063e62b74fc6dcbbb43

SHA1
8707ac88c7db83308755d1b8a7a1d1c51a775073

SHA256
1aa13961eeef2e47df003490f345a4389ed7ebf98e8dbac8c571732daaf42b22

SHA512
914030fe0769da04f30d816e246f2d88e5e7249aa34034cb5c47aa388255e7defe9875b5e43f3495b73581d4a4493f056a3062287caba6c4f289d929aaf30aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra5dp80.exe

Filesize
1.0MB

MD5
72d5d9d00920b063e62b74fc6dcbbb43

SHA1
8707ac88c7db83308755d1b8a7a1d1c51a775073

SHA256
1aa13961eeef2e47df003490f345a4389ed7ebf98e8dbac8c571732daaf42b22

SHA512
914030fe0769da04f30d816e246f2d88e5e7249aa34034cb5c47aa388255e7defe9875b5e43f3495b73581d4a4493f056a3062287caba6c4f289d929aaf30aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TR553Bw.exe

Filesize
1.1MB

MD5
c3887d30ef6b8a84af2ea0eae8c94564

SHA1
2d13b0ff3764541efc2842eb9df500e52b0fecdd

SHA256
cc3695af9a99c669580c3b020e1501cd5c0d193f72c038722adfe028ec812486

SHA512
b9553a772637bcfd00b71847020ebf1eef1fb68f48dedc5da7178a55450b44d18a9ec77559339ff4066f6851dd069e05e504b9f22e56de8ad3c89409b5cf3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TR553Bw.exe

Filesize
1.1MB

MD5
c3887d30ef6b8a84af2ea0eae8c94564

SHA1
2d13b0ff3764541efc2842eb9df500e52b0fecdd

SHA256
cc3695af9a99c669580c3b020e1501cd5c0d193f72c038722adfe028ec812486

SHA512
b9553a772637bcfd00b71847020ebf1eef1fb68f48dedc5da7178a55450b44d18a9ec77559339ff4066f6851dd069e05e504b9f22e56de8ad3c89409b5cf3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jm9yR81.exe

Filesize
646KB

MD5
bcb8f0d19d2e5c0693f77169d456d8a6

SHA1
304b178f4feb3850ed86a2ebb0c7bddbeb3305f4

SHA256
9e73686492b505ca589952de2164829ba3554beb266029537998b536f595bbff

SHA512
ba3022c2c0daba8ea1c3fa5f4940c090a7d088da7771f9b4d54bd46421db90aae3b76004a5708eef6ed76846ec187d47347bfbdcc56ed32fcefcf2807ac9fa1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jm9yR81.exe

Filesize
646KB

MD5
bcb8f0d19d2e5c0693f77169d456d8a6

SHA1
304b178f4feb3850ed86a2ebb0c7bddbeb3305f4

SHA256
9e73686492b505ca589952de2164829ba3554beb266029537998b536f595bbff

SHA512
ba3022c2c0daba8ea1c3fa5f4940c090a7d088da7771f9b4d54bd46421db90aae3b76004a5708eef6ed76846ec187d47347bfbdcc56ed32fcefcf2807ac9fa1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SR76gY.exe

Filesize
30KB

MD5
9743fb5a2db2b63b292fddd06dafaa0d

SHA1
7e2855821ec541698b168a189a9c824226db2f23

SHA256
abb5d3e2d32b9875bf4d4622462eefb3a6abbc83ff7399eff05fa8936227e4a8

SHA512
294eead4c82be411294fe8f94a363f33692a829602038e2d05c5407e5068677e164fbb5f35dd6d5e60de92d33c335678f87047e335cb02464433b41bec71323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SR76gY.exe

Filesize
30KB

MD5
9743fb5a2db2b63b292fddd06dafaa0d

SHA1
7e2855821ec541698b168a189a9c824226db2f23

SHA256
abb5d3e2d32b9875bf4d4622462eefb3a6abbc83ff7399eff05fa8936227e4a8

SHA512
294eead4c82be411294fe8f94a363f33692a829602038e2d05c5407e5068677e164fbb5f35dd6d5e60de92d33c335678f87047e335cb02464433b41bec71323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ma2hN49.exe

Filesize
521KB

MD5
df5b26ec4bbc3d0e367cf8b7b08e6d87

SHA1
0672383c364c508b99901e1290e98750684a986e

SHA256
8fa3cabb1bcf8c3d1f9b6292ce6d3e68355bd9eb6b449ba3cad3557080819428

SHA512
5415723290b513f90879f556bee6eb277443f90733643e820a49ac044dacafc2a066ef9798d62ba2c7dca833dda2b3cdf336b4fb2a964364a7a664f682f218fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ma2hN49.exe

Filesize
521KB

MD5
df5b26ec4bbc3d0e367cf8b7b08e6d87

SHA1
0672383c364c508b99901e1290e98750684a986e

SHA256
8fa3cabb1bcf8c3d1f9b6292ce6d3e68355bd9eb6b449ba3cad3557080819428

SHA512
5415723290b513f90879f556bee6eb277443f90733643e820a49ac044dacafc2a066ef9798d62ba2c7dca833dda2b3cdf336b4fb2a964364a7a664f682f218fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sd2dz5xN.exe

Filesize
1.3MB

MD5
a07cba160ea432c98f8ea4fae6585c56

SHA1
15ff35ff759f3c3ac70567e80a1574574561d346

SHA256
37e7ab5e85d003f763d2d005d4e11dfd10a23900895acf6b0145425617831148

SHA512
33a2916e5088110c39260fc04bb3a9eb99db25468fee5a5f5da67d5a15acc1fa99d3ad7e613c1c70505d3ec24c256386a199a2c5aa56f8efc39d9d9504ad2d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\sd2dz5xN.exe

Filesize
1.3MB

MD5
a07cba160ea432c98f8ea4fae6585c56

SHA1
15ff35ff759f3c3ac70567e80a1574574561d346

SHA256
37e7ab5e85d003f763d2d005d4e11dfd10a23900895acf6b0145425617831148

SHA512
33a2916e5088110c39260fc04bb3a9eb99db25468fee5a5f5da67d5a15acc1fa99d3ad7e613c1c70505d3ec24c256386a199a2c5aa56f8efc39d9d9504ad2d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ic81nX3.exe

Filesize
878KB

MD5
3ad195cd256042f654bbba6804f0deca

SHA1
24eff43ebefcaf2928d695fa6885fbeb918dea5e

SHA256
5f64f3c6415b3c1ea845dbade03308cae0b66368a48b9b26c32894a5f78b6854

SHA512
ef85be80453cc326e87ee55f988cdf96d29b8576eeecafa59983e86df73f16bdcc8aecd752c49cf3bbfbc27230af6ab2cb312e4e602bcc782f8037254c534d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ic81nX3.exe

Filesize
878KB

MD5
3ad195cd256042f654bbba6804f0deca

SHA1
24eff43ebefcaf2928d695fa6885fbeb918dea5e

SHA256
5f64f3c6415b3c1ea845dbade03308cae0b66368a48b9b26c32894a5f78b6854

SHA512
ef85be80453cc326e87ee55f988cdf96d29b8576eeecafa59983e86df73f16bdcc8aecd752c49cf3bbfbc27230af6ab2cb312e4e602bcc782f8037254c534d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kT7076.exe

Filesize
1.1MB

MD5
7194b189d2091f282eba72fb2b833dc7

SHA1
e80dc7af2800553dd4bf04aeb5118d1fb04d6aaa

SHA256
cf2f678acd3b0980492036ea7a0715080c638b96d38225a6a1b48799fe4a91ee

SHA512
854eafbab017cb59c1f872e73036739c3c834eed7135a4d340246a19572d3c2f3230bc5c5eda690fddb9c9ebc5514d5c5907217b9b1563fe9071302bc0b324df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2kT7076.exe

Filesize
1.1MB

MD5
7194b189d2091f282eba72fb2b833dc7

SHA1
e80dc7af2800553dd4bf04aeb5118d1fb04d6aaa

SHA256
cf2f678acd3b0980492036ea7a0715080c638b96d38225a6a1b48799fe4a91ee

SHA512
854eafbab017cb59c1f872e73036739c3c834eed7135a4d340246a19572d3c2f3230bc5c5eda690fddb9c9ebc5514d5c5907217b9b1563fe9071302bc0b324df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\5kM45VH.exe

Filesize
220KB

MD5
fb149182814ace043bb334a678a2f47d

SHA1
a13ed592c48bd58ae273b5daa142f7d3ef7dd126

SHA256
cad438e51b669c308cc91e65db4ac2b93deaa56d89dea156fcd1428ea209a2ab

SHA512
ccb28d5d46b08943ead9ee328055d6414b299a7a1440cca1ae36191f3ae2e7bf06385cd843c40e43b5f7de8a7f6a1178bbc260e9381a62c3b1427ec8e298e8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\rh5hV3ak.exe

Filesize
1.1MB

MD5
beb88d84bbd5d5ff525c86a9ee66b935

SHA1
c7db4cae26415d79faa08c8282dda3112ba0a785

SHA256
d0702346250c6daea171b274e9e2ba671c2a9ddbbc378eb6495e6bb375cb8dad

SHA512
d9a7db6665682ddeff804759536dd595398db854bb643299f849109e3ec74ab0fad74cb6c86da0c222461fb3ea99ce9bdba5962d35917242c190568bbc341cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\rh5hV3ak.exe

Filesize
1.1MB

MD5
beb88d84bbd5d5ff525c86a9ee66b935

SHA1
c7db4cae26415d79faa08c8282dda3112ba0a785

SHA256
d0702346250c6daea171b274e9e2ba671c2a9ddbbc378eb6495e6bb375cb8dad

SHA512
d9a7db6665682ddeff804759536dd595398db854bb643299f849109e3ec74ab0fad74cb6c86da0c222461fb3ea99ce9bdba5962d35917242c190568bbc341cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\4Fp599cC.exe

Filesize
1.1MB

MD5
c3887d30ef6b8a84af2ea0eae8c94564

SHA1
2d13b0ff3764541efc2842eb9df500e52b0fecdd

SHA256
cc3695af9a99c669580c3b020e1501cd5c0d193f72c038722adfe028ec812486

SHA512
b9553a772637bcfd00b71847020ebf1eef1fb68f48dedc5da7178a55450b44d18a9ec77559339ff4066f6851dd069e05e504b9f22e56de8ad3c89409b5cf3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\iH8ar5tB.exe

Filesize
758KB

MD5
0467cffd83ce10c462e5ae849f91db86

SHA1
14e1c4b7340d4acc836e40684caed4433350067c

SHA256
df09ebbbad2d59b584012a73306112b916588f4d3ae47948142ac0fb6f57e5e1

SHA512
5c2f39b2e22d351c91f7d578b9bb638ae765443dbd9665cc58f46394f2d4e8a44e03659640c2489a54769645ebb7314fe9d66fe2a220eccc8bf1293fca17f988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\iH8ar5tB.exe

Filesize
758KB

MD5
0467cffd83ce10c462e5ae849f91db86

SHA1
14e1c4b7340d4acc836e40684caed4433350067c

SHA256
df09ebbbad2d59b584012a73306112b916588f4d3ae47948142ac0fb6f57e5e1

SHA512
5c2f39b2e22d351c91f7d578b9bb638ae765443dbd9665cc58f46394f2d4e8a44e03659640c2489a54769645ebb7314fe9d66fe2a220eccc8bf1293fca17f988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\3ml4LR87.exe

Filesize
183KB

MD5
80c5d0a805c767817517f62c38cbe004

SHA1
d8eeb48585786482e27f1b0fde24336545d3e53c

SHA256
ccaf30bd2116e4b8c87098b47fe110ca1b50f0e3f22aeeeaac10f7ba277c211b

SHA512
23663263bfb68c415ace2f0843c0457fd202c38c2491c8b00e70ce681f095930f90669f5b3487af9ba26cd7179077638b7ad965e43b199ffabdb06c9a58cd8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Kf7Bg7lj.exe

Filesize
562KB

MD5
dc39a0406017eb9a1512d817519c8516

SHA1
a16c32984806f73952457c3927417c3ac21ef418

SHA256
9d0c76dfab79687d1d06be6ac1afffed0c8f4cef47071ece4ba65e99d7b82148

SHA512
4c3dfc8490cfd193e3843ab2715b555beed7d0aee88974232dc77c28851f1ed7ccba0d7851fda9b5573c00fd29f004ee197eb62e5f8c8b6f888041026a20c1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Kf7Bg7lj.exe

Filesize
562KB

MD5
dc39a0406017eb9a1512d817519c8516

SHA1
a16c32984806f73952457c3927417c3ac21ef418

SHA256
9d0c76dfab79687d1d06be6ac1afffed0c8f4cef47071ece4ba65e99d7b82148

SHA512
4c3dfc8490cfd193e3843ab2715b555beed7d0aee88974232dc77c28851f1ed7ccba0d7851fda9b5573c00fd29f004ee197eb62e5f8c8b6f888041026a20c1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1nc20Cg8.exe

Filesize
1.1MB

MD5
0da012e2eb44b0140dfddc94c6517f6c

SHA1
5eb46d280592bb76e36ebcac8ed0699088705ed0

SHA256
666dde5266aad024ca3b13dffc8dfad935cadb2878e12e00867e24bb79086f3a

SHA512
15cbc857eb879d1d8f35f617fcad8cad83e38b9efb79f3f24b0349976c190e47a2d2dcf5aee32cdbfa0ec34672fd2a28da6ed2a8bbf639f39d60c3465612b4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1nc20Cg8.exe

Filesize
1.1MB

MD5
0da012e2eb44b0140dfddc94c6517f6c

SHA1
5eb46d280592bb76e36ebcac8ed0699088705ed0

SHA256
666dde5266aad024ca3b13dffc8dfad935cadb2878e12e00867e24bb79086f3a

SHA512
15cbc857eb879d1d8f35f617fcad8cad83e38b9efb79f3f24b0349976c190e47a2d2dcf5aee32cdbfa0ec34672fd2a28da6ed2a8bbf639f39d60c3465612b4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2BK204fg.exe

Filesize
222KB

MD5
d958815e6b347a8e0f9483bbce3f74a3

SHA1
5ac2d1e1c6a9bb288f407f365f8abade8628e323

SHA256
453730466ce535a5390e38b9ec6dd0f78bed7477d31ba05d7dd9e873e4194fb8

SHA512
45d5920da870a3a53d80c1f5f9ca7f5a3fbde18b1221820cd804c51d9b470ca095be9b409611355b30ad83d0040a82823266bc4bcf728d1a8193ef6cc857ec76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2BK204fg.exe

Filesize
222KB

MD5
d958815e6b347a8e0f9483bbce3f74a3

SHA1
5ac2d1e1c6a9bb288f407f365f8abade8628e323

SHA256
453730466ce535a5390e38b9ec6dd0f78bed7477d31ba05d7dd9e873e4194fb8

SHA512
45d5920da870a3a53d80c1f5f9ca7f5a3fbde18b1221820cd804c51d9b470ca095be9b409611355b30ad83d0040a82823266bc4bcf728d1a8193ef6cc857ec76

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
c74b32a2554a6eb5a484749e37c7c7c0

SHA1
22e96d68b0c5efdc33b099b3cec451dce27585cf

SHA256
5368955c72cfc610f78877602aa7f9fe1d5abaf252cfb3f480645948a221910a

SHA512
ab666635beefda058c068ff8702c495cf6985f0621fe5ae61573ab63880aa2efa58f13d46fe953dcdae1988a1bff2f8bb14e449c36666f069f8ba4fd2a330222

Download Submit
memory/504-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/504-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/504-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-145-0x0000000000650000-0x00000000006AA000-memory.dmp

Filesize
360KB

Download
memory/1040-141-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1040-225-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1040-172-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1044-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-165-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1128-114-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1128-115-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1152-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1152-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1592-173-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1592-108-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1592-119-0x0000000007180000-0x0000000007212000-memory.dmp

Filesize
584KB

Download
memory/2432-181-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/2432-183-0x00000000005B0000-0x0000000001222000-memory.dmp

Filesize
12.4MB

Download
memory/3380-56-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/4744-113-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/4744-70-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4744-65-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4744-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-180-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/4900-179-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5008-109-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5008-60-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5008-46-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5008-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5296-227-0x0000000000700000-0x0000000000AE0000-memory.dmp

Filesize
3.9MB

Download
memory/5296-241-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download