amadey | 59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a

Analysis

max time kernel
200s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 21:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe
Size

1.5MB
MD5

4672c56171b13fb407ebcb88d7266da2
SHA1

718665a6cadd69020526f6f5dc829538943399c5
SHA256

59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a
SHA512

f8c6dfd2a5362a387f92ad6e99bbc44665daac137bf0a6377fe75ce76909b8ce3fc8d34a76f4cbec73d54f308365a722ca7f5836e5c028e87e4afc1897821fd9
SSDEEP

24576:tynHBcQLZtlGcFrsq07jzY89fXDtMW6feye92d7B7ppv//qtQ:InKuZtlLFrSPMSbqHaEd17pxqt

Score

10^/10

amadey redline sectoprat smokeloader @ytlogsbot kedru pixelnew2.0 plost backdoor evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 13 IoCs

resource	yara_rule
behavioral1/memory/3292-64-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x0009000000022e05-94.dat	family_redline
behavioral1/files/0x0009000000022e05-93.dat	family_redline
behavioral1/memory/3360-188-0x00000000020A0000-0x00000000020FA000-memory.dmp	family_redline
behavioral1/memory/1308-187-0x0000000002080000-0x00000000020BE000-memory.dmp	family_redline
behavioral1/files/0x0006000000022e2c-202.dat	family_redline
behavioral1/files/0x0007000000022e30-210.dat	family_redline
behavioral1/files/0x0006000000022e2c-206.dat	family_redline
behavioral1/memory/5340-220-0x0000000000DE0000-0x0000000000E1C000-memory.dmp	family_redline
behavioral1/files/0x0007000000022e30-224.dat	family_redline
behavioral1/memory/5396-225-0x0000000000F80000-0x0000000000F9E000-memory.dmp	family_redline
behavioral1/memory/3360-239-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline
behavioral1/memory/1308-242-0x0000000000400000-0x0000000000461000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022e30-210.dat	family_sectoprat
behavioral1/files/0x0007000000022e30-224.dat	family_sectoprat
behavioral1/memory/5396-225-0x0000000000F80000-0x0000000000F9E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	5FS5rp2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	C5AC.exe

Executes dropped EXE 24 IoCs

pid	Process
4544	mB0VM03.exe
2212	av6BX80.exe
1120	ep8EI07.exe
4620	xu1QG53.exe
60	CD2ku36.exe
4092	1Xo50eQ2.exe
3264	2KQ1174.exe
1052	3uw44EQ.exe
3344	4Dq932qH.exe
1092	5FS5rp2.exe
2316	57EA.exe
3800	9D32.exe
4340	A717.exe
4680	ER2Br3vR.exe
4068	lQ1QV3MX.exe
5080	LO5sO1Qu.exe
4064	C5AC.exe
3360	2011.exe
4704	GY9vm5Jn.exe
1308	2293.exe
2600	1uK34mz7.exe
5340	2CW116vK.exe
5396	2D90.exe
5876	54D0.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	57EA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	ER2Br3vR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mB0VM03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	av6BX80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ep8EI07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	xu1QG53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	CD2ku36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	lQ1QV3MX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	LO5sO1Qu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	GY9vm5Jn.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 1488	4092	1Xo50eQ2.exe	96
PID 3264 set thread context of 2744	3264	2KQ1174.exe	98
PID 3344 set thread context of 3292	3344	4Dq932qH.exe	105
PID 2600 set thread context of 1696	2600	1uK34mz7.exe	129

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2380	2744	WerFault.exe	98
5276	1696	WerFault.exe	129

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uw44EQ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uw44EQ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uw44EQ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1052	3uw44EQ.exe
1052	3uw44EQ.exe
3320	Process not Found
3320	Process not Found
1488	AppLaunch.exe
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3320	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1052	3uw44EQ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	AppLaunch.exe
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3320	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4544	3704	59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe	88
PID 3704 wrote to memory of 4544	3704	59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe	88
PID 3704 wrote to memory of 4544	3704	59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe	88
PID 4544 wrote to memory of 2212	4544	mB0VM03.exe	90
PID 4544 wrote to memory of 2212	4544	mB0VM03.exe	90
PID 4544 wrote to memory of 2212	4544	mB0VM03.exe	90
PID 2212 wrote to memory of 1120	2212	av6BX80.exe	91
PID 2212 wrote to memory of 1120	2212	av6BX80.exe	91
PID 2212 wrote to memory of 1120	2212	av6BX80.exe	91
PID 1120 wrote to memory of 4620	1120	ep8EI07.exe	92
PID 1120 wrote to memory of 4620	1120	ep8EI07.exe	92
PID 1120 wrote to memory of 4620	1120	ep8EI07.exe	92
PID 4620 wrote to memory of 60	4620	xu1QG53.exe	93
PID 4620 wrote to memory of 60	4620	xu1QG53.exe	93
PID 4620 wrote to memory of 60	4620	xu1QG53.exe	93
PID 60 wrote to memory of 4092	60	CD2ku36.exe	94
PID 60 wrote to memory of 4092	60	CD2ku36.exe	94
PID 60 wrote to memory of 4092	60	CD2ku36.exe	94
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 4092 wrote to memory of 1488	4092	1Xo50eQ2.exe	96
PID 60 wrote to memory of 3264	60	CD2ku36.exe	97
PID 60 wrote to memory of 3264	60	CD2ku36.exe	97
PID 60 wrote to memory of 3264	60	CD2ku36.exe	97
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 3264 wrote to memory of 2744	3264	2KQ1174.exe	98
PID 4620 wrote to memory of 1052	4620	xu1QG53.exe	99
PID 4620 wrote to memory of 1052	4620	xu1QG53.exe	99
PID 4620 wrote to memory of 1052	4620	xu1QG53.exe	99
PID 1120 wrote to memory of 3344	1120	ep8EI07.exe	104
PID 1120 wrote to memory of 3344	1120	ep8EI07.exe	104
PID 1120 wrote to memory of 3344	1120	ep8EI07.exe	104
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 3344 wrote to memory of 3292	3344	4Dq932qH.exe	105
PID 2212 wrote to memory of 1092	2212	av6BX80.exe	107
PID 2212 wrote to memory of 1092	2212	av6BX80.exe	107
PID 2212 wrote to memory of 1092	2212	av6BX80.exe	107
PID 3320 wrote to memory of 2316	3320	Process not Found	109
PID 3320 wrote to memory of 2316	3320	Process not Found	109
PID 3320 wrote to memory of 2316	3320	Process not Found	109
PID 3320 wrote to memory of 2264	3320	Process not Found	110
PID 3320 wrote to memory of 2264	3320	Process not Found	110
PID 3320 wrote to memory of 3800	3320	Process not Found	112
PID 3320 wrote to memory of 3800	3320	Process not Found	112
PID 3320 wrote to memory of 3800	3320	Process not Found	112

C:\Users\Admin\AppData\Local\Temp\59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe
"C:\Users\Admin\AppData\Local\Temp\59883ae20fa980ea8d07c4810c772846f2557f4aadbcd8f8b5dc90b28c54f62a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mB0VM03.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mB0VM03.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\av6BX80.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\av6BX80.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ep8EI07.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ep8EI07.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xu1QG53.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xu1QG53.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CD2ku36.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CD2ku36.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xo50eQ2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xo50eQ2.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2KQ1174.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2KQ1174.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 540
        9⤵
        Program crash
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3uw44EQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3uw44EQ.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Dq932qH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Dq932qH.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3344
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5FS5rp2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5FS5rp2.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2744 -ip 2744
1⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\57EA.exe
C:\Users\Admin\AppData\Local\Temp\57EA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2316
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ER2Br3vR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ER2Br3vR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lQ1QV3MX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lQ1QV3MX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LO5sO1Qu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LO5sO1Qu.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\GY9vm5Jn.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\GY9vm5Jn.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4704
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1uK34mz7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1uK34mz7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 200
        8⤵
        Program crash
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2CW116vK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2CW116vK.exe
        6⤵
        Executes dropped EXE
        
        PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5A3D.bat" "
1⤵
PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
    3⤵
    PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
    3⤵
    PID:832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
    3⤵
    PID:5452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
    3⤵
    PID:5420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
    3⤵
    PID:6028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:5272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13130670963549718812,6630238923330860628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
    3⤵
    PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
  2⤵
  PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
  2⤵
  PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
  2⤵
  PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
  2⤵
  PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
  2⤵
  PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
    3⤵
    PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  PID:5444

C:\Users\Admin\AppData\Local\Temp\9D32.exe
C:\Users\Admin\AppData\Local\Temp\9D32.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\A717.exe
C:\Users\Admin\AppData\Local\Temp\A717.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Users\Admin\AppData\Local\Temp\C5AC.exe
C:\Users\Admin\AppData\Local\Temp\C5AC.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4064

C:\Users\Admin\AppData\Local\Temp\2011.exe
C:\Users\Admin\AppData\Local\Temp\2011.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Users\Admin\AppData\Local\Temp\2293.exe
C:\Users\Admin\AppData\Local\Temp\2293.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1696 -ip 1696
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2D90.exe
C:\Users\Admin\AppData\Local\Temp\2D90.exe
1⤵
- Executes dropped EXE
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff865d846f8,0x7ff865d84708,0x7ff865d84718
1⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\54D0.exe
C:\Users\Admin\AppData\Local\Temp\54D0.exe
1⤵
- Executes dropped EXE
PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2011.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\2011.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\2293.exe

Filesize
378KB

MD5
1eaba90935d3a7527d556866647b55e1

SHA1
56a5ca57b3eac1f9859fb117f7de341da8bc3638

SHA256
294a60b31d75b260b6f2f8a14291173fd652578e7037d7b02bb42d884ff55314

SHA512
a1897a437d0a7fa5431854cb03db9cbb4e819429c50c05a3008225c89ff9cf6b24c09b64f2e99a0e3da3df02d25cadb7e71db97deec558bb47ac9d6b94285e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2293.exe

Filesize
378KB

MD5
1eaba90935d3a7527d556866647b55e1

SHA1
56a5ca57b3eac1f9859fb117f7de341da8bc3638

SHA256
294a60b31d75b260b6f2f8a14291173fd652578e7037d7b02bb42d884ff55314

SHA512
a1897a437d0a7fa5431854cb03db9cbb4e819429c50c05a3008225c89ff9cf6b24c09b64f2e99a0e3da3df02d25cadb7e71db97deec558bb47ac9d6b94285e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D90.exe

Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D90.exe

Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\54D0.exe

Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\54D0.exe

Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\57EA.exe

Filesize
1.5MB

MD5
07bfc73fca915525fbdfcb74f0d676e0

SHA1
7c24c1eaa2336e1c045c1c5e74ab989876f32e50

SHA256
0f4af09d614af139b34b972c69e89ce80826139e576928ff841e05818321ba8d

SHA512
f726ca94b7d30edf8496920a8507545a44535c4298ebe2b63631d024566fb1c0e1a6802eb78d19f90879adfd00a0e8dc55dec3db37168b7ac295940248e8d5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\57EA.exe

Filesize
1.5MB

MD5
07bfc73fca915525fbdfcb74f0d676e0

SHA1
7c24c1eaa2336e1c045c1c5e74ab989876f32e50

SHA256
0f4af09d614af139b34b972c69e89ce80826139e576928ff841e05818321ba8d

SHA512
f726ca94b7d30edf8496920a8507545a44535c4298ebe2b63631d024566fb1c0e1a6802eb78d19f90879adfd00a0e8dc55dec3db37168b7ac295940248e8d5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A3D.bat

Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D32.exe

Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D32.exe

Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A717.exe

Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\A717.exe

Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5AC.exe

Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5AC.exe

Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mB0VM03.exe

Filesize
1.4MB

MD5
028781d95a6ca8ffcec3da334500fc30

SHA1
2a2d665ba02cf056f177a02b6b3317f7ab2185e5

SHA256
d5b1156acd07845c44b01a69a0efe4065438db934aa75c1459602fc3abb2e7f6

SHA512
2fd8787d5a0635a5ae590c779dde2b05280137956eeb200601a0d1379223368cef8eb51ecf3560a5491418f791d7df48c70592ba6c9c274bae38fccaafd4eca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mB0VM03.exe

Filesize
1.4MB

MD5
028781d95a6ca8ffcec3da334500fc30

SHA1
2a2d665ba02cf056f177a02b6b3317f7ab2185e5

SHA256
d5b1156acd07845c44b01a69a0efe4065438db934aa75c1459602fc3abb2e7f6

SHA512
2fd8787d5a0635a5ae590c779dde2b05280137956eeb200601a0d1379223368cef8eb51ecf3560a5491418f791d7df48c70592ba6c9c274bae38fccaafd4eca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\av6BX80.exe

Filesize
1.2MB

MD5
d5f09f30da5968c259a33fdbc600fb28

SHA1
1aaaead6e0d3fda7e3bd670e31ad9342edee0df5

SHA256
fdf4a071f676891c8e0c3ca4869d5e9006ab47f60184b5e82bedb0adffa79775

SHA512
71a5ef5784c58880eb7aaf628501fb45a71ad6c123078d99f77dfef76a2770bd66833caddd227572f28efdd6c8f066382c4b80d70fc96da4729848c6c9b69fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\av6BX80.exe

Filesize
1.2MB

MD5
d5f09f30da5968c259a33fdbc600fb28

SHA1
1aaaead6e0d3fda7e3bd670e31ad9342edee0df5

SHA256
fdf4a071f676891c8e0c3ca4869d5e9006ab47f60184b5e82bedb0adffa79775

SHA512
71a5ef5784c58880eb7aaf628501fb45a71ad6c123078d99f77dfef76a2770bd66833caddd227572f28efdd6c8f066382c4b80d70fc96da4729848c6c9b69fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5FS5rp2.exe

Filesize
222KB

MD5
09e250c43beb744346132545525cdb67

SHA1
cff752d7319ea1824e508711096b05275b1a574e

SHA256
1dee2933db9f6392fa635c867f0cf870b001f995a7469dac894fa3741a239ed3

SHA512
286b699624f037dceef799d3abb07e1219951c4357044235eb0b9c491bbe462a229d7f75939ef7d6d7569d21323f3deea09422acbb7cbb868494281fa190a6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5FS5rp2.exe

Filesize
222KB

MD5
09e250c43beb744346132545525cdb67

SHA1
cff752d7319ea1824e508711096b05275b1a574e

SHA256
1dee2933db9f6392fa635c867f0cf870b001f995a7469dac894fa3741a239ed3

SHA512
286b699624f037dceef799d3abb07e1219951c4357044235eb0b9c491bbe462a229d7f75939ef7d6d7569d21323f3deea09422acbb7cbb868494281fa190a6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ep8EI07.exe

Filesize
1.0MB

MD5
767921b138b0672e928a342a9176a0bf

SHA1
1cca44621b74cb05ef13987ff9de6f59da0bcdbb

SHA256
9d053bd363444abfaeeea852516ba7236393f63c8e6f62df4149334a9c73d225

SHA512
310c9172619111a6a8d891848c53f95923c03017ccdbff9b28c21c28930eacbfbf0c2a1fec33c2e8366b3291660d030e3b07087601c6b4f6fe104994fb4ab73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ep8EI07.exe

Filesize
1.0MB

MD5
767921b138b0672e928a342a9176a0bf

SHA1
1cca44621b74cb05ef13987ff9de6f59da0bcdbb

SHA256
9d053bd363444abfaeeea852516ba7236393f63c8e6f62df4149334a9c73d225

SHA512
310c9172619111a6a8d891848c53f95923c03017ccdbff9b28c21c28930eacbfbf0c2a1fec33c2e8366b3291660d030e3b07087601c6b4f6fe104994fb4ab73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Dq932qH.exe

Filesize
1.1MB

MD5
2fb90eb607288e31d400fdcce31a979f

SHA1
990076794adb997989dd8fe99efd28d6d38c3978

SHA256
d7e950a3283f624e2edf352ffd9cb2d4547c0615a238327e306a39e465d83fde

SHA512
b09b4dfcf12f555fbf0de8f7cac172f6cd0038df75e3632968c9295a87f7427722a7ce8fc840103af2211daf8ab2cf687ca6bdcf3b6e30d25838c24593db6c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Dq932qH.exe

Filesize
1.1MB

MD5
2fb90eb607288e31d400fdcce31a979f

SHA1
990076794adb997989dd8fe99efd28d6d38c3978

SHA256
d7e950a3283f624e2edf352ffd9cb2d4547c0615a238327e306a39e465d83fde

SHA512
b09b4dfcf12f555fbf0de8f7cac172f6cd0038df75e3632968c9295a87f7427722a7ce8fc840103af2211daf8ab2cf687ca6bdcf3b6e30d25838c24593db6c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xu1QG53.exe

Filesize
639KB

MD5
cc708599234046981ec99a63297db1e9

SHA1
532e215a13d141e88a4f06c2c2e17f4157b146de

SHA256
54a3e7c637dca1d940c095ad479e32ae1c88952d1edc8cc33f37a4a29d732b84

SHA512
bbf6280c37045beb70db981752fd123f7c9c2c53671266ccd64bebfa3cfc0995be772db8c88d3aa35fb14f6a33dc32f7ec9c61520ef34104776d39fb9a51137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xu1QG53.exe

Filesize
639KB

MD5
cc708599234046981ec99a63297db1e9

SHA1
532e215a13d141e88a4f06c2c2e17f4157b146de

SHA256
54a3e7c637dca1d940c095ad479e32ae1c88952d1edc8cc33f37a4a29d732b84

SHA512
bbf6280c37045beb70db981752fd123f7c9c2c53671266ccd64bebfa3cfc0995be772db8c88d3aa35fb14f6a33dc32f7ec9c61520ef34104776d39fb9a51137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3uw44EQ.exe

Filesize
31KB

MD5
85d8e7254d9d9ad37795a95824d253f2

SHA1
213c0e3b61f4c377cd360cba24c673e5d929741f

SHA256
1bb2dc7b0d4afbeb4b675002fab482f3ee9ac920f74b4db3e5f2ef03d6f17c94

SHA512
fdf9d0a1638e5074853e53edab3feff1117856f6aeca45f11b891ae8da017e1470fdcbbd0803542eccebbfdc290a37c218b0ae0953f448727e66a7baca8227b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3uw44EQ.exe

Filesize
31KB

MD5
85d8e7254d9d9ad37795a95824d253f2

SHA1
213c0e3b61f4c377cd360cba24c673e5d929741f

SHA256
1bb2dc7b0d4afbeb4b675002fab482f3ee9ac920f74b4db3e5f2ef03d6f17c94

SHA512
fdf9d0a1638e5074853e53edab3feff1117856f6aeca45f11b891ae8da017e1470fdcbbd0803542eccebbfdc290a37c218b0ae0953f448727e66a7baca8227b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CD2ku36.exe

Filesize
515KB

MD5
bc52941b3012274459cdb2dc6fef5c88

SHA1
dbd4696c1ca3715ebbc73c6e0b9965dc180c2e3d

SHA256
27a64a78def721903a3a4c0f5e7742cb929b3e558e3f1889092be5ec4b69f9b3

SHA512
9d50bd0682d295323954e6223543ab16fc33a44623f9818ba2250efbfeffb0548a88ecb50a20eb3bd4e981e84730d6b22ae98bc18cec602dfdacde9dcf103a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CD2ku36.exe

Filesize
515KB

MD5
bc52941b3012274459cdb2dc6fef5c88

SHA1
dbd4696c1ca3715ebbc73c6e0b9965dc180c2e3d

SHA256
27a64a78def721903a3a4c0f5e7742cb929b3e558e3f1889092be5ec4b69f9b3

SHA512
9d50bd0682d295323954e6223543ab16fc33a44623f9818ba2250efbfeffb0548a88ecb50a20eb3bd4e981e84730d6b22ae98bc18cec602dfdacde9dcf103a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ER2Br3vR.exe

Filesize
1.3MB

MD5
4898e0cf3b222787fcfb396c550a6d9a

SHA1
7e105b4c6d754ed3853c795abcbf33b6196ace5e

SHA256
2ea3650923b0c06c69db7153f708b4d56516ec53848537eb040efe5b63b0053c

SHA512
8cd56792688aa64d57892df26f651a78b11b89d3d6befac4246c4dec134091eac28961a531d436043abd245bdf98ebd474246d8e939a4889f796a2ac68e86cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ER2Br3vR.exe

Filesize
1.3MB

MD5
4898e0cf3b222787fcfb396c550a6d9a

SHA1
7e105b4c6d754ed3853c795abcbf33b6196ace5e

SHA256
2ea3650923b0c06c69db7153f708b4d56516ec53848537eb040efe5b63b0053c

SHA512
8cd56792688aa64d57892df26f651a78b11b89d3d6befac4246c4dec134091eac28961a531d436043abd245bdf98ebd474246d8e939a4889f796a2ac68e86cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xo50eQ2.exe

Filesize
869KB

MD5
8d44db248f8055e2625823a5a86bc0eb

SHA1
f4ac0f1925528df3b6991a15e02ca838b73e9a8e

SHA256
c75ad0cca1e96221572928c725e7169615b29d6dbb9794011385471c0994a024

SHA512
caf6791aca293d5c6e3e2170f71b31ecd07b7618c3d738b99fdca55354f94fd448f7e47ef2bb415ecc0ab9469d4956de6fc1e85ba38d0a2ee3343fd3d6ceaf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Xo50eQ2.exe

Filesize
869KB

MD5
8d44db248f8055e2625823a5a86bc0eb

SHA1
f4ac0f1925528df3b6991a15e02ca838b73e9a8e

SHA256
c75ad0cca1e96221572928c725e7169615b29d6dbb9794011385471c0994a024

SHA512
caf6791aca293d5c6e3e2170f71b31ecd07b7618c3d738b99fdca55354f94fd448f7e47ef2bb415ecc0ab9469d4956de6fc1e85ba38d0a2ee3343fd3d6ceaf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2KQ1174.exe

Filesize
1.0MB

MD5
380008444e3cf370d4b57a5415833587

SHA1
f195a2d2fab8eaf29fbd91d949d683f0d21ef74a

SHA256
8804f2032f38bbe2f6630ccaab27e12e0046d5d12fa39b2fbcbb76479b901461

SHA512
9bb0b4bba83698b0631402e2bd5e47389977168d390b2d4fa19f0cdbc6797b561f817de7b5a5928baaf7d5fa624dd97e3aa444062b013847a1f0785c0ab5919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2KQ1174.exe

Filesize
1.0MB

MD5
380008444e3cf370d4b57a5415833587

SHA1
f195a2d2fab8eaf29fbd91d949d683f0d21ef74a

SHA256
8804f2032f38bbe2f6630ccaab27e12e0046d5d12fa39b2fbcbb76479b901461

SHA512
9bb0b4bba83698b0631402e2bd5e47389977168d390b2d4fa19f0cdbc6797b561f817de7b5a5928baaf7d5fa624dd97e3aa444062b013847a1f0785c0ab5919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lQ1QV3MX.exe

Filesize
1.1MB

MD5
a8965dd9245cb266eb130cb517d47b4e

SHA1
50dcd0234206235ac45ad6fe0e280bad924bb561

SHA256
bd6393eaeffe0e984f7a193af449d2168ab57fefdaba330c51d442d20477f64f

SHA512
37f64869977da9c01013ad0d0c4ee81fed5955b2bfecf05c0b4306fac67681b97a045612defe84d93cde07e61ebe2dd74bb37b8f08b178fce8455a7499d510d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\lQ1QV3MX.exe

Filesize
1.1MB

MD5
a8965dd9245cb266eb130cb517d47b4e

SHA1
50dcd0234206235ac45ad6fe0e280bad924bb561

SHA256
bd6393eaeffe0e984f7a193af449d2168ab57fefdaba330c51d442d20477f64f

SHA512
37f64869977da9c01013ad0d0c4ee81fed5955b2bfecf05c0b4306fac67681b97a045612defe84d93cde07e61ebe2dd74bb37b8f08b178fce8455a7499d510d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LO5sO1Qu.exe

Filesize
753KB

MD5
60946505991016ff525b86b8edfbd17e

SHA1
a12d841347d7cd0bf875d1185d9390343aa0c394

SHA256
71948607fe49a6ea0873bd3cb185e2f2dd4a48960dd222ad4285c4503cd34ea8

SHA512
7f500d84367b09039c98a411120a6890a5e00bbbd3794f0604bb9857ea968f3410d833939c8576af0258318d6c0805608a9f462de00a7fb7a9446f3dd8149591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LO5sO1Qu.exe

Filesize
753KB

MD5
60946505991016ff525b86b8edfbd17e

SHA1
a12d841347d7cd0bf875d1185d9390343aa0c394

SHA256
71948607fe49a6ea0873bd3cb185e2f2dd4a48960dd222ad4285c4503cd34ea8

SHA512
7f500d84367b09039c98a411120a6890a5e00bbbd3794f0604bb9857ea968f3410d833939c8576af0258318d6c0805608a9f462de00a7fb7a9446f3dd8149591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\3cY1MS07.exe

Filesize
180KB

MD5
88020d3f60190179b9ffbb0b43b1eb08

SHA1
3889dfd2d3104a11bd4d8ee5500af24aa1529a05

SHA256
90507e5e15806255589f446f0d08cfd5d75be7389b7c13cccf224955807303de

SHA512
02193467699b58605af8bcf18b05d66a5da6926641e3adc901d3eec205ef76102ed6b4be88fc82dddc9a22bdbb86f22c06829a9af4261da3e41be0e90d45bc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\GY9vm5Jn.exe

Filesize
558KB

MD5
2fdddcfff62faa130fac485cbf25e3f2

SHA1
23e8e42796b97d391ed821cf608ca665f26cecad

SHA256
c514c38d289d17ba460236b7063101c2bdae7ac1fdbaa914edb7728180443115

SHA512
db437c1462ba0bb5942aec9d87fb0b3749a1be29f7cdc25c95491681dcdee8bdeeb74042d1d650ffacdee68b1f5e3192e8c1114830f88d4218f59f69de5b1481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\GY9vm5Jn.exe

Filesize
558KB

MD5
2fdddcfff62faa130fac485cbf25e3f2

SHA1
23e8e42796b97d391ed821cf608ca665f26cecad

SHA256
c514c38d289d17ba460236b7063101c2bdae7ac1fdbaa914edb7728180443115

SHA512
db437c1462ba0bb5942aec9d87fb0b3749a1be29f7cdc25c95491681dcdee8bdeeb74042d1d650ffacdee68b1f5e3192e8c1114830f88d4218f59f69de5b1481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1uK34mz7.exe

Filesize
1.0MB

MD5
62d3c2b68a4240e60af10de18686641b

SHA1
2e935e69cad70cfdadb509288c7615715ea1ece4

SHA256
218064d27cb940fe8b24e42fb73e5bae3d575d0b0991001119276982f8eefd17

SHA512
9a7d49ecd89c125b0531ec06a8d27b8156a4e5eafbb15662a2afeb14dd7b8cc31da6b34fdf946d173491f47116ff21f102a7cbc9ae723e90448d9e8bcd495684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1uK34mz7.exe

Filesize
1.0MB

MD5
62d3c2b68a4240e60af10de18686641b

SHA1
2e935e69cad70cfdadb509288c7615715ea1ece4

SHA256
218064d27cb940fe8b24e42fb73e5bae3d575d0b0991001119276982f8eefd17

SHA512
9a7d49ecd89c125b0531ec06a8d27b8156a4e5eafbb15662a2afeb14dd7b8cc31da6b34fdf946d173491f47116ff21f102a7cbc9ae723e90448d9e8bcd495684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2CW116vK.exe

Filesize
219KB

MD5
ac33ae5cd68ef74812709ff301a78f0e

SHA1
2957f137ab4f1152336f706e5bf38bf364b03e53

SHA256
429edb4bf1365e63e5531e39b8cd93d9216882498d09da0111330a975f5e1f1e

SHA512
3ece0cb00b8ae314b74024b5b3da36501d648b241ca30a9b422ddbd3a5bf31044f01bbb2a1fd3f7b11329f6c2058ade331f086a644ef072be2ee16199c0c5eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2CW116vK.exe

Filesize
219KB

MD5
ac33ae5cd68ef74812709ff301a78f0e

SHA1
2957f137ab4f1152336f706e5bf38bf364b03e53

SHA256
429edb4bf1365e63e5531e39b8cd93d9216882498d09da0111330a975f5e1f1e

SHA512
3ece0cb00b8ae314b74024b5b3da36501d648b241ca30a9b422ddbd3a5bf31044f01bbb2a1fd3f7b11329f6c2058ade331f086a644ef072be2ee16199c0c5eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
09e250c43beb744346132545525cdb67

SHA1
cff752d7319ea1824e508711096b05275b1a574e

SHA256
1dee2933db9f6392fa635c867f0cf870b001f995a7469dac894fa3741a239ed3

SHA512
286b699624f037dceef799d3abb07e1219951c4357044235eb0b9c491bbe462a229d7f75939ef7d6d7569d21323f3deea09422acbb7cbb868494281fa190a6fe

Download Submit
memory/1052-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1052-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-164-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1308-245-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1308-242-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1308-198-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1308-187-0x0000000002080000-0x00000000020BE000-memory.dmp

Filesize
248KB

Download
memory/1488-46-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1488-58-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1488-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1488-95-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1696-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-65-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3292-92-0x0000000007E40000-0x0000000007ED2000-memory.dmp

Filesize
584KB

Download
memory/3292-69-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3292-130-0x00000000080A0000-0x00000000080B0000-memory.dmp

Filesize
64KB

Download
memory/3292-196-0x00000000080A0000-0x00000000080B0000-memory.dmp

Filesize
64KB

Download
memory/3292-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3292-78-0x0000000008210000-0x00000000087B4000-memory.dmp

Filesize
5.6MB

Download
memory/3320-56-0x0000000003370000-0x0000000003386000-memory.dmp

Filesize
88KB

Download
memory/3360-228-0x0000000007770000-0x0000000007782000-memory.dmp

Filesize
72KB

Download
memory/3360-188-0x00000000020A0000-0x00000000020FA000-memory.dmp

Filesize
360KB

Download
memory/3360-207-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3360-208-0x0000000007AF0000-0x0000000008108000-memory.dmp

Filesize
6.1MB

Download
memory/3360-246-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3360-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3360-239-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3360-238-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/4064-197-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4064-129-0x0000000000630000-0x00000000012C0000-memory.dmp

Filesize
12.6MB

Download
memory/4064-136-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4340-133-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/4340-170-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4340-97-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4340-115-0x00000000074E0000-0x00000000074EA000-memory.dmp

Filesize
40KB

Download
memory/5340-237-0x0000000007BB0000-0x0000000007BC0000-memory.dmp

Filesize
64KB

Download
memory/5340-220-0x0000000000DE0000-0x0000000000E1C000-memory.dmp

Filesize
240KB

Download
memory/5340-229-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/5340-247-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/5396-234-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/5396-225-0x0000000000F80000-0x0000000000F9E000-memory.dmp

Filesize
120KB

Download
memory/5396-248-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download