redline | 16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74

Analysis

max time kernel
110s
max time network
135s
platform
windows7_x64
resource
win7v20201028
submitted
07-01-2021 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atikmdag-patcher 1.4.8.exe
Size

3.3MB
MD5

e0b3da406726f5b5636600fd5dad46e1
SHA1

b31d2916c200e2b1672ce2d0080a23d4e77e5092
SHA256

16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
SHA512

98920dcc4fa7d2b111f408ed27ccafd1aaa19ebf0ef57f8b0a36bd7c305339101c22d5d2d7689417f70aafbf6e878d2c660736c3b7905622962d33ca4d5ee48c

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/740-89-0x00000000000F0000-0x0000000000116000-memory.dmp	family_redline
behavioral1/memory/740-92-0x00000000000F0000-0x0000000000116000-memory.dmp	family_redline
behavioral1/memory/740-93-0x00000000000F0000-0x0000000000116000-memory.dmp	family_redline

Executes dropped EXE 12 IoCs

Processes:

atikmdag-patcher 1.4.8.tmpatikmdag-patcher 1.4.8.tmpatikmdag-patcher 1.4.8.exehalving.exeClient-built05.exeredich05.exemsdtc.comcsrss.commsdtc.comcsrss.comRegAsm.exeRegAsm.exe

pid	process
1484	atikmdag-patcher 1.4.8.tmp
2028	atikmdag-patcher 1.4.8.tmp
316	atikmdag-patcher 1.4.8.exe
608	halving.exe
1192	Client-built05.exe
1676	redich05.exe
1536	msdtc.com
1448	csrss.com
1904	msdtc.com
1560	csrss.com
1988	RegAsm.exe
740	RegAsm.exe

Drops startup file 1 IoCs

Processes:

csrss.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TWLwDfGlRU.url csrss.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TWLwDfGlRU.url	csrss.com

Loads dropped DLL 15 IoCs

Processes:

atikmdag-patcher 1.4.8.exeatikmdag-patcher 1.4.8.exeatikmdag-patcher 1.4.8.tmphalving.execmd.execmd.exemsdtc.comcsrss.comcsrss.comRegAsm.exemsdtc.comRegAsm.exe

pid	process
740	atikmdag-patcher 1.4.8.exe
2012	atikmdag-patcher 1.4.8.exe
2028	atikmdag-patcher 1.4.8.tmp
2028	atikmdag-patcher 1.4.8.tmp
608	halving.exe
608	halving.exe
608	halving.exe
1444	cmd.exe
1572	cmd.exe
1536	msdtc.com
1448	csrss.com
1560	csrss.com
1988	RegAsm.exe
1904	msdtc.com
740	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client-built05.exeredich05.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Client-built05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Client-built05.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	redich05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	redich05.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 checkip.amazonaws.com
16 ip-api.com

flow	ioc
22	checkip.amazonaws.com
16	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

csrss.commsdtc.com

description	pid	process	target process
PID 1560 set thread context of 1988	1560	csrss.com	RegAsm.exe
PID 1904 set thread context of 740	1904	msdtc.com	RegAsm.exe

Drops file in Program Files directory 6 IoCs

Processes:

atikmdag-patcher 1.4.8.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
File opened for modification	C:\Program Files (x86)\My Program\doks.dll	atikmdag-patcher 1.4.8.tmp
File opened for modification	C:\Program Files (x86)\My Program\halving.exe	atikmdag-patcher 1.4.8.tmp
File created	C:\Program Files (x86)\My Program\is-A7RJU.tmp	atikmdag-patcher 1.4.8.tmp
File created	C:\Program Files (x86)\My Program\is-5LGSL.tmp	atikmdag-patcher 1.4.8.tmp
File created	C:\Program Files (x86)\My Program\is-9BQKH.tmp	atikmdag-patcher 1.4.8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

652 tasklist.exe
1380 tasklist.exe

pid	process
652	tasklist.exe
1380	tasklist.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

halving.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	halving.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	halving.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	halving.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2016 PING.EXE
1732 PING.EXE
1988 PING.EXE
520 PING.EXE
784 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

atikmdag-patcher 1.4.8.tmpRegAsm.exe

pid process

2028 atikmdag-patcher 1.4.8.tmp
2028 atikmdag-patcher 1.4.8.tmp
740 RegAsm.exe
740 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

atikmdag-patcher 1.4.8.exe

pid process

316 atikmdag-patcher 1.4.8.exe

pid	process
2016	PING.EXE
1732	PING.EXE
1988	PING.EXE
520	PING.EXE
784	PING.EXE

pid	process
2028	atikmdag-patcher 1.4.8.tmp
2028	atikmdag-patcher 1.4.8.tmp
740	RegAsm.exe
740	RegAsm.exe

pid	process
316	atikmdag-patcher 1.4.8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	652	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe
Token: SeDebugPrivilege	1988	RegAsm.exe
Token: SeDebugPrivilege	740	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

atikmdag-patcher 1.4.8.tmp

pid process

2028 atikmdag-patcher 1.4.8.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1988 RegAsm.exe

pid	process
2028	atikmdag-patcher 1.4.8.tmp

pid	process
1988	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

atikmdag-patcher 1.4.8.exeatikmdag-patcher 1.4.8.tmpatikmdag-patcher 1.4.8.exeatikmdag-patcher 1.4.8.tmphalving.exeClient-built05.execmd.exeredich05.exe

description	pid	process	target process
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 740 wrote to memory of 1484	740	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 1484 wrote to memory of 2012	1484	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2012 wrote to memory of 2028	2012	atikmdag-patcher 1.4.8.exe	atikmdag-patcher 1.4.8.tmp
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 316	2028	atikmdag-patcher 1.4.8.tmp	atikmdag-patcher 1.4.8.exe
PID 2028 wrote to memory of 608	2028	atikmdag-patcher 1.4.8.tmp	halving.exe
PID 2028 wrote to memory of 608	2028	atikmdag-patcher 1.4.8.tmp	halving.exe
PID 2028 wrote to memory of 608	2028	atikmdag-patcher 1.4.8.tmp	halving.exe
PID 2028 wrote to memory of 608	2028	atikmdag-patcher 1.4.8.tmp	halving.exe
PID 608 wrote to memory of 1192	608	halving.exe	Client-built05.exe
PID 608 wrote to memory of 1192	608	halving.exe	Client-built05.exe
PID 608 wrote to memory of 1192	608	halving.exe	Client-built05.exe
PID 608 wrote to memory of 1192	608	halving.exe	Client-built05.exe
PID 1192 wrote to memory of 1936	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1936	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1936	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1936	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1020	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1020	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1020	1192	Client-built05.exe	cmd.exe
PID 1192 wrote to memory of 1020	1192	Client-built05.exe	cmd.exe
PID 1020 wrote to memory of 292	1020	cmd.exe	certutil.exe
PID 1020 wrote to memory of 292	1020	cmd.exe	certutil.exe
PID 1020 wrote to memory of 292	1020	cmd.exe	certutil.exe
PID 1020 wrote to memory of 292	1020	cmd.exe	certutil.exe
PID 1020 wrote to memory of 1572	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1572	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1572	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1572	1020	cmd.exe	cmd.exe
PID 608 wrote to memory of 1676	608	halving.exe	redich05.exe
PID 608 wrote to memory of 1676	608	halving.exe	redich05.exe
PID 608 wrote to memory of 1676	608	halving.exe	redich05.exe
PID 608 wrote to memory of 1676	608	halving.exe	redich05.exe
PID 1676 wrote to memory of 2016	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 2016	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 2016	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 2016	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 1160	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 1160	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 1160	1676	redich05.exe	cmd.exe
PID 1676 wrote to memory of 1160	1676	redich05.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe
"C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\is-1GFPV.tmp\atikmdag-patcher 1.4.8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1GFPV.tmp\atikmdag-patcher 1.4.8.tmp" /SL5="$6015A,2708435,780800,C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe
"C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe" /VERYSILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\is-2LUCJ.tmp\atikmdag-patcher 1.4.8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2LUCJ.tmp\atikmdag-patcher 1.4.8.tmp" /SL5="$60130,2708435,780800,C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe
"C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe" C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:316

C:\Program Files (x86)\My Program\halving.exe
"C:\Program Files (x86)\My Program\halving.exe" C:\Program Files (x86)\My Program\halving.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Temp\Client-built05.exe
"C:\Users\Admin\AppData\Local\Temp/Client-built05.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c tMWFlQWvE
7⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode 29-8 4-30 & cmd < 4-30
7⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\certutil.exe
certutil -decode 29-8 4-30
8⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
- Loads dropped DLL
PID:1572

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq srvpost.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\find.exe
find /I /N "srvpost.exe"
9⤵
PID:1560

C:\Windows\SysWOW64\PING.EXE
ping -n 1 DKMlq.DKMlq
9⤵
- Runs ping.exe
PID:1988

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vZAGTxNgCQogDNXksHGwtqRbI$" 0-89
9⤵
PID:912

C:\Windows\SysWOW64\certutil.exe
certutil -decode 81-00 c
9⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com
csrss.com c
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com c
10⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1560

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
9⤵
- Runs ping.exe
PID:520

C:\Users\Admin\AppData\Local\Temp\redich05.exe
"C:\Users\Admin\AppData\Local\Temp/redich05.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c JzSkcm
7⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode 47-9 0-2 & cmd < 0-2
7⤵
PID:1160

C:\Windows\SysWOW64\certutil.exe
certutil -decode 47-9 0-2
8⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
- Loads dropped DLL
PID:1444

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq srvpost.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\find.exe
find /I /N "srvpost.exe"
9⤵
PID:1836

C:\Windows\SysWOW64\PING.EXE
ping -n 1 QeXciln.QeXciln
9⤵
- Runs ping.exe
PID:1732

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^OvXsTjYBzSkLLH$" 70-1
9⤵
PID:1060

C:\Windows\SysWOW64\certutil.exe
certutil -decode 52-3 x
9⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com
msdtc.com x
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com x
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1904

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe"
12⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
13⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
9⤵
- Runs ping.exe
PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe

MD5
5616e95156f37d4445947144eb72d84b

SHA1
2ce32920b08f8b6a0959905010b3699fa9111f28

SHA256
f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434

SHA512
27f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e

Download Submit
C:\Program Files (x86)\My Program\doks.dll

MD5
c6702334a6112ad712f069db24d4a189

SHA1
f033f867483e775d78890f3756f74d3ea8ae06f7

SHA256
20e4004423a22a01ffcbb682d3aaf5a64f141359ae5054fdaeaddd57763c4463

SHA512
fc5683ef35f7a50a8cd4d71ef5b58ab96ea5b49dfeda7d1bdeb639e43ccfbb140367eaccaa4d5c216763baf7b0e1f5fd34cf70058c244256a88b094dcd95e21f

Download Submit
C:\Program Files (x86)\My Program\halving.exe

MD5
3240e627a478914f4717e6e7f95a2840

SHA1
4d22ca0eeaf29e799ad805069032239cc1ab68aa

SHA256
5a461e74d35ea294f94a0846272e38d9bdcadfd1f418f65d007c83caa5b3f695

SHA512
6578bb2c3cabe469a6f8470f77a2708d77231c936dffb090e01eb45d41fcc023cb08d0edef0041c5687a09ce19f3dc09f0d290e8884df8331d74465581be03b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built05.exe

MD5
8a0454c21101a349fcc76b0e5423bf2c

SHA1
b1624cef34918e16e34ab77102ab5f8ebcec104c

SHA256
c20153399d14cfb549cef31c155d3f301ed02328089051788b4d177bb620e158

SHA512
6a9f1f421a9714ec0d827ed3db872b72e8f76290c9c2b201e0cad3f7874a3435ff98d750556e38a266b37f190a7c0ae0f251048f0aa3ad879134eeb22d10c1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0-89

MD5
f7635640adab84190c9649ebb5f958b3

SHA1
cf4a7aa3fda00d9a4c87811851e74a7550ac9759

SHA256
0fbade9af269c899e6fdfb069bbcfa46108246e97986f5b11bf823b7a5a14c4d

SHA512
498568194fc9d7f4ee8ad00bf47175210dd2aefd43ffa5e959b60476d3273c4e6aaf0931630aa37c0076508da5c971eb6a2149ff9b8e58e85780030c5deffe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\29-8

MD5
0854073f746922767c984586ad1735d1

SHA1
77cea603cf07c7c615691b9d15a2bd2e3968de43

SHA256
d7964cc24082582c8d3eaa1899088c4a029f82f8fa2c9a8154cd96a76365e90d

SHA512
71133f207c479ee028dc2b813a72ccd96bd87cb2b944e75d1eca7f7bc4eae504d50adf3c799d1d719bdb02eb881179564f80b5b3818bb95266ee49593859be03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4-30

MD5
2953f9cf7b76c2559860750a1da68fc7

SHA1
b7aae7babd6539301c8d4371324c043837c7fe20

SHA256
5420118a2bcce594ab54d9dce741750204c0e08d3d80ad1000a85b52f8818231

SHA512
77a11862ec24307e9adefa95a91e7b8b239a565a043ea29df4a57adbba100d0582fffb3a35f8cd710a0d6ae4567cdc1c2d4eceab0b1af7f5f0be39e51e326142

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\81-00

MD5
8f3f2b87be4b00ffba95295a921f1ce1

SHA1
52e3767b9625d0fddf09c8c0011ecdfc04f3996e

SHA256
9cff61b181a2ca4ab15463e8ca1e367c3933cb661ec3488844ae7dceee0b4302

SHA512
9f0a71bf0a830ea81494453a7ca9139512030f5714ceae25a1d6c39d10bdc563863f2d580f4e23e8d714cc99804052a6cd1fc7fa25906c1e5c2c150e050a0afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\99-17

MD5
12951aa98f9bfd6011531b1de01c7956

SHA1
1b13d120ffff81b688ecb69e013877aededc2674

SHA256
a256bf53a755d74509e7a748a3b1672feab02ba592cfbde9a2b1524708158611

SHA512
1c3411c3959d689001e1d403236abd28aad3e670056899a2dc145fd30ca90aa0dd78ed570e3f7d0668753b1c7b74556b50f10f0aa60924f43945938000ca5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c

MD5
6891c4ba201fb488804a41711820f630

SHA1
cce795ee2c925d88517d7c98497522446feeea89

SHA256
1446712a553a3d695620706217a9dbf105736902babc3fa934c1e387fe88647c

SHA512
e66ba48a1d7ef0dfed4c53bfb0a59585364f522b9e37844a89729750795d51181fdbf9b1abe3c435fc8776b0030f1b86c5cf0e7188d121eda2e39b9e3d064f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\0-2

MD5
9e9e579004636ffd07f72ab966db8928

SHA1
3bef13b2ec06a8f07d31d0cd3f538ed9ba8e01c0

SHA256
b17288b2cc26c2f8f02bad14c5de8974adf542230c8fe7ab1d7c39e09e848764

SHA512
29f00d6f787ecd75c793615015754c726dce41465432f08049bde42c5ae85f609faa80b26cf0f37788d0b04e827a2c51e0584cfb86bea25728a48f1aa6724258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\33-95

MD5
bef31f8d0b7398e2bf390e39a0852131

SHA1
a254b81a9299cf95b20107513521e656dc0d00e0

SHA256
05f8126aa8cd9e8baa046c422caafa0c5744ceb27ac0a99bb7e97bfcf60ea7b1

SHA512
97f5e165ef04155761499b07c55ca8f9c199ed8d8f68981b21a740b5d295df48977f41c8a6bc1575008e1a655951b4d33cefe61ff513a789a9a1ccd6b04b1e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47-9

MD5
9750d5aaa9d4bd0bea34cdf1660018a1

SHA1
682142dc9c50d73995bf28795591b9fa6ee9870e

SHA256
c424ffa1d1676a438baedf2f2de7f5dcc3d2785bac7bb41ee708dcbe179062fe

SHA512
4a32d94d6fa25102558c15aaad989b856d2ffe848b0205506e8d92bbca6c43427d4f3827ace9f0e3f9b4d04506b35310b23ccd064af2fdead787ce4f3eaf10fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\52-3

MD5
7dae844a7c377a94ba33e6506213529e

SHA1
7ccd648153b58403fa0cec2b13c608fb0974cd9c

SHA256
0706ed31aa94aa68a7008ab4d29553c8688df6d069c442c9f639d72f32b447a7

SHA512
69085f2ff7b94db7bd4594ff06559e72c286da0f70cdaee38c2be9a3c4d3ccb79aef46d215235dcac4d8a05fb23b6fcf66c0486b12a5b095fe0886244f4fd0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70-1

MD5
aabf266d5914d17c9aaadd5dcfa8f174

SHA1
ae47a31716568b07d7b7c478d2a63673d1626cad

SHA256
e67670cfc1d03275bda8af6f71efc3684085fc041de753b88b3720cd06d3f195

SHA512
c96232053d0c6945c93297bb4cdaf68dc9a3addcafae3245475b06d0c68bf4ec441fb4097c5d6717275da30f1bdd96b8d894820a7875ded8ba8629e4369a13d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x

MD5
7f39224e4a4a19ec07c56df38463e976

SHA1
3cf172ece10334eec425c05cfd543bef4ccef1c7

SHA256
736827c1144483b42c2022ee15c11f58aabbd7bc8e1b0c1b58461e29dd660b4c

SHA512
fd48e99b96e7baa71331569f81952ed0832825ed02e3da18e870c7b20881a0963a76a9e424daef1ce22443fe6164957beb265ee1a545acfc2f46315d8f52e1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1GFPV.tmp\atikmdag-patcher 1.4.8.tmp

MD5
db27920346f23c1d742ec0722426417e

SHA1
adf18d452653e13ab5518706ea9c4c492a46f4f7

SHA256
a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5

SHA512
43f57a95c574c92d8d73f9767844681e1a45c7def5dc79848d357a1cf437b7874325af12b72c226fcdd109a9f8824c4e735d515d04b7fa65186604309dad10e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2LUCJ.tmp\atikmdag-patcher 1.4.8.tmp

MD5
db27920346f23c1d742ec0722426417e

SHA1
adf18d452653e13ab5518706ea9c4c492a46f4f7

SHA256
a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5

SHA512
43f57a95c574c92d8d73f9767844681e1a45c7def5dc79848d357a1cf437b7874325af12b72c226fcdd109a9f8824c4e735d515d04b7fa65186604309dad10e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\redich05.exe

MD5
70e61a744203fafecf36f1625f2bdc87

SHA1
4b4e3d5e95f410f3635c8966ac6fe084fd912206

SHA256
2d093a1168906e981e3cb1f6ef6a1f40aa57bbba0b25f09c2542df5f068fccff

SHA512
921651c390f9a1550d3326a3d532be19eb6515b2ea682bb5fc15beaa73d29af3bd0f581898e80a7ed8bf986c0b0ae3115ecd3593a56f49c91d6e850b723cbdae

Download Submit
\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe

MD5
5616e95156f37d4445947144eb72d84b

SHA1
2ce32920b08f8b6a0959905010b3699fa9111f28

SHA256
f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434

SHA512
27f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e

Download Submit
\Program Files (x86)\My Program\doks.dll

MD5
c6702334a6112ad712f069db24d4a189

SHA1
f033f867483e775d78890f3756f74d3ea8ae06f7

SHA256
20e4004423a22a01ffcbb682d3aaf5a64f141359ae5054fdaeaddd57763c4463

SHA512
fc5683ef35f7a50a8cd4d71ef5b58ab96ea5b49dfeda7d1bdeb639e43ccfbb140367eaccaa4d5c216763baf7b0e1f5fd34cf70058c244256a88b094dcd95e21f

Download Submit
\Program Files (x86)\My Program\halving.exe

MD5
3240e627a478914f4717e6e7f95a2840

SHA1
4d22ca0eeaf29e799ad805069032239cc1ab68aa

SHA256
5a461e74d35ea294f94a0846272e38d9bdcadfd1f418f65d007c83caa5b3f695

SHA512
6578bb2c3cabe469a6f8470f77a2708d77231c936dffb090e01eb45d41fcc023cb08d0edef0041c5687a09ce19f3dc09f0d290e8884df8331d74465581be03b0

Download Submit
\Users\Admin\AppData\Local\Temp\Client-built05.exe

MD5
8a0454c21101a349fcc76b0e5423bf2c

SHA1
b1624cef34918e16e34ab77102ab5f8ebcec104c

SHA256
c20153399d14cfb549cef31c155d3f301ed02328089051788b4d177bb620e158

SHA512
6a9f1f421a9714ec0d827ed3db872b72e8f76290c9c2b201e0cad3f7874a3435ff98d750556e38a266b37f190a7c0ae0f251048f0aa3ad879134eeb22d10c1c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\csrss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\msdtc.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\is-1GFPV.tmp\atikmdag-patcher 1.4.8.tmp

MD5
db27920346f23c1d742ec0722426417e

SHA1
adf18d452653e13ab5518706ea9c4c492a46f4f7

SHA256
a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5

SHA512
43f57a95c574c92d8d73f9767844681e1a45c7def5dc79848d357a1cf437b7874325af12b72c226fcdd109a9f8824c4e735d515d04b7fa65186604309dad10e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-2LUCJ.tmp\atikmdag-patcher 1.4.8.tmp

MD5
db27920346f23c1d742ec0722426417e

SHA1
adf18d452653e13ab5518706ea9c4c492a46f4f7

SHA256
a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5

SHA512
43f57a95c574c92d8d73f9767844681e1a45c7def5dc79848d357a1cf437b7874325af12b72c226fcdd109a9f8824c4e735d515d04b7fa65186604309dad10e5

Download Submit
\Users\Admin\AppData\Local\Temp\redich05.exe

MD5
70e61a744203fafecf36f1625f2bdc87

SHA1
4b4e3d5e95f410f3635c8966ac6fe084fd912206

SHA256
2d093a1168906e981e3cb1f6ef6a1f40aa57bbba0b25f09c2542df5f068fccff

SHA512
921651c390f9a1550d3326a3d532be19eb6515b2ea682bb5fc15beaa73d29af3bd0f581898e80a7ed8bf986c0b0ae3115ecd3593a56f49c91d6e850b723cbdae

Download Submit
memory/292-25-0x0000000000000000-mapping.dmp

Download
memory/316-10-0x0000000000000000-mapping.dmp

Download
memory/520-62-0x0000000000000000-mapping.dmp

Download
memory/596-48-0x0000000000000000-mapping.dmp

Download
memory/608-18-0x0000000000400000-0x00000000006EA000-memory.dmp

Filesize
2.9MB

Download
memory/608-17-0x000000006EB80000-0x000000006EC70000-memory.dmp

Filesize
960KB

Download
memory/608-13-0x0000000000000000-mapping.dmp

Download
memory/652-38-0x0000000000000000-mapping.dmp

Download
memory/740-93-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/740-85-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/740-89-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/740-92-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/740-95-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/780-19-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

Filesize
2.5MB

Download
memory/784-61-0x0000000000000000-mapping.dmp

Download
memory/856-98-0x0000000000000000-mapping.dmp

Download
memory/912-45-0x0000000000000000-mapping.dmp

Download
memory/1020-24-0x0000000000000000-mapping.dmp

Download
memory/1060-44-0x0000000000000000-mapping.dmp

Download
memory/1160-33-0x0000000000000000-mapping.dmp

Download
memory/1192-21-0x0000000000000000-mapping.dmp

Download
memory/1380-40-0x0000000000000000-mapping.dmp

Download
memory/1444-37-0x0000000000000000-mapping.dmp

Download
memory/1448-57-0x0000000000000000-mapping.dmp

Download
memory/1448-55-0x0000000000000000-mapping.dmp

Download
memory/1448-34-0x0000000000000000-mapping.dmp

Download
memory/1484-3-0x0000000000000000-mapping.dmp

Download
memory/1536-56-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x0000000000000000-mapping.dmp

Download
memory/1560-39-0x0000000000000000-mapping.dmp

Download
memory/1560-71-0x0000000000000000-mapping.dmp

Download
memory/1572-28-0x0000000000000000-mapping.dmp

Download
memory/1676-30-0x0000000000000000-mapping.dmp

Download
memory/1732-43-0x0000000000000000-mapping.dmp

Download
memory/1836-41-0x0000000000000000-mapping.dmp

Download
memory/1904-65-0x0000000000000000-mapping.dmp

Download
memory/1936-23-0x0000000000000000-mapping.dmp

Download
memory/1988-79-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1988-83-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-42-0x0000000000000000-mapping.dmp

Download
memory/1988-80-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1988-76-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1988-75-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/2000-49-0x0000000000000000-mapping.dmp

Download
memory/2012-5-0x0000000000000000-mapping.dmp

Download
memory/2016-32-0x0000000000000000-mapping.dmp

Download
memory/2016-99-0x0000000000000000-mapping.dmp

Download
memory/2028-7-0x0000000000000000-mapping.dmp

Download