3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1

Analysis

max time kernel
184s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe
Size

1.1MB
MD5

f04dbe32033708ece2d788c6bb7247df
SHA1

0bee01d2f17f8b40947f5bec0c8ac364836e8359
SHA256

3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1
SHA512

f6218bb00630ce91fc8b25fd17f8029078344735895175f6e603d0273326b67e4ea68a22a103faf8c078d92b14e8cc9ed72dfa24f17734c6fe5901727b2a95ba
SSDEEP

24576:FIF6nnjqKoeM+lgkRW6RXjnV6HJfzag4DiD8csEwq:FIojqKoeM+lxjnON4DiDhwq

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

mCrIua.exefile.exedyzyu.exedyzyu.exe

pid process

2984 mCrIua.exe
5004 file.exe
4664 dyzyu.exe
4264 dyzyu.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4444-139-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/4444-141-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/4444-142-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/4444-145-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\file.exe	upx
C:\Users\Admin\AppData\Local\Temp\file.exe	upx
behavioral2/memory/4444-154-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe	upx
C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe	upx
behavioral2/memory/4664-160-0x0000000000400000-0x0000000000409000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe	upx
behavioral2/memory/4664-168-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dyzyu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\Currentversion\Run	dyzyu.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	dyzyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihvoeti = "C:\\Users\\Admin\\AppData\\Roaming\\Pizo\\dyzyu.exe"	dyzyu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mCrIua.exesvchost.exe

description	pid	process	target process
PID 2984 set thread context of 4444	2984	mCrIua.exe	svchost.exe
PID 4444 set thread context of 5004	4444	svchost.exe	file.exe
PID 4444 set thread context of 4264	4444	svchost.exe	dyzyu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Privacy	file.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	file.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mCrIua.exesvchost.exedyzyu.exe

pid	process
2984	mCrIua.exe
2984	mCrIua.exe
2984	mCrIua.exe
2984	mCrIua.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4444	svchost.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe
4264	dyzyu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exe

description	pid	process
Token: SeSecurityPrivilege	5004	file.exe
Token: SeSecurityPrivilege	5004	file.exe
Token: SeSecurityPrivilege	5004	file.exe
Token: SeSecurityPrivilege	5004	file.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

mCrIua.exe

pid process

2984 mCrIua.exe
2984 mCrIua.exe
2984 mCrIua.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

mCrIua.exe

pid process

2984 mCrIua.exe
2984 mCrIua.exe
2984 mCrIua.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exedyzyu.exe

pid process

4444 svchost.exe
4664 dyzyu.exe

pid	process
4444	svchost.exe
4664	dyzyu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exemCrIua.exesvchost.exefile.exedyzyu.exe

description	pid	process	target process
PID 208 wrote to memory of 2984	208	3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe	mCrIua.exe
PID 208 wrote to memory of 2984	208	3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe	mCrIua.exe
PID 208 wrote to memory of 2984	208	3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe	mCrIua.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 2984 wrote to memory of 4444	2984	mCrIua.exe	svchost.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 4444 wrote to memory of 5004	4444	svchost.exe	file.exe
PID 5004 wrote to memory of 4664	5004	file.exe	dyzyu.exe
PID 5004 wrote to memory of 4664	5004	file.exe	dyzyu.exe
PID 5004 wrote to memory of 4664	5004	file.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4444 wrote to memory of 4264	4444	svchost.exe	dyzyu.exe
PID 4264 wrote to memory of 2436	4264	dyzyu.exe	sihost.exe
PID 4264 wrote to memory of 2436	4264	dyzyu.exe	sihost.exe
PID 4264 wrote to memory of 2436	4264	dyzyu.exe	sihost.exe
PID 4264 wrote to memory of 2436	4264	dyzyu.exe	sihost.exe
PID 4264 wrote to memory of 2436	4264	dyzyu.exe	sihost.exe
PID 4264 wrote to memory of 2572	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 2572	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 2572	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 2572	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 2572	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 2784	4264	dyzyu.exe	taskhostw.exe
PID 4264 wrote to memory of 2784	4264	dyzyu.exe	taskhostw.exe
PID 4264 wrote to memory of 2784	4264	dyzyu.exe	taskhostw.exe
PID 4264 wrote to memory of 2784	4264	dyzyu.exe	taskhostw.exe
PID 4264 wrote to memory of 2784	4264	dyzyu.exe	taskhostw.exe
PID 4264 wrote to memory of 2648	4264	dyzyu.exe	Explorer.EXE
PID 4264 wrote to memory of 2648	4264	dyzyu.exe	Explorer.EXE
PID 4264 wrote to memory of 2648	4264	dyzyu.exe	Explorer.EXE
PID 4264 wrote to memory of 2648	4264	dyzyu.exe	Explorer.EXE
PID 4264 wrote to memory of 2648	4264	dyzyu.exe	Explorer.EXE
PID 4264 wrote to memory of 3076	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 3076	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 3076	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 3076	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 3076	4264	dyzyu.exe	svchost.exe
PID 4264 wrote to memory of 3276	4264	dyzyu.exe	DllHost.exe
PID 4264 wrote to memory of 3276	4264	dyzyu.exe	DllHost.exe
PID 4264 wrote to memory of 3276	4264	dyzyu.exe	DllHost.exe
PID 4264 wrote to memory of 3276	4264	dyzyu.exe	DllHost.exe
PID 4264 wrote to memory of 3276	4264	dyzyu.exe	DllHost.exe
PID 4264 wrote to memory of 3388	4264	dyzyu.exe	StartMenuExperienceHost.exe
PID 4264 wrote to memory of 3388	4264	dyzyu.exe	StartMenuExperienceHost.exe
PID 4264 wrote to memory of 3388	4264	dyzyu.exe	StartMenuExperienceHost.exe
PID 4264 wrote to memory of 3388	4264	dyzyu.exe	StartMenuExperienceHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3388

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1236

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe
"C:\Users\Admin\AppData\Local\Temp\3e6a8e670992d9b688acc11e592a680be09b90e76fe1f35b4fae9f1a890fccd1.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mCrIua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\mCrIua.exe" "ajKngw"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
5⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe
"C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf18f3fff.bat"
6⤵
PID:2980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2728

C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe
"C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2784

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4556

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3864

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ajKngw

Filesize
4KB

MD5
c72f0e9201f975b017d0ecb370f172b2

SHA1
055ccfcc330e2bd280163d3036ba0ca9029fa2be

SHA256
f495d4ec68fb70a3796ce65c54408ec4335fc21e08f4dc8660705abcb8d365af

SHA512
33dda037ca3e9c2baf3ebdc70397a9066094a6f2cc98cf2d85950802e25615adeaf8e2318d5b0a3e3affe740d7d2447ee8db8d2d07738d54247396f265f4dbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\byUYEq.exe

Filesize
102KB

MD5
7c7abfa050c3b5180643f8a0a9f3f3e8

SHA1
e1f7a7d6dadf1e21fcb8b3d182ec122bf4f2ebe9

SHA256
bd478d83cc9d86980e921863f5b66a4969d1838119f94649e8dcbcf22a90d9f3

SHA512
c0efc56ae261ddffddc3bbdede296f3c206d1fcca6c626bd180fa9f19cc60cd1f208fa47f13e917ab282e00025b1cf7634d044a04a494c9c758e3441000056f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mCrIua.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mCrIua.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nRCTSt.txt

Filesize
545KB

MD5
38b7bf3099f53aec709af76ba5772db3

SHA1
c41f90219d850bb6c89e7fe0c8f4385633ca87cb

SHA256
7a2b61b4972ef955c9e5bd576223ca7d2b9418b492fbb8466bdc4e505b022421

SHA512
9ccf025d140a074858bb42d0c8b82bde6ad3f141743232f87649c765a4f05b24866f62b176e9a2412ce360dac0e47e711073b0e8be0c2f550bbb4ac68add8d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
7KB

MD5
291c207bceae5da0ddba97910c15178d

SHA1
28cb32a9ca3dacdf01fdfed50e8581b2bffe9763

SHA256
446697fe75ca428e41f97201707f1b8eabd3bf80ed4867c8d3148c01256a93c9

SHA512
999c5e8c07857619d91d820f0d298725c45cc93726990c34aa742bbbd7efa8bdaf30b7657a736b53b189e0efdd105f28c515f790e7e8f74329b72e0783193dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
7KB

MD5
291c207bceae5da0ddba97910c15178d

SHA1
28cb32a9ca3dacdf01fdfed50e8581b2bffe9763

SHA256
446697fe75ca428e41f97201707f1b8eabd3bf80ed4867c8d3148c01256a93c9

SHA512
999c5e8c07857619d91d820f0d298725c45cc93726990c34aa742bbbd7efa8bdaf30b7657a736b53b189e0efdd105f28c515f790e7e8f74329b72e0783193dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.txt

Filesize
43B

MD5
77d8cd0aa96b29698031ed00a8c4a961

SHA1
6a27aa235072c4aae43b9445fb086f8cddd989d3

SHA256
b809f37c9113e2e39e790a2f8bc03b7a01bfb971fb34e3fe22f89192adcc2583

SHA512
64826acfe93b794267eb0c2ce5209c9ec1be01135b5ea51bdb5d1df9a1a125d5cb1b105a2aa7e033cd149c0955e5061bace35de8422bb8d41ab144bfb42be095

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
7c7abfa050c3b5180643f8a0a9f3f3e8

SHA1
e1f7a7d6dadf1e21fcb8b3d182ec122bf4f2ebe9

SHA256
bd478d83cc9d86980e921863f5b66a4969d1838119f94649e8dcbcf22a90d9f3

SHA512
c0efc56ae261ddffddc3bbdede296f3c206d1fcca6c626bd180fa9f19cc60cd1f208fa47f13e917ab282e00025b1cf7634d044a04a494c9c758e3441000056f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.txt

Filesize
545KB

MD5
38b7bf3099f53aec709af76ba5772db3

SHA1
c41f90219d850bb6c89e7fe0c8f4385633ca87cb

SHA256
7a2b61b4972ef955c9e5bd576223ca7d2b9418b492fbb8466bdc4e505b022421

SHA512
9ccf025d140a074858bb42d0c8b82bde6ad3f141743232f87649c765a4f05b24866f62b176e9a2412ce360dac0e47e711073b0e8be0c2f550bbb4ac68add8d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpf18f3fff.bat

Filesize
187B

MD5
b0201baf6974864f390f8f0656ba151e

SHA1
1e82892fdd4f439f1365b4558c4c646095d5b12c

SHA256
e583b4a88f81c53b110cd0506e8c9333a0646eacf87af53960b1d93d9a912d3a

SHA512
7b1e307ae829998c687693fe1fde5fdbd7e553a351dea58028d6b9dd9381696c70d29130d6cd6c49cbdfc97a4df993cc10d1fdf932dcc0a3a51d5652130011f1

Download Submit
C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe

Filesize
7KB

MD5
813fd46220e0bfab0997102cb830f82c

SHA1
6e0a74fbb1b8d04705725877678b9aed0a54313b

SHA256
6c907d8f11ed045dfae8d36835e7b87c73719529f61b4fecb450305d50a67e34

SHA512
bbb5d4c889409398f4da19683b95aeacb8f9ef6011e9691412f92c2c61bff07768073843423363fe8b800fc1a5667bb7d6cb2d5523737ff25f20c35c6ea6c7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe

Filesize
7KB

MD5
813fd46220e0bfab0997102cb830f82c

SHA1
6e0a74fbb1b8d04705725877678b9aed0a54313b

SHA256
6c907d8f11ed045dfae8d36835e7b87c73719529f61b4fecb450305d50a67e34

SHA512
bbb5d4c889409398f4da19683b95aeacb8f9ef6011e9691412f92c2c61bff07768073843423363fe8b800fc1a5667bb7d6cb2d5523737ff25f20c35c6ea6c7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Pizo\dyzyu.exe

Filesize
7KB

MD5
813fd46220e0bfab0997102cb830f82c

SHA1
6e0a74fbb1b8d04705725877678b9aed0a54313b

SHA256
6c907d8f11ed045dfae8d36835e7b87c73719529f61b4fecb450305d50a67e34

SHA512
bbb5d4c889409398f4da19683b95aeacb8f9ef6011e9691412f92c2c61bff07768073843423363fe8b800fc1a5667bb7d6cb2d5523737ff25f20c35c6ea6c7ae

Download Submit
memory/2980-171-0x0000000000000000-mapping.dmp

Download
memory/2980-175-0x0000000001480000-0x00000000014BB000-memory.dmp

Filesize
236KB

Download
memory/2984-132-0x0000000000000000-mapping.dmp

Download
memory/4264-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4264-163-0x0000000000000000-mapping.dmp

Download
memory/4444-142-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4444-169-0x0000000005100000-0x000000000513B000-memory.dmp

Filesize
236KB

Download
memory/4444-154-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4444-138-0x0000000000000000-mapping.dmp

Download
memory/4444-139-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4444-141-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4444-145-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4664-160-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4664-155-0x0000000000000000-mapping.dmp

Download
memory/4664-168-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5004-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5004-170-0x00000000021A0000-0x00000000021DB000-memory.dmp

Filesize
236KB

Download
memory/5004-148-0x0000000000000000-mapping.dmp

Download
memory/5004-172-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5004-173-0x00000000021A0000-0x00000000021DB000-memory.dmp

Filesize
236KB

Download
memory/5004-149-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5004-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download