amadey | 3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

explorhe.exe
Size

790KB
MD5

b7668e16e00cfa7aab4fd5833311a9d3
SHA1

81f2ecd89774c56e0cc9cdb9dfe273df76dfefa7
SHA256

3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366
SHA512

7e2146e5e8b28830208a92ddcb57075fd0e046856c0564e3faf5f0d71a6dbe5454c16b45664da4277de795eb53f1be447de4aae2a0a5a0d12eefe9d5be6d96e4
SSDEEP

12288:r9SJ++jmIFElFpRqH1YWGn1Io7YNQZDzdYD/jGW/nSkxgsDggauUPnIpm68fuvQR:r0g9/nREmWGn/wQFRHW/nSkx4dk4qo

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Extracted

Family

redline

Botnet

@Pixelscloud

94.156.65.198:13781

Extracted

Family

redline

Botnet

Legaa

185.172.128.33:38294

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1048-253-0x0000000000400000-0x0000000000458000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3632-618-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/4004-105-0x0000000004910000-0x0000000004950000-memory.dmp	family_redline
behavioral2/memory/4004-108-0x0000000004F90000-0x0000000004FCE000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
behavioral2/memory/3176-150-0x0000000000490000-0x00000000004E2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
behavioral2/memory/2324-203-0x0000000000A30000-0x0000000000A82000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe	family_redline
behavioral2/memory/4384-225-0x0000000000B80000-0x0000000000BD2000-memory.dmp	family_redline
behavioral2/memory/1048-253-0x0000000000400000-0x0000000000458000-memory.dmp	family_redline
behavioral2/memory/3656-386-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2556-844-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2556-847-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2556-861-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.execmd.exe

flow pid process

78 2196 rundll32.exe
44 1276 cmd.exe
46 1276 cmd.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4896 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
78	2196	rundll32.exe
44	1276	cmd.exe
46	1276	cmd.exe

pid	process
4896	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iojmibhyhiws.exeMiner-XMR1.exeiojmibhyhiws.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Miner-XMR1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Miner-XMR1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

latestrocki.exenszAA1E.tmpexplorhe.exeexplorhe.exe31839b57a4f11171d6abc8bbc4451ee4.exelegnew.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	latestrocki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	nszAA1E.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	31839b57a4f11171d6abc8bbc4451ee4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	legnew.exe

Executes dropped EXE 32 IoCs

Processes:

explorhe.exe322321.exejsc.exelegnew.exe31839b57a4f11171d6abc8bbc4451ee4.exems_updater.exeqemu-ga.exedata.exe2024.execrypteddaisy.exelatestrocki.execmd.exetoolspub1.exerty25.exeBroomSetup.exerdx1122.exenszAA1E.tmp31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeSetupPowerGREPDemo.exeinjector.exeMiner-XMR1.exeiojmibhyhiws.exeflesh.exeexplorhe.exezonak.exewindefender.exewindefender.exeiojmibhyhiws.exeiojmibhyhiws.exeexplorhe.exe

pid	process
1136	explorhe.exe
864	322321.exe
2324	jsc.exe
4004	legnew.exe
3716	31839b57a4f11171d6abc8bbc4451ee4.exe
3176	ms_updater.exe
4856	qemu-ga.exe
4704	data.exe
4384	2024.exe
3012	crypteddaisy.exe
4008	latestrocki.exe
1276	cmd.exe
3212	toolspub1.exe
3716	31839b57a4f11171d6abc8bbc4451ee4.exe
4396	rty25.exe
2640	BroomSetup.exe
5088	rdx1122.exe
1504	nszAA1E.tmp
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3312	csrss.exe
4444	SetupPowerGREPDemo.exe
3740	injector.exe
3236	Miner-XMR1.exe
1388	iojmibhyhiws.exe
1996	flesh.exe
4604	explorhe.exe
3068	zonak.exe
464	windefender.exe
3584	windefender.exe
4924	iojmibhyhiws.exe
3836	iojmibhyhiws.exe
2288	explorhe.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.execmd.exenszAA1E.tmpdata.exe

pid process

2196 rundll32.exe
1276 cmd.exe
1276 cmd.exe
1504 nszAA1E.tmp
1504 nszAA1E.tmp
4704 data.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2196	rundll32.exe
1276	cmd.exe
1276	cmd.exe
1504	nszAA1E.tmp
1504	nszAA1E.tmp
4704	data.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeexplorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000498001\\zonak.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

Conhost.exepowershell.exepowershell.exepowershell.exepowershell.exeMsBuild.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	MsBuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

explorhe.exezonak.exe

pid	process
1136	explorhe.exe
1136	explorhe.exe
1136	explorhe.exe
1136	explorhe.exe
1136	explorhe.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe
1136	explorhe.exe
3068	zonak.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

jsc.exe322321.execrypteddaisy.exerdx1122.exedata.exeiojmibhyhiws.exeiojmibhyhiws.exeiojmibhyhiws.exeSetupPowerGREPDemo.exe

description	pid	process	target process
PID 2324 set thread context of 4976	2324	jsc.exe	RegAsm.exe
PID 864 set thread context of 2324	864	322321.exe	jsc.exe
PID 3012 set thread context of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 5088 set thread context of 3656	5088	rdx1122.exe	RegAsm.exe
PID 4704 set thread context of 2452	4704	data.exe	MsBuild.exe
PID 1388 set thread context of 3500	1388	iojmibhyhiws.exe	conhost.exe
PID 1388 set thread context of 2556	1388	iojmibhyhiws.exe	conhost.exe
PID 4924 set thread context of 4448	4924	iojmibhyhiws.exe	conhost.exe
PID 3836 set thread context of 4940	3836	iojmibhyhiws.exe	conhost.exe
PID 4444 set thread context of 1328	4444	SetupPowerGREPDemo.exe	calc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

380 sc.exe
1244 sc.exe
1940 sc.exe
4140 sc.exe
3468 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3024 3212 WerFault.exe toolspub1.exe
2900 1504 WerFault.exe nszAA1E.tmp

pid	process
380	sc.exe
1244	sc.exe
1940	sc.exe
4140	sc.exe
3468	sc.exe

pid	pid_target	process	target process
3024	3212	WerFault.exe	toolspub1.exe
2900	1504	WerFault.exe	nszAA1E.tmp

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nszAA1E.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nszAA1E.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nszAA1E.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4996 schtasks.exe
2348 schtasks.exe
4840 schtasks.exe
924 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4716 timeout.exe

pid	process
4996	schtasks.exe
2348	schtasks.exe
4840	schtasks.exe
924	schtasks.exe

pid	process
4716	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exewindefender.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exeMsBuild.exeConhost.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsBuild.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsBuild.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsBuild.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MsBuild.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsBuild.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsBuild.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

legnew.exeRegAsm.exeRegAsm.exejsc.exe2024.exetoolspub1.exepowershell.exenszAA1E.tmp31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exeMsBuild.exeRegAsm.exeConhost.exe

pid	process
4004	legnew.exe
4976	RegAsm.exe
4976	RegAsm.exe
4976	RegAsm.exe
4976	RegAsm.exe
4976	RegAsm.exe
4976	RegAsm.exe
4976	RegAsm.exe
1048	RegAsm.exe
1048	RegAsm.exe
2324	jsc.exe
2324	jsc.exe
2324	jsc.exe
2324	jsc.exe
2324	jsc.exe
2324	jsc.exe
4384	2024.exe
4384	2024.exe
2324	jsc.exe
4384	2024.exe
4384	2024.exe
4384	2024.exe
4384	2024.exe
3212	toolspub1.exe
3212	toolspub1.exe
4384	2024.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
1504	nszAA1E.tmp
1504	nszAA1E.tmp
3716	31839b57a4f11171d6abc8bbc4451ee4.exe
3716	31839b57a4f11171d6abc8bbc4451ee4.exe
624	powershell.exe
624	powershell.exe
624	powershell.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
3632	31839b57a4f11171d6abc8bbc4451ee4.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe
2936	MsBuild.exe
2936	MsBuild.exe
2936	MsBuild.exe
3656	RegAsm.exe
3656	RegAsm.exe
3656	RegAsm.exe
3656	RegAsm.exe
4972	Conhost.exe
4972	Conhost.exe
4972	Conhost.exe
3656	RegAsm.exe
3656	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

legnew.exeRegAsm.exeRegAsm.exejsc.exe2024.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exeMsBuild.exeConhost.exeRegAsm.exepowershell.execsrss.execonhost.exeflesh.exesc.execonhost.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	4004	legnew.exe
Token: SeDebugPrivilege	4976	RegAsm.exe
Token: SeDebugPrivilege	1048	RegAsm.exe
Token: SeDebugPrivilege	2324	jsc.exe
Token: SeDebugPrivilege	4384	2024.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	3716	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	3716	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2936	MsBuild.exe
Token: SeDebugPrivilege	4972	Conhost.exe
Token: SeDebugPrivilege	3656	RegAsm.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeSystemEnvironmentPrivilege	3312	csrss.exe
Token: SeLockMemoryPrivilege	2556	conhost.exe
Token: SeDebugPrivilege	1996	flesh.exe
Token: SeSecurityPrivilege	4140	sc.exe
Token: SeSecurityPrivilege	4140	sc.exe
Token: SeLockMemoryPrivilege	4448	conhost.exe
Token: SeLockMemoryPrivilege	4940	conhost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

explorhe.exeexplorhe.exeBroomSetup.exeexplorhe.exezonak.exeexplorhe.exe

pid process

4712 explorhe.exe
1136 explorhe.exe
2640 BroomSetup.exe
4604 explorhe.exe
3068 zonak.exe
2288 explorhe.exe

pid	process
4712	explorhe.exe
1136	explorhe.exe
2640	BroomSetup.exe
4604	explorhe.exe
3068	zonak.exe
2288	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorhe.exeexplorhe.exejsc.exe31839b57a4f11171d6abc8bbc4451ee4.exelegnew.exe322321.execrypteddaisy.exelatestrocki.exe

description	pid	process	target process
PID 4712 wrote to memory of 1136	4712	explorhe.exe	explorhe.exe
PID 4712 wrote to memory of 1136	4712	explorhe.exe	explorhe.exe
PID 4712 wrote to memory of 1136	4712	explorhe.exe	explorhe.exe
PID 1136 wrote to memory of 4996	1136	explorhe.exe	schtasks.exe
PID 1136 wrote to memory of 4996	1136	explorhe.exe	schtasks.exe
PID 1136 wrote to memory of 4996	1136	explorhe.exe	schtasks.exe
PID 1136 wrote to memory of 864	1136	explorhe.exe	322321.exe
PID 1136 wrote to memory of 864	1136	explorhe.exe	322321.exe
PID 1136 wrote to memory of 2324	1136	explorhe.exe	jsc.exe
PID 1136 wrote to memory of 2324	1136	explorhe.exe	jsc.exe
PID 1136 wrote to memory of 2324	1136	explorhe.exe	jsc.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 2324 wrote to memory of 4976	2324	jsc.exe	RegAsm.exe
PID 1136 wrote to memory of 4004	1136	explorhe.exe	legnew.exe
PID 1136 wrote to memory of 4004	1136	explorhe.exe	legnew.exe
PID 1136 wrote to memory of 4004	1136	explorhe.exe	legnew.exe
PID 1136 wrote to memory of 3716	1136	explorhe.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 1136 wrote to memory of 3716	1136	explorhe.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 1136 wrote to memory of 3716	1136	explorhe.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3716 wrote to memory of 3176	3716	31839b57a4f11171d6abc8bbc4451ee4.exe	ms_updater.exe
PID 3716 wrote to memory of 3176	3716	31839b57a4f11171d6abc8bbc4451ee4.exe	ms_updater.exe
PID 3716 wrote to memory of 3176	3716	31839b57a4f11171d6abc8bbc4451ee4.exe	ms_updater.exe
PID 4004 wrote to memory of 4856	4004	legnew.exe	qemu-ga.exe
PID 4004 wrote to memory of 4856	4004	legnew.exe	qemu-ga.exe
PID 1136 wrote to memory of 4704	1136	explorhe.exe	data.exe
PID 1136 wrote to memory of 4704	1136	explorhe.exe	data.exe
PID 1136 wrote to memory of 4704	1136	explorhe.exe	data.exe
PID 864 wrote to memory of 2324	864	322321.exe	jsc.exe
PID 864 wrote to memory of 2324	864	322321.exe	jsc.exe
PID 864 wrote to memory of 2324	864	322321.exe	jsc.exe
PID 864 wrote to memory of 2324	864	322321.exe	jsc.exe
PID 864 wrote to memory of 2324	864	322321.exe	jsc.exe
PID 1136 wrote to memory of 4384	1136	explorhe.exe	2024.exe
PID 1136 wrote to memory of 4384	1136	explorhe.exe	2024.exe
PID 1136 wrote to memory of 4384	1136	explorhe.exe	2024.exe
PID 1136 wrote to memory of 3012	1136	explorhe.exe	crypteddaisy.exe
PID 1136 wrote to memory of 3012	1136	explorhe.exe	crypteddaisy.exe
PID 1136 wrote to memory of 3012	1136	explorhe.exe	crypteddaisy.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 3012 wrote to memory of 1048	3012	crypteddaisy.exe	RegAsm.exe
PID 1136 wrote to memory of 2196	1136	explorhe.exe	rundll32.exe
PID 1136 wrote to memory of 2196	1136	explorhe.exe	rundll32.exe
PID 1136 wrote to memory of 2196	1136	explorhe.exe	rundll32.exe
PID 1136 wrote to memory of 4008	1136	explorhe.exe	latestrocki.exe
PID 1136 wrote to memory of 4008	1136	explorhe.exe	latestrocki.exe
PID 1136 wrote to memory of 4008	1136	explorhe.exe	latestrocki.exe
PID 4008 wrote to memory of 1276	4008	latestrocki.exe	cmd.exe
PID 4008 wrote to memory of 1276	4008	latestrocki.exe	cmd.exe
PID 4008 wrote to memory of 1276	4008	latestrocki.exe	cmd.exe
PID 4008 wrote to memory of 3212	4008	latestrocki.exe	toolspub1.exe
PID 4008 wrote to memory of 3212	4008	latestrocki.exe	toolspub1.exe
PID 4008 wrote to memory of 3212	4008	latestrocki.exe	toolspub1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\explorhe.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:4996

C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
"C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe"
3⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
"C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
- Executes dropped EXE
PID:4856

C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe"
3⤵
PID:3716

C:\Users\Admin\AppData\Roaming\ms_updater.exe
"C:\Users\Admin\AppData\Roaming\ms_updater.exe"
4⤵
- Executes dropped EXE
PID:3176

C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
"C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
"C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2196

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 352
5⤵
- Program crash
PID:3024

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4972

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:3016

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:3740

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:924

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:464

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\nszAA1E.tmp
C:\Users\Admin\AppData\Local\Temp\nszAA1E.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 2312
6⤵
- Program crash
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nszAA1E.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:2068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
"C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4444

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
4⤵
PID:2092

C:\Windows\SysWOW64\calc.exe
C:\Windows\SysWOW64\calc.exe
4⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:3236

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"
4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
PID:1276

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:1244

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:1940

C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe
"C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3212 -ip 3212
1⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
2⤵
PID:2716

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
3⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1504 -ip 1504
1⤵
PID:4896

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1388

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3500

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4924

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3836

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3584

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
167KB

MD5
4d19cffabd787f033f9f456e4205be61

SHA1
a97c77224a2c5fba7850cd45183ce5dac7cf63c2

SHA256
5eb3c7d96d59fed9c3f879620c6d213abf3b7323c87613321fde7512865f01d6

SHA512
258eafef36415804f4e5a595d843f3824288eed326c4578b13ce893a45357ac5bd84b0698b9c85ad11520244dce0bf2940fbdd5a44d96e87884f9d2013158c40

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
98KB

MD5
783c4a83f5c55fea835052710ed6fdbb

SHA1
9ea90d7b6d41d40ffa6700d51caa408983a6a853

SHA256
5de9aab0b88534d2d6a3e7dfaedf18fae1b49801b96c64337bf7286f1d3b9ed6

SHA512
1f74470594ce3eb0c9d2a5c17515e8660a5f71d8403fae29374a51185594270bac93a24f62ca117d731f82d791651e4832cca4fca92a09476ccf4a642c0a1da6

Download Submit
C:\ProgramData\mozglue.dll
Filesize
17KB

MD5
cd847bd8982f0ead55cf5b7e7490a6c4

SHA1
e4c8e695a5cde7c93e046ecc226270a02db24005

SHA256
08ab9d97ee242158872675085233af46ebabe60386fcd0d9acd0804bf6f29e98

SHA512
19ae2d18f7e569c4ba5cae82a9c881ae0c142b8640e3e5019d56e5c3fc53eabd32f9e220f58159f7ac6c753b33269a7d9b697eb4e41ae1c34546971d81189208

Download Submit
C:\ProgramData\mozglue.dll
Filesize
14KB

MD5
ac92b9e0330c1b65da3be12a6004d190

SHA1
d24f12a504ac1638a5bb87863a96727b20b9bd1d

SHA256
d9a6c030ae208ea1ea43bad7300e388d449e2952c88d9fc142f5d04291a3aed5

SHA512
6dff31fe63ee96c76e1149070c7dd7bf0c6bc2e471e63993491c925f7d2e4a290f5d569dbbdef7e8f18f01ed1b265e443ba3fe17c97b1023b94e8834c745dabf

Download Submit
C:\ProgramData\nss3.dll
Filesize
33KB

MD5
5b3c79dd7babd26f55995d45d240bdd4

SHA1
e0f54f7ffd7130354593b6b7b601b8358ec1aa4f

SHA256
4a34ad763f67f2a89d6a0146eaebd8ba9aa8cb868abb55d7a5fe40b1705a06da

SHA512
1be9ef70c3ac71b6fd8d77945e52da0c3a7c4fa1325fe6ec730a3b362f5fae2e9d7614c2694eee8ad08c11f1133b240172d82970a4a82100da859f130575c42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
Filesize
332KB

MD5
7fe410507a4f46b2a4f3751883e58fd8

SHA1
5ae226c66d2dcbe1810a9eaa6054586285097972

SHA256
ed1e8a42be49a4068d0041315aa697247bf889877259098f01ad9f5322af8cfb

SHA512
a62ffc825a7741ff0fedf6bf0209b2b1c63e0d30be5d3d3d3ba10f36472e2d80aacaa0dfb4a7fd57d2ca3f423ccb36b9b8ed68baab45191e339af4e2ee3b41c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
Filesize
243KB

MD5
5fc325b5da53c8d46beb9ec31855f460

SHA1
380b63ea7d82b983a43ec75f141115fc5883812a

SHA256
352ef984d44509155177a5bc42c14e871e336e3cb6deeda63e52da1abb305cb4

SHA512
a6bb95fb2879d598f910304764e0be80acaa567d0e541ee18f7426fb4f988fcd848323caecbd9c1d01d28d159a1bac6fb535d51d201d3fb2b1fd19354471c7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
Filesize
341KB

MD5
ece8e2177083eefb49d5e0185b899b93

SHA1
ea29f48483d95897da5af016c47ca99f825871cd

SHA256
5e88119a34553c24625c42dbbb35b9c969a051a54478ab9227dac4ce720a703e

SHA512
4cd4a45cba10387b7e977ca05a3f44efb0ed3911cbd22d2ec00d9e24a9d0e0a424727ddfee9aec71454fb52f0d85f6a42b95656ef232e0538e18d97a5f32646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
Filesize
269KB

MD5
2f5c0e357533b2a27d7b3d4d0bb71122

SHA1
459bafef35c676edace90ee8dae2b6b655cea7b6

SHA256
6e6587854195067a07694ced8487860f4808431e9d4d70a4f034d1348779b804

SHA512
8229dd8d137030c981541869bc30d4d2770bb5e03a63b3658aeb6217574be2261489ef691d88dbed6383f310e7db33ff5028855c196d3dd73c8494276d118a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
Filesize
77KB

MD5
5bc01181ad89a1c2e11dc013714ddee3

SHA1
6b0592437b7c76771a88e623ab262fbfe931f757

SHA256
8c95b89369e9a8f65d1093c1b35b11d33e729fc4d304cb744aec952cd75b0733

SHA512
4b3890d129b7562ae3355352eb22905d9910a5d5ae8aebbf51fd697b85d45bbd3f15f87c4a7d3d446990257343f904d27ad3ca29ff04adea0fd23d78a1253ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
Filesize
187KB

MD5
112ddec60fc1f209e8bac5d85261df2e

SHA1
3c140e31e064cf70fbcdc8ffbc407a849747edf0

SHA256
99600682229c3ca2bac7529c9cd94a7443e3c53f66fcf82a4b350dd6bc15329b

SHA512
dc2dcc62fc6665e2fde1ad4b1792286627b2a5878e01f8b5cf76dd464686f92990ea66ec23c62822ee1a69e8ef6bbfcd91981c998bc36a97b4bcdef4433cf5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
Filesize
179KB

MD5
e987f2318288c184bb4c1fa820aa5d88

SHA1
621e26921fb8b484e7264d67d7171308b8cc6c50

SHA256
0b3eea2472a2a81818ee9dd758de567ffe597bb19e3629083bbdfcc1b3039bd6

SHA512
69cebc7693b4644426f6e6b852ec5addbd163c728ed3ee74af594dd07d5f6aadabf730fa4fa7abc46c6f358da4bc4606f1939c79e69233b60c580e87624b53ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
Filesize
149KB

MD5
6a614ac7c66d7d770ebfe151b12b8fbb

SHA1
c0abf1374394c44ffb04c4b173172e6d2b74647f

SHA256
2f3be7176e3202ad3168b38e489d8c6e0bad52cc8504086471378eeb64ce8077

SHA512
ec626c29ac1c609bfed2c89827f6c109fc1a6b4c2647af156fad46462b015cdcfd38bd8c6d20358c247321b8549b0d89e665a16b5f09306eb6bc1de3785a7c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
Filesize
176KB

MD5
601ae5154384ed8adc71d95031b2d4a5

SHA1
97e55ea9031c3836d712856fc22fb4bed17bbc71

SHA256
8fe2e94b4cf77e88139810b10a0a3ac916bbb895f35fa7edccbc87ee6497e9f9

SHA512
796ef91829570f01525c5d7a785fae94e9033e424955e5a961d639fe327d8231f460b2af5005a2ae2ba20bfdaccb865a21d4a6ea27774e696667672216c2a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
Filesize
230KB

MD5
ce431e6a51c92d97eb2f437d2ebd04fc

SHA1
735386886573e1b35a374602cadbd2d34cd93c98

SHA256
ef17adf313cbfd9c1f710ed14d4042368bd82a98e0861969bff3233bb08a21cf

SHA512
b7e1b0d09a13e0235154d686eeb43f6b1e87510fd479ecb882dda23b7a57b7882bb9a785dabdb2eb5fe83a04de3272178cc90dd189fa27a58601ec9dd94a70fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
Filesize
282KB

MD5
91900e9a7f48b77d14f1441ad6c8865b

SHA1
669e8774b04ee1bb4f2e006c14cd639857e68c13

SHA256
6ac7d80f68fd47ed1a93e9a5848cbb15ee9a68e311ba36eb1e4d81163483827a

SHA512
14e5489a51f13eabcf894612c2eb96fd1e408807b848ad12b4d46530106a2ba3b3a2f553fa46554e05040ee46f72c5db76ab9ac819ee54ba9129ba9a9884cf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
Filesize
365KB

MD5
ae9e6469ededb5abf5baeaae06250363

SHA1
47d5e7b1f8b604e975b360478f2aa92fa0b562c7

SHA256
6c21c3fb24a807e86446c15ce51ef7071460e8cec312d1e9526f7ef5010d1672

SHA512
14517aebc7779adab57f60a8e09cf7008932a2f15e7d190e3c8e340575c18a4736bb7ecbd98361ae93311e402a5b3d287db052dd0922f8f05dcc0544f68dd5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
Filesize
245KB

MD5
5cfb12e68ed0f6417c6f399b3914a98d

SHA1
474997e5952d7bcc017de1b592fcdf8f378519dc

SHA256
a87801668b16af6a27f6353b9125e34e6ed2f1c9e69bbd11213959320cf54921

SHA512
fd95808f80086d3c9a74c3a0f0245d26d730a888fce24ede82f0415b6c9a0191bcaf0ea8e3f195b7564dcb960b49dde682c0c155c6e970ab6270abfb446ea518

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
Filesize
117KB

MD5
1980039045774687f208fad48c53cf47

SHA1
0d598129524cddc9ee4f06edad61d6a4e5763663

SHA256
56585e8470916d2a064ba36783d86f6de681bfee010d0ae4d57ac5be2782898e

SHA512
894731d75b449fa9ade04c1de4c68febe19cbe5d49e0b577707e0a45d600d0cf5b7c7b079ca678a14274a895d23e394effd63deef539384498ffdb0fd7eb3477

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
Filesize
376KB

MD5
5b8afdbe975381391a73bd3d431c3e77

SHA1
8128acaf424188ff3bc87dd3ba3a71ee9fe33b3e

SHA256
674584cc65902ea8754821a390d0bf68bf5f8a9665d11af28a35efe2d024e47f

SHA512
91c92605ecdd193dd1ad11328e5f72c1c19ab1f808944f1f41bc031cca9933d4ce14351ad781fff8d26d963b90d93683898d34d1f8d607828e907f8923691896

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
Filesize
387KB

MD5
c0101a931d5c1b6e60167ab326c2b49d

SHA1
cff1f5af8ab8095552a85d1d56c375efc90720d7

SHA256
bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75

SHA512
77d179d7a3a787c2422b755ddd45241ba90e28fe79ffe2bea93cc2c4bb6aa247d98822d8e526e55b437cbe353bbaf058b8fac26ee6974710452a0d8a4bf6e836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
Filesize
137KB

MD5
18630403f1eb14df337aa08ffe552e6a

SHA1
d7d791437db0f3d445d45342f047d765ea0fef62

SHA256
28cc2b64d86666389d0cb30b7638a47f7f9101d2123333aec5851d201b005133

SHA512
c7c527f77e624d452f650e6d0f4e7b65694152719d80d3d044591b0e179040c507ecec0451f02fe42ad5d155fffcf9f5b0f9d970fabed539f34196e6d66674c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
Filesize
191KB

MD5
477c50e7a22158bc458316fa978a3df1

SHA1
e7bf5cebe3ea7dbaf55fa4732271f2adbd1871b4

SHA256
3baeaed9b0bd3aefda8f071672f1c211933be46ec920feda8e8cf5e5611b41d8

SHA512
5f703d908f0db945a092c07464204783f81daf0eab7cf5ea2462542ea22eeb2a706a3ac2e80ead8cfde8f0e291f7266a6e9a9b2b12c52312bad50674b697591b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
Filesize
109KB

MD5
d860961e1ef6dc1aec143bbf18dc9857

SHA1
ad00bcdbe9708ab4063b0d21872875cb6ca90d4d

SHA256
2a2a59a408bb46db9ada02c11726feee142b2c1b14ec6a15e91b87a467c82d60

SHA512
49a8338ec53bcbd4c01d5921744d775084f86f8026966a0d560e46cfa12b01b3488e4ab9fe7e1f2dbdffa88cf990e3419a5fae97a0020f556cbccfe6c35a7233

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
Filesize
189KB

MD5
ccc78ad1d1d880609cb04512631d28ef

SHA1
191af0ae50144741c35cfe90f0d595093d7668c6

SHA256
d815fb214902d65cf2ad7efa52f58663c9ce252fbbe14f9a24a9a5885110cb67

SHA512
343619fbcffc6d4f60d380fa98f68624397a81417079c7f9a5f9b480e78aa03faf450ff551e6ff2451fdb911ba5e56c6e7933634b0f3a9ba43621bda8ec03437

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
Filesize
187KB

MD5
2cda0f9b6d9c26aed62f4b90d9186f73

SHA1
628093f09f4582aadbdad5a4c9444367c5c376a4

SHA256
94096e69916d0e85796eef2935fa613713af58ffa54fc4dc832165b4e661a71a

SHA512
8746bfa54d9613b33844dd0d441f32743600abac1e31ec11ff1db4c639de1a9921f521e8308125ca9e4fa8a61b2e1e6cfd5746922d27f4fd071943f0d47c7f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
Filesize
173KB

MD5
e13340c2291d5a56823bc52cf7126252

SHA1
3576ddf176664025d236023b9ea97f99fe015999

SHA256
193b536563e5df5a89c455e57a0416b5e49440e40d71ae536180a68e7f224057

SHA512
4c9ee716661e9f407233a06a11ad8095a7dc1bf60cadff698e2858d83383ee9d5dc205b37b78a3293d33d4abb9a81fd0a9dc9c1831dd8d94a742fbda73dd3dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
Filesize
231KB

MD5
e68fd144ca8eef9118467e185cf58202

SHA1
424fd60f51abb6408ca3ea357239a44d95348183

SHA256
5696dc15fb96504654a873a3afccc73ad390c515e1b32c26825af3c27af4fc4b

SHA512
18e62ee427c0cc22113d701b89a5e130239b61f70a1aa6a33f62afff568c4171b7762b00358e8977b313ce66a371980c2d8391ca5d121dc6b6a20c3c83d249b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
Filesize
99KB

MD5
71beec25802df2ba1113828ff471ca64

SHA1
758993b45f4ebb5f333f90d154ad155a6d85dfb2

SHA256
2757edd5b2859823cc600755a75fbd046c4de3f7b83b2071a7abc34b27d0568b

SHA512
817606178b0df3fd0b61c335c76b852329366a3eae3aabb30d3cd6a0d6236b2c5c0f0896f2b595b8ab74f8bf4c53be9522394940d2e1be8fa4349b7d4c49a51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
Filesize
77KB

MD5
0fc1279f91d69e7ccd1e8c0e66796aa5

SHA1
8d2905c9ebf548d9ea6a4b3c8a5fa5d262b186e7

SHA256
478e78cc01f125feab6d38984e9ad5626ca5332a46de8f9437f5846ea58adc4a

SHA512
41a50dfaad9d71966dd26ce6e9922a75c67f2e521286c0281a5157e8b19e30055a5894b9ddd678dda1002c723da3b0648b0d6ae1b0d552c761c75fda429aa4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
Filesize
72KB

MD5
726cfe0937622779ba557b80710ca786

SHA1
b0e4a9dc2a1e33992a9eb4402c466dc4c2dce823

SHA256
2ba83c94c752daab3e0aa2ffe061b5efbfb5236f0016d0004af1396fccd0fd05

SHA512
540d0697dd15d187144fb1f95271a834597957e44ab14f1461df5efaaffe0719dee81137c525914edfccdad76dd3972bb1a83b97a7d9a4b455dcfaa7f9db4a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
Filesize
38KB

MD5
6253b6b65646bd5c4d0e586b0ee73b08

SHA1
c4b58642134b09cf86d7b8216b889528c1106fd2

SHA256
fe3c9cb4413175d618ea9a5897befef3f24b3dd0e973090396506041c4a69b7e

SHA512
be32e812dc2f593d7f406127669b5f1bef5bba2714901a9752f92a276a9eb4c1bec7d60388a52a9fa4c2d9885b3b78d708adf4b25047617de46f94a72c920385

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
Filesize
78KB

MD5
56a24e694008a1de05cbb7ae87217795

SHA1
4737990838d3e8585328063efa1d8b1fb1216b3e

SHA256
9349945ac6374c24c5e228c5c9e60672de5a571a0eda1b25d9b3642bd7ab3111

SHA512
fa25a073ce7e84b07fc111a29fb3d157a93979cb8cfa6d1b2a43ecb4c173e068a58d9b189d418940064d81330c4af74c64fc101c437c7eb27ed6685b6768177b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
Filesize
41KB

MD5
0695aaa8f6ef8cc5b0be0b98c4b13859

SHA1
4a83095e7610dbc2012d65b43a54b4dc90faf90b

SHA256
82d6efdd0d595937ea62a7077708762825d8c654ad41ea66352411808989f405

SHA512
351f170860874849b68524d91d5047d1cc92c4f3946db748b0055868aa0d5b8e25921d00a34c5d1372fe8d7e38d888d8c64d1b7859e257579bd7a645a9ecaefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
Filesize
115KB

MD5
e2f6db9fa8ce0e8e6e4b2e8989e54ad9

SHA1
e550dc09c8279a49d9c83a11e5cb45e9befd6ea6

SHA256
514519261dd8298fa9a985cb7d5ec937e13beb564fb5a6cfdad7f407aa27753b

SHA512
1744e539dfcc1ee023fe72722b46710b48eb2a3552f0cd860f4651b5b92d2c0e5addac67118658a1bdb94577419382ccf71ad4855db28fa65fd4740bf78ed791

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
Filesize
108KB

MD5
b4682093db224b9682679d50cbe6234a

SHA1
12e22be248e2a0865975218e75ddfc5df85bd778

SHA256
a75100099a225273213011fba5cb8417ac134b2b45c48a69bd0eb95429dad54e

SHA512
4fe156b85e2e742d520fd8723ddb984b7b52bf34a8dc236882edb8811dfcc21d20aa18ce24a561f6e1828930d95776854dcf9dd7fcbbc873f6512dcf4525a4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe
Filesize
57KB

MD5
04b603b706948e587931de68ba157c3b

SHA1
1ef35fca3f4bd9d6bb2993ae17d339e3821f2eb0

SHA256
14092cbd7b009f55555c52d482ebcd782a6f4abbcf7561363b43167ed0dd3b62

SHA512
70b398c71059be59f4c34946c674c95a711f9c902f40bd2df47be49159b5b15d8907417f6167dd78f6dc267783dc76b6259b51072c6af06eb0f7deb9e22bfb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
40KB

MD5
63d5e1690e4786b440409f4ea4c6ecc7

SHA1
32b14f432e27e3162e081ff7ef3d9fa66b5b9362

SHA256
0b97af695b7eadbfa8ab367bf3770e1f89ce9c7672aa13c869889850afd3456e

SHA512
cde2d823a7d90631fa6a7ff17f694c58ad0a49de58172047200b43dfd4c54521ad26a57b324108daec73e407c604ed0e6c93b550d99af29d25571a8009ea0a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
85KB

MD5
24c090c62f788b77204a7f90f9fb6240

SHA1
3d4b483e88bc63ca15d27d7fd7a600efe2cccc78

SHA256
07ca896d1fcefa9ccfc86ee4e140f7530c5c165462d28e435f3079c569e1cf18

SHA512
dd480cdde10fb6360981dbefe01f1d53ac54b2b76f6622de53f307fab6f9579d188367f50921cef4768ccf61a113a5be38b340d45100b9807fb72d8a2e852cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
120KB

MD5
81a31978e9c895d3eceeb12192b83390

SHA1
55caaf992b5d27e34d88b15e7c73f050be213e47

SHA256
34f155d405d5651cbbc3011e69b1eabfa9320b6dc5423ba5019a0c3740697c72

SHA512
58fd0db7c81d94b5d5e66d713c4f60813120cad665bd51a083a1bcc1c95aba12f0e29d0e29c4f4aad8a3bc0faca715133e1d3c5d676ecf6a3ce6eb4fbcb5c8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
221KB

MD5
a650c5f82817ad5f9a5afa4cba2d8c38

SHA1
42fffb6880d255c81bc1f64b7e5082879fc6f15c

SHA256
5677d392dba6edda7a5c490d37e3ef7f0e7d5650e418cf5a9a07b3bda4d6c3b8

SHA512
6a75bac5afbf3ad41db3ba8c419348c6c16af8062daea23bc3005820b758125e14e0c705e2f597ef572db9397d10641816b5ae89ed680b4f590f624b22c223b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
48KB

MD5
80950e987b41e92aa5b2c99ef75ffb70

SHA1
3b6c8111387831cdf919f0f15438321a136d6e67

SHA256
77abb41d94132ba76df2b824bacebb5e24339c8c3f1884ffb7e4b077d0613618

SHA512
a6eedbcf6270bdf6c11e249eeaac53d870f21b54c51cf5f6f459a1d40e0088082d5a64683c836106da9c92f7f4f0eaaaf3f83f44c5014921279bbb49d8702c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
64KB

MD5
af5378f5bfc5300b59a3c52b51fd151f

SHA1
6d59d16d09ba9868e70ecc78965c3aabf8c992ee

SHA256
efdb5133f78f0f5239f2fff7fb00944a0867e6b41b8c64306e40414e97f04ed0

SHA512
8db2cf6cac9b88fdd945f95e722308152be1d7c8088579d95ed8207c0beb21e34fc0188b995d00bae9dc3c896a3c6fede2d2d433e1044d9e9ba931e04f4568b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
66KB

MD5
80f33c01d5faa2559661f81fa7a117f8

SHA1
95d50b925849a01a8768b7a3de8f3efef6ae7be3

SHA256
35f06bcaba482d5e93458f7f9b56e0cef7a8b97e80a17ff3bc310651386afb70

SHA512
cbd88d0c890068d96bdf593a247637f7e1da15522e2ede4447a7cdee253bd555f2adb3796ef1ae4923218173a4feaf17602a9226b1bc674b81a4ed065397f201

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
93KB

MD5
2efef5306a0f2b18d2e4c48d8e58ff98

SHA1
ab510e57b1f7dab922c02e31db78649b823c9124

SHA256
8a57871faa5e3a9c289b1625eddda5dc429ac9384bef97d77ea152946a9d66e4

SHA512
143a2deab90ab3a36208c60cad79d6435825b504e19d59f6fdd3af8359bf8b5d686ad3b655276b4c0df66acd74ce8b13000b3432ad4c7a3b9f7870eb6622adcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
114KB

MD5
b767f6d3bc333fa99d79c5afd10b0db7

SHA1
33ec8cad5cf1561dd108d163cc978c5f8c55bd7c

SHA256
069e035033c13c4389b51c9691a631e9eed9892b4460e37f75f5c74564d48606

SHA512
568eff64ebe8f9f4c6b94ccbd3f14097f810440dda9f59b2fddc2e92baa1819fc96005f1cb3386da3bf67e563d5d2563d2da043269376b38c929715563dc2704

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1oavjhu.hiu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
31KB

MD5
51ec7b589f288426aa48d156897dfe83

SHA1
26833712761f6c38c1865891e06234835536a852

SHA256
d33fe00e136e04a41cf3f634765927f3e06a5562ab840a4ea09c50346d3cf8e6

SHA512
39f2c0ba262abdbc5cee378c9dfe820e58c4d6ab337b1b56580145713ba9640ef7618bc72cc8dce859dd6279ae67eaffd964e7f593b9872b41cdec71dca5418e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
33KB

MD5
18c1e853ef10bdaa7bd1af0ea13ab7ab

SHA1
1c90a2516b5f9a222480eb67b5806164439996e2

SHA256
5d72481f6a0ead5dd9e676af33ab9ebce6fb5d7f884958d905222b37e39772f3

SHA512
91d0731fcc9b891293cb2e4dc6acda145c09a8df9acc961b2b1e7980ad160d27f5c0111d2754c71d5e7e2a5d4e70d675a6eeed77be635842d94bef8f97613f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
498KB

MD5
cefa5c566be85b7f8f8cb67bcdac8408

SHA1
9bb85bfde33125e5e458f2e9f9870c26c1a8d65b

SHA256
b19c92ee6d46cb6a77679e3a4795fe76565f6f65f29b1ca32353dd63c2e4b9ff

SHA512
764b9c27c42bc6c76472b030c191cf380d86095026937dcab5a202a13794433d84e24f849080ee8631486abaea469a584e9dc287949f76e4df51c7d07705468b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
554KB

MD5
318c1c11510ec25b0d065f06c24c857a

SHA1
e5606d00ea131e176f8fa0cd06a21d1f07503b76

SHA256
7e0b0db256e5bddd5c1433424598d31792b3d919a9e83c9e8bb99dad11407438

SHA512
291ce81a9edfa8a8d864552905af227f15d61d6bfaf646af026dff71085d9011d86dc83ba4523060ce85a77690235dbcd2e047d9056c6b01c8819a481f979ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
652KB

MD5
79b5c0beb9bd566351baa6db46e9dc9c

SHA1
0b6c774b0c6c6424626feea6aedc6972bcbb998a

SHA256
af95d67d672bbf418581aea15bd8f9a3214b18816fa3fc570e198a7dbee0e38d

SHA512
99519f3578bfe13e19d2f62a7bc50c0afd13aaa24117fdece927b40b02b1bac4c7559e3332db89c034e904204bcb922ffbc76f9a6898908cb9ca04f633cf3bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
108KB

MD5
f4c2a043307cbda025d0221047a17ebb

SHA1
c4777cb4b649b2819cf4aaf5cefe4ba650aaa23d

SHA256
7430c03df7f22570d8ace3128a4214f9e9f2f8767fe70f8c41ccddc3881c3b19

SHA512
34193c42ebd0d680a2675958f20692dac0ca4db94659c3adf83a9b6fe35b2438ec1a9bd689efd91572d3e35bc86733e5f358d231de6630a53d8f956f05107c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA625.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA625.tmp\INetC.dll
Filesize
1KB

MD5
c7ae096c02849c7eeb07623b18de8a59

SHA1
9f57c75aa9f96121413a793d356d876a09f564ca

SHA256
711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0

SHA512
2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAA1E.tmp
Filesize
106KB

MD5
4e7ec06e60594c86f18fcebfe22da18c

SHA1
db254213b90854e32b94f35974609d00e8915787

SHA256
8d9f1041cf60316d703517f7053a449d4139c5271ffa7a324129ab3871183e7b

SHA512
586ebc296ab2bdaecbda33cf3f8e88f45a61a8e97e8750472ab68b0d02a34edb04e1b64f3f3f88bd06f28c3f2b2a5b48e5f379e10135f9cbe5f026ad080f69e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAA1E.tmp
Filesize
133KB

MD5
32a581375e37ac074f3ffaf99579b5e4

SHA1
595d1a3daa8fb90d1ceda8d10a961088b2c06928

SHA256
b6b05ac200d8feeea4b88ec3d36ab776db195073b9d113173d533061d7ee0f3f

SHA512
3e7580b2cde3e84b8214ffedb1acfc23241d78c137d5ac3500ff50f7b0c3dfdcd44865da1764c76988f7382b060143c5acdb8256f83b293f27eaaf4c6095d21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
144KB

MD5
8376cdbd5b59da0905f3606379ba5fa3

SHA1
79ce04ef487cbb6f83e6e9c3eda01061cb6e4488

SHA256
6f53431380b750f6ab2fa51419d6ca7c8394de8bbc7a3c942958657684463f6f

SHA512
aebafe88ab0d6f672e08fc67a9af6ca3f0c092bc7592ee98c89a5eda72162e93055bd0fb1721fa09ec8da3a1bf591299df6af828edfa6cf6965e356afb59a1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
57KB

MD5
78394ad4787f4e98965fbbb62d079fef

SHA1
2bf8bc202db6b9dbf03e2b852645947e216f0c23

SHA256
437fa9b74ff9727c08e8c2dd997f9a36229948d4d4f04f06c8816b2fbceabe5c

SHA512
27621d6b4421e5ab8d2cf9c31be6b626f649b5d30caff6274c9fa02bb244a4f94a036f2083722b030dada67f84bbcb4a5d769925ec30f4a81fcec87fe40b98eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
68KB

MD5
38eb33e82f09911dc42dffd4c22b3281

SHA1
541672de70ed1277956b5a01f94283c840e987bc

SHA256
63434eb650428e9764d0cb7a6fc2efa7b8a0edf90e30b0b85faa6a74b53fee0b

SHA512
200a853591be2ff8a0cb313e5a4b1c4d47ab133048d4e56ffad1d29fe653c259968b430b3b8d38c69f39ec1bf933f2db6a923f2424edb1b020536c089523f762

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
171KB

MD5
95e1487cfa0da158c864368dcb49175a

SHA1
8b4940f7db1e92a1958e92f4e07a7e7b5d5ec67c

SHA256
09d71e8c2a892cee75ae48367dfebed3ef34a0ece826b1afbcbcd52c5a5e0789

SHA512
a864611dfee9af1534853b9df133d5972bf33b015d19fcb56a4e73f978404e117962af926caf77b292a408f1b721860ffcd2a35379d8bd317e06191afef3ece7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
123KB

MD5
89060907009a73af156cd8fea7eb3ac4

SHA1
8545c5ff6d9236dbba8737fbffeed0c8d70023df

SHA256
06f177aefcb72ebae47b15079749b84cdb6e977f1584762b586f577da337029e

SHA512
e40513f84359b9f9413507d1d08abc548c586f79bb185259e00715e30c01826e5851cf6854da26e9cc306c2ae71824b13945c01031cd85eb39e92f8c03c44ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
113KB

MD5
2bade33edd6663cdc473c5f60826432d

SHA1
c2a90152e082892d868231fdd2ec73581a257b20

SHA256
d79f85145a4a8b50a08d8b7aba6c6e6426080248cd0d68f3c482cf2c8bef48d7

SHA512
e48f6b5c1b2458f2f7784346ec7be51306e16d5412ee96676a3f2d1cf4007ec000ec5a8266a412e932af012e803cb716ae90d60d94154ce76ddafe09c68b1b8d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
84KB

MD5
63a7f15a224605735ed6d33b033507e1

SHA1
92d6185fd0307c1d4ba9d8562d54607aec1e34c5

SHA256
6fa0268434834e310d449335d5a190d758e0c21a57dbc07c21727145bf6dfedb

SHA512
bbf5e6f8b432cbd0084a07709ebaa294f60fed06cd1ef52bd90d7389cdf3f7e5f18f3803c99e9cec8b16f46f6c1158f169c2778b0cfa940f68440c3fccde653f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
4KB

MD5
9b361529dc165e534afb5a640267bb3d

SHA1
59ae316dc133035c4ea53e2810cc515ab0d51972

SHA256
401abe1e094b01644a68ab8e88f89a41cb23f88bdbbe2d23297a7d1b607c6050

SHA512
d756e62cabda4cc99e96dbeeed39d991d4d849c73cf4691bb9af7882e0cf46e0af35341ff818eaa294ad771929d2ccfc06527b26636825edf7d11f9c2daf0141

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\ms_tool.exe
Filesize
89KB

MD5
e9639c3b83fd70c88792ab702d738d07

SHA1
9542934e27f2541da6e6a4aca69879011b063f29

SHA256
8237163b9d075e0ab0c77457d2fd426d17c230c8731a6237c1755e04b40519db

SHA512
f58905ef892ea6ac18d3467ae2106cc462f427bd1538ced99ef59e4ffaf979f18fa1ab6f9bf08951df8efa912896d8ec7611a33fe1304976f6bd1e55a82286bf

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
149KB

MD5
5488217779304d10452976a1566ec474

SHA1
6859c8c839d830b74252a3a92e0faf8508165701

SHA256
82917b6a3884d2718aa52e41a8b3c2b2a71901de400c8c2d12cb4bb0053361e1

SHA512
bd63cc9e7a7f9fcc520e30a293b34cd89f2c61968909e7de866fd379f22bc238761ed3ac0d56658e0dd90ee27b452f79b786ca3323462424f071064b9ee61d87

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
46KB

MD5
a0377410b7e3d06d5079c2bda1a94243

SHA1
338b5e8a81f7684893bf0d239378336d84f22025

SHA256
af5698e361ae340bb4056bc6eb8b819fe00c27227d39b0476139ffa1b52371b9

SHA512
057b274e4ca6ea057445251ac341d4a979bc02a7d2fa0ae55ed854fc905eb3253e10c9f1f359a02d1f7f2e4f4b420374f7be23da4fcddabe4fec95f354bad55f

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
66KB

MD5
3fb5d2edab97a7d9a893179be898e356

SHA1
01ba0ab2024a85db2c01efb1a56581d94a72f5f8

SHA256
593678bcd1d16e00a2a416545e47d7141e1d54d4849ec9858863ffc0542107d8

SHA512
dbb9c2a362ec2de4ae3c3fe3b6406a3f26d4cb74062b76e92b3c9c3a7992ab2569926399aebfb534be948d734eba363a013e6fcd3579b87530ceb846b2683bba

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
3cd74959cf5520be16bfa4f3a22153e5

SHA1
e07f08989e630383cc2f296d7de2b52baf361416

SHA256
f05d17a497ecaf3b8ddc4feff8bb741776155c1a2b133a1a99f9bc87f00e38df

SHA512
3edc55226d9ab1b906b5a9eb982b6d22907eb6ecf5883ddf35acc2f023f6ed76d27575ced59de8923e274385e0ba04af3fb70649499ef61666de5d723f391d8b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ca7d6045d714a6dd49da898be2d2a0b0

SHA1
b71869471ba25968eecc10c0e69999f52334cd16

SHA256
5388c373ed1daaad40022891dea84aaf777e226aaeb1afcbb44acc03d4b946b5

SHA512
d3806e07d7d3285952dde2aedb6eb7b57a519281f59507c1210f471e276b5726be524fe61f8c8e03b6964e19d6f6a055680a6c608aebfc16afcc0f158f8a41f0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f8d5033ad2e223d637b0954f079ad862

SHA1
492bef25a6f67f6afdbaf2683cc5aa411ad45e4b

SHA256
d13adbb513f1de5838f3ef049f39f4b2313a86263fb4be4a5788c60b283e3355

SHA512
af21d7360165470018956402e2694087d382c2887af3c219ae9e1c3f593011fbcfc0f265f781a3fed4a7b0cac97344306e630fb82fc966ef2b499ebaa0470885

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
8f5013b764a6ffb1c134644df1a05bda

SHA1
7c2eb620843ec2e34d57fccce1349bf599bcb48f

SHA256
69bbdfc1f02ab0fadc41d3c806469f7387e8c938ace0197c818168918a9a55f4

SHA512
1943356cc8d494cca689bfe37e7c27aadebdd3c17bf6e1b5eef0c4471d23cc9b524efe384723cee0f17b392ea431a1fd510f47dd9b2b010f4f3385cb62cdc5fe

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
d5a4f9f4ec9d5fe457a76b153c575a06

SHA1
237a60daef593e41e7e511d672e9b69c7f508fc3

SHA256
738be71b1bc016e77631aec608cc2caa184e0ac7e22e9a240ab49da8e19e14bf

SHA512
dbcd64f9d20e7ab1a43d723633578e60d9c0de6aa80d7bdc34e104e83fa622aef66f55bb89c1be60a45ae23f007512c71ba1c651f5ffc0ae66cd58be9bba2059

Download Submit
C:\Windows\rss\csrss.exe
Filesize
88KB

MD5
736b1babf3475d162781719128edc659

SHA1
427e70f4acd7f9e981080c3aebd14396c74c2efe

SHA256
d234ccf4f76121b0a51b6fa09bab5c93c5b5a7d10fbf1db0831290c52d3cbd31

SHA512
a586495ea0ea776bae97a7b171cfcbb99b3d68d74a160c71198d89ccaab158c821bf8735faf84dfbb488e7a40c7d77ee2a95f5d8d6de2a04ea936781a03904e6

Download Submit
C:\Windows\rss\csrss.exe
Filesize
53KB

MD5
2a01a3caa9b05e0edd1ac02a02c7f52f

SHA1
cc9f19149c45905e38fbbaf10ff85c3c5c82e547

SHA256
7f0a2655d68c70351628751e9b8f3049ca17a146cc5fdff604b676cd28247198

SHA512
e229f234cdec12a312a09f50736c1bfe87ce9aca9dc6d89331018198ea814edd72674cdd3404176f50ea046bc812488e3ccd4c1516f3cd64e7025def2570f324

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
54ef66a2354691f7925f15eb520a888e

SHA1
a36036aef8f690db5612eb2326a9015e94e9c43f

SHA256
0f6a105fc2a026f60919579108e06a9f7c38f22ca4e4284a6a23eeebb453ef83

SHA512
33184e1aa8a6dedf2e6d69e315cfc59ab6ab32cc94861931a23104a02e8c02ac009d02196530caff0fba359ece52b725c511b36d36492e22238dbd447e9ffa85

Download Submit
memory/864-204-0x00007FF6C7A70000-0x00007FF6C7D05000-memory.dmp

Filesize
2.6MB

Download
memory/1048-253-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-259-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1048-260-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/1048-262-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/1136-17-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1136-177-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1136-110-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1136-471-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1136-16-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1136-274-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1136-751-0x0000000000360000-0x0000000000768000-memory.dmp

Filesize
4.0MB

Download
memory/1388-860-0x00007FF75C510000-0x00007FF75CF4D000-memory.dmp

Filesize
10.2MB

Download
memory/1504-482-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1504-775-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/1504-643-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2324-276-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/2324-296-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2324-75-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/2324-203-0x0000000000A30000-0x0000000000A82000-memory.dmp

Filesize
328KB

Download
memory/2324-70-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/2324-178-0x00000000031B0000-0x00000000051B0000-memory.dmp

Filesize
32.0MB

Download
memory/2324-76-0x00000000031B0000-0x00000000051B0000-memory.dmp

Filesize
32.0MB

Download
memory/2324-205-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/2324-68-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/2324-67-0x0000000000EF0000-0x0000000000F4A000-memory.dmp

Filesize
360KB

Download
memory/2452-797-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2452-793-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2556-858-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-863-0x0000019698C20000-0x0000019698C40000-memory.dmp

Filesize
128KB

Download
memory/2556-841-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-846-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-842-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-844-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-845-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-847-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-848-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-843-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2556-861-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2640-601-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3012-246-0x0000000000FA0000-0x0000000001008000-memory.dmp

Filesize
416KB

Download
memory/3012-257-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/3012-251-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/3012-248-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/3012-258-0x0000000003420000-0x0000000005420000-memory.dmp

Filesize
32.0MB

Download
memory/3176-152-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3176-250-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/3176-151-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/3176-252-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3176-150-0x0000000000490000-0x00000000004E2000-memory.dmp

Filesize
328KB

Download
memory/3236-828-0x00007FF65F3C0000-0x00007FF65FDFD000-memory.dmp

Filesize
10.2MB

Download
memory/3312-806-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3500-832-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3500-834-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3500-835-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3500-836-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3500-837-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3500-840-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3632-618-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3656-386-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3716-598-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4004-116-0x00000000070C0000-0x0000000007282000-memory.dmp

Filesize
1.8MB

Download
memory/4004-176-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4004-105-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/4004-106-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4004-111-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/4004-108-0x0000000004F90000-0x0000000004FCE000-memory.dmp

Filesize
248KB

Download
memory/4004-107-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/4004-109-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/4004-117-0x0000000007290000-0x00000000077BC000-memory.dmp

Filesize
5.2MB

Download
memory/4004-115-0x00000000069E0000-0x0000000006A30000-memory.dmp

Filesize
320KB

Download
memory/4004-112-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4004-113-0x0000000006330000-0x00000000063A6000-memory.dmp

Filesize
472KB

Download
memory/4004-114-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/4008-300-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4008-297-0x0000000000D70000-0x00000000013F0000-memory.dmp

Filesize
6.5MB

Download
memory/4384-227-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/4384-226-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4384-225-0x0000000000B80000-0x0000000000BD2000-memory.dmp

Filesize
328KB

Download
memory/4384-298-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4444-831-0x00007FF681C90000-0x00007FF6829F1000-memory.dmp

Filesize
13.4MB

Download
memory/4704-275-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4704-201-0x00000000008E0000-0x0000000000EE8000-memory.dmp

Filesize
6.0MB

Download
memory/4704-202-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/4704-200-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4712-2-0x00000000004D0000-0x00000000008D8000-memory.dmp

Filesize
4.0MB

Download
memory/4712-0-0x00000000004D0000-0x00000000008D8000-memory.dmp

Filesize
4.0MB

Download
memory/4712-1-0x00000000004D0000-0x00000000008D8000-memory.dmp

Filesize
4.0MB

Download
memory/4712-13-0x00000000004D0000-0x00000000008D8000-memory.dmp

Filesize
4.0MB

Download
memory/4856-175-0x0000000000010000-0x0000000000018000-memory.dmp

Filesize
32KB

Download
memory/4856-261-0x00007FFDA5F20000-0x00007FFDA69E1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-180-0x00007FFDA5F20000-0x00007FFDA69E1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-81-0x0000000006530000-0x0000000006B48000-memory.dmp

Filesize
6.1MB

Download
memory/4976-179-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4976-78-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4976-91-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/4976-229-0x0000000073180000-0x0000000073930000-memory.dmp

Filesize
7.7MB

Download
memory/4976-79-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4976-77-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4976-80-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/4976-92-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/4976-93-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/4976-95-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/4976-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download