amadey | 99215ca6eef63aa9399c52e6579aad4caf12bdce85d327a1591fab6e1c223b8b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe
Size

791KB
MD5

633c983c901941da05e19f89ca8e9d33
SHA1

82bc062a291c45b6e4ede5bf3bffbf85029d07d1
SHA256

5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608
SHA512

8090fe04a680a7d9a7d782120f65f2b81ce7b25ba42937f7e561bfaf9a228d05a8dfa35659704c3933ca4394cdbffae791f09ed43e49f2fb62ea84bcda4391f4
SSDEEP

12288:7UStB7HU0I9Qnjo7YNQKeS2YcKify3iHTr4cnSr3/35elqxHGIF3S:TBPCQn8wQLsiK3IHDnQ3v0lql9Fi

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Extracted

Family

redline

Botnet

@Pixelscloud

94.156.65.198:13781

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

redline

Botnet

Legaa

185.172.128.33:38294

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4444-251-0x0000000000400000-0x0000000000458000-memory.dmp	family_zgrat_v1
behavioral2/memory/5260-832-0x00000000009E0000-0x0000000000A3A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2584-579-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/6076-725-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1588-69-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/4892-103-0x0000000002360000-0x00000000023A0000-memory.dmp	family_redline
behavioral2/memory/4892-105-0x0000000004A00000-0x0000000004A3E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
behavioral2/memory/1184-148-0x0000000000E40000-0x0000000000E92000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe	family_redline
behavioral2/memory/4992-220-0x0000000000AD0000-0x0000000000B22000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe	family_redline
behavioral2/memory/2036-224-0x0000000001370000-0x00000000013C2000-memory.dmp	family_redline
behavioral2/memory/4444-251-0x0000000000400000-0x0000000000458000-memory.dmp	family_redline
behavioral2/memory/4708-369-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5224-822-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5224-824-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5224-828-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5224-831-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5224-836-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5224-826-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5224-825-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

113 5704 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5348 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
113	5704	rundll32.exe

pid	process
5348	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Miner-XMR1.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Miner-XMR1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Miner-XMR1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsp9FEC.tmp5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exeexplorhe.exenewbuild.exelegnew.exelatestrocki.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	nsp9FEC.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	newbuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	legnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	latestrocki.exe

Executes dropped EXE 32 IoCs

Processes:

explorhe.exemousocoreworker.execrypted.exelegnew.exenewbuild.exems_updater.exedata.exeqemu-ga.exe2024.execrypteddaisy.exelatestrocki.exeInstallSetup7.exetoolspub1.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exerdx1122.exensp9FEC.tmpnsp9FEC.tmp31839b57a4f11171d6abc8bbc4451ee4.exeSetupPowerGREPDemo.execsrss.exeMiner-XMR1.exeiojmibhyhiws.exeinjector.exeflesh.exezonak.exepixelcloudnew2.exewindefender.exewindefender.exeexplorhe.exeexplorhe.exe

pid	process
2332	explorhe.exe
2232	mousocoreworker.exe
3548	crypted.exe
4892	legnew.exe
2056	newbuild.exe
1184	ms_updater.exe
1596	data.exe
4940	qemu-ga.exe
4992	2024.exe
948	crypteddaisy.exe
4076	latestrocki.exe
1412	InstallSetup7.exe
4660	toolspub1.exe
2584	31839b57a4f11171d6abc8bbc4451ee4.exe
4560	BroomSetup.exe
1436	rty25.exe
3248	rdx1122.exe
5160	nsp9FEC.tmp
5264	nsp9FEC.tmp
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
5668	SetupPowerGREPDemo.exe
5896	csrss.exe
6136	Miner-XMR1.exe
2496	iojmibhyhiws.exe
2564	injector.exe
5260	flesh.exe
5180	zonak.exe
3456	pixelcloudnew2.exe
5448	windefender.exe
5644	windefender.exe
5560	explorhe.exe
3996	explorhe.exe

Loads dropped DLL 6 IoCs

Processes:

InstallSetup7.exerundll32.exensp9FEC.tmpdata.exe

pid process

1412 InstallSetup7.exe
1412 InstallSetup7.exe
5704 rundll32.exe
5264 nsp9FEC.tmp
5264 nsp9FEC.tmp
1596 data.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1412	InstallSetup7.exe
1412	InstallSetup7.exe
5704	rundll32.exe
5264	nsp9FEC.tmp
5264	nsp9FEC.tmp
1596	data.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exeexplorhe.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000498001\\zonak.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exeiojmibhyhiws.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	iojmibhyhiws.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

Processes:

explorhe.exezonak.exeexplorhe.exe

pid	process
2332	explorhe.exe
2332	explorhe.exe
2332	explorhe.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
3996	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe
5180	zonak.exe
2332	explorhe.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

crypted.exemousocoreworker.execrypteddaisy.exerdx1122.exensp9FEC.tmpiojmibhyhiws.exedata.exe

description	pid	process	target process
PID 3548 set thread context of 1588	3548	crypted.exe	sihclient.exe
PID 2232 set thread context of 2036	2232	mousocoreworker.exe	jsc.exe
PID 948 set thread context of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 3248 set thread context of 4708	3248	rdx1122.exe	RegAsm.exe
PID 5160 set thread context of 5264	5160	nsp9FEC.tmp	nsp9FEC.tmp
PID 2496 set thread context of 3816	2496	iojmibhyhiws.exe	conhost.exe
PID 2496 set thread context of 5224	2496	iojmibhyhiws.exe	conhost.exe
PID 1596 set thread context of 5424	1596	data.exe	MsBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4884 sc.exe
4104 sc.exe
5424 sc.exe
5324 sc.exe
3772 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2068 4660 WerFault.exe

pid	process
4884	sc.exe
4104	sc.exe
5424	sc.exe
5324	sc.exe
3772	sc.exe

pid	pid_target	process
2068	4660	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsp9FEC.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsp9FEC.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsp9FEC.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2176 schtasks.exe
5412 schtasks.exe
5600 schtasks.exe
5516 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3728 timeout.exe

pid	process
2176	schtasks.exe
5412	schtasks.exe
5600	schtasks.exe
5516	schtasks.exe

pid	process
3728	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exeiojmibhyhiws.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	iojmibhyhiws.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	iojmibhyhiws.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	iojmibhyhiws.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	iojmibhyhiws.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	iojmibhyhiws.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	iojmibhyhiws.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iojmibhyhiws.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

legnew.exesihclient.exeRegAsm.exetoolspub1.exejsc.exepowershell.exensp9FEC.tmp31839b57a4f11171d6abc8bbc4451ee4.exe2024.exepowershell.exeRegAsm.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exeiojmibhyhiws.exepowershell.exepowershell.exe

pid	process
4892	legnew.exe
4892	legnew.exe
1588	sihclient.exe
1588	sihclient.exe
1588	sihclient.exe
1588	sihclient.exe
1588	sihclient.exe
1588	sihclient.exe
1588	sihclient.exe
4444	RegAsm.exe
4444	RegAsm.exe
4660	toolspub1.exe
4660	toolspub1.exe
2036	jsc.exe
2036	jsc.exe
5396	powershell.exe
5396	powershell.exe
5396	powershell.exe
5264	nsp9FEC.tmp
5264	nsp9FEC.tmp
2584	31839b57a4f11171d6abc8bbc4451ee4.exe
2584	31839b57a4f11171d6abc8bbc4451ee4.exe
4992	2024.exe
4992	2024.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
2036	jsc.exe
2036	jsc.exe
2036	jsc.exe
2036	jsc.exe
2036	jsc.exe
4992	2024.exe
4992	2024.exe
4992	2024.exe
4992	2024.exe
4992	2024.exe
4708	RegAsm.exe
4708	RegAsm.exe
4708	RegAsm.exe
4708	RegAsm.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
6076	31839b57a4f11171d6abc8bbc4451ee4.exe
4708	RegAsm.exe
4708	RegAsm.exe
5840	powershell.exe
5840	powershell.exe
5840	powershell.exe
4708	RegAsm.exe
2496	iojmibhyhiws.exe
2496	iojmibhyhiws.exe
2496	iojmibhyhiws.exe
5884	powershell.exe
5884	powershell.exe
5884	powershell.exe
5948	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

legnew.exesihclient.exeRegAsm.exejsc.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exe2024.exepowershell.exeRegAsm.exepowershell.exeiojmibhyhiws.exepowershell.exepowershell.exepowershell.execsrss.execonhost.exeflesh.exesc.exepixelcloudnew2.exe

description	pid	process
Token: SeDebugPrivilege	4892	legnew.exe
Token: SeDebugPrivilege	1588	sihclient.exe
Token: SeDebugPrivilege	4444	RegAsm.exe
Token: SeDebugPrivilege	2036	jsc.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	2584	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2584	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	4992	2024.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4708	RegAsm.exe
Token: SeDebugPrivilege	5840	powershell.exe
Token: SeDebugPrivilege	2496	iojmibhyhiws.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeSystemEnvironmentPrivilege	5896	csrss.exe
Token: SeLockMemoryPrivilege	5224	conhost.exe
Token: SeDebugPrivilege	5260	flesh.exe
Token: SeSecurityPrivilege	3772	sc.exe
Token: SeSecurityPrivilege	3772	sc.exe
Token: SeDebugPrivilege	3456	pixelcloudnew2.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exeexplorhe.exeBroomSetup.exezonak.exeexplorhe.exeexplorhe.exe

pid	process
4864	5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe
2332	explorhe.exe
4560	BroomSetup.exe
5180	zonak.exe
5560	explorhe.exe
3996	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exeexplorhe.execrypted.exenewbuild.exelegnew.exemousocoreworker.execrypteddaisy.exelatestrocki.exe

description	pid	process	target process
PID 4864 wrote to memory of 2332	4864	5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe	explorhe.exe
PID 4864 wrote to memory of 2332	4864	5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe	explorhe.exe
PID 4864 wrote to memory of 2332	4864	5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe	explorhe.exe
PID 2332 wrote to memory of 2176	2332	explorhe.exe	schtasks.exe
PID 2332 wrote to memory of 2176	2332	explorhe.exe	schtasks.exe
PID 2332 wrote to memory of 2176	2332	explorhe.exe	schtasks.exe
PID 2332 wrote to memory of 2232	2332	explorhe.exe	mousocoreworker.exe
PID 2332 wrote to memory of 2232	2332	explorhe.exe	mousocoreworker.exe
PID 2332 wrote to memory of 3548	2332	explorhe.exe	crypted.exe
PID 2332 wrote to memory of 3548	2332	explorhe.exe	crypted.exe
PID 2332 wrote to memory of 3548	2332	explorhe.exe	crypted.exe
PID 3548 wrote to memory of 1196	3548	crypted.exe	RegAsm.exe
PID 3548 wrote to memory of 1196	3548	crypted.exe	RegAsm.exe
PID 3548 wrote to memory of 1196	3548	crypted.exe	RegAsm.exe
PID 3548 wrote to memory of 3168	3548	crypted.exe	RegAsm.exe
PID 3548 wrote to memory of 3168	3548	crypted.exe	RegAsm.exe
PID 3548 wrote to memory of 3168	3548	crypted.exe	RegAsm.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 3548 wrote to memory of 1588	3548	crypted.exe	sihclient.exe
PID 2332 wrote to memory of 4892	2332	explorhe.exe	legnew.exe
PID 2332 wrote to memory of 4892	2332	explorhe.exe	legnew.exe
PID 2332 wrote to memory of 4892	2332	explorhe.exe	legnew.exe
PID 2332 wrote to memory of 2056	2332	explorhe.exe	newbuild.exe
PID 2332 wrote to memory of 2056	2332	explorhe.exe	newbuild.exe
PID 2332 wrote to memory of 2056	2332	explorhe.exe	newbuild.exe
PID 2056 wrote to memory of 1184	2056	newbuild.exe	ms_updater.exe
PID 2056 wrote to memory of 1184	2056	newbuild.exe	ms_updater.exe
PID 2056 wrote to memory of 1184	2056	newbuild.exe	ms_updater.exe
PID 2332 wrote to memory of 1596	2332	explorhe.exe	data.exe
PID 2332 wrote to memory of 1596	2332	explorhe.exe	data.exe
PID 2332 wrote to memory of 1596	2332	explorhe.exe	data.exe
PID 4892 wrote to memory of 4940	4892	legnew.exe	qemu-ga.exe
PID 4892 wrote to memory of 4940	4892	legnew.exe	qemu-ga.exe
PID 2332 wrote to memory of 4992	2332	explorhe.exe	2024.exe
PID 2332 wrote to memory of 4992	2332	explorhe.exe	2024.exe
PID 2332 wrote to memory of 4992	2332	explorhe.exe	2024.exe
PID 2232 wrote to memory of 2036	2232	mousocoreworker.exe	jsc.exe
PID 2232 wrote to memory of 2036	2232	mousocoreworker.exe	jsc.exe
PID 2232 wrote to memory of 2036	2232	mousocoreworker.exe	jsc.exe
PID 2232 wrote to memory of 2036	2232	mousocoreworker.exe	jsc.exe
PID 2232 wrote to memory of 2036	2232	mousocoreworker.exe	jsc.exe
PID 2332 wrote to memory of 948	2332	explorhe.exe	crypteddaisy.exe
PID 2332 wrote to memory of 948	2332	explorhe.exe	crypteddaisy.exe
PID 2332 wrote to memory of 948	2332	explorhe.exe	crypteddaisy.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 948 wrote to memory of 4444	948	crypteddaisy.exe	RegAsm.exe
PID 2332 wrote to memory of 4076	2332	explorhe.exe	latestrocki.exe
PID 2332 wrote to memory of 4076	2332	explorhe.exe	latestrocki.exe
PID 2332 wrote to memory of 4076	2332	explorhe.exe	latestrocki.exe
PID 4076 wrote to memory of 1412	4076	latestrocki.exe	InstallSetup7.exe
PID 4076 wrote to memory of 1412	4076	latestrocki.exe	InstallSetup7.exe
PID 4076 wrote to memory of 1412	4076	latestrocki.exe	InstallSetup7.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe
"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2176

C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
"C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe"
3⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
"C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Roaming\ms_updater.exe
"C:\Users\Admin\AppData\Roaming\ms_updater.exe"
4⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
"C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:5424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
"C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5396

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2496

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5948

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:5992

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:2564

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5516

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:5448

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5160

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp" & del "C:\ProgramData\*.dll"" & exit
7⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5704

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
"C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe"
3⤵
- Executes dropped EXE
PID:5668

C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:6136

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"
4⤵
PID:6016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:4104

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:5424

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:5324

C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe
"C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5180

C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 220
1⤵
- Program crash
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4660 -ip 4660
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
2⤵
PID:5228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
3⤵
- Creates scheduled task(s)
PID:5412

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:5380

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5348

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv rvViOhNg1UCCFnraEXtuJg.0.2
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3816

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:3728

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:3268

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5644

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5560

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
279KB

MD5
b46971f3901385029a4565d85b8ab50e

SHA1
4b00ffc3163395b343f7ade552b4bedd12160325

SHA256
34d93e4900bb3619304981c96495c09cab7035ad1619847e222b890a1c7f8c0e

SHA512
8a9a297b7c4b4fe267f07efce98f6b634a007478d003e3cc2d0e87b0866c65f787327effc48a2b6ce08d255aed047b2542fa08e8332cb83557e33c4a81531f47

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
78KB

MD5
c16871896bf076a6ab982e6a208c03b6

SHA1
63c73d0b8a08bf7720122f49674bcd7871fd312b

SHA256
50e8c4db8563a180005662b1df703607e76fd52dd32ba09485d760d6994219cc

SHA512
aeb244218866d012c4532a36d30f5a1254164e9ddcd8c83ddc3f3ea43a018b75213695fea4a0807843ef46cf6c80496c97f8f31a45f5bf5a6a0418ffa3bc35df

Download Submit
C:\ProgramData\mozglue.dll
Filesize
121KB

MD5
ace16e765ad1a43e2bc687ba67e3629f

SHA1
5ce1c5740d564fa542a7135339037dde49a12e2a

SHA256
b8a3c0d9d8af6b5ee6143fb17c7498bb8f36d67ae7f0e7dce8ee10d442820016

SHA512
99d2071b625fb7c9a060b184134c7ad3ad93a42d63c3db044a85c51fcec31c539dfebbb01ff25769dc5d0799897634f9bb4dd30288eb1584e3a9b6f03aa74540

Download Submit
C:\ProgramData\nss3.dll
Filesize
127KB

MD5
b51c30b4004d8c5c1e2e2409ac6495b5

SHA1
270df3d99046e7608e74eff4b77bfb277559159f

SHA256
62d55299a85df829bee3e7eccc4d70fd17f0001d5c24d5ad0436f874ee43849e

SHA512
610ecc122565e0a567ac08d600bb01beec3bdd3cb733f54cfb61d8365bff385477c55d4627683a1fcebb4e01b29efe054bc91ac202b5749481a24815b81bb357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
Filesize
17KB

MD5
8d5ed9630b0aad76bea937c8008a1aa9

SHA1
a384063bc10511f303a0d3d401f9293b8ffb74f2

SHA256
7c12a86a9e69241ae6bc099c3c6d157b9f2cbe999f375af0ed867511cce5e964

SHA512
a6e30e26d3ef70be2927f7b8a012fe3f325f9861bae5afa58875f2f3818f67b6b90e0c9c52b4cafc0c2f2ef94519a9b236847cfb5edc6ca6e6bd23f6d0ada77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
Filesize
1.2MB

MD5
4c374666fd80d3f3b1e63fd12c1e7cc2

SHA1
ec23cac925bed1561e5fc84aeb62de12c2b6ce47

SHA256
f5f2788fd885a48eb38517740e34e1c015d8f1215f763c7c95c5a4712118ae26

SHA512
8279260af7ba234549b7ecfa42edd393621ec18fb0ec635eb2d8311c4259f5c2a2b0b9b55fc39c6b8b7821b25ab2b89efb4fd5c9550fe97c69680d4b54639e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
Filesize
341KB

MD5
ece8e2177083eefb49d5e0185b899b93

SHA1
ea29f48483d95897da5af016c47ca99f825871cd

SHA256
5e88119a34553c24625c42dbbb35b9c969a051a54478ab9227dac4ce720a703e

SHA512
4cd4a45cba10387b7e977ca05a3f44efb0ed3911cbd22d2ec00d9e24a9d0e0a424727ddfee9aec71454fb52f0d85f6a42b95656ef232e0538e18d97a5f32646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
Filesize
68KB

MD5
5afd0abdf589796afa275e234eb5dd48

SHA1
c05882e170685c8f88cc37d87579e0d2cf72bf72

SHA256
40bdacfeb06cb0572685662768030d9b93fc7c9a2e12b981c2f1ab46e230b654

SHA512
74099012026c1cfea5f200976ca01886a159d7596de32e22a24a0be2ea749d9498ad64ee1ecbaa83b4e8f414fee0ae099ee42fee89329ccfe8072f48767eb361

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
Filesize
35KB

MD5
dad914c1b058745ec0a8689f307f5e78

SHA1
84351cbb84c016623de9d1a0029963a7ce601c27

SHA256
eec48de4cbc210718fe28d0c19f42765fc7c2c40fd9b01f50c25c12df757ffcf

SHA512
0f72b65f000fc249b8bf37410f692da808710a08d19bbe219a11de6076da133c3e01d13554041d39b78960511612b9482e0ebeb414aebfa64fe0eb552a3c14a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
Filesize
113KB

MD5
d9a805f6e7cbbd52c0f47e1a364fda73

SHA1
6c06acccf19f8d31b6e99f1937e3b757baaa5ded

SHA256
12a870f240ce1e870ed51d932bd0982b49777db3aeea03ab69c4ff6df28d3e07

SHA512
7825a747e99b68ed14d641cd29cd462b32f111c61d893fafecb7d1a04ebc81ccb39f3c70bb441a33009236129ac07e19de7e73968052d915072c0fbdc24c5a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
Filesize
509KB

MD5
9cab7da3713242cdfc416453f5cc59de

SHA1
0ec38a077cb0cc483af1a875595aefc4d58bf96d

SHA256
8eb9aea356218ac085f60ed399e65d27104f7dff92705ff4e195c4aaff99c6ca

SHA512
d6a64c28649d6f5410f1c0644a6b2c4630fb641cc81e93576a917b661dd79d8446f296a12470f49ccc81d0a1883b0b561d155edc8e5f825026f3861b492b2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
Filesize
186KB

MD5
faa5da3bb93a6ed8770e8371dcb4dc12

SHA1
6a513e5d2cc8c45dc42b7ec8f26e41707171a33c

SHA256
6bd95134220fe1a713b11af95c0247d96f0cb65eaffb9560b253a5629262490d

SHA512
326a51bd5d9b4164b739da914c942332a9811857efdbc5a8bb51e08d0595f7c2e9400f772ade74e1206466fdc4558d8683ba4386e20f0fa556348acfdd87ec9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
Filesize
125KB

MD5
343b40d00a1621d19638756a62381efb

SHA1
08870501ebb777b5c535788bf811658ddcfc4d69

SHA256
18a278964513e4cd912ec696c181762a1026c48a898a09c0dbae94a808686c64

SHA512
00ee5027ef2fb7a4a9eed46eb0c3524f9a1fc7daf69f531d80141d9e48f13a37d63fd77d87f8c9150b029aa1c64cd79bdcb94da4ba7ca9fe6feee0d03657d38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
Filesize
441KB

MD5
f41dfce8b4a263aa727d32ba103efadd

SHA1
708599d7c7c6c6fb24add223c0e0fa5172248f83

SHA256
08add940e5dddd664ee956c1fe862ce31b76cfec406c2749b0393636a41bc270

SHA512
4aa527487193d7dcaf84e7fe8219ad045fd0e0539169ad1b6db203decbecad04fea517bd885d5ef231660190c821416153cdbcc7e9e3cd8287a4111862f16d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
Filesize
533KB

MD5
9e42c76613c4f79a87125f4bc435d599

SHA1
4181d508ff7191f7b66cbf4a407c8ada176b1c98

SHA256
228b36d9dba0433a8e7f9324cb70ca6e7297ab013f394b6b63555633a26f9b30

SHA512
71b7fac3caabc25676465337c86545b20e94c6ecef6b7e592fed0e8a84896b61ce55463801b89fcd8cbf2ff029e928b327db574e95e5984cbfd0994394c53b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
Filesize
529KB

MD5
2a2005551903c809e2bbb6d69f361833

SHA1
4c7947f868a4ce9d8295970ee750dd3689966d88

SHA256
e4b0cb8718d4261e3f23a025354320d2088b6eb8c7ae4badfab77969c5f18af1

SHA512
a1937a38e30ae1057126a208ee2c552d2db0c04936d338d123e1eaa5d3e7c1051dc72b7a107028a60b17fc177a5d602036d5ad3f896f4c9a66f7bf3a526d7ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
Filesize
163KB

MD5
8a81072aced17c4b3680dc4b58337e23

SHA1
d4b99132345ee8295ff73f0f294888554bbd405d

SHA256
bdcec318453b16d38a5fec9bfa1cec1dc40399a53819a87b2c366f26f73b599c

SHA512
9fac1d53cb82268859278468c2b5dd817f996c877bc575909b093b17da323ea96b74c8ded713bcdebe1943e203e2d5b35889b9ba95e700920a411be98f0e49c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
Filesize
144KB

MD5
3c88e52acad3ff4b6409f546263af199

SHA1
5a851373f0e587a3a72b1b38d0402ef34b3150e5

SHA256
767d57e798c1a436a82f4238312b154a2ce2c01a013170d82049257ba915f65a

SHA512
28db4881cd2b19434930e1b3ce633b1a9860d2b556de6dd48e1a7839ae89ea624fde4a4654fe371ed6b59ae3f538fc1fd512806604f2f8796b3d58fa8ae496eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
Filesize
146KB

MD5
8693fc1c13ab5e40a13edff8f59b223b

SHA1
1bd7b93349d848fa5749e4abe2d7a66d2e2a67cf

SHA256
82254b5c975192f973d941572d18bbf09e396ca696bf40210f5d39848935f4fd

SHA512
a3bf239c3b96c0e2736015a07ab4e5ce3085408cfb8c4c188762308b530cef60a364143769e4d15b17125d5d0b6e46d764c55eeeae681e52ebc3880a1735629b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
Filesize
230KB

MD5
8012b988154b498d8f197cc70a1ef0f4

SHA1
8ab61e32fde0b2fcfa853f6fe09b6156ce9e56ce

SHA256
d7b4944562a290b58469dfbb5d12b097d1001e2895aef47fb31d00965a076931

SHA512
4e796b880c39f94ba799dbf716971ab230433fb5af8637fd455268c4a528becd38c70ecabb3c86826185c3879bf74274bf1fec1fc93420980c51c8eb87fdf370

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
Filesize
156KB

MD5
0a5d951dc2c8e0df209f1bbfa4bfb21b

SHA1
6ed881e541041f8dd3866a8d75e512aea0b9197a

SHA256
f54d7a0c85094f12a8a6f519b75a99f91e402777aa735e3697c4b9c2fefcc181

SHA512
072c623eec195ba79f29265fd7e69cde6532dbaecd9bc4bfbd4776c1b9f763111834992bb7cbf938ae3292a0dc3780e9a7a4ba6c98337cc1acf1b5c7204e9c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
Filesize
219KB

MD5
7743521c4822424b9b2ad8ee9a571e1e

SHA1
d9c46a01e793a15c685f1f1a27ea4c2aae8f6dcf

SHA256
c771287b428f4f3421740744756df2ed7a753276adcafb9f3ecc61ea476e3d40

SHA512
de973085a1801dc71ca15f446ba4c02972420c5d60a2ed9d1e8a5cd2806d07bf28a86cb0d24b2b90d79a9a31f4b72488b826d235183d57fee41635e42b172e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
Filesize
149KB

MD5
3c3a96368474d263f5ea019bb148f2e2

SHA1
59df3f80c5bf185c4614b6bd1fdbdd9ba98a70ff

SHA256
1c951cc45d6d7c65d8986608fc122707c5b514d02c35dda902d07b1d3ff30dc9

SHA512
43ff378600b9feda6a5b71e025932a207bed40483421a7c5a4ab0f00b1f7f2d538dfee72cf1259253cc357da8f00fe62d1a6f00f01473694cb636b5e2783d574

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
Filesize
124KB

MD5
1d24f60f35a9eed03b162c1a217bcfb4

SHA1
6e02b81826873c0da073454c4405782051caad77

SHA256
f8c9a3651c2a36bddad283697b5b0125d7117d9721745263913e8fb214118283

SHA512
53c2d2ca5be30405dda254c2bab497f048e0b215e8fe130ebd6e9e0f09294209c57502dd77068c7264da619225792bfb376ad2ae9175a49c18164cc6f238f6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
Filesize
273KB

MD5
e4c746348135449eae9c34f8323e5428

SHA1
ce8a89cf9b4c040a15e50b4b64c1e10a64369d52

SHA256
2fefe3df9f5827e3158c1c1fff8f9eee5c3fa764d3ac357936103ee9563d501d

SHA512
637b2d85259188bacb820c5460cbef826e857e0f9b22750de9446211a626313c86a4d92dcefabfc30f82a8d4f6dcd459be261d92b47b5e78f52b2f75b8342530

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
Filesize
182KB

MD5
a2730f3c9afc9ba81e578c5862c93001

SHA1
d0c27e6658447fbc982d065eb900e1eec97c54ef

SHA256
981d5a305f4c82ebf1d4173444ba41154a6f3e7f5c5603af416bea6d6ca12425

SHA512
c9b33fd1bbd5df1a4484ddb9429e131e8ec98d3580d7754da9440dae8d9aff1c077f2596fc0ec23d9dcb599f04bfde2d29c862f9eb3fd45e942d42addf345da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
Filesize
243KB

MD5
e660771c8bfe53518fcbcde2dff47c0e

SHA1
2f49d6ed75c0914b13fd428b1673eb48467aa4f9

SHA256
564512baafa7cf6cd77bab29945e71b002f3138036fd10293e5248c0954337c9

SHA512
a8efcbe6e8c03af26b006f31e4ad39c4a5038c6dcabfa4c4f771ea7e7d923507f037b53f2b3e038336eae234537203d6b3e9a344cf29dc833f57f1e8e9fc174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
Filesize
64KB

MD5
2bff5115aa3a009aa0d90677aa73a71f

SHA1
39685afb06a3a437c500c7ea296932c558303388

SHA256
16a764e826d188da4bdbf6a1733e436e0c2849eadb04248cdb2e56ce1116b433

SHA512
a1f90a4b19a83f48038f63a7bc82c4c350d52391142e5a85ffe91163df6d887eba44d966b4c43c8e8b3ec067e6cc85db50876f09d4cee5de0a3b4cff2b97b7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
Filesize
91KB

MD5
a478923284e88a0b46af24fcca5d12ef

SHA1
50e37a058f40999216433f6fe86fecac0073f067

SHA256
94cb07e77e64bff7e1d66776c8a14a1c10b99cb270b6e78ff255c1a501c0615d

SHA512
ebc6637b40afbc3f53a60a4f2fe8aef6451424783ce398d26edd6143e7d309facc42e0d05112475b3d952b3e063f0db6990a809b52fbd06e6bacd7ae8729b9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
Filesize
70KB

MD5
f5f55289d85b4d67e705a53a0620cc37

SHA1
a3b8a2d21fb294766011a3afb537402749b6cdd2

SHA256
4b6d2d829badfe4ba981a3bc4043574f4e95581f959b04f7a3ddfb82ee80f8a9

SHA512
59750d8b200fc40f51157efaf9801a18a1eea6ae9a4b32527a0fd771fa12524bd56537738d436992fa6481c5a78a1fdbb4a33d050aa850e0d0542ad02d416bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
Filesize
98KB

MD5
fa94dfb98f4c4382ef4ded21cd3d7023

SHA1
aed003c4cef4dc1a2ba9fd137dfb4c9d0c559421

SHA256
286593fead42a5c9b4f5649947352ef37a6e8e5e8482b9a5e0ada13b6ef1d1cd

SHA512
1af7f0e1ae10f642fe390b5b6b2b80e8d83709ad24722cddca0b315c94f4f6aecbec76461e0ff33140f28a5b893c45faef1bd0992b7f3ccdbf6aa95c023771bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
Filesize
134KB

MD5
316c40e6d840592dd0bb5aab9b6b2db3

SHA1
158d51d041e2260321b14778f239d8d661de0cb7

SHA256
dc1daf0c4b2013926c09c37e740510ae97a7159dbc32710896d9e520e3c6852f

SHA512
295cc85eaf682e9bcccb5674427e503cc3f40da2062982f7cb8a03258cd26f8d814952f68ce5e2c55185d547e497705f460c95fcd84e329d02e48d02431a760b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
Filesize
85KB

MD5
a6a3c76741891c58bbfebec613ffc257

SHA1
29cd4d8d855d4966053fd353dc371f535492a90f

SHA256
cc1524855615ff43d5412aa52d3e042cc64bfe461f94d9c5a56f78cc0cf5ebdf

SHA512
09cbbc6a5e8abfe3be1aa408d59e316ba2d4cf4e5ab388f08f7409bb6637e682f4a34a2d08ea238e35f7e3b4c076ed47c5a4062bdd00b46b2f80efe073c326b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
Filesize
62KB

MD5
2575c6611c94b447a7bb5696b1adfa1e

SHA1
182e2fdf174e754bb865ca9e705ade42799a1a19

SHA256
11538a63306920993b96d0dfb2d73cf8569f75d8ade3007da2926585d8b6b673

SHA512
ee12ceecc9ce877735179192555cd347e0d96c784b1ef99a54e50268b3f503850890be5b4ccc66ef68d419219cbcf5ffec5c051acfa4b8c65e2952259e899660

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
Filesize
260KB

MD5
e32006f145039c6ba4a879eb8213a88a

SHA1
d06d885effdbe6514d24c0d33394d5bbe234771a

SHA256
80549cc2164f1b3d4141b1b13ce17042c0f71c17a5e23d5149b5b623c87891c0

SHA512
7ca3f0adeb4252af317e7d35369082f7229fda5a39a8de71d66cf6cfffb1112e8caabd63d78789ca92957d91905385273a5a46fb567841abb9dd4f0b3335fabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
Filesize
332KB

MD5
b53745ea7d40e840b8a05308ea236707

SHA1
2f87c0d2137486ed131c9dfeedbb014526ee5406

SHA256
f521ccc01a4853c53fa90172df92fb731ab625e176b97f40d00998de2bd6c7b6

SHA512
cd273d84786e2b1db21cf048069bf63c36572c53cc0ba4c9746fe9b9ba5a637bc5493be4e736e2a94dc6aac87116672ed8623d4ed4a9a17651b71a67b9787e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
Filesize
201KB

MD5
eb2af295a6a5f8f2f281f0f3b22dc80d

SHA1
f9985d1c44263e89c86289e8d774b3a277e34dc2

SHA256
c57ca044090ab5b8192c091244cf88d6c66e377af61f96cf3e6ba07c59822919

SHA512
62b32a53e427893550b8acf2b9af22863eb1ca61772a453e5dfd9865f4b4a52a48eb9ef09fa2d6364d64ce43197a4302207a53655101e7b3b2a90275d5179360

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe
Filesize
1KB

MD5
24e058c9c9902c772471c3280431f510

SHA1
314c21c9135f5c2fa76babd52ac7519ebfbb0176

SHA256
65495dc1e4d554d49f35e8f65cba9dc6feca263eae355304b6d22e9dcd07af39

SHA512
b005d12ec28ee09f6093ab5c352096d4ce647a9e1278362af24078a779dc499740e1b5da2147efec992c3076c00ad478f0ad1df5ea395280fe4e38018a921de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe
Filesize
24KB

MD5
90545bedf42c17674f2a8e9b6dfbb50a

SHA1
5fa2df335f6a5b33717de64b7496feb9d1b01694

SHA256
53d720e1314fbd54b79ada0afe6a75e14e48e501583868d05a82350f6ab1f557

SHA512
33b975515456ee1cc6e6f321972c44683e95bcfbbcec36e2792a19e89e119d9f32be68df0ac47772bfdc56f784fc03a10e80af05f7ecca1886ff55b285c884e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
154KB

MD5
7d7bd18e7b132670a1bc101437dac26b

SHA1
de74700742904966645530328ea0cf81629b472d

SHA256
b831b62279d598b3447bcb8f5c85baeb426bbce2358a6e6217022f6e2c0b7879

SHA512
9f360c563f4e6ca7fac5aff6f6900b29d4c9e81e694be972f8fa8fcd58b9626b210f47cb670fa2f3cb3b91d264dcd4d342b21f0e4074010fd3c6893cd7f12166

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
53KB

MD5
abdbc17e4495780a3905abacc9f96f18

SHA1
e9dac12503a223532286b748fa53bff8725dfb86

SHA256
542474aa4e04ce767c0eeb16961aae2a6f279272daea9ce9cb9948bf3132f38b

SHA512
a83e4be8c4113f5eac9945d69147dd839df652c538769d8c4f204c864cf9ff0500692c5b6d31a877bbc6b6ee1cd6f17f835e815b105eb3a671b45c1342f79fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
187KB

MD5
4c32362fb51825667d5972cae30d33f1

SHA1
b6102964ecdeac0e0447756ddb5decb1597a12af

SHA256
d5342b0851bec4f7871100558db7de18c64e4212ff19af51c35007678e8faca9

SHA512
f0475e31c3c73ebb6010f99e749d9ced75a75064a70fae5b5d6a7518b1aabaf6ac19f09cfac5ce7e945cbd82edccd6c9459349dc7e8ee93c0dc30adf0e0c0f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
10KB

MD5
9f6fb901936025f40517c8ae6b55924d

SHA1
4a773cd966d3a4fd53d1d290c9dda04145ed5f91

SHA256
28efb145b6391e2a5646ad54ffda05f552beabd3ff8415cd9b14781e0646fffe

SHA512
a95e5eb9dfa623c8d1aeea4e040559bdddf0460e798e20e8c69f07afd8ad7b56a01d9c9fe8609efd6c005fd7198a5d97af306c48c72c8c44a2c3420b02e3efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
131KB

MD5
b399f5e227591bf3df4e0527e781d308

SHA1
8c2f3b02a2a5a5e185aa27b45f53bdc3fb8c80e0

SHA256
215ce80936c60b578c1a4a458289d32e9d30dfc3f446768e42d7fcb5e375664f

SHA512
f8c9d607a3c40159f4e431ebe59ed497db09f6298ab72cc43645149bed1863c456f498edae42db56d4770ca3296b58c41dd741bc303a59d20cff0a6fa75f3107

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
430KB

MD5
3124cab2fcb69e98e2daf40f87a1b631

SHA1
dde9cfb0dd07e25bc5c993c2e6870d2cb714b247

SHA256
57a42bd71a3f39e1d7849b92ed05f8ed53f5a64fe7eeb0aac5d8371e2dcedb6b

SHA512
32eec8e39730108dea14ec81b7cc595c4e0403ded2263c7152a65a003218c36886f3464747431a741ff3d2a0bcf8ff5a0510421651688be321ff075f5b481805

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
183KB

MD5
39bfa7ac284abd2170579ff0cbf4df07

SHA1
dbe239f5489b5ff7b3b18675eeb324b41122fdc9

SHA256
127c01dc19f54347ca4daea88c3fba0545f54b03ab829d756f6e9abcea90ac12

SHA512
f1ebe8884b3a3c0f7840b1f1ce50de9e1e8287b74f19045e35a5b264b749c9d034426d18c98624f33d9c5b8fe5bdb258f34b1d4395bb642e1bdef40afbb4eede

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
145KB

MD5
be3db74fa2b8975b403c99aaaf7c0441

SHA1
f04097079bc70690c3e455d7bde1360e792daa08

SHA256
a87f4c2172f8861fff002afe34ee8b56d2a03393adb3a60da2d1a583a2b98803

SHA512
b48646bf9bbd5ff66b6e4c9b3a6092d836c1d1224db3a250627ec53d6ce2c80ce22a1538e47824a6b7e98f37dfc4c296975f17a223bbea34bb78edfee1e3ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
29KB

MD5
26ad53f2518f3e78d38db279aa3a3b1c

SHA1
0d6899be0557e073b142246ceb14695f62600f38

SHA256
5709694642727f8370ecf595ee0155a2d2bb40d0d85477394b8e1634041f4e07

SHA512
dc0277324288dfaea8b9d152790c8a472ebb2c3c23344b12a35f02c5043fd4b6570f4e1f39041498aa06c8211a918906a420fd4a48213d27820f1bf69ae71933

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idny5mpc.3hm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
176KB

MD5
b9dae1fb40aea1cffb7301a4e077ba1e

SHA1
f5cd9d6bec2f697287822f3653f6cbe74fde02fe

SHA256
a0c2c839b0c126da45f1f1674cd9c6bd6072fe5d518c7c12dfa4c3a2ffcc6af1

SHA512
8c383297007ccd46c9ea605a4287838c7499cf42547701a707c275b7acc849343210329939ac4e39e1aa344cecb2000b6e327ff3d45ecfeb71679778bff829b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
188KB

MD5
74f193141ff6098db4f5e6d367866c8f

SHA1
87f6602c2da8f2cb0a5f371d2423fca687b9ad09

SHA256
5fe1e6799f75d9e825ccc76544050d814d6220314babad1e7917477fe12b8063

SHA512
90690dba6078b2d95294a9d1f38b1e38cbe143dd5097c863850d46d181a63119efa1a3e9cb460b5251d9f50289966853e49fd7b95915f188be29ac6fcd3a5f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
127KB

MD5
eb333f172f23ebd178501b307f202134

SHA1
08d1a9a9bb95486c2144b8a93110fee5e60e7130

SHA256
a4a9256d58bf34ec02afa89c0c453c32b81ee19326e29dd2006813544f486bc4

SHA512
0e0a0bb7b00f91db2b611058365ac6b8a54cc05568dc8aeed48f9e95615fd3e487d5e8d24e38090ef458cce23cff32f641ca39fc8d391eb8442394edaef195d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
188KB

MD5
8844d90c795f320af90151cc7b3e8e22

SHA1
300fe3c5209cf18772be5e43212b0f2495cedd7b

SHA256
1beb32f2d0a2eecc655c3f4a9ae6e686e6362d462d54140069610d2281cfb5fe

SHA512
efbd7c94149430e4e578c9d603d6dbc0a1fcbc42ba96a0be7620ae7934ad72933cb3d3ff2c5afddcd6218a3ce7d1b6f989f9def2e781bd769ed926164d5a9151

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
292KB

MD5
f0f040aac317339e457924378d7036c5

SHA1
c12561eeb011a9baae2288ca81e604d04841dc3b

SHA256
13d6eedae7c789ecc9d77304fff86fc6f2df37fb28c22fae3e54d86842d1bea1

SHA512
fbc9bfe5eb7c9956f1d85c71e163ff1f598e69d33ccf30e207581b4fe95f03a9d8372e1514c711c26cdd0f8fabeba307cfbb4241f00d7771bc8a0f3d35f6890a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9ACB.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
Filesize
191KB

MD5
fc6a9813f06f1c902a37eebc04196dcf

SHA1
036f73c992e8cc94c2046d1c0a5557ab3989ed6e

SHA256
aef00576dbafaf09aecb2d50cdcb3fd21376ad7654e1c4a5b818718e46d82243

SHA512
d35bef501f691b20728c8ea7fc70ceb36c1fe22a15cfa134d26b5d662b8f5ca6e915eb1082f04fee4d18835fd05075773b3f7bb299addfce80cf242ad104eacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
Filesize
114KB

MD5
71f64c0d200dacb7070d47cac70ffe12

SHA1
1daabdb499dc711d68965fbd43a81d3dcc76f63e

SHA256
2480a7ee456117028b70a6e37febd0abe5ba79b9dbece5e74dff4f6a28b7e7ec

SHA512
84ce6cffcce286a6e99633d5193c9044160f71d9c9a40d8889851caad912cd0805069eb1d36fdff04523d4f9c1318fce3f1010f4fa48db66c5950f5cc818d680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
Filesize
230KB

MD5
556bcc07d119b54c0416768a7037eac7

SHA1
2d1cad0906753e017ed8494617c0184e751219f1

SHA256
a20e4c11c4761572b1ae83ff068a7aae4da7f804e7ad14353a2cc28ebe2cca32

SHA512
d1f1f10bbc36a9d2a923f7cf9043cc407ec649b2c9763785d1142191e21d653a0caa2db391745c48feda365540705f14ca5bab1fbb7789698188a02dfbf78550

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
143KB

MD5
ce009f0680a40acc686b8c0f2f31f61d

SHA1
8999433edbe645a3aac4b4776fd94856f86cba98

SHA256
73aa7d77c173000f4083d50606ca6cf3c71faa204e53910655693f0a3aef246d

SHA512
f3845d6406175cf4cd30c3ab4316d9390015bd21bd36238e1b522e0957bd071aeb111a012388adcb9cc4d2b02f27351010a18586bb5c2d14c8513feff82fa980

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
57KB

MD5
78394ad4787f4e98965fbbb62d079fef

SHA1
2bf8bc202db6b9dbf03e2b852645947e216f0c23

SHA256
437fa9b74ff9727c08e8c2dd997f9a36229948d4d4f04f06c8816b2fbceabe5c

SHA512
27621d6b4421e5ab8d2cf9c31be6b626f649b5d30caff6274c9fa02bb244a4f94a036f2083722b030dada67f84bbcb4a5d769925ec30f4a81fcec87fe40b98eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
32KB

MD5
1d58ff4ec15af321934e53d037a423ba

SHA1
2c4afd59880e889ab6dce065996792299aff96a9

SHA256
1f1d8c38526673a2c4eecc63c7beb858665444fdccd8ab5e472202ab1a950d97

SHA512
a602d9411e453c50faca4e2ac330d3cf9db829930e398bc2344f494859b63db0f94dfbc4c3d47bed10d938747654a2a17a4f47426c2a6b9bbfca0060bc73066b

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
272KB

MD5
43c66bb7924057abaf91e8ac6cc54072

SHA1
d05479ac2b8016f9435a75c5ec9506ff42b56563

SHA256
35852b3d65c820d9d95c4b5105b5f8ace19a951932111c8b6929b0651591288c

SHA512
69b9b5d98e2d098cd48c645bd0dab4dbeadac1614a9e3e373c03c4c171a676188a2874524b2231404b18c742d144d1f4f7722f44daeb4da733eafd42c17d1f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
101KB

MD5
0c42f46dcf1a569710e97ba682312c4d

SHA1
696c8842c252915c58411a0b11a5744058604ba1

SHA256
975794ad879e756f3682e62c325fdb7850373f9dbe414ed55a8e52593fdbae49

SHA512
ad2bb1783ff97fe0e02f5dfd138d8bcd56dc7eaa669d0a494da61658435cf09ee44fe3fd2aff9a17c107fee88e73f6694f34e19dbcb88d29f36db70457a09990

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\ms_tool.exe
Filesize
117KB

MD5
02aaf9ca1fea131617439290cdd02fda

SHA1
2ec756e4ed1a66f944f0a780e903b66f86433de3

SHA256
0c31969fea39ca5bc586cce2d78610db6e7974ce5151d424f75152ed93afc0c5

SHA512
7ef57094a147ba515942a2afe8fb81783959684cb54a034add13edb1a13331233e9a6d9be683f1e8f9af9ff726d528a55b0014faed261b6dc6663e121c41bee8

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
191KB

MD5
95fc2737ab13f70835a03fe2fc322fb9

SHA1
d1058c7a7f8fd8e065cb2ac4c43dda5890d566a1

SHA256
71667514d0ac30838264265cab7ac706d1a0c63b532c57841a2aefe29eafd900

SHA512
3c1544bb4bf8ab9fc9c9ce3453f7065a718a64cd9b74e675ca178001d69d3a1a5896c7fbd29ba1d0937a687549982dd2b0c3710b14b02ee548496a844d3dfc5a

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
146KB

MD5
68170840ada51291a1b5d81bb0e0b1ba

SHA1
7d2424047126c61d77519f057dcd7ec8e587270f

SHA256
e9389524608a627a41ac061a7cc3b705fa562cf889a72fdb413b3a2120f879b1

SHA512
bf8a1df5d806a37776e2d7ee4adb1765389d4c62d927786e1277fda64a5773fe7b2d5460a928a832847646930deca19a8c84e7578ba9045fc04748923ca23fd8

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
247KB

MD5
1742329c3caa2d4a3786a45e0cdf9887

SHA1
f7f77ceed58e2bda7e421dfcc2fbc21d9cfccca5

SHA256
f13490640de8281eea567545a98b060f006712fc979614776278a48ae0837dc2

SHA512
9c3615d2f66af5981d14d72e9b689713a542e09aeba649dc34710be6fae1556b64da6f5d3fa26f3a104bdf97dce8c72f9b75eeda3dd1ece7620aa5f7669bfdf3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
cf22b3e5d2535f6b798496e4b5e2c9a6

SHA1
8d46f261fdba0bb205bee025c39a15acffe49505

SHA256
4925deadd57c68d6571c3ed856b80c2b715b8a6b13ed6fd9fd38f090b546dff9

SHA512
db546a5658f591596797863e999c2d0a112af74df595201b00eb968bb13b065436164c393f85e031c93cfdec36d9ccbba405899c416c1a0a5a044b4f41e8eb40

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f1978340315c52c98bcaa56ff57705a5

SHA1
feb35e555068ab97ab32af17484c378b40459816

SHA256
760c880c9634acdcf93e67442910fc7187202d507b49b304587442d9b2edeb44

SHA512
e3bec039960201e7bb2d9724ab5f1fe586ff95fa664b631b7524e699dc22083d332e80e9d7911a8e87c2373af3a407124ae0bdcb3c2c8d8f8b8aafe111313aaf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
33bd19375a87d3fc0903572a927d91fa

SHA1
3fc20287dbc49ddad57766e6c4e02bdddab9b56c

SHA256
f9e60bf48b8250f33069cab67d435df6ddaec85d576b082733885f05f21ba168

SHA512
75da77f8aff4a18278ba2bc07b184e8849ec9af626eca083fc6a1bea4a62aa3cf7318432b6e41f24caf4d358def9e53899a2119b72a391e3d0cb0ddf9a0302c8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
e02980e43ec9a22a0553c1a4eecb9932

SHA1
578c315cf25b6b48f55796a88a72ea93a66773c9

SHA256
298a7059c00d3e7cb2fdff2603337fcd9c4cbafe2546580bc444cd23b96e7e97

SHA512
f512e903d410358829d81ca69e932ce843d0197a30fe95e942572b1a1141cdd74d6193f8e34d0a63958bd0b7c774078695db7fe85398a815eafe36a250c05dc1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
0f8ef5395f959be9c10ab7d881470dd0

SHA1
6231a703b0b77190a67f161adce374d0bc6801e3

SHA256
523184bf3a0d17712b2b853c9af893a5e7ee12c74af05f91c922fbad2231b348

SHA512
9ae6f3b6ea0d053bbe9987dffe6824b1d4319e1e0f89bbc9a62de87e63da4f6e24e86abdd51afa35bc438def0079eefc4f8d7113ab04385f9590b1295121b48a

Download Submit
C:\Windows\rss\csrss.exe
Filesize
144KB

MD5
dec2f70e1b89b47071883e3871f8571c

SHA1
1f7d245252d9074ef39e078a84cbdd9692bd3560

SHA256
d87f8c04c809e453b9d6f611f21692e418715abbf7c04bc799c4f0691f68cddf

SHA512
55230d64fa818cafa44441d5121e8903dfa52495e3972b3bd0b319a001222af67999942cdec6b6b4b55ca08a98d154344975fb975378496d74531d6440cede15

Download Submit
C:\Windows\rss\csrss.exe
Filesize
90KB

MD5
a6d9c3f8d46431df33dbe03165f3755d

SHA1
2c1aa23563ba01afa1efd1d537b0109bcea873ce

SHA256
eed160f7a6edcdee857bb9b021c02995222dbda9a31ae8678dd95f4faa1f85c4

SHA512
6cec5a6fb535c979bc1dfb6a0d791fc47718103dcc1d94c3275bf81ad0a8b7963ea64c7cd4ea5b304690d5df8b82d4ee5d0ecb1abf8217f379a0f4d89e51a197

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
8c36cdedb21883bff86e082a57ed1639

SHA1
5114ce74a63ca7f5c381786fa19b51d4b6de2e78

SHA256
0c46fd38bdae3cf9f5bc062173966770e843001d337b94af5c2cc7b20c61de77

SHA512
ed83f24476a17213a4e1147cde59885e55c1b593ed237aa7d2354d2485873edd87c3dca4177686630764be594b13dbaabdd659a65357f5f5854fdba1b16bb1fa

Download Submit
memory/948-244-0x0000000000030000-0x0000000000098000-memory.dmp

Filesize
416KB

Download
memory/948-245-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/948-254-0x0000000002200000-0x0000000004200000-memory.dmp

Filesize
32.0MB

Download
memory/948-256-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/948-249-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/1184-150-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/1184-250-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/1184-248-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/1184-148-0x0000000000E40000-0x0000000000E92000-memory.dmp

Filesize
328KB

Download
memory/1184-152-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/1588-77-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/1588-76-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/1588-73-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/1588-90-0x0000000005C50000-0x0000000005C62000-memory.dmp

Filesize
72KB

Download
memory/1588-69-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1588-221-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/1588-99-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

Filesize
304KB

Download
memory/1588-259-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/1588-91-0x0000000005CB0000-0x0000000005CEC000-memory.dmp

Filesize
240KB

Download
memory/1588-226-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/1588-75-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/1588-78-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/1588-89-0x0000000006370000-0x000000000647A000-memory.dmp

Filesize
1.0MB

Download
memory/1588-88-0x0000000006990000-0x0000000006FA8000-memory.dmp

Filesize
6.1MB

Download
memory/1596-183-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/1596-185-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/1596-184-0x0000000000670000-0x0000000000C78000-memory.dmp

Filesize
6.0MB

Download
memory/1596-260-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/2036-224-0x0000000001370000-0x00000000013C2000-memory.dmp

Filesize
328KB

Download
memory/2036-227-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/2232-225-0x00007FF676DF0000-0x00007FF677085000-memory.dmp

Filesize
2.6MB

Download
memory/2332-643-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2332-149-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2332-15-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2332-182-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2332-16-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2332-151-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2332-388-0x0000000000D00000-0x0000000001108000-memory.dmp

Filesize
4.0MB

Download
memory/2496-837-0x00007FF7F08E0000-0x00007FF7F131D000-memory.dmp

Filesize
10.2MB

Download
memory/2584-579-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3548-74-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/3548-67-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/3548-65-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/3548-71-0x0000000002590000-0x0000000004590000-memory.dmp

Filesize
32.0MB

Download
memory/3548-64-0x0000000000130000-0x000000000018A000-memory.dmp

Filesize
360KB

Download
memory/3816-820-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3816-816-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3816-814-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3816-811-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3816-806-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3816-808-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4076-281-0x0000000000840000-0x0000000000EC0000-memory.dmp

Filesize
6.5MB

Download
memory/4076-284-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/4444-257-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/4444-251-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4444-255-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4560-580-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4660-302-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/4708-369-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4864-1-0x0000000000090000-0x0000000000498000-memory.dmp

Filesize
4.0MB

Download
memory/4864-2-0x0000000000090000-0x0000000000498000-memory.dmp

Filesize
4.0MB

Download
memory/4864-0-0x0000000000090000-0x0000000000498000-memory.dmp

Filesize
4.0MB

Download
memory/4864-13-0x0000000000090000-0x0000000000498000-memory.dmp

Filesize
4.0MB

Download
memory/4892-110-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4892-108-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4892-103-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/4892-199-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/4892-128-0x0000000008220000-0x000000000874C000-memory.dmp

Filesize
5.2MB

Download
memory/4892-122-0x0000000006B60000-0x0000000006BB0000-memory.dmp

Filesize
320KB

Download
memory/4892-123-0x0000000008050000-0x0000000008212000-memory.dmp

Filesize
1.8MB

Download
memory/4892-109-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4892-112-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/4892-104-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/4892-107-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4892-106-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4892-111-0x0000000006370000-0x00000000063E6000-memory.dmp

Filesize
472KB

Download
memory/4892-105-0x0000000004A00000-0x0000000004A3E000-memory.dmp

Filesize
248KB

Download
memory/4940-280-0x00007FF85EE30000-0x00007FF85F8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-200-0x00007FF85EE30000-0x00007FF85F8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-198-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

Filesize
32KB

Download
memory/4992-282-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/4992-220-0x0000000000AD0000-0x0000000000B22000-memory.dmp

Filesize
328KB

Download
memory/4992-222-0x0000000072DE0000-0x0000000073590000-memory.dmp

Filesize
7.7MB

Download
memory/4992-223-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/5224-825-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-841-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-822-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-828-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-830-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-826-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-824-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-821-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-829-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-831-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-836-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-840-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5224-839-0x000001ADF61C0000-0x000001ADF61E0000-memory.dmp

Filesize
128KB

Download
memory/5260-832-0x00000000009E0000-0x0000000000A3A000-memory.dmp

Filesize
360KB

Download
memory/5264-640-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/5264-503-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5264-385-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/5264-394-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/6076-725-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6136-789-0x00007FF71A5B0000-0x00007FF71AFED000-memory.dmp

Filesize
10.2MB

Download