amadey | 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

Resubmissions

24-01-2024 18:01

240124-wlzj7sehd6 10

23-01-2024 16:21

240123-ttm52acff5 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06437ffb6c87f69539842cd536e78d3.exe
Size

791KB
MD5

b06437ffb6c87f69539842cd536e78d3
SHA1

6799f24d5ff74fe1a045ea9845704bbbd1c818f6
SHA256

38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
SHA512

b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10
SSDEEP

24576:v/pYwErMbvMnTwQmBaWnBCqKZoYI81IuZ:H6wErMLMnTlmBaWntKZYuZ

Score

10^/10

amadey glupteba redline risepro zgrat @pixelscloud @rlreborn cloud tg: @fatherofcarders)livetraffic discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.113.35.45:38357

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

@Pixelscloud

94.156.66.203:13781

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.176:13781

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3164-62-0x0000000004F00000-0x0000000004FFC000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-63-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-64-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-66-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-68-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-70-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-74-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-72-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-76-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-78-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-88-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-86-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-84-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-82-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-80-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-92-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-102-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-108-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-114-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-116-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-118-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-112-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-131-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-120-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-110-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-106-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-104-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-100-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-98-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-96-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-94-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3164-90-0x0000000004F00000-0x0000000004FF7000-memory.dmp	family_zgrat_v1
behavioral2/memory/3252-551-0x0000000001120000-0x000000000117A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2356-683-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1652-179-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/444-272-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe	family_redline
behavioral2/memory/3632-314-0x0000000000DA0000-0x0000000000DF4000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe	family_redline
behavioral2/memory/2356-683-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

101 3524 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2804 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
101	3524	rundll32.exe

pid	process
2804	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Conhost.exeZjqkz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zjqkz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zjqkz.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeb06437ffb6c87f69539842cd536e78d3.exeexplorhe.exeZjqkz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b06437ffb6c87f69539842cd536e78d3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Zjqkz.exe

Executes dropped EXE 32 IoCs

Processes:

explorhe.exerback.exeZjqkz.exegold1234.exeRegAsm.exepixelcloudnew2.exeflesh.exeqemu-ga.exestore.exeleg221.exepowershell.exeInstallSetup7.exeConhost.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exeleg221.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeConhost.exeZjqkz.exekskskfsf.exepixellslsss.exeinjector.exeZjqkz.exensbBB64.tmpexplorhe.exewindefender.exewindefender.exeexplorhe.exe

pid	process
4428	explorhe.exe
2796	rback.exe
3164	Zjqkz.exe
2036	gold1234.exe
2356	RegAsm.exe
3632	pixelcloudnew2.exe
3252	flesh.exe
2544	qemu-ga.exe
2544	qemu-ga.exe
4968	store.exe
3664	leg221.exe
4744	powershell.exe
4912	InstallSetup7.exe
3680	Conhost.exe
4456	31839b57a4f11171d6abc8bbc4451ee4.exe
1648	BroomSetup.exe
2128	rty25.exe
4496	leg221.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
2968	csrss.exe
1332	Conhost.exe
2656	Zjqkz.exe
4984	kskskfsf.exe
2008	pixellslsss.exe
1504	injector.exe
3904	Zjqkz.exe
2656	Zjqkz.exe
3576	nsbBB64.tmp
1004	explorhe.exe
4120	windefender.exe
4940	windefender.exe
3504	explorhe.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exeInstallSetup7.exestore.exe

pid process

3524 rundll32.exe
4912 InstallSetup7.exe
4912 InstallSetup7.exe
4912 InstallSetup7.exe
4968 store.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3524	rundll32.exe
4912	InstallSetup7.exe
4912	InstallSetup7.exe
4912	InstallSetup7.exe
4968	store.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe31839b57a4f11171d6abc8bbc4451ee4.exeZjqkz.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clnt = "C:\\Users\\Admin\\AppData\\Roaming\\clnt.exe"	Zjqkz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exeConhost.exepowershell.exesc.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	sc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

Processes:

explorhe.exerback.exe

pid	process
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe
4428	explorhe.exe
2796	rback.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

gold1234.exeRegAsm.exeqemu-ga.exeZjqkz.exeZjqkz.exestore.exe

description	pid	process	target process
PID 2036 set thread context of 1652	2036	gold1234.exe	RegAsm.exe
PID 2356 set thread context of 444	2356	RegAsm.exe	RegAsm.exe
PID 2544 set thread context of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2656 set thread context of 644	2656	Zjqkz.exe	conhost.exe
PID 2656 set thread context of 4032	2656	Zjqkz.exe	conhost.exe
PID 3164 set thread context of 2656	3164	Zjqkz.exe	Zjqkz.exe
PID 4968 set thread context of 3048	4968	store.exe	MsBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2188 sc.exe
3628 sc.exe
3272 sc.exe
4340 sc.exe
5000 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3384 3680 WerFault.exe toolspub1.exe
4484 3576 WerFault.exe nsbBB64.tmp

pid	process
2188	sc.exe
3628	sc.exe
3272	sc.exe
4340	sc.exe
5000	sc.exe

pid	pid_target	process	target process
3384	3680	WerFault.exe	toolspub1.exe
4484	3576	WerFault.exe	nsbBB64.tmp

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Conhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Conhost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Conhost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Conhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsbBB64.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsbBB64.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsbBB64.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2936 schtasks.exe
4808 schtasks.exe
2092 schtasks.exe
2256 schtasks.exe

pid	process
2936	schtasks.exe
4808	schtasks.exe
2092	schtasks.exe
2256	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Conhost.exesc.exewindefender.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegAsm.exeRegAsm.exeflesh.exepowershell.exeRegAsm.exeleg221.exeConhost.exepowershell.exeleg221.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exeConhost.exepowershell.exesc.exeConhost.exeZjqkz.exepowershell.exe

pid	process
2356	RegAsm.exe
2356	RegAsm.exe
444	RegAsm.exe
444	RegAsm.exe
3252	flesh.exe
3252	flesh.exe
444	RegAsm.exe
444	RegAsm.exe
444	RegAsm.exe
444	RegAsm.exe
444	RegAsm.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
3664	leg221.exe
3664	leg221.exe
3680	Conhost.exe
3680	Conhost.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
4496	leg221.exe
4496	leg221.exe
4456	31839b57a4f11171d6abc8bbc4451ee4.exe
4456	31839b57a4f11171d6abc8bbc4451ee4.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
2764	Conhost.exe
2764	Conhost.exe
2764	Conhost.exe
4744	powershell.exe
4744	powershell.exe
4744	powershell.exe
2188	sc.exe
2188	sc.exe
2188	sc.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
1332	Conhost.exe
1332	Conhost.exe
1332	Conhost.exe
1332	Conhost.exe
1332	Conhost.exe
2656	Zjqkz.exe
2656	Zjqkz.exe
3864	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Zjqkz.exeRegAsm.exeRegAsm.exeflesh.exepowershell.exeRegAsm.exeleg221.exepowershell.exeleg221.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exeConhost.exepowershell.exesc.execonhost.exepowershell.execsrss.exeZjqkz.exepixellslsss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	3164	Zjqkz.exe
Token: SeDebugPrivilege	2356	RegAsm.exe
Token: SeDebugPrivilege	444	RegAsm.exe
Token: SeDebugPrivilege	3252	flesh.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	1652	RegAsm.exe
Token: SeDebugPrivilege	3664	leg221.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	4496	leg221.exe
Token: SeDebugPrivilege	4456	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	4456	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2764	Conhost.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	2188	sc.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeLockMemoryPrivilege	4032	conhost.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeSystemEnvironmentPrivilege	2968	csrss.exe
Token: SeDebugPrivilege	2656	Zjqkz.exe
Token: SeDebugPrivilege	2008	pixellslsss.exe
Token: SeSecurityPrivilege	5000	sc.exe
Token: SeSecurityPrivilege	5000	sc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exerback.exeBroomSetup.exeexplorhe.exeexplorhe.exe

pid process

836 b06437ffb6c87f69539842cd536e78d3.exe
4428 explorhe.exe
2796 rback.exe
1648 BroomSetup.exe
1004 explorhe.exe
3504 explorhe.exe

pid	process
836	b06437ffb6c87f69539842cd536e78d3.exe
4428	explorhe.exe
2796	rback.exe
1648	BroomSetup.exe
1004	explorhe.exe
3504	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exegold1234.exeRegAsm.exeqemu-ga.exeZjqkz.exe

description	pid	process	target process
PID 836 wrote to memory of 4428	836	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 836 wrote to memory of 4428	836	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 836 wrote to memory of 4428	836	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 4428 wrote to memory of 2256	4428	explorhe.exe	schtasks.exe
PID 4428 wrote to memory of 2256	4428	explorhe.exe	schtasks.exe
PID 4428 wrote to memory of 2256	4428	explorhe.exe	schtasks.exe
PID 4428 wrote to memory of 2796	4428	explorhe.exe	rback.exe
PID 4428 wrote to memory of 2796	4428	explorhe.exe	rback.exe
PID 4428 wrote to memory of 2796	4428	explorhe.exe	rback.exe
PID 4428 wrote to memory of 3164	4428	explorhe.exe	Zjqkz.exe
PID 4428 wrote to memory of 3164	4428	explorhe.exe	Zjqkz.exe
PID 4428 wrote to memory of 3164	4428	explorhe.exe	Zjqkz.exe
PID 4428 wrote to memory of 2036	4428	explorhe.exe	gold1234.exe
PID 4428 wrote to memory of 2036	4428	explorhe.exe	gold1234.exe
PID 4428 wrote to memory of 2036	4428	explorhe.exe	gold1234.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 2036 wrote to memory of 1652	2036	gold1234.exe	RegAsm.exe
PID 4428 wrote to memory of 2356	4428	explorhe.exe	RegAsm.exe
PID 4428 wrote to memory of 2356	4428	explorhe.exe	RegAsm.exe
PID 4428 wrote to memory of 2356	4428	explorhe.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 2356 wrote to memory of 444	2356	RegAsm.exe	RegAsm.exe
PID 4428 wrote to memory of 3632	4428	explorhe.exe	pixelcloudnew2.exe
PID 4428 wrote to memory of 3632	4428	explorhe.exe	pixelcloudnew2.exe
PID 4428 wrote to memory of 3632	4428	explorhe.exe	pixelcloudnew2.exe
PID 4428 wrote to memory of 3252	4428	explorhe.exe	flesh.exe
PID 4428 wrote to memory of 3252	4428	explorhe.exe	flesh.exe
PID 4428 wrote to memory of 3252	4428	explorhe.exe	flesh.exe
PID 4428 wrote to memory of 2544	4428	explorhe.exe	qemu-ga.exe
PID 4428 wrote to memory of 2544	4428	explorhe.exe	qemu-ga.exe
PID 4428 wrote to memory of 2544	4428	explorhe.exe	qemu-ga.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 2544 wrote to memory of 2356	2544	qemu-ga.exe	RegAsm.exe
PID 3164 wrote to memory of 4728	3164	Zjqkz.exe	powershell.exe
PID 3164 wrote to memory of 4728	3164	Zjqkz.exe	powershell.exe
PID 3164 wrote to memory of 4728	3164	Zjqkz.exe	powershell.exe
PID 2356 wrote to memory of 2544	2356	RegAsm.exe	qemu-ga.exe
PID 2356 wrote to memory of 2544	2356	RegAsm.exe	qemu-ga.exe
PID 4428 wrote to memory of 3524	4428	explorhe.exe	rundll32.exe
PID 4428 wrote to memory of 3524	4428	explorhe.exe	rundll32.exe
PID 4428 wrote to memory of 3524	4428	explorhe.exe	rundll32.exe
PID 4428 wrote to memory of 4968	4428	explorhe.exe	store.exe
PID 4428 wrote to memory of 4968	4428	explorhe.exe	store.exe
PID 4428 wrote to memory of 4968	4428	explorhe.exe	store.exe
PID 4428 wrote to memory of 3664	4428	explorhe.exe	leg221.exe
PID 4428 wrote to memory of 3664	4428	explorhe.exe	leg221.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2256

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA1ADQANAAwADAAMQBcAFoAagBxAGsAegAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAWgBqAHEAawB6AC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABjAGwAbgB0AC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABjAGwAbgB0AC4AZQB4AGUA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
4⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
3⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"
3⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"
3⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3524

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
3⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:2968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:2188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:2336

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:1504

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:4120

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:748

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 348
5⤵
- Program crash
PID:3384

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4912

C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp
C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1288
6⤵
- Program crash
PID:4484

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
3⤵
PID:1332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Drops file in System32 directory
- Launches sc.exe
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
4⤵
PID:2744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:3628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:3272

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4340

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
3⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3680 -ip 3680
1⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
2⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
3⤵
- Creates scheduled task(s)
PID:2936

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:4776

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2804

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:2656

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:644

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
1⤵
PID:2004

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4940

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
240KB

MD5
91e7798e348f0d9557dc0b435eac3ad3

SHA1
7a714e3b7c1831fbed3d940cb3d0b38a8fb83282

SHA256
8ba70d9ff11b6c268fb6e93fe4155036eba3ccc1781dc0046152733204d5cef2

SHA512
0e642e1a6d5cf016c863cb7eb412c158e2e690d9fa066feda5b9b5988c62c17393b98841a8920fa6f00692cf7739558a59467922d51605cc84da3b4ba233028b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
207KB

MD5
ceb172f1cf7e2fe24bc8d3568d286cff

SHA1
2c71951192f03489b7db53bb3f697a3a7bf7b705

SHA256
1f2447f5f5aef2557d7822943254b30126ae27d7fb1bce6427a375d661427407

SHA512
a54e1ba75144d87cd58b0a48d07ae9e8d8b162db2c0efd22fdd1fab917ae29c13a589928009e60c8716b351d8539433b754037357bb07c986b0166b7338a1c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1dfbfa155719f83b510b162d53402188

SHA1
5b77bb156fff78643da4c559ca920f760075906c

SHA256
b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831

SHA512
be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log
Filesize
2KB

MD5
cad4caba9aaab897691a633527fd5cc8

SHA1
b3e4fc90c296f60de8a70dd1ca52c88b22311fb9

SHA256
38b0058c079ea95bcee72a59f4d1d2bc11320e2a088939960c9b9b78ca4a9f1e

SHA512
57ed5bd94d12472b5d9792061a4c5c399ee0e46eef7aa2e39fdfc220f434bfedfa344f1a4a63fd72fa3bf3e0c3553ffb97e8f9f16d11f0fd207202a6304ab746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
Filesize
1.2MB

MD5
3df45d19c8990f36b70095db310a1722

SHA1
cc0bce2c34216bf8e3844982ebd2c97133f6862b

SHA256
3eb37a66747b4e3420c08292be12c1206dd63cd3a0d489fab02fd087a6fd299b

SHA512
f427d873d120cbc332c7b92bd6e055bc1f2f3668bdcba2f106f4391d0b94d5f4f88d1fc076cfccfa5ebc8e556dce0c50e263ac5a42abbe7613b1accca23d5cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
Filesize
971KB

MD5
3ef515bb081e3a8546a39219bf1310a4

SHA1
65b19bc8100f6b67368c46b33d39ef441aaeaeb0

SHA256
9ae50d0f38c49c5e2a1e90d5bfa9972e551f8274f83fcf7182ab3ed38b2fd394

SHA512
22dcac861796e40936f536c3eb908d16fb33b209dcfe5ebd39318bca9134bcdf1504d01ace87b348d6fcfa3cb92f7366d47df1de6f07a64f8b9eaaecf1c2fbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
Filesize
289KB

MD5
9c23c0dec00a22ac717b3b347926f3bf

SHA1
0d06e1e27797cfafe0401956c3c9ad0a8c1bb5c1

SHA256
186a66ccd81df989981e24fea1111a1ea404bb12dc9a31767c095e3f70e62597

SHA512
e4b714b601fbb95946a63b364745d7e624d6a5882932a0a1db6e64ca841342d8b3b83f8fb89a3f38bc86f4079a070dc57b8f5b3e683a3457a686e1ab447c5212

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
Filesize
55KB

MD5
1e5569ff11938998364fd08ad50f3e95

SHA1
8dd9b73282fc7c6d4d935234b4ea0af44a6f8e9b

SHA256
4436e32f76af61465e1b7f19df5f0e651a995543c8dbb8fec2eab343ebf62620

SHA512
9dbd4b68025964923b4ff5dae14e0464fa957425d3094ad9f15cc2f1995551bdaa1f3ee13680e4cd367c41bc7c0722cba592911a1b1d9fc030bce37d02476be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
Filesize
129KB

MD5
88f9faa4ded1d919a3e59609c6de913d

SHA1
0762f6882acb0ce10369a01b5d0ff54296123fca

SHA256
6dcfdca6ea6f69812ecefdc63d46b4a1effcf72a53defe05cb941831fd4e355f

SHA512
4b1ebdb00ee98a8edfddd04efc385bbb559caf85cb8e43b09af64ebc68b612ad6c69e46bca3a152eb407180e141a1f76b6672bf2c77babf74869f23b687f0472

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
Filesize
234KB

MD5
5b97d7769e17c999933f74a789646679

SHA1
ccb46ca4ffa661f16356a3b6d31480fc6a39466c

SHA256
a5858c766febc33ca10fcc36a2c25cc67a8c6160151cfc9e3f622f5790c0741a

SHA512
44dd0e00a8ddff68b18f1b091c1284397600efc5eef27e2fde9f5f9a28ad5d8915ac883af2675bb8ec668d7c60fbe50be66e054c9297b6e566a0f07667ebdac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
Filesize
239KB

MD5
06112fe709368a565861d30429cb6cb9

SHA1
1daf4391e10bf64e8aaadc7072f841026d2ad781

SHA256
ae4365d7635d602cb6aadff13b228631a3baa69f2eed485c4ea3282e8dd3dd8f

SHA512
7d30351c0fcb02d958c6a479fa04f0c04bd63133715b151b638aaa6e308e82d0e6d9806970c614d432dd89741d70db67099394116666b797bc4a27f754cb3b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
Filesize
194KB

MD5
6ada80146cbe71a083293db409c5dcbf

SHA1
5ac169c7100c2f82ba09b71d4ebca71bb36c01f8

SHA256
696cda73056273607321d64e920cb9f2bc8cff907d0d5d933c4ebbc42535885b

SHA512
620e19c188cea724f7cdeb648800eaf489288d42ea996a355d5e530e98a6976e9212f84b2ab0acb8ef1b5a0eb327186fc29f90e300fd1de682d519bbc4a45e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
Filesize
57KB

MD5
d97033bf19d63a7812a8c1e8bac31e35

SHA1
4b6a34daabfab8f77cedaa2f2c62ac2d500c3861

SHA256
a1dda0bd6342520ce6798b0a0acecd0e62556dea47dce390d9cbf6b4a698d60f

SHA512
fb72816bd1ba110bb5cf78baa92754beceb7c9a62726b77c3ac89be80abdc22574f88319b2db859a00b94818e2bd21b9514ce3e190adcce7370be213097ad4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
Filesize
37KB

MD5
a64582fa6f9d706812e490bcb32b681e

SHA1
2d80b80f2b6f2502e15ff64df43fb53cb69949ca

SHA256
65478137bcd3e4141c8c592d4eaa632f1532758dc95d42f893bcdb934d6468fb

SHA512
78153457a843e235330cf04d3923d6c65e8c22a8939707a8332e21d0203170332aafcb9668fa871d22379214bacbaade61a656e30f06b83259e1f3c2bf214f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
Filesize
7KB

MD5
6f194111ad5f8dee8be5e872c3d9be4d

SHA1
468efdd5d718d35c91e154882f269141b4fd2833

SHA256
4d54eaf06b7b67cf40c73a1584c9f7990c2b39b903298c4e4e28202614bd6276

SHA512
869c29c1d83825b7fc99f7475d3f312785339c202722a135b42dbfa79f4247a05d5fb6462f360ca1eeeb62cc1f97a3e05c1c86905298c3d1a6d77c519221d1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
Filesize
259KB

MD5
b78fb21c7830f530ecd1d3ceaa2a9402

SHA1
39bb3a77ef52a612360936bb8f28d05c3e8d12ef

SHA256
e01823a22f0240fa81b68a42c78a36ef7693799719688f9a9cf19393d7733078

SHA512
ae2266fc35bbf11b709b4f1745b057ac5cdf0c1203fe28df90eb6e07319caf365b489ae18dcf3fcc9c37cf13c1d1c07fd067cad123643b7fb2fbd4d8b662527f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
Filesize
115KB

MD5
7f1d299d10be362c989c48ad7b7bd607

SHA1
2a56c75cd7ef2a6226215e24578adae089362eb5

SHA256
a74f642db8c259687f860c325ab66ee7884c87b7f4d4b990ab74fd91e605013a

SHA512
e3c93ba02fc3a26e9df0bee4bcee67251c16f20be5a02164ebdab35da6c02bae2eceded0f349c602929e621713b0ef0d2b303d729ef96189bf895ae45c7db97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
Filesize
212KB

MD5
a220d711a686988c5b0e89166eed2e0a

SHA1
5d7ed1406277bc0ca09ef569edda2eb08b55730f

SHA256
3d08ee58bda062a65abaced0d99154d5d6ef93d78c23658c5238f59afbd9f3b7

SHA512
ea27aa81b1e58acbb33dee178bde737fa0fa26db4ff937305958ba5d318621650e703cfd374687f42bae1015f43391d8255f912a828e74bd26e0e659f4afe282

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
Filesize
158KB

MD5
8353c8e2769ef6959b1fe147d3e98ee6

SHA1
0d9009a0a7c2913a7a3092d9a83a26d4b9ae57b2

SHA256
bc901189d6c1079ba4d70dab59f77472d7b03bec807e5cca73848c67c7f3ac87

SHA512
f2838eccd8a1910bf46b46e21c24a0ca459944d46c0b7e4f1486c9663e493ce9842aa8634ca052623a4ae512ddd8337035ce45ab23335df69e3dc89252222c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
Filesize
107KB

MD5
cc6a3528ebceb669bc5158b1e8806365

SHA1
89fa8e786cd888b144a925d7c1480ddb6796ffe4

SHA256
7959ca325a4208c6e07c7a77ca64f9cf9d9851d56418d68f83609a69727e3317

SHA512
d9583379e9ea5eae553cca20df520b545118a06622995bbbc24d8c08e826a72ca205d40590799034de32327dba53178c3a7e4017c95c96fdea9e8fcd1d3af36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
Filesize
95KB

MD5
1bf77200320ce12125247fa912480682

SHA1
3f95b18cecf96da962415c7faed37d6d7890013e

SHA256
b06dff73ce191b9ad5614ce509aba79828bee1d2933aa7fd32019e7fc48a303a

SHA512
02e310e26ce229a00f07a47b2a91878eb0c3a14af04db5bdfa86b32b7dc158da39f9d133ac1b6551d9e5f2bd019caeea1b20a34c12583d9c1a0461db08b50164

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
Filesize
122KB

MD5
44ffa844b490732f3c13d4ab996b3fdd

SHA1
e6fb8c2a9baa37bc9f2b10497356be583e448f0b

SHA256
e3a7d660ed8ae56501f00052ddc0130df09da7f479dbc62bd7225cb013d4c7c7

SHA512
b351d7a77b0edbecb91f1ebbb65916ddfd3378735c3d2464fd66cb0c71b9c65621b6440e1e809814d4be5ba3d0e372de48478d0d0718e301b26883a5cc2e836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
Filesize
32KB

MD5
8c4b42ca740a2f0fb25370ecb15bd004

SHA1
6a909b17e241d36aed4d26acc2b057b9fc9bbbe0

SHA256
3ef7669f648554fa7e7c89834128d1a52ddf52fd630745205fb1f4f224b31bea

SHA512
b20dc75759f97874c2915cf2b9c872d973a0a23d39e49bcfd22b001fa583d3e54f1d27065d895f472a95d1fe7c6b077faf75e37dfcd08423fb18fc07f3747689

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
Filesize
47KB

MD5
265399833c2416bb831d7e8a0bb54d8e

SHA1
75a00c73c9bbcaa30991e042ba88f40fdff5dfb4

SHA256
d782b4698a16399849ed12c46dcde2fa295c5f0db3561eac42607116059c8751

SHA512
ad18030601c737c0af65cd46285dfcf83bde47655f30778a12ab0de9ce694607a1eab2c473650511cc068ef8ee4d5efcdba4cb05a647b7db5a6ccbe76ef6dd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
Filesize
198KB

MD5
ae47a2bf3df0762ebdfa13e53ff7f4ad

SHA1
71d5088f0743b2b9c28cb191b58b0c0a0c5fba59

SHA256
f10c5cbcd62dc107c5ddb3ef27f3b237005ca402891e4aa02d8069ba7521153e

SHA512
6fe3877dd48154d4bf90c7cc4f1d79282f2cb2367fdb4dfd2d42aaea0b258e80493010350c6f4ae379849aed7c12f2930d6ecd874d603da5ce7059d3c66ba8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
Filesize
120KB

MD5
e737c486e1ff2cb34baca33f949b4aa4

SHA1
ba8f8fcf7f150583209f038ba9ffe7fc55854ae4

SHA256
192c5a87ee22bd28d58f8c232840509c00d7079a08826cef32306db7c14c1d39

SHA512
d0eb9a65d350db32da070c4dd079c4432df2ec81e08d903b91a22782a1a750fe452a0585b64284e87cde59a6e9bdbf33f33b0f595b9e42ede126b844a2f2e8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
Filesize
141KB

MD5
ed164a472a75ec2563845f999d78e5f1

SHA1
e3708f6cab757ff669d58fc7df533e09dab8a046

SHA256
0841ec4dfcc4252d3e1cc3d2e68bbc75e2d308eb875e43bd94d344828e7d8dee

SHA512
01af685ac374555b4c73983d7f466d962a45199fdfd8ca78497d4f65acfa1d1dc95653d5a7315b34b3ef3f4bc0effee29debd6972df6125e83a448c7fc762b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
165KB

MD5
1c030911418dad5c97202d830fd9ea3c

SHA1
5870bf6fe2f4c00a4a296e501f3bd290ef223206

SHA256
dc6b43d41f061601181684c15018a14126b9a2497d9bba90d5d953bf89212341

SHA512
b0133faa5d2867f0ff6b6d7f45498a1d96ba4d57486739a5e09a144315c4352d73652afb0f0cf0d5181bb6baacdfe84c1192df6feebc548da7dbc4bbba6ab72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
118KB

MD5
c147d4ddf54c858ee51fbc03d7087a6e

SHA1
0f603086a2498f345ec6f79204e757d05996229f

SHA256
6907faa9ad60300ac0c0c9e74fe57557b7bb570c00acca716578f450d077080a

SHA512
6e153f7597a7aa144b0fbb96792810ca57179aa7e7399ad42f08a9c1dd1bd2b3db274a95bae9518f5ca5946a74ccf069a0d52d2d74db41187a44af5e9c9f1671

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
57KB

MD5
e901b6e2715aabb0f6325b4f4bd7ce97

SHA1
b96e3fa2d22daa576b85ae3d5b759e8a514a0ba8

SHA256
cb1dd6537a8ea6df81b2d9b2832d1809a0b164bf535016c05b0c00d6aa3805f5

SHA512
2aa63fb1481dfcb45d8b913ae2dff2f037256c71b71360b98de5b042bfee0d4ebbb3ce15dadd806f2fd38b135d0be809b2aa69c797c7f0e34258b37bfacae6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
Filesize
281KB

MD5
68db7c53da79e753aa3a2925b8a8c0ad

SHA1
71afb05bb91250fd0af11a63ba73d48b59db1b52

SHA256
82ac70b200fad9c84896317b466a397c8260d4ed8af5e6e6f387cc9ec596adb7

SHA512
4be2e409c77e986673cb616e6b84770af2da2ed85ecde8b3e9952346a8b187281ee6a98b56a35384331c70cc55fd9ecf375413d36af0d966f579d5fd1eec2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
121KB

MD5
57ecbc598b77d793223e056248dc769d

SHA1
53fe54c55108421fe1d4336f8512627699f1bb2a

SHA256
c62bdef7da02c8fb7a04badab5182d1fd867022dff40169a00aa8454675be8d4

SHA512
f270ea17e71ce6c816d9bae4cc44043da7bc665359b74fc7194221dc7c965bc174d1098c4a8208ac06ae0869d13f63a6ca5f9c38db7572458b9910d293bbe6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
401KB

MD5
045091a8be6add4d196a2e65878246b3

SHA1
b2d8d8b4e59c071d9adf4a6c22f6de7d02f440be

SHA256
876c87f7d210a3655c07488b84cba1553fce5d90951b91479cedad7507492e0a

SHA512
5b74252945b7642832ff1c9be04d0168f90e5b2e1e638992e0307fa44128fb7f3693c27100aa1556ff63461609e66b2ed5c6a5c14a62f87cf94f585451403bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
197KB

MD5
cc868817838921d9d6ef6a4b0b3ab330

SHA1
01a8c62e4b6b715052b7ddeb42290f3bf951b3cd

SHA256
cd4980867d89f76af2ceb44555f5d484bf4969e4ad547f7afbfeb6694c91ced4

SHA512
60907548bfbb6e4fce3bbb3b656a2191b08e58ead4ea74fe0e3871e809f788ea324ad65ffc224baf30e68161deeb372ec17f7b04ae9901bf5401a6d64a715ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
160KB

MD5
ff244b13307f50837a4dad053227fdff

SHA1
37344f6d9003fac3e16e6e6aac91c74da1f24119

SHA256
b0a2df0d29071c29d403658c5be40762248990016e74812fdafb5fa8e10837fc

SHA512
e6d52ac6cada1f3d5298705d6d4410c6377bcdc9699059c48c49f8f64edf1ccb0fd59acd689b403dfb4874401678bc9b738a36206a88fcc8a68472d0877b71b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
103KB

MD5
21a8c542428828a5e6a1cb034a44fed0

SHA1
844fb1c927eda73d1a8f612be9ad2269c2b410d9

SHA256
58fd67dc7b2bd50109bf21c72203288cb4d385a85661fc9f45d0b3591984ce3a

SHA512
85f0a2793e267566408ecf36405011d0549d8c1e2aa65b1be2f4a0aaca57e8f1743993536efaa84989a7a60907a8690b156664708345c8c411e426cfbf502670

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
117KB

MD5
5e40035a409cb817b6bfbd533d4f4b45

SHA1
be427862e4392cd41ead4136265cb6b30e113c38

SHA256
a2435879ecfad2aa3f24d8fe8a4e54e213b5bee7864b009ec9efe892db4033ef

SHA512
d811c77692c4252c01a8d89e8659d03464099d7f0934c4351d2b73474b6daefde0a80e8187b43fa610a02c6cd9187a1efc33b31d46183e53e1ab90615166c5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
181KB

MD5
ef189d3e909148c06a72a6075f3fbfcc

SHA1
961c815e77626031d67e01986dd56b8dc6c43d9d

SHA256
58ab3bde91496302ef9ccf6ddd1dae1dbdfe9efd6c1eee0361500550fcf8cee2

SHA512
b7275fec86ab75f74ff64946da78818359a5459466eba0c5aa594ec1cf5a0819057b3f7283d2b064336ed3b51d85b0d05bc7913b16b1653ef82522b863761a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
277KB

MD5
0b978dec75094e8e0478e6f226cac3b9

SHA1
3eec4fe1be8cfe5ff755cb7626260bd622486bec

SHA256
c306fb42c268916b874630f47cf40e52afe510f8ff80e73a4a6e7f60d8058f63

SHA512
0166d7d1f520fc77fe4a6f0c669202866b8c3ff8a82de94b4227c156707a173116f50a4df0e0383d1389eb780b53ba80eb42b88281825ef6c21e74ebbf0fd920

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
192KB

MD5
07b763680e3e7d02028925fccad83d9e

SHA1
8756ec9a734e82e5ec9ec29625f81c56273103ea

SHA256
b0ee37a3b91c1ae0d535802e51980b4a3e45b00ae27b04c9fd929d9e71543c2d

SHA512
400e342402b3e4290e9463472cdb10c7f54cba83ff3b399702eec14870fe26bf8f002b5b3998fc0f32ebbae563d527fd36bc54e22f41611a7103d213df4a62bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1KB

MD5
60bb0bd7d015ed25f7b8aef1b41bf2ba

SHA1
c93ef1b5066d2fff7a95839e29bb59de211aba25

SHA256
c7aa7af9101cae3e29fc822fe45c0eff63993d8f790fbb5efbd284627ff195f9

SHA512
5b9bb6be682d54c15d70bc7c9b9aaac49f9b78e9a8eb0b52eb9bec2c1eed2c4e88201e3694bfea0af113b0df1bb2a31f86bb1a0be48c7d67ccebbc8daf292688

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
345KB

MD5
08a1082b60d408553022d9d5b4e1fd30

SHA1
382dac8c7192f4c502de8e30b39780c6616e41f9

SHA256
60168cd51d0121ecc0cdb2926c3810ab848aa9f7dd809efc0b819197f2fb86ec

SHA512
cb62cd554074a5f64d43233ab8ee18838283a706bbc70da40e64d15661c36258e18c959f5cbf07ee0c89eb5f2de7850f9b85516dda52d9be4e58d98b9c6d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
480KB

MD5
78aafdef87391a876cd8172d47de9f8f

SHA1
1bf8a0380cd9fd75e228048526d88453b37ab06c

SHA256
9681c13f447a25b207dface0ca068a45d6d48e9a713430ac0975eb4e09b31478

SHA512
c754f03f91b2335fcde8baa4940c5d04d263aee44824555ea001fafbea20c78b22265b436bb146fe7fe7e1f6d0f2a7b6355ae03a61fc92e98dc4eecbce3b309e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
147KB

MD5
480c3a1d6df37e4ae5b5eafb0ed80c12

SHA1
0ade00ceb9b9370ef6a65f0e61f1b90f822ae963

SHA256
14ca1347341b34d72f518a91fc6c6e44f82a8529a61f7958ec99ecda5c7609c2

SHA512
f1dd0276434985f5eace431bd8112e003b0d7df52792c27141093b875592c980f8c98047b5de78610ee0c910ea0502320cb7a4b683b31b330f7b094776291164

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
391KB

MD5
d3e91fda39ad32d80ce0144761ce551a

SHA1
adb9ddae5f34c19ed48391007f1b4c74cd1e2b54

SHA256
60f04a05a1d37f202f2573292518725aa6668cc841294a023bfc65c69bc4c112

SHA512
fdc6d1cca2242fabc8308c62e51cf384542b86c69fa2b3f01b5347b86846cdf622fbcd56fb9577ba6175a2ee8968d7d2a176ce83d0cba342262b4718df11edef

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
68KB

MD5
adc3814753fe3cf73c5781987041ad0c

SHA1
a29ceb7cb7703e46f7d415163e76b4433bd05c8a

SHA256
8dd28ef8a1feefbdb775b9ea44e2df11da89de9dae5597310437d038ea67e2c7

SHA512
fcc5297d68522dc3a63ad3abf2b70ebac65e98126163321a42b0da7a99f8713040f685c8a4342e8732f2ad5a430345731fa2866b660cf2e468fce5a9ac791715

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
464KB

MD5
c68e8643d21a9339eb6bf4ca1949754d

SHA1
732d205bab5415dd28ba4f85d3e81f19147eb392

SHA256
2ab5f18b67a0eb16d16e42a33b4f6e3fb930d737d165006a4843e898fe03b0d1

SHA512
bba219d2b7c701d4386e7f5e8692304ef6e1ae83220e495a2b05c78af85aa98cd6097c5fa95080b305c3b2ae320bf75447649a4f8a6811389daaf2c9c27facfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
43KB

MD5
ec5fd22808f4554866061e41bf071e6c

SHA1
b7e658ca59fbfa2336701a948d27fcebea34e1e2

SHA256
8cbb960e261dd948a89a430dfb5d545cc07245e8abfdf0b513ca3b86196913c9

SHA512
5221600a51660e23063c1443eb6169fbf01378d3422646f9f5e1980bf704f1a09586714e92eeef8ce0ad8e5564d95e59dbf5e819fd7fc5512106357e8b98b9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2w5jlcwv.eeo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
175KB

MD5
87c2ae7aa92502ae81e7b3ff7509d206

SHA1
83b5cc7d9b1a2b1cce7a02968242c746cec125e9

SHA256
cc0d77af967e19775fb7b7cafe53287035953f11c79b704e9685fdc3c1af622c

SHA512
205b1165d462d0864217edc00a0ca13c60a3cb63e12a9aa2d84083153ddb21eeee92b2df96c4202cf235888a3b759cb83f89a3b7d771a811d25733f885dacfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
271KB

MD5
22acd3ae0414e0a7a311ae73cf8fcb06

SHA1
aea663fe67da569920f008925a5d940fe0adaad9

SHA256
f9794d31cd1fafc3f98162ed7a1f0a7f241bdeac9596f4b3093a7c4251e5b336

SHA512
23f332007180687a68dbb7e066a694d2acdb426f2b28e7703c93010e25d5dbb1c4a5de612c085dd15e0755ed97832784027224b2651ae24df3d1da3a948f92e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
b06437ffb6c87f69539842cd536e78d3

SHA1
6799f24d5ff74fe1a045ea9845704bbbd1c818f6

SHA256
38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

SHA512
b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB78A.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
313KB

MD5
be5dd8b7ee665c298c372c4883c3c15e

SHA1
f996f23d5a9d9702e564b94a658dddba4e185660

SHA256
ecc729d531520e7efb7fc1f228032466412c913df6bba13bdab252813dd01098

SHA512
6cf239a6c29ce95def999c786d5b3836e7355f56fe7fc3210f6e1123e83d97a3badc5a5e1afe7b1718195bfd4d0a7223f2fa9af6214e2af5a0922532d5078930

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
230KB

MD5
219e7425b61f8b9f627e1a4659901f2d

SHA1
651ef7d25f58ddcc3d71d2d43078a9112929cde9

SHA256
137aaf991507d90ad86343ea960b798f349504fcbdc3b004ffd9a50366b6c1b9

SHA512
70c20cad836330c262939882b31456c17e19c7fb120f64642910f69cdb68a4bf9a97b9fc46e337f3715b73ba7e7415ac7454b38d97124d98c626a6b6a4243694

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
48KB

MD5
329081245e83f9387da2e284d5c8c6cf

SHA1
286a52cf2d20ba51efe84a7499f1f501d1789154

SHA256
972d80dcb8e91e80a1e66fa2667b840d86e3a6222d4a3f8df21a46b56f3497a2

SHA512
fe7c9efab86cb896155a180c3bd11bee41ba58cafca3a0943695e9e3bc5a55adabae48ec23efa1595253e832a7b60768dcc0d96150f43cd02082c2635e423dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
68KB

MD5
b7b784828073fb2829cf2dfd17cd01d7

SHA1
4fad5ae0e40a0e5577ef39f29724d55b8def36d6

SHA256
e0a224372aaeea2acb735e99022a71b1b473df36da489058ea93633043b3002f

SHA512
3fc5bf39968788c43634cad3562ddd44a03e66c76e2137b966c11311065938b8893d62051a482e6d18bc23c75921c34ba4e61d0decbff1506401bb7159145ffc

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
16KB

MD5
893768341f0cde691bd48819c3557a41

SHA1
f06f6a21dfafa040a1547a8da25ae5c1448a08c0

SHA256
9572f0fb80ae5bc3bd77c99818eaaad43d7f5157c92603e826e10001a9d4c155

SHA512
192519080b9deeb87e560522bf28d11db5416c68cf44b1a89b6b4485de5825864b9ea1666c345a7cb8407d052362f741d5baca81773cf78ca81c8cff86733f14

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
42KB

MD5
25b38c1cf0b5c28b8d5afd1746c9e88c

SHA1
399fa10f09ff0e4ea66b5ad5e3d44dc54ae63a0e

SHA256
856e11537eac11974df7e2dc362c5bd6979a3a616ccf939afbc3b84dea4d339f

SHA512
27e88a4e9ba5010f9967491076980303ca4767096aef96dd33d5fe75933f73c175922fe5b450c04135551b037949ff1238616371fa97def743b84bae52661850

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
57KB

MD5
908ac3bcf77f46b96f3685f39d71bf9a

SHA1
1a408996005baa68467289aab892d341d3f9583f

SHA256
a19387eb71ef611f0a4ea1c98eafb670bfe50ed7792bbc6c53621bd973fde5a2

SHA512
b97ec257ebfc828622512d9f67456b9119d0eeab1d30338d57a86746935c09ef3c245ef514518278052f5004d8eab04a2cfbc14b5aa9c8cbf4a2a67a95eb7552

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
71173f23ae22ec1b6dc5bfae7caf4f22

SHA1
c6b401463f4b84660bb96885948c3f420a1197aa

SHA256
a21f5423fcc148b39d13ec7161d6aa9d197c1fa06b426b0b93791e3766ce0892

SHA512
193ac643ad1a2e4a7b1df666b7324ed96f62a416e82827a4f71452a7933ad1c49a2a93c2d122a2add97e5a1c40655553ca65fe9d344e69ca3d756fbf1a0aabf7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
cc12ea1bd2448437b58b90e4f0b2c164

SHA1
7cb8351edd38dd3639bae269bb7dd38628a4fd74

SHA256
20b6beb65d25af203a6401f2825e6a2343b3b49f9c86ef691f3d228619b299d6

SHA512
e1e546ef726338a9e267d2c2d4c41dbaf3e71a68169d5f6f26a33f518b67b5ba0fe37a9a6e5eb1cad33cb3c473590558db84b20463b5863cadc1d1015a764176

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d2b2fdb2043e2415684cf24034aaf130

SHA1
804327ae0ef497644384211c8c74a0c34c04748e

SHA256
252dd2efa9b80025a9828495d44092be2a270a680bce8c1f78e168e47be358d0

SHA512
5758340d3f98e8de3f35ee43ea165cb228b1392ba20399e456105ddc45fd928e19d186caf38df27f96f0c3e7f3640fc5cdeacdf2d758d266a8f3c4fc924f0c03

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
55ab88977cd3466b0affd372c9cda3f3

SHA1
fd5183b5ba087e51c457666823374769bc86463e

SHA256
18f991191b7ea4118f83b0cb4e648f5552d33e0b0bc118e58a2ed2db36a04449

SHA512
1ae7fd62efba9a5a0f448faaebc7f3278c60c4dd4c043f5409d6086ac1a29cb6cfeef45f6e232899f3772f05d68379e79f5dce913436755a9621363e2a7927f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f0ccb5263368da32a9ccf21b88e4136d

SHA1
9916792c3f9e064486a787f4f43d3f547cbb9af6

SHA256
d665fadff48f92632e871f88a991c7dd5df16dcc424ae617919b784cb816fabf

SHA512
bb7d72ea54efdd3dfcb91d26123467948525de33da0c59884c92684a9c1d9a64185ae27d75da9fa1c65f1a6fbac9607bbc389cc80cfb8a869b2bfe0edfd0741c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
288KB

MD5
c48a9726fbe0cbf1ff1fc34234c6f8d2

SHA1
d85f68b140d6cc4a0940b97f7bbc2f91589af9ff

SHA256
f70d670b433b02657fef04cb8d1c5669d42beb07928275b5de4cceb6cc645c17

SHA512
d6ccbb835729c465e2c2c2f9ea29e54981afe9e647a3b7fe8bdc7ce7165abf2c4675cac8c42f63a42c45cf7cd4b0bacbed5baa4121f88dfd58bc7b89814a15a6

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
85adfc825e1e654524565fa313b7ddbd

SHA1
f92418c2f842c6441dc00eea517edae7a3989aef

SHA256
980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089

SHA512
e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

Download Submit
memory/444-272-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/444-290-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/444-1166-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/444-1033-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/836-0-0x00000000000A0000-0x00000000004A8000-memory.dmp

Filesize
4.0MB

Download
memory/836-1-0x00000000000A0000-0x00000000004A8000-memory.dmp

Filesize
4.0MB

Download
memory/836-13-0x00000000000A0000-0x00000000004A8000-memory.dmp

Filesize
4.0MB

Download
memory/836-2-0x00000000000A0000-0x00000000004A8000-memory.dmp

Filesize
4.0MB

Download
memory/1652-231-0x0000000006860000-0x0000000006E78000-memory.dmp

Filesize
6.1MB

Download
memory/1652-199-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1652-250-0x00000000083D0000-0x000000000841C000-memory.dmp

Filesize
304KB

Download
memory/1652-245-0x0000000008380000-0x00000000083BC000-memory.dmp

Filesize
240KB

Download
memory/1652-234-0x0000000008210000-0x000000000831A000-memory.dmp

Filesize
1.0MB

Download
memory/1652-236-0x0000000008320000-0x0000000008332000-memory.dmp

Filesize
72KB

Download
memory/1652-179-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1652-186-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/1652-189-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/1652-196-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1652-561-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/1652-180-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2036-181-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2036-175-0x0000000003300000-0x0000000005300000-memory.dmp

Filesize
32.0MB

Download
memory/2036-157-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2036-164-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/2036-156-0x0000000000FA0000-0x0000000001004000-memory.dmp

Filesize
400KB

Download
memory/2356-690-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2356-262-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/2356-278-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2356-683-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2356-273-0x0000000003160000-0x0000000005160000-memory.dmp

Filesize
32.0MB

Download
memory/2356-687-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2356-778-0x0000000007E60000-0x000000000838C000-memory.dmp

Filesize
5.2MB

Download
memory/2356-251-0x0000000000E90000-0x0000000000EE6000-memory.dmp

Filesize
344KB

Download
memory/2356-254-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2356-775-0x0000000007760000-0x0000000007922000-memory.dmp

Filesize
1.8MB

Download
memory/2356-745-0x0000000006FC0000-0x0000000007010000-memory.dmp

Filesize
320KB

Download
memory/2544-668-0x00000000001B0000-0x000000000021C000-memory.dmp

Filesize
432KB

Download
memory/2544-691-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2544-685-0x0000000002430000-0x0000000004430000-memory.dmp

Filesize
32.0MB

Download
memory/2544-672-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/2544-673-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2796-265-0x0000000000580000-0x0000000000A63000-memory.dmp

Filesize
4.9MB

Download
memory/2796-36-0x0000000000580000-0x0000000000A63000-memory.dmp

Filesize
4.9MB

Download
memory/3164-86-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-110-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-291-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3164-1169-0x00000000050D0000-0x000000000511C000-memory.dmp

Filesize
304KB

Download
memory/3164-70-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-1168-0x0000000005040000-0x00000000050D4000-memory.dmp

Filesize
592KB

Download
memory/3164-74-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-84-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-82-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-1167-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3164-277-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/3164-80-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-92-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-102-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-108-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-66-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-59-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/3164-58-0x0000000000450000-0x000000000054A000-memory.dmp

Filesize
1000KB

Download
memory/3164-60-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3164-72-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-90-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-114-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-116-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-118-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-112-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-61-0x0000000004E00000-0x0000000004EFC000-memory.dmp

Filesize
1008KB

Download
memory/3164-62-0x0000000004F00000-0x0000000004FFC000-memory.dmp

Filesize
1008KB

Download
memory/3164-63-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-88-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-94-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-96-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-98-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-131-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-64-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-120-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-76-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-78-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-100-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-104-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-106-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3164-68-0x0000000004F00000-0x0000000004FF7000-memory.dmp

Filesize
988KB

Download
memory/3252-629-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/3252-551-0x0000000001120000-0x000000000117A000-memory.dmp

Filesize
360KB

Download
memory/3252-556-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/3252-558-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3252-697-0x00000000066D0000-0x0000000006746000-memory.dmp

Filesize
472KB

Download
memory/3252-701-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/3632-318-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3632-310-0x0000000072B20000-0x00000000732D0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-314-0x0000000000DA0000-0x0000000000DF4000-memory.dmp

Filesize
336KB

Download
memory/4428-252-0x0000000000D50000-0x0000000001158000-memory.dmp

Filesize
4.0MB

Download
memory/4428-259-0x0000000000D50000-0x0000000001158000-memory.dmp

Filesize
4.0MB

Download
memory/4428-16-0x0000000000D50000-0x0000000001158000-memory.dmp

Filesize
4.0MB

Download
memory/4428-19-0x0000000000D50000-0x0000000001158000-memory.dmp

Filesize
4.0MB

Download