amadey | 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c1e965d21ddfb6972824827a6ad3ed5.exe
Size

790KB
MD5

5c1e965d21ddfb6972824827a6ad3ed5
SHA1

3267ccd4de8c23ab99433235d5529937409162e7
SHA256

82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
SHA512

2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0
SSDEEP

12288:iwx2ZDHcnIo7YNQYBeW8/LViyIakQz15bbPnK2I4uGxZbmqMrUAPJHj0gr:iwx4DHcnJwQpiyIakELT5ZbmNrUuj0

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-64-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral2/memory/1844-292-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-64-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
behavioral2/memory/1168-105-0x00000000002E0000-0x0000000000332000-memory.dmp	family_redline
behavioral2/memory/724-253-0x0000000004A10000-0x0000000004A4E000-memory.dmp	family_redline
behavioral2/memory/724-250-0x00000000024D0000-0x0000000002512000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
behavioral2/memory/400-204-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5032-114-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-117-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-119-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-121-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-122-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-123-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-124-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-120-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-148-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-151-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-146-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-153-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/5032-126-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

59 6028 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5644 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
59	6028	rundll32.exe

pid	process
5644	netsh.exe

.NET Reactor proctector 20 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4832-154-0x00000000050B0000-0x000000000525C000-memory.dmp	net_reactor
behavioral2/memory/4832-163-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-162-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-166-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-157-0x0000000004F00000-0x00000000050AC000-memory.dmp	net_reactor
behavioral2/memory/4832-195-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-192-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-202-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-205-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-232-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-236-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-274-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-278-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-261-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/1844-292-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor
behavioral2/memory/4832-254-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-249-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-218-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-197-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor
behavioral2/memory/4832-177-0x0000000004F00000-0x00000000050A5000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

moto.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegAsm.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5c1e965d21ddfb6972824827a6ad3ed5.exeexplorhe.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	5c1e965d21ddfb6972824827a6ad3ed5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 31 IoCs

Processes:

explorhe.exemoto.execrypted.exeRegAsm.exe2024.exealex.exerdx1122.exeleg221.exeqemu-ga.exeolehps.exeLogs.exeWerFault.exeWerFault.exeInstallSetup7.exeConhost.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exeinstalls.exeFirstZ.exenetsh.exeWerFault.exesadsadsadsa.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeexplorhe.exereakuqnanrkn.exeinjector.exewindefender.exewindefender.exeexplorhe.exe

pid	process
1948	explorhe.exe
2740	moto.exe
3036	crypted.exe
2016	RegAsm.exe
1168	2024.exe
4832	alex.exe
3100	rdx1122.exe
724	leg221.exe
1228	qemu-ga.exe
1712	olehps.exe
3184	Logs.exe
3304	WerFault.exe
1476	WerFault.exe
2304	InstallSetup7.exe
4068	Conhost.exe
1760	31839b57a4f11171d6abc8bbc4451ee4.exe
232	BroomSetup.exe
3588	rty25.exe
5308	installs.exe
5336	FirstZ.exe
5644	netsh.exe
6100	WerFault.exe
4560	sadsadsadsa.exe
3524	31839b57a4f11171d6abc8bbc4451ee4.exe
5640	csrss.exe
2660	explorhe.exe
5948	reakuqnanrkn.exe
5688	injector.exe
1856	windefender.exe
5040	windefender.exe
2340	explorhe.exe

Loads dropped DLL 3 IoCs

Processes:

InstallSetup7.exerundll32.exe

pid process

2304 InstallSetup7.exe
2304 InstallSetup7.exe
6028 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2304	InstallSetup7.exe
2304	InstallSetup7.exe
6028	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

40 pastebin.com
41 pastebin.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
40	pastebin.com
41	pastebin.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 11 IoCs

Processes:

powershell.exeFirstZ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exereakuqnanrkn.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

explorhe.exe

pid	process
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe
1948	explorhe.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

crypted.exeRegAsm.exerdx1122.exealex.exenetsh.exeWerFault.exereakuqnanrkn.exe

description	pid	process	target process
PID 3036 set thread context of 4984	3036	crypted.exe	RegAsm.exe
PID 2016 set thread context of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 set thread context of 5032	2016	RegAsm.exe	conhost.exe
PID 3100 set thread context of 400	3100	rdx1122.exe	RegAsm.exe
PID 4832 set thread context of 1844	4832	alex.exe	WerFault.exe
PID 5644 set thread context of 2712	5644	netsh.exe	RegAsm.exe
PID 1476 set thread context of 5492	1476	WerFault.exe	RegAsm.exe
PID 5948 set thread context of 5188	5948	reakuqnanrkn.exe	conhost.exe
PID 5948 set thread context of 4592	5948	reakuqnanrkn.exe	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2612	sc.exe
4836	sc.exe
5744	sc.exe
560	sc.exe
660	sc.exe
2308	sc.exe
5516	sc.exe
3340	sc.exe
4688	sc.exe
3404	sc.exe
1976	sc.exe
5132	sc.exe
3148	sc.exe
6092	sc.exe
1096	sc.exe
1232	sc.exe
4680	sc.exe
4852	sc.exe
6016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 49 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5412	4068	WerFault.exe	toolspub1.exe
5584	1760	WerFault.exe
4536	6100	WerFault.exe	nsn99D1.tmp
5132	1760	WerFault.exe
3168	1760	WerFault.exe
5772	1760	WerFault.exe
5712	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3612	5308	WerFault.exe	installs.exe
6048	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5452	5492	WerFault.exe	RegAsm.exe
5412	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
6080	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2628	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5632	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5616	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1480	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5448	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3168	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5180	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4808	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3452	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5856	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5668	1760	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5808	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4484	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
976	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
6108	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4044	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5848	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4668	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1372	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1348	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4804	3524	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5828	5640	WerFault.exe	csrss.exe
5832	5640	WerFault.exe	csrss.exe
6132	5640	WerFault.exe	csrss.exe
5760	5640	WerFault.exe	csrss.exe
5956	5640	WerFault.exe	csrss.exe
5968	5640	WerFault.exe	csrss.exe
5268	5640	WerFault.exe	csrss.exe
3304	5640	WerFault.exe	csrss.exe
4572	5640	WerFault.exe	csrss.exe
5508	5640	WerFault.exe	csrss.exe
4172	5640	WerFault.exe	csrss.exe
1900	5640	WerFault.exe	csrss.exe
5132	5640	WerFault.exe	csrss.exe
1844	5640	WerFault.exe	csrss.exe
5888	5640	WerFault.exe	csrss.exe
4928	5640	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Conhost.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Conhost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Conhost.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3008 schtasks.exe
5808 schtasks.exe
2896 schtasks.exe
2012 schtasks.exe

pid	process
3008	schtasks.exe
5808	schtasks.exe
2896	schtasks.exe
2012	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

moto.exeRegAsm.exeRegAsm.execonhost.exe2024.exeleg221.exeRegAsm.exeConhost.exeLogs.exeolehps.exe

pid	process
2740	moto.exe
2740	moto.exe
2740	moto.exe
2740	moto.exe
2740	moto.exe
2016	RegAsm.exe
2016	RegAsm.exe
4984	RegAsm.exe
4984	RegAsm.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
1168	2024.exe
1168	2024.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
724	leg221.exe
724	leg221.exe
400	RegAsm.exe
400	RegAsm.exe
5032	conhost.exe
5032	conhost.exe
4068	Conhost.exe
4068	Conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
3184	Logs.exe
3184	Logs.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
1712	olehps.exe
1712	olehps.exe
1168	2024.exe
1168	2024.exe
1168	2024.exe
1168	2024.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
5032	conhost.exe
1168	2024.exe
1168	2024.exe
400	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

conhost.exealex.exeRegAsm.exe2024.exeleg221.exeWerFault.exeRegAsm.exeLogs.exeolehps.exeRegAsm.exeWerFault.exesadsadsadsa.exeConhost.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.execsrss.exesc.exe

description	pid	process
Token: SeLockMemoryPrivilege	5032	conhost.exe
Token: SeDebugPrivilege	4832	alex.exe
Token: SeDebugPrivilege	4984	RegAsm.exe
Token: SeDebugPrivilege	1168	2024.exe
Token: SeDebugPrivilege	724	leg221.exe
Token: SeDebugPrivilege	1476	WerFault.exe
Token: SeDebugPrivilege	400	RegAsm.exe
Token: SeDebugPrivilege	3184	Logs.exe
Token: SeDebugPrivilege	1712	olehps.exe
Token: SeDebugPrivilege	2712	RegAsm.exe
Token: SeDebugPrivilege	1844	WerFault.exe
Token: SeDebugPrivilege	4560	sadsadsadsa.exe
Token: SeDebugPrivilege	5732	Conhost.exe
Token: SeDebugPrivilege	1760	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1760	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	6068	powershell.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeShutdownPrivilege	984	powercfg.exe
Token: SeCreatePagefilePrivilege	984	powercfg.exe
Token: SeShutdownPrivilege	4428	powercfg.exe
Token: SeCreatePagefilePrivilege	4428	powercfg.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeCreatePagefilePrivilege	4052	powercfg.exe
Token: SeShutdownPrivilege	1888	powercfg.exe
Token: SeCreatePagefilePrivilege	1888	powercfg.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	1764	powercfg.exe
Token: SeCreatePagefilePrivilege	1764	powercfg.exe
Token: SeShutdownPrivilege	736	powercfg.exe
Token: SeCreatePagefilePrivilege	736	powercfg.exe
Token: SeShutdownPrivilege	3760	powercfg.exe
Token: SeCreatePagefilePrivilege	3760	powercfg.exe
Token: SeShutdownPrivilege	5384	powercfg.exe
Token: SeCreatePagefilePrivilege	5384	powercfg.exe
Token: SeLockMemoryPrivilege	4592	explorer.exe
Token: SeSystemEnvironmentPrivilege	5640	csrss.exe
Token: SeSecurityPrivilege	560	sc.exe
Token: SeSecurityPrivilege	560	sc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

5c1e965d21ddfb6972824827a6ad3ed5.exeexplorhe.exeBroomSetup.exeexplorhe.exeexplorhe.exe

pid process

4468 5c1e965d21ddfb6972824827a6ad3ed5.exe
1948 explorhe.exe
232 BroomSetup.exe
2660 explorhe.exe
2340 explorhe.exe

pid	process
4468	5c1e965d21ddfb6972824827a6ad3ed5.exe
1948	explorhe.exe
232	BroomSetup.exe
2660	explorhe.exe
2340	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5c1e965d21ddfb6972824827a6ad3ed5.exeexplorhe.execrypted.execmd.exeRegAsm.exerdx1122.exeRegAsm.exe

description	pid	process	target process
PID 4468 wrote to memory of 1948	4468	5c1e965d21ddfb6972824827a6ad3ed5.exe	explorhe.exe
PID 4468 wrote to memory of 1948	4468	5c1e965d21ddfb6972824827a6ad3ed5.exe	explorhe.exe
PID 4468 wrote to memory of 1948	4468	5c1e965d21ddfb6972824827a6ad3ed5.exe	explorhe.exe
PID 1948 wrote to memory of 3008	1948	explorhe.exe	schtasks.exe
PID 1948 wrote to memory of 3008	1948	explorhe.exe	schtasks.exe
PID 1948 wrote to memory of 3008	1948	explorhe.exe	schtasks.exe
PID 1948 wrote to memory of 2740	1948	explorhe.exe	moto.exe
PID 1948 wrote to memory of 2740	1948	explorhe.exe	moto.exe
PID 1948 wrote to memory of 3036	1948	explorhe.exe	crypted.exe
PID 1948 wrote to memory of 3036	1948	explorhe.exe	crypted.exe
PID 1948 wrote to memory of 3036	1948	explorhe.exe	crypted.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 3036 wrote to memory of 4984	3036	crypted.exe	RegAsm.exe
PID 1932 wrote to memory of 4068	1932	cmd.exe	Conhost.exe
PID 1932 wrote to memory of 4068	1932	cmd.exe	Conhost.exe
PID 1948 wrote to memory of 1168	1948	explorhe.exe	2024.exe
PID 1948 wrote to memory of 1168	1948	explorhe.exe	2024.exe
PID 1948 wrote to memory of 1168	1948	explorhe.exe	2024.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 3552	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 2016 wrote to memory of 5032	2016	RegAsm.exe	conhost.exe
PID 1948 wrote to memory of 4832	1948	explorhe.exe	alex.exe
PID 1948 wrote to memory of 4832	1948	explorhe.exe	alex.exe
PID 1948 wrote to memory of 4832	1948	explorhe.exe	alex.exe
PID 1948 wrote to memory of 3100	1948	explorhe.exe	rdx1122.exe
PID 1948 wrote to memory of 3100	1948	explorhe.exe	rdx1122.exe
PID 1948 wrote to memory of 3100	1948	explorhe.exe	rdx1122.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 3100 wrote to memory of 400	3100	rdx1122.exe	RegAsm.exe
PID 1948 wrote to memory of 724	1948	explorhe.exe	leg221.exe
PID 1948 wrote to memory of 724	1948	explorhe.exe	leg221.exe
PID 1948 wrote to memory of 724	1948	explorhe.exe	leg221.exe
PID 4984 wrote to memory of 1228	4984	RegAsm.exe	qemu-ga.exe
PID 4984 wrote to memory of 1228	4984	RegAsm.exe	qemu-ga.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:3008

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:1232

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4852

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4688

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:1228

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1844

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
3⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:5848

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:5536

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:5808

C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
5⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 288
6⤵
- Program crash
PID:4536

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 352
5⤵
- Program crash
PID:5412

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5336

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Launches sc.exe
PID:4680

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:3404

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:660

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
PID:5132

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:3148

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:2308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:1976

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:5516

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 720
5⤵
- Program crash
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 744
5⤵
- Program crash
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 768
5⤵
- Program crash
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 784
5⤵
- Program crash
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 812
5⤵
- Program crash
PID:2628

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 640
5⤵
- Program crash
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 748
5⤵
- Program crash
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 624
5⤵
- Program crash
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 628
5⤵
- Program crash
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 892
5⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 936
5⤵
- Program crash
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928
5⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 944
5⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 848
5⤵
- Program crash
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 920
5⤵
- Program crash
PID:5668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 356
6⤵
- Program crash
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 644
6⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 696
6⤵
- Program crash
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 744
6⤵
- Program crash
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 708
6⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 736
6⤵
- Program crash
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 696
6⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 224
6⤵
- Program crash
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 340
6⤵
- Program crash
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 732
6⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5612

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 684
7⤵
- Program crash
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 684
7⤵
- Program crash
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 772
7⤵
- Program crash
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 764
7⤵
- Program crash
PID:5760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 788
7⤵
- Program crash
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 672
7⤵
- Program crash
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 392
7⤵
- Program crash
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 388
7⤵
- Executes dropped EXE
- Program crash
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 372
7⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 636
7⤵
- Program crash
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 912
7⤵
- Program crash
PID:4172

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:1188

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 972
7⤵
- Program crash
PID:1900

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 988
7⤵
- Program crash
PID:5132

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 932
7⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1108
7⤵
- Program crash
PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1124
7⤵
- Program crash
PID:4928

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
3⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 1208
5⤵
- Program crash
PID:5452

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
3⤵
- Executes dropped EXE
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 312
4⤵
- Program crash
PID:3612

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
3⤵
PID:5644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\conhost.exe
conhost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6028

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:2016

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3552

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4068 -ip 4068
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1760 -ip 1760
1⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 372
1⤵
- Program crash
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1760 -ip 1760
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 388
1⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 392
1⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6100 -ip 6100
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1760 -ip 1760
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 440
1⤵
- Program crash
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5308 -ip 5308
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1760 -ip 1760
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5492 -ip 5492
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1760 -ip 1760
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1760 -ip 1760
1⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
1⤵
PID:6104

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1760 -ip 1760
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1760 -ip 1760
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1760 -ip 1760
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1760 -ip 1760
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
1⤵
- Executes dropped EXE
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1760 -ip 1760
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1760 -ip 1760
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524
1⤵
PID:6120

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524
1⤵
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3524 -ip 3524
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3524 -ip 3524
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3524 -ip 3524
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3524 -ip 3524
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3524 -ip 3524
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3524 -ip 3524
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5640 -ip 5640
1⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5640 -ip 5640
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5640 -ip 5640
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5640 -ip 5640
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5640 -ip 5640
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5640 -ip 5640
1⤵
PID:6088

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5948

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:6092

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5188

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:6016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4836

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5640 -ip 5640
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5640 -ip 5640
1⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5640 -ip 5640
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5640 -ip 5640
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5640 -ip 5640
1⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:5456

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
2⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5040

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5640 -ip 5640
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5640 -ip 5640
1⤵
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
1.3MB

MD5
d03c4906c952132f93f399169df517e3

SHA1
b0b4ae6ec0920a9e22921d0b755e84c9c26ff5f9

SHA256
6bc8dd684b86178ffe2ae02fc5ba713823b13bc61686845b95365840e0d90d7d

SHA512
cb68bdf0f18703ec9996007cad40e15f4230bc5a2af9e1253d16e5c2b244f13b52739cd40feb779a7039f6c9689f0f266ec115bb930e6df445d70bc119dfbc01

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
129KB

MD5
918da0105549aac3409ac0a601fa8c8b

SHA1
99ea14c67138d423cfc8b37f8bb145fc3df6355b

SHA256
511189e2f3f4641f07806100751b5fcdc2532e48076d32a7b2da7f6472efcb67

SHA512
2a107938329911ffc6d8efd6d0d19d462adc3ec0289b0f52b8e3f829f7ff8ab8f51a2a27399a9400f35483b5fdb46f78769189f98d00adbd697d78d0cbf23d5f

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
109KB

MD5
4b3abb01d3b1c9d16911ad10329bc1fb

SHA1
55124b5756d3ab7732e161bc3cf78497c11ecb3d

SHA256
ec41ebde8c0b2474a1df607f2112ce39275dee60a0ec9dec2ebe301f6a06f631

SHA512
fe2021dd6ea55032b6c04d2d257434d66b3dfe021d1e9cce1071f65112bf6bdb539504dad985b42b1999fa6bb9588dcda948c24bb704bdc60cc331bd76fdcacf

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
57KB

MD5
27fd92a15da2d6b9bb6f93a6dbc9a3dd

SHA1
7dfb9880c2720571e859ca2295607a27cfebccaa

SHA256
c72dae3390bb342058e0b25077bd061cd36cba92120fc43d6e5205e5b114f3cf

SHA512
d0ba823b6644a599e2c3e1ef1f36f8d1427ab421570318d5ded0499b93f8397af3766209ecdfe4c43cca00f71752eaa92b554f515c07cd4497c4e1bde9985aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1dfbfa155719f83b510b162d53402188

SHA1
5b77bb156fff78643da4c559ca920f760075906c

SHA256
b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831

SHA512
be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
505KB

MD5
5be010fcbca732027b1827d951ac1809

SHA1
f4f814e8d012beaa508bf66fa253320a4386fab1

SHA256
a7b9aa9c5570a94b84ef8bdb32de2de144d9ec664fcac3562fe824ea2c13a64d

SHA512
d9d62c5c4f817a63bbfbf17bdfc205b1390052ecdf931b4795fcdff18e41bb80e22a9f89d1a2f8452d7e765233597ba21d1b191fc17b33ca6903b37edfe4319f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
184KB

MD5
a01a91a8e82f826f8e18da57442c2c1b

SHA1
0a68fbace281435e18db380769b8884926ac7056

SHA256
d2ea0f68c1b550d503370fb280914edec7a5d190487a37d6c71dd60f784361bc

SHA512
15b696d073a9eaced5d1c7f588aa594adcdbc77043cdd8a243d573d378166397dbd121bd1b2aec4d8f3c42d7e45352db930ba9581c4650c9d854a7a2780f55cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
280KB

MD5
0b4fe42f318029cc59f6d042b1b477c0

SHA1
6fa25e328499ff9ee6041fc8210965edf8850da2

SHA256
cc1188de2b5f2a21cf8a93367fec453d5b84aa3c609ef778949e73768c2ad18f

SHA512
0811042e16693b5d37b315376c16bfa8df60cb7f1721d3865f2912988f2e93edc80aac127a25f4c42b0f469a424947029f1c2ea4b6e3c3b5546b027c6778911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
118KB

MD5
1e17144c5aa7340c87eb4d28a350c0d0

SHA1
cf8ea5439024864d0b0887841fc68bd0849578ba

SHA256
4a1d10b3aed949328b64f9515d3b744342de2238518d5960e3b293a2fe890edc

SHA512
dae090fb16f5e2ae7d6f1073b63f2a888f3da6c89360a68ea74d2f3a33da94183640b9e0f37653299e3e9502da152e7ff1244942de7da11d4ffbac2ff796f611

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
107KB

MD5
d9b18b522917365fcc3d323da23f4b66

SHA1
4b782ca675d5adbd1852eda905a654aae24df8e4

SHA256
42ecf9196def58ace41ec6afea4428515a657447da33ddd97ca51a03f17a35bc

SHA512
faa82a225756919c947b739a5021630a0cefd6ba778f6e57ee24baa2f97c7f17f61864653160694940670bf1dbf0aea111ca79de239d11f5d304526d3a8a5585

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
11KB

MD5
200d35a7f6656faa9f84e1a66d503737

SHA1
f7acbe2b49704b284cfe7ffd92b8f216c9c0a8a5

SHA256
dc088fb819f3907a89a3aa305141678ab8bbb9ce3b6fbd474900fa7563d98100

SHA512
ca5c00e08a74d52afa7a01f248328e30fa98d6bcbb3b5e57e0951aff0421e21ec29f5cb1f3f9a1a13814b81134dda7f68604601e5fcfcb6936af817fa8c01352

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
79KB

MD5
acf0f40ee0a3542084a6db8387eec3b3

SHA1
342c0c363fa998360cd489d3d5fcf8b7917f5ff0

SHA256
1a8379d2a05cbc4172346b51a7f5986c84cf4ea4a4ae097884cc2768dc88c7bb

SHA512
1f5e6933cb33cdaf6ce5149ed1cfb70131d52e07d752ef67d2ae304bac7d96630ddb513489cd4fb69a49288f8de7cf265d2224f8ae4b864358c5f19cfd7a150b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
61KB

MD5
0f35692594963b3364bec1b4b807fe30

SHA1
08f1fac251cb7dd77a915705efaa9423c0aeb467

SHA256
9de8418c6660cf533e354e826a7c50c0fac5cf785519431488d633665e3a1036

SHA512
a8b2dc4804bd1b7ccfbc32b7320bdace0ad2d0b125ed58072ed731178119f1ef35f90dfc33ad1ced6bb8d41a63179cff766d25ee4dc4b9bcc1582a71642f47ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
329KB

MD5
927fa2810d057f5b7740f9fd3d0af3c9

SHA1
b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8

SHA256
9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9

SHA512
54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
110KB

MD5
9a3f4a2d9ff0afdeee57cbfb7998cd7f

SHA1
d3fb95ee7de62bf876f1c4ed8bc2526e15b70854

SHA256
2ea670ae2b35f9d73f264191ee71bc329ae2b7c66989c67b0c364dd1e0ac71d6

SHA512
cbb6c4e34c5e5013359b67e6065c61e026011e9ed1cb4813bf7acdef94b24c7ad01574cc8e47dda413265cda8ce2ebcb9c64f1ef019894a37676c3d2e53d54cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
27KB

MD5
48690187f749909f8b8313fb08172e50

SHA1
bd9c4a7b4a68039975643d6fb7e1fa308d90dcc6

SHA256
8990a8cf9800c1ec94f8d15dda549e01cbed52dd4c33dea1ab6275ca920d226c

SHA512
1e5303f701a2c524391a8f7da58469bea182c82d2db8b3548f6cf0a88680814d7cd12606af0997c6e9c2c6623cb647ad74b27ee8e909af93eeae6666609e5124

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
271KB

MD5
e8f02798ac1ecff0e99b2264df45bf70

SHA1
7c449a68588d5fbec8e8ee5543a91e3f5aa2cf7d

SHA256
04fe1d37c58942262890171c3b6f86f392b0a939f70f64ff92cdcb4dc4a56631

SHA512
f2be59d593d896e06b2dfd3394cc93c6b20e691da6bbfef935118fdabbc5acf1b50b2eaf815009920f72ec880e2602b939e8ecfd59c068c075a4084462d2ed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
64KB

MD5
b42b486e8e55035076114f5b8da97c63

SHA1
98aecc3c7bfc55dff0f718769310eac122ae35e5

SHA256
48701fb4c814e8f3e50efb83ad11bf30d8bf09dce0b990a5aa36f7b6603130c6

SHA512
422de2a874389a44b1c92a07b7b5b8d8b1a7006ff919e4b513d5def827966a9ff698d9655315caa9eee1fc59d39fd69d799092c578ec7b06ec4228435879d77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
1KB

MD5
fcc52b464bceb4b40920b6bf05f3bb51

SHA1
919ceeaeebdb090496f049f7a1b36c80367efb63

SHA256
bb1e8b632d133d2cecc918736e8ed65caaa887d74060871881769881c7e56445

SHA512
36b2b346853e175e350aa0fd142055523e86a8a1c5f5e35ae8ccd4d80c0f9e3727e13b496d4f7cdd33d06c105be0de21024ff860f6c0a0f9507b32e70950b570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
82KB

MD5
982ff7212a1382621e8abfa1a1918d11

SHA1
79adecfe98857bd18f7f741f2ad75d662b2264c0

SHA256
26602ed80e52e42b1050beceed4ca1cb6c296d95684640390a94502df8ec420f

SHA512
7b7b5dcb8b6523c4186e6e4f83c274700646a9613518132ad6615580dcfc890a2af386fced1f8ba604d79f3937011d53d31977631f8219915a8c5d4d38dee1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
202KB

MD5
852e9d0a2df2716f36925c575e31c70d

SHA1
a978d7c0d9f9dc5e2f04654184f6fc421f84d7b7

SHA256
17fa9f002b4b354a1f3642ee67c1fe67b542faeb0386c1f02392f5201b7b16fa

SHA512
3c7fd38268ed40b880704daa7efa619e05dbc457d3bff79ce8768a1ea59cb9cf2ae8cd3554cca1df46d133eb4e7b72a5dfdc4c9a678637aecb9226667e13bafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
93KB

MD5
9a93dc5a9ff1a9e2f291f17331fc5aad

SHA1
272480849bd20b1dbe5337b538d1ecd757f78ecb

SHA256
8ae2596d49090df6956daf15c5aeae122d127a3f1958f605ed4c9a4613b91707

SHA512
4449b3e8b6d9c97735ff5f5b5a8ec3a60cbbd6629eb4a26008cc439b4ab20d4dbb56e97d81151eabdd9f9e56d6aefc03087b199611506ae0232c864f54f0dc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
129KB

MD5
2503c8077eae621e4054820aedd46912

SHA1
09ddcf018c13a38ed475c0a1f271456f780a9620

SHA256
4abb967b84adc989c0e76142ac7b35cd8927cab0fa06ce7f94987c5ab33c9061

SHA512
3448571a237c5ec47626de1f078ee1e638ba290fc1c6525929c514393b1650a2e2c4eb938d9d159e19d215239a446255df15019d83fd4785599077ebc3059612

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
361KB

MD5
254e7cd008c17a7c0db7bf999702cc04

SHA1
6816eef9ac362c94bda8873396924c70cf94fb08

SHA256
516a68e86a80ee80cb66d2ee749634d1a5b0756cc20c34416e11bd5b2664bbf0

SHA512
f8bbf00a30d48c6ee53c5d6c8f9b20b7a348f71f873037b6947a2696b56f0c3c52d5e2023340d9fb9cda315f8a5b3c7f0aa0367a075760054f8949e9cfd2303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
54KB

MD5
d0ab4a4863934bd7fa63eb3e9a3ef185

SHA1
4a536fc101321511ae05c6e2a68d7b202df91130

SHA256
df149017f93525b78296ee42191be6ea6d6ee8cb2f15d95cb72c1692a71b1305

SHA512
aa03ffcd60398d315f1724d81cdf2a86cae966e757b749c2022ad4755b57b19fe8b84d19abcc45bf13d08bad49801ce848153700a9bf36f196d3ab4f6e4589f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
30KB

MD5
7fcffd1b80ff3e09023b3bbfc2c553f5

SHA1
2cea15cacf42f558e73bc664e0157219eae3d8fb

SHA256
ce1886174191df78839e516e68d0f182306e7d85c65f63c0ff9be6ef3c090bc4

SHA512
223d47834ee232d59cd46295d394326873e19e31f14c1bd5a417cea73f4d01c9c2626f4ce03869642b805db82e3e556b87874cab6cb7656ddf4901c6071fb6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
79KB

MD5
b2d1b5222c4bca2673b979b4db97abe9

SHA1
a2df94645c8c84bcb5b2248c6092ccae259e52b0

SHA256
aea2a90f7fdb16b6348b00b2a9a42f0f325c6d611979cd5e7d71ebb813acc2bf

SHA512
a12e3c4fc3898c32ae30ebb192519e4611b4de3f44dea000d76b16c37a753e4570ce45f3d9455f81525e86d89ff174218efe6eda9263b5259b4fdbf27946b625

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
366KB

MD5
7f0cddd8f7952920ab647450603a7433

SHA1
f8b305a25080eddf40ac219f4d19edaaf7c7f6d1

SHA256
8e9d26d55f77559e8b21b293581be092b019a0bc7c33795d9c9e89cd7830365e

SHA512
9e0b0e759ff311ee934302926b940761c954934a00a12e001319bb2cd2e8167e4ed869e44296dc04616ddd13dd2ffd4ac2570bf926c5b6d2f49a2989a802d247

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
54KB

MD5
0f004afcc5dea0aa2307a0b52e9dc929

SHA1
dc284a126de760d8c67d034fc48a073cc91d999f

SHA256
046ffc54daa9ea2081f77546bf5d4ea8ef9b10253f672d0e48cf7097069783a1

SHA512
b771b3b58f7ac9bbccb5bd84e2bcb7936ed055acd3ee51bb62d9bf540c31003c4e43984fd9ce6bb23683ac61a38a01b05ca52d1efcf24f261ed51df01e862d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
83KB

MD5
1b4677c02e09d6a51f20f1461c08b6eb

SHA1
e2be17f0191ab166f3119a4272987451d1b49286

SHA256
48caf267b73db9788c319e05325a9b107f1e45fe6d7140df91359e890a9c63a7

SHA512
b88e8fdc3f22c1be692fde1ff9e738819459889fc2a62174b0bece3f671f21b671dd468e6310304782750992636d24aa06183fd2f512b9b01f76646306f711f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
71KB

MD5
a90c58ac9c8c5e4e9dfc2bb860b5d08b

SHA1
a3902054b5cfd22127062a872e9e57efe5d206e0

SHA256
aa84d7d50aa7c959603414f2d18932eef7cc36f5b13583b5915c588b441052cf

SHA512
db8ffb5bd47d71eda0b18a39da936376592e9e719ae7d8ab94248b3823e1131c57e724de7e7110c6632b1954e6c1f443089a3fddb5de125b7c997096a45d6319

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
37KB

MD5
4038beac7ab20d77f43c72adc1526174

SHA1
162fcc586b41500b2521b4dbba2879009145a27a

SHA256
19b0946cf06f5236b05308ed4f1f79fa7fb698cf24e43196554d1e3fc42e419e

SHA512
6eed065dc49d9394a78f5a719e2a53c034b676dae3f4b116c16e580b32566447477349a8caf7377630c2295e264f2b170e0ab205d7ba9c4ade94eb6d57614e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
37KB

MD5
91b3615718af6633c9996dd1750857fc

SHA1
f6ec963be50ad020ff16caad40a532a8cac51422

SHA256
073f86ea7b76e47c3071b44095869a5f051f67ee0e7100ee5051b493e58c6021

SHA512
1306546c931bde9a453b66d38853d338db7e4dc40154623503bb7771fff6fbf08aad3d3b95a6599be99c81cdb7fc7c3bd680a93293d970c57b867784524df68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
333KB

MD5
6668d29bd9a029b75a331320cd7fc4fc

SHA1
e5ebfdc6ce76e5de49603ecb763dc4351b7aefc0

SHA256
bae3d0e67b6d823cbeb20504309a0d161351ab66b2a65b9d881616c95916e47d

SHA512
d288e07384687f0d39c683b4bbc6e37c6b855ebe7ec4f09cc7ce69c1253f7a272dad65578aa6926b68429c961750d0e17dc8694ece75684ab6cad82f6e763ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
670KB

MD5
e500265d4a1aee36b86987f6e2760f48

SHA1
d45132b6e49ecf57f5ce11869d07445c3a219dbc

SHA256
ad899c8fef71f5e17756700c255870c351b0045323afcfee0ed139482fecd5e8

SHA512
d0264acce0ae7b39c8b992ff0a40f9fcacc6988b1871cfae762593ce06e27d0e99de1c8c9f4098586a4f2db8091b897841e570e4ebacd7657bea9e1271323ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
143KB

MD5
9cf397494fb0a5cb99cb71353c3ecc67

SHA1
38e62b291f59f063f9b0c31d92eaab372977a859

SHA256
30e8b9b8c292ceff748cb1e33f5a6633fcda128bceea642ebf5f9910e20e9a08

SHA512
b861d1d1252ac9d1b57fc45578f349b03b220d9f8c17031b016636d380a0c71c4bf9b5a9baf25d307a7ddd1ac8fb51a48ce6a7bb2f702f172382b649bfb1670e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
596KB

MD5
784b367f202683574645c90f3780e7b1

SHA1
e2b667b362ab32875bc2d0f4b60ce4ab6c895d47

SHA256
cf8ffb58e2bd37fd98434cfcca2c99186ebb41e7cca123f1188293634e506c4e

SHA512
e60fad49b766fd4503dbf9c6f26312aa20bfc7c6644e1b973c736dd62fb5b0192ca4446f13e888d2b5e68002bf1174e27fa9e3cceff5eac626d143f8fecac2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
21KB

MD5
b427560697c9d02c5571dd59780f3262

SHA1
5e4edab649c24105ae43571b9dc61989b0a8d2e1

SHA256
4d1d05c2b0d68e14ee49edb1d63b7b731d20dbeb14d1c365c1851d899b25f3a5

SHA512
eec2da5da9881a87bc539d5caa6cb62e4009d10551585945038a07036f4f5094473f7ae5b00f365206f8de6b80ffe8712bc303c176dc5d72fca25b18efd5b250

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
140KB

MD5
0762eb59b048af6f4c844cc7bd6c141f

SHA1
27ba3c76db77f5106bbff9bea305cd5e55493b60

SHA256
0dda68ac17ec559d74bba2fb6d7b9261bb34bba4a1b9341768892d0f09f41e5d

SHA512
368319c430d2d92a20a0891503076237bf4987c26780c06bb0ed3e309e5f8d8562783842b9cd1bb7e78e0b90d5090a7c3f3e58d5ec5e5d7885f5bac515ebc0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
63KB

MD5
3bb95d2e5ed1979fbd073f6614439f93

SHA1
6361efb464b4f9035586cde1cd065cae28e30d38

SHA256
f5419bf16ba1d11ba67715e3bc3b80533212a9686236a86494c9d12e22a358ba

SHA512
c0ee338900b0d3d92705804f03675cd4bb36b3d60827d7b72f9eb7afc34f7dad5a42f85007ce4332a0e271625a8bda1997e837b66a844a67e78ab09888ab9ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
450KB

MD5
573bfad48fbc019b6757bd6b1cae118b

SHA1
a8b90a3778703fe5782a8578f7fa37f6f032accf

SHA256
b813972b6a6c787a1638ee9da4f407def919b6a94f04150c2e4c70e019f26b03

SHA512
374dc1f31034e16aa2585b892cb717448a962ce17915c7fbdf05d20273e129250e801b095ce271cbc159025421ccba5f89bf7703c31294873f958cdbb271930d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
602KB

MD5
e46be2a8ee23841d6bb09a141a93d851

SHA1
4e5c8fc539f5b4682930a16c6e909132c4c6ba91

SHA256
90701504d97d7e24ce2a96cf4ef3b2dc9146db20cae6df79a1d5a28f9067247a

SHA512
0ea5011c967796e4213a48109cdcceee7244b4ac1506ed96da285e866698802352101b113bbfc38d5441a4fa613628532addb5a254a772ecd659f9f87b416cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
21KB

MD5
fba2866d974fad9ffb1d5ade3a861958

SHA1
bd6bd25881ad9e3993912e8da7ef324d1fd9bfb2

SHA256
ad16b6cfd0271515ce784baf4cd18dd387961a366c4be0c503852489f9aa6cff

SHA512
aa551c36ad56518c74cc44b5207dc6edaef259bce328be0ccbe0eb351873995bbaca7ecc0168124cec2c8376c874dbb17aae0515fcbd1042e069a4a29d49d463

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jb4ewra.qv4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
664KB

MD5
55aea01f21ac2e8806639583eaeb349a

SHA1
8cde033cac24e9c978885e7156b3627d48689418

SHA256
8773febcde56930d27222f3bdd3e15d420cdb07fa03acbc9be0838d44ef73613

SHA512
23881714c79fe530f9e6e375b65610a8cbf40e22e154e49bbe8fc434dab46ffce65275df1bfa347447e84eeb2d6a1b15cd5173881a7fbd086200134acb3d5e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
671KB

MD5
53412bbb102473ebadf7880a25578597

SHA1
a785805f6fb0598479b5cf827cd50ba1da3418b6

SHA256
c66143cda121f20fe1aff4faec2c0a782fc097f8e7b3f38620c5229436c5c789

SHA512
beb230c277985cc6862677c33aa8e9a6edce4b2a2e70144545ab9d85f2b5652c5507678cd5f522866c60fe0ff6c346efb0c76911a9d698608088f6ae73270041

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
607KB

MD5
fb69be017bf357f8211ddfa76078dc36

SHA1
45964800a8901af84850316c346989a0750fc999

SHA256
d150feabbcc4aae5491e6488b7a88be4f31041b410a07808f27f700c3be8ebf8

SHA512
f9c27cfa7734e790e80adc35fe490c4da7651a7971e6728e7f08596d43db630673cd612f3d5dffa21173e0d04d52e22a2bd2dcb060b4c37f5cc48b745db0a105

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
71KB

MD5
0d287a8937a6ee8abc19926b94ed53ae

SHA1
7c13672c8d49742ccc04ee35c7db97963c61f635

SHA256
2c73ef2306d0b7c9afd9a5eba8aa5fb6330abd58c3519d52947c8767e684b0e7

SHA512
8b3b7cbcb1ac5a9209034ef4b8eeaacdbb63a7e6d5da65d5f7915f2e3372cceec5344052e2bd6a11f01eef9e656ab95e28624169d8a037681a6a74672cef4ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj900C.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
Filesize
141KB

MD5
0a3f4465bc792921a8f384d4f252dad1

SHA1
5c72f029c0093086dd0645309df79cdee33d7942

SHA256
bccace8eb6240dc1f6f75b188bac45d304bbdde638d98214fe21e9d167018efe

SHA512
6663564c3ddab95a1754e3525f50607ac093f1753b3ae7fe04706cb3466b591d29848777f06c95cb1eebab72e6ce4bbcfa997e9d83a506d5fba591f203e89ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
Filesize
189KB

MD5
8d457a930ac3f2f1e362ecd765cdf5d4

SHA1
60f5afd859216362cf1d6735276f15da434af428

SHA256
211ba0e98e7085c759c4cfee60a65b4cf1e56234c457ff87df7395d30a84ee82

SHA512
d3c81c167992bdf808e54309bbc84a9a582bfc51baa3f92f83d24149b3a8fffbd85e3eac3e45cdcb8cb1797186781cd29c0405fd66fef2e307aaa98f1d7f59e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
326KB

MD5
a6fef0562abecca0d7b3567825ae5b99

SHA1
2fa30153197cf09fd9bc36a26c062ee69644be2d

SHA256
dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b

SHA512
7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
51KB

MD5
358819c479c6210d2009cc7c9c51119c

SHA1
b1c00d0d2404dc937cace084e1e7948d180f09e1

SHA256
b371d7e1e1290b170437b32610cd219f868f8c8449d25dc14013049c99dd0eea

SHA512
a7b20e9f292c0a86cdce373e84e7b22aff9da75d9e2a84bb44dc8da7914c6a18cb7a12a126461b10405c8e5cd43347a75cd1a640baeb8ca87b6378a381ba7c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
43KB

MD5
e21cdf8762533e331940e16c5ccf0f9c

SHA1
14793d011e19af1e05b5166d7598db9fa60430ac

SHA256
3c605a382b49a8b953480c083423ed1c60b602f602665862a6d7bb4748b06870

SHA512
23f8edf6f608b56a15f42ea5f03ef194d799de262a10ab99cc5c18c096a56d840abd3f491408601c35c948b5c3ec864c5d2970b0bdaac6b9eb69be7c7e8a3ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
45KB

MD5
971d8da6ad03fc455b01fc80c31f5e71

SHA1
eb594c5626f7a2c0471bec35899d33cf9383a145

SHA256
fea8637994a1da07c25e0384a789938a055cace8e1b8d6156fe01648f6ad8de4

SHA512
102214059968bfe80cecb4222b7d8e6faf300ca1c0c67ab425c6b4cb8caccd39cb98f8bc25f5f33941b3c44983f5dffe0ace03cc908235ddf9e66477751b3711

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
224KB

MD5
4fe7bef521345515a1a3e94fa4a25c3a

SHA1
081fe1bedaabd9586b4c3af635814de71d41467d

SHA256
c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

SHA512
3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
82KB

MD5
f958acf237887abd029fbeef7067c6ba

SHA1
c95c471a564be0a0eb82e4f9acc520ae6ba3dfbb

SHA256
53c4c574159a230c523e6249d02eb94b11ffa6dea28235dd0fdb34616a8a43b3

SHA512
e2a8a22556f6f636538d352423fde8bfb83950e9888f0fcbb47eb9d327125deecdf97f74136494141e6f24ed1bfba127ef4155dd75ac9cba617bfc5f4fa36ec4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
43KB

MD5
53da6a223e72d07be846e3be301f1539

SHA1
3bce9eb7c2aa94c99d7d71cd029207b3d0b3c6df

SHA256
1261a6d2f249611a241140fabfc845b42887d9adcbd6bd7a7029e3f74b00f192

SHA512
1ba358478da4f63f269e724b39e991a0ed9917ba99ec8097b6b3976fee54123137adaa9b39d8b3048836e13066d584c704b17cc051a9dc313aec094f3d394b6c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
80KB

MD5
add28c048a423ae41055610da76a3503

SHA1
08dd97d5d86565a9bfa5a591ecb5d850aa5847ac

SHA256
1114fa5879383f2be5f0837e8f95d5eb5b0e6104d646a5a09a5869531f018238

SHA512
965801db96346b75e874faf5c9c52b9d27c73b23cc2b36151715d83700d8e427202c5b96e7550fb78c0a2140df5b7ed46e87af1454b4a187b93b0bcdc04d6c3d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
22KB

MD5
c838ad2afaf2e86044561f24879e07f6

SHA1
ee86a1456afa2cb16e389b9804b339376544acaf

SHA256
cb4f3c780e5f401be85ac2cc2f8de2816477ec85808fd3ca87159c5ab159b39c

SHA512
71c4ac326f007425f7daede5fcf9befc396fd7efe9b78a141e5dd4a5317095ee5884151774f4d21da985cc3cceddd31526cdfb5e5dc7ab307b0b31aba2b0b765

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
1KB

MD5
7c6158126fcaf750413a7930915b308f

SHA1
caa1e195ea7af6169a0e6ac0709223557998792b

SHA256
13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3

SHA512
d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
49KB

MD5
15d5b40e0d37d0e656c41d08f3a4d4ac

SHA1
cf97c6c5b345c415ccab37e345b62542036e6187

SHA256
465b91b4bed08f729ff3a806c0428a3efedd77f7825a341a344bef899f0423f1

SHA512
e4d835fe088bdc8d772b1f41dd8de423aed2da4634d1b6abe8971b2262eba3327eaf0bfe355633392c8659745a0b316bea6b3008a05112c031eb6477591c2da4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
101KB

MD5
d992f0885cfcf317a8a85d7bfdf69a02

SHA1
99953be7642ed4423584877efde585c7e6174f69

SHA256
c38e579d81b9e841484005e6a9416fd18e9a3f57ee0a617c8f68852545da9495

SHA512
4c3157c6e9efacea942babed088b3d084b62e15c6caabfb2abd48c09b7c460b476e6fcbaec31282fa80aaa8c126463b1eb4bd43959f01849ef0324fd287161ee

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
20KB

MD5
13d4efc2a10f443673cfde54faef6ea5

SHA1
1c2ecede2b5f4440d7121193e830e7e12fba19db

SHA256
f17a369b4861f55141ba1fdcf371b931cba6586417067335772d7d44e5dd4a8d

SHA512
8aec72da71091d8136b020305db9cf6c177858cbf0ba5a86f8df1fded1e53da3796b49b769f7d8b2e8070820b899b9ec97f5c5dcc6f26c5a072077ca280da3d8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
78KB

MD5
c9dc42a14074c1987b7c655da5ef5877

SHA1
1ce48160c039c2cddad3e3be97c07270dbf9b74d

SHA256
32d28467af9604b36e9637c67f9934ea663725bd14dae60fa102ebf2201b238a

SHA512
6c84d0d39d84a443c038ba426ba71dfbf8a27abe25cab3616a0806e56952af81f072c32bcadb19a0282bda92aa54e0ae1af379e6a81b34cfbf2669d3df9520d4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
963011512e80ac2831d48de6e4872deb

SHA1
a198993154aa3d66395e958806f3de672164cd87

SHA256
0b25653f922f467f1c19d288d5d74ab2ec77ed9803896c4bf5d92f60307f562b

SHA512
8ad5f7283bcf070d425bda0911d71dcd8c89511db1446d97de65ab2b41b7fff7f1c4c1d5f3ff4c4caf857d6c570a4b4666a27f6576253ec268da5512e5a8f6b4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d4bacd1fd08ca6b3dd24f9182846d666

SHA1
08509a2dbff494cda8011896563b48b300527e8c

SHA256
bd663a0a55eac67011a3e5608b9b9455aa73286e8de20751100d35e2e3a05af0

SHA512
1253ab9313f4b11acc5c3b23e7dc3b2e07270d35ed91a55c0991b868bacfb67a68de47ba1780c41c5c78978e6c28897db6427b0d2b134c84270b5fec4a0316d5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
3d0129dd0f07b577f3c823a53c06ddf4

SHA1
4cb6fd4e4c146ede70578a8cd174dddfcdd1198b

SHA256
1c2988684c4ad5ee0b414b77acea6908af8ba0d1091ec120b4db7e88ea21ae8b

SHA512
88170dd4399c2cd59663cfa5887ef7ab4ca0f3d32fd2ab0be909ccd0576fa5034ef12c05d7dcb134d9b6698e78f4858fe034dd9cec1fd3d4d7088676bdbf27f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f9202c2e64702a42ebaa6ddf3db3f0ae

SHA1
4c8a2eed2722551350f03c0e09194a0ee1436a87

SHA256
e59916ddf93f178807c72e8ec05fbd2ec4a2cef03bd41b3a15942f9dd20a22f8

SHA512
fcfab27aae94ea0bfb6f87b5da7dc4f64a0ccc1ec426afb8ea00b5addeae8a390e08b600a3d5625413d39cc9358442ba10e3fe3c26f8496e4e6e4ca4e68710d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
fdd89730a0bbb8d14a757815e105be99

SHA1
3c10a0e4ce2757175db2df4f0cab9cc3a669ec4f

SHA256
2cd16b9ed0dab3712d0df88a751f8acc8a8b225eaf775e0eb896b71681c60053

SHA512
4ccd4da813dfd890a2b0617eeaed0a36b5fd4146396a03de71d62d5204044418bee76f12c29636fb77bcf3aafa90fa20397f5446ab3536c3b8238668663ed29e

Download Submit
C:\Windows\rss\csrss.exe
Filesize
21KB

MD5
8f9d8ca2a638e5cf492b94b51463c1bc

SHA1
d5f917674f91848099505803b99bf7eb6b6c8871

SHA256
141ef982f399600d2849ed444b352d5d2abd84fcf3de10f05d074c1b5c9eb248

SHA512
0dbf2942e3fea8c9fb4d179bd274efb7803340828b3e5db565476eacea8e997063ed922dc02235d998f218fdf07673f0113ea10b54a353cdab7a2a7ad61ea892

Download Submit
C:\Windows\rss\csrss.exe
Filesize
9KB

MD5
51b28206a67a3b7d7a4bf3e3ae4a5319

SHA1
524f8f6d7fe54e70b33f4ba9d964e2a4513af885

SHA256
620c86af824f6404f55fe7cbd9dea30d6bbedfb6e13ed7f3821cf91fed422282

SHA512
b80364656ac3a0351663612c8bf29e6881de779a9e2788629b01ef5487931b54063b8e46b229d7abb0d611da0e0524dd40201da28692622c360671d20c49b427

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
86dcf064474fd20f25006f96ab661f01

SHA1
69375b55e39c2bab40cc6da7896762a56d631d91

SHA256
d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc

SHA512
86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

Download Submit
memory/400-247-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/400-204-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/400-251-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/724-267-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/724-253-0x0000000004A10000-0x0000000004A4E000-memory.dmp

Filesize
248KB

Download
memory/724-259-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/724-272-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/724-275-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/724-257-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/724-250-0x00000000024D0000-0x0000000002512000-memory.dmp

Filesize
264KB

Download
memory/1168-103-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/1168-108-0x0000000005150000-0x00000000056F4000-memory.dmp

Filesize
5.6MB

Download
memory/1168-111-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/1168-118-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1168-288-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/1168-116-0x0000000004C10000-0x0000000004C1A000-memory.dmp

Filesize
40KB

Download
memory/1168-296-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1168-105-0x00000000002E0000-0x0000000000332000-memory.dmp

Filesize
328KB

Download
memory/1228-273-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1228-280-0x00007FFBDE130000-0x00007FFBDEBF1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-294-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/1844-292-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1948-18-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/1948-219-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/1948-16-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/1948-115-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/2016-127-0x00007FF669250000-0x00007FF669C8D000-memory.dmp

Filesize
10.2MB

Download
memory/2016-89-0x00007FF669250000-0x00007FF669C8D000-memory.dmp

Filesize
10.2MB

Download
memory/2740-39-0x00007FF6A7610000-0x00007FF6A804D000-memory.dmp

Filesize
10.2MB

Download
memory/2740-76-0x00007FF6A7610000-0x00007FF6A804D000-memory.dmp

Filesize
10.2MB

Download
memory/3036-68-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/3036-60-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/3036-59-0x0000000000460000-0x00000000004CC000-memory.dmp

Filesize
432KB

Download
memory/3036-217-0x0000000002A80000-0x0000000004A80000-memory.dmp

Filesize
32.0MB

Download
memory/3036-61-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/3036-69-0x0000000002A80000-0x0000000004A80000-memory.dmp

Filesize
32.0MB

Download
memory/3100-191-0x0000000000C00000-0x0000000000C56000-memory.dmp

Filesize
344KB

Download
memory/3100-199-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/3100-193-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/3100-230-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/3100-237-0x0000000002E20000-0x0000000004E20000-memory.dmp

Filesize
32.0MB

Download
memory/3552-102-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3552-106-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3552-101-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3552-98-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3552-104-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3552-110-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4468-0-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4468-12-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4468-2-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4468-1-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4832-177-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-166-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-156-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/4832-274-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-154-0x00000000050B0000-0x000000000525C000-memory.dmp

Filesize
1.7MB

Download
memory/4832-278-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-261-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-236-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-295-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/4832-159-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4832-158-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4832-160-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4832-291-0x00000000029B0000-0x00000000049B0000-memory.dmp

Filesize
32.0MB

Download
memory/4832-254-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-249-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-232-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-205-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-202-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-192-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-163-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-195-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-197-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-162-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4832-157-0x0000000004F00000-0x00000000050AC000-memory.dmp

Filesize
1.7MB

Download
memory/4832-161-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4832-218-0x0000000004F00000-0x00000000050A5000-memory.dmp

Filesize
1.6MB

Download
memory/4984-74-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/4984-255-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/4984-165-0x0000000007300000-0x0000000007350000-memory.dmp

Filesize
320KB

Download
memory/4984-112-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4984-178-0x0000000007E00000-0x0000000007FC2000-memory.dmp

Filesize
1.8MB

Download
memory/4984-182-0x0000000008700000-0x0000000008C2C000-memory.dmp

Filesize
5.2MB

Download
memory/4984-155-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/4984-140-0x0000000006590000-0x0000000006606000-memory.dmp

Filesize
472KB

Download
memory/4984-279-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/4984-229-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4984-64-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4984-67-0x0000000005C70000-0x0000000006288000-memory.dmp

Filesize
6.1MB

Download
memory/4984-77-0x0000000005760000-0x00000000057AC000-memory.dmp

Filesize
304KB

Download
memory/4984-70-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/4984-72-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/4984-73-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/4984-71-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/5032-113-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-114-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-123-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-121-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-153-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-117-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-122-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-124-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-119-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-120-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-128-0x00000230BE710000-0x00000230BE730000-memory.dmp

Filesize
128KB

Download
memory/5032-148-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-151-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-126-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-146-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5032-152-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download