amadey | cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dce9705c0c4c3f6175d0ac758a7aaad.exe
Size

791KB
MD5

8dce9705c0c4c3f6175d0ac758a7aaad
SHA1

6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b
SHA256

cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
SHA512

f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731
SSDEEP

12288:qiX3xOEm6Yc4aWfAPDnHo7YNQn2YcKify3ieduiDtGnSr3/35elActMblmZunnh:qEmeDnIwQ2siK3PftGnQ3v0lAca0unn

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4348-85-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2628-314-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4348-85-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
behavioral2/memory/3804-135-0x0000000000880000-0x00000000008D2000-memory.dmp	family_redline
behavioral2/memory/2736-293-0x0000000002270000-0x00000000022B2000-memory.dmp	family_redline
behavioral2/memory/2736-297-0x0000000002450000-0x000000000248E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
behavioral2/memory/3768-255-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1756-119-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-128-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-139-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-144-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-148-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-150-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-149-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-136-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-131-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1756-118-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exepowershell.exe

flow pid process

74 1520 rundll32.exe
100 5396 powershell.exe
32 5396 powershell.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4720 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
74	1520	rundll32.exe
100	5396	powershell.exe
32	5396	powershell.exe

pid	process
4720	netsh.exe

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4768-182-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-186-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-198-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-201-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-212-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-214-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-231-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-235-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-249-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-260-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-278-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/2628-314-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor
behavioral2/memory/4768-288-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-272-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-253-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-227-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-180-0x0000000004F20000-0x00000000050C5000-memory.dmp	net_reactor
behavioral2/memory/4768-179-0x0000000004F20000-0x00000000050CC000-memory.dmp	net_reactor
behavioral2/memory/4768-177-0x00000000050D0000-0x000000000527C000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

moto.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exeexplorhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	8dce9705c0c4c3f6175d0ac758a7aaad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorhe.exe

Executes dropped EXE 33 IoCs

Processes:

explorhe.exestan.exemoto.execrypted.exeiojmibhyhiws.exe2024.exealex.exerdx1122.exeqemu-ga.exeleg221.exeolehps.exepowercfg.exeWerFault.exeInstallSetup7.exeMRK.exetoolspub1.exeBroomSetup.exe31839b57a4f11171d6abc8bbc4451ee4.exerty25.exeFirstZ.exeConhost.exeWerFault.exeexplorhe.exeConhost.exesadsadsadsa.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exereakuqnanrkn.exeinjector.exewindefender.exewindefender.exeexplorhe.exeexplorhe.exe

pid	process
3044	explorhe.exe
4076	stan.exe
4812	moto.exe
4140	crypted.exe
4852	iojmibhyhiws.exe
3804	2024.exe
4768	alex.exe
4472	rdx1122.exe
4916	qemu-ga.exe
2736	leg221.exe
2324	olehps.exe
4620	powercfg.exe
4176	WerFault.exe
2876	InstallSetup7.exe
2840	MRK.exe
4320	toolspub1.exe
2408	BroomSetup.exe
1960	31839b57a4f11171d6abc8bbc4451ee4.exe
4196	rty25.exe
3024	FirstZ.exe
2712	Conhost.exe
4552	WerFault.exe
5112	explorhe.exe
3940	Conhost.exe
5244	sadsadsadsa.exe
4976	31839b57a4f11171d6abc8bbc4451ee4.exe
4520	csrss.exe
228	reakuqnanrkn.exe
2140	injector.exe
1680	windefender.exe
1352	windefender.exe
3068	explorhe.exe
5524	explorhe.exe

Loads dropped DLL 3 IoCs

Processes:

InstallSetup7.exerundll32.exe

pid process

2876 InstallSetup7.exe
2876 InstallSetup7.exe
1520 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2876	InstallSetup7.exe
2876	InstallSetup7.exe
1520	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 11 IoCs

Processes:

powershell.exeFirstZ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exereakuqnanrkn.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

Processes:

explorhe.exestan.exe

pid	process
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

crypted.exeiojmibhyhiws.exerdx1122.exealex.exeConhost.exeMRK.exereakuqnanrkn.exe

description	pid	process	target process
PID 4140 set thread context of 4348	4140	crypted.exe	choice.exe
PID 4852 set thread context of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 set thread context of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4472 set thread context of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4768 set thread context of 2628	4768	alex.exe	powercfg.exe
PID 3940 set thread context of 5192	3940	Conhost.exe	RegAsm.exe
PID 2840 set thread context of 5396	2840	MRK.exe	powershell.exe
PID 228 set thread context of 5324	228	reakuqnanrkn.exe	conhost.exe
PID 228 set thread context of 5328	228	reakuqnanrkn.exe	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3348	sc.exe
1008	sc.exe
3488	sc.exe
5512	sc.exe
4468	sc.exe
4472	sc.exe
5936	sc.exe
5788	sc.exe
5428	sc.exe
1100	sc.exe
4228	sc.exe
3144	sc.exe
456	sc.exe
5596	sc.exe
5224	sc.exe
4940	sc.exe
5732	sc.exe
4192	sc.exe
1956	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 46 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
828	4320	WerFault.exe
3840	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4964	4552	WerFault.exe
3032	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5340	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5608	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5688	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5764	2712	WerFault.exe	installs.exe
5776	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5836	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5888	5396	WerFault.exe	RegAsm.exe
5908	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4280	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5228	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4604	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4124	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2120	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1940	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5380	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5524	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5008	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5572	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4520	1960	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
6020	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3192	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5648	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2248	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3612	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4444	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4200	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3504	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5752	4976	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3628	4520	WerFault.exe	csrss.exe
5328	4520	WerFault.exe	csrss.exe
6036	4520	WerFault.exe	csrss.exe
5704	4520	WerFault.exe	csrss.exe
5848	4520	WerFault.exe	csrss.exe
5884	4520	WerFault.exe	csrss.exe
3480	4520	WerFault.exe	csrss.exe
5440	4520	WerFault.exe	csrss.exe
1980	4520	WerFault.exe	csrss.exe
5872	4520	WerFault.exe	csrss.exe
2336	4520	WerFault.exe	csrss.exe
1516	4520	WerFault.exe	csrss.exe
3308	4520	WerFault.exe	csrss.exe
3532	4520	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4608 schtasks.exe
6020 schtasks.exe
5836 schtasks.exe
5164 schtasks.exe

pid	process
4608	schtasks.exe
6020	schtasks.exe
5836	schtasks.exe
5164	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

moto.exeiojmibhyhiws.exechoice.execonhost.exe2024.exeleg221.exetoolspub1.exepowercfg.exeRegAsm.exe

pid	process
4812	moto.exe
4812	moto.exe
4812	moto.exe
4812	moto.exe
4812	moto.exe
4852	iojmibhyhiws.exe
4852	iojmibhyhiws.exe
4348	choice.exe
4348	choice.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
1756	conhost.exe
1756	conhost.exe
2736	leg221.exe
2736	leg221.exe
3804	2024.exe
1756	conhost.exe
1756	conhost.exe
4320	toolspub1.exe
4320	toolspub1.exe
1756	conhost.exe
1756	conhost.exe
4620	powercfg.exe
4620	powercfg.exe
1756	conhost.exe
1756	conhost.exe
3768	RegAsm.exe
3768	RegAsm.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
3768	RegAsm.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

conhost.exechoice.exealex.exe2024.exeleg221.exeMRK.exepowercfg.exeRegAsm.exeolehps.exeRegAsm.exepowercfg.exesadsadsadsa.exepowercfg.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exeexplorer.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeLockMemoryPrivilege	1756	conhost.exe
Token: SeDebugPrivilege	4348	choice.exe
Token: SeDebugPrivilege	4768	alex.exe
Token: SeDebugPrivilege	3804	2024.exe
Token: SeDebugPrivilege	2736	leg221.exe
Token: SeDebugPrivilege	2840	MRK.exe
Token: SeDebugPrivilege	4620	powercfg.exe
Token: SeDebugPrivilege	3768	RegAsm.exe
Token: SeDebugPrivilege	2324	olehps.exe
Token: SeDebugPrivilege	5192	RegAsm.exe
Token: SeDebugPrivilege	2628	powercfg.exe
Token: SeDebugPrivilege	5244	sadsadsadsa.exe
Token: SeDebugPrivilege	5592	powercfg.exe
Token: SeDebugPrivilege	1960	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1960	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeShutdownPrivilege	5652	powercfg.exe
Token: SeCreatePagefilePrivilege	5652	powercfg.exe
Token: SeShutdownPrivilege	5592	powercfg.exe
Token: SeCreatePagefilePrivilege	5592	powercfg.exe
Token: SeShutdownPrivilege	5632	powercfg.exe
Token: SeCreatePagefilePrivilege	5632	powercfg.exe
Token: SeShutdownPrivilege	212	powercfg.exe
Token: SeCreatePagefilePrivilege	212	powercfg.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeShutdownPrivilege	4620	powercfg.exe
Token: SeCreatePagefilePrivilege	4620	powercfg.exe
Token: SeShutdownPrivilege	1116	powercfg.exe
Token: SeCreatePagefilePrivilege	1116	powercfg.exe
Token: SeShutdownPrivilege	2628	powercfg.exe
Token: SeCreatePagefilePrivilege	2628	powercfg.exe
Token: SeShutdownPrivilege	2852	powercfg.exe
Token: SeCreatePagefilePrivilege	2852	powercfg.exe
Token: SeLockMemoryPrivilege	5328	explorer.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeSystemEnvironmentPrivilege	4520	csrss.exe
Token: SeSecurityPrivilege	3144	sc.exe
Token: SeSecurityPrivilege	3144	sc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exeexplorhe.exestan.exeBroomSetup.exeexplorhe.exeexplorhe.exeexplorhe.exe

pid process

1096 8dce9705c0c4c3f6175d0ac758a7aaad.exe
3044 explorhe.exe
4076 stan.exe
2408 BroomSetup.exe
5112 explorhe.exe
3068 explorhe.exe
5524 explorhe.exe

pid	process
1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe
3044	explorhe.exe
4076	stan.exe
2408	BroomSetup.exe
5112	explorhe.exe
3068	explorhe.exe
5524	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exeexplorhe.execrypted.exeiojmibhyhiws.execmd.exechoice.exerdx1122.exe

description	pid	process	target process
PID 1096 wrote to memory of 3044	1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe	explorhe.exe
PID 1096 wrote to memory of 3044	1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe	explorhe.exe
PID 1096 wrote to memory of 3044	1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe	explorhe.exe
PID 3044 wrote to memory of 4608	3044	explorhe.exe	WerFault.exe
PID 3044 wrote to memory of 4608	3044	explorhe.exe	WerFault.exe
PID 3044 wrote to memory of 4608	3044	explorhe.exe	WerFault.exe
PID 3044 wrote to memory of 4076	3044	explorhe.exe	stan.exe
PID 3044 wrote to memory of 4076	3044	explorhe.exe	stan.exe
PID 3044 wrote to memory of 4076	3044	explorhe.exe	stan.exe
PID 3044 wrote to memory of 4812	3044	explorhe.exe	moto.exe
PID 3044 wrote to memory of 4812	3044	explorhe.exe	moto.exe
PID 3044 wrote to memory of 4140	3044	explorhe.exe	crypted.exe
PID 3044 wrote to memory of 4140	3044	explorhe.exe	crypted.exe
PID 3044 wrote to memory of 4140	3044	explorhe.exe	crypted.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4140 wrote to memory of 4348	4140	crypted.exe	choice.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 3044 wrote to memory of 3804	3044	explorhe.exe	2024.exe
PID 3044 wrote to memory of 3804	3044	explorhe.exe	2024.exe
PID 3044 wrote to memory of 3804	3044	explorhe.exe	2024.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 4392 wrote to memory of 2148	4392	cmd.exe	choice.exe
PID 4392 wrote to memory of 2148	4392	cmd.exe	choice.exe
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	conhost.exe
PID 3044 wrote to memory of 4768	3044	explorhe.exe	alex.exe
PID 3044 wrote to memory of 4768	3044	explorhe.exe	alex.exe
PID 3044 wrote to memory of 4768	3044	explorhe.exe	alex.exe
PID 3044 wrote to memory of 4472	3044	explorhe.exe	rdx1122.exe
PID 3044 wrote to memory of 4472	3044	explorhe.exe	rdx1122.exe
PID 3044 wrote to memory of 4472	3044	explorhe.exe	rdx1122.exe
PID 4348 wrote to memory of 4916	4348	choice.exe	qemu-ga.exe
PID 4348 wrote to memory of 4916	4348	choice.exe	qemu-ga.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe
"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:4608

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2148

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:1956

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:456

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2628

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:5376

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
3⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:3192

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:5652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:6020

C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp
C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp
5⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 372
5⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 388
5⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 404
5⤵
- Program crash
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
5⤵
- Program crash
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 728
5⤵
- Program crash
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
5⤵
- Program crash
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
5⤵
- Program crash
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 752
5⤵
- Program crash
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 768
5⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 744
5⤵
- Program crash
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 716
5⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 644
5⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 772
5⤵
- Program crash
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 872
5⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 708
5⤵
- Program crash
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 768
5⤵
- Program crash
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 708
5⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 624
5⤵
- Program crash
PID:5572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 872
5⤵
- Program crash
PID:4520

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 336
6⤵
- Program crash
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 352
6⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 656
6⤵
- Program crash
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 732
6⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 736
6⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 724
6⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 656
6⤵
- Program crash
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 644
6⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 364
6⤵
- Program crash
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 372
7⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 388
7⤵
- Program crash
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 392
7⤵
- Program crash
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 680
7⤵
- Program crash
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 728
7⤵
- Program crash
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 728
7⤵
- Program crash
PID:5884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 760
7⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 776
7⤵
- Program crash
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 768
7⤵
- Program crash
PID:1980

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5836

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:5568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 748
7⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 844
7⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 956
7⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 972
7⤵
- Program crash
PID:3308

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 928
7⤵
- Program crash
PID:3532

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5164

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:5224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Launches sc.exe
PID:4940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:5936

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
PID:5596

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5592

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5652

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:5788

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5732

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:5428

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3348

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:4196

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 1176
5⤵
- Program crash
PID:5888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
3⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 312
4⤵
- Program crash
PID:5764

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1520

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
3⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3808

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4320 -ip 4320
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 348
1⤵
- Program crash
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 288
1⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4552 -ip 4552
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1960 -ip 1960
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1960 -ip 1960
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 1960
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1960 -ip 1960
1⤵
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1960 -ip 1960
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2712 -ip 2712
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1960 -ip 1960
1⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1960 -ip 1960
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5396 -ip 5396
1⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1960 -ip 1960
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1960 -ip 1960
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1960 -ip 1960
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1960 -ip 1960
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1960 -ip 1960
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1960 -ip 1960
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1960 -ip 1960
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1960 -ip 1960
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1960 -ip 1960
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1960 -ip 1960
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1960 -ip 1960
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 1960
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4976 -ip 4976
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4976 -ip 4976
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4976 -ip 4976
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4976 -ip 4976
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4976 -ip 4976
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4976 -ip 4976
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4976 -ip 4976
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4976 -ip 4976
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4976 -ip 4976
1⤵
PID:5952

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4520 -ip 4520
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4520 -ip 4520
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4520 -ip 4520
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 4520
1⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4520 -ip 4520
1⤵
PID:1516

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:228

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5396

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5324

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:5512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4228

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3968

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4520 -ip 4520
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4520 -ip 4520
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4520 -ip 4520
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4520 -ip 4520
1⤵
PID:5448

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4520 -ip 4520
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 4520
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4520 -ip 4520
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4520 -ip 4520
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4520 -ip 4520
1⤵
PID:2268

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
976KB

MD5
1f6323bd1c025ab699842d37f811fad9

SHA1
9d6deef0e417044c78211d8a2c48b1c5010a90a6

SHA256
c81489bc8e3e16b93793737c9351f7eb0467eb5577599197bfd73a8d9da95155

SHA512
559e94cf84adc8b1fcfc00ee73f35c4ada11ab94a8fe061140e3480479c12b605ed2d55392190853ccdbbf9c5666013af2019808388411acc457e2cc971f584b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
40KB

MD5
6d9cca0ca7417bb078dc9cebbf99dc67

SHA1
09b11afac94218935bfba4ada5225b414d737028

SHA256
9e76081c9df4c5753b3d4dc37a436684d3fe5b54ba39046c09b5e788f35faee9

SHA512
d70998a353a25fe72cc36e5d92d67b5d5c279e3401d582230ef8ee2077ebbdebb17b9765e2e3a3c193f778372ebddb3dc81f0c8bbf8813b21931e6cd3992a7c4

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
105KB

MD5
3aa02ea06bbadcf35b7dd8c56e509e39

SHA1
d52a98bbbe194779c1b1de5b3e7f7dae709ca7b0

SHA256
de43f5047acb4402708cb3841ae71eaec148a24152a8142435101fc23f9c30da

SHA512
7da8f6e21bf0abf916dd1ae122faa56ad3571a8e4f03699b568a4a27fb5102e8bee86329d166df9c4b8d46bcb962f3276f380d8c789888dbb03286234459965a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1dfbfa155719f83b510b162d53402188

SHA1
5b77bb156fff78643da4c559ca920f760075906c

SHA256
b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831

SHA512
be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
291KB

MD5
70ea32395538657457dbaa75c5c2928c

SHA1
2385ac062c5dcf09d291ca044b4f4d970ced4951

SHA256
4311a5996f1975a1e4bb796d25aa3e3759e012892f9b32036c051f4c2c2e5812

SHA512
cde78d96e2c98de028a88cc5a4530cb7d27b3c703f01970c415214c791b49b29f5ca59e7a91ce4c02f35611077f624d909f200ea8e5cdfb77dc71a560e8f0fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
366KB

MD5
22fc2c1cc6577d909e254402df541f51

SHA1
e8207f6995df229845d561ed05a72ec0cc809a7c

SHA256
a76139ab9451b9bce36ef217a2b7c2636b963ef72c7baf0b1105e4f89939d810

SHA512
66ba74da0819b3ebd3368807899e517ad127cc1b86b0876586de675a78e601ccd87d7067a451e0e8ee78250b861e48e73557be6a29b75e66b22fe76a9c17d56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
387KB

MD5
b619769123b940d5a03647b90074626d

SHA1
0aec65a33f2f65932d514d9062536bab5ff617f1

SHA256
8fe66ed30809662831ff6dc65d0369a3e7ba7b14f881470a62fa5f77816086ae

SHA512
f6d6c46826dd1a298a2fcd9834229df435ae30c9839531755e218c054d2dbe1ff525eca901104f451eb746f4ca8715b90e7b67a88286f373a9f061edf5b4f9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
904KB

MD5
c00215254ac49bb280fbb445d3681001

SHA1
d6b05cec51052b733260ac4b4929c0a607bcbdd4

SHA256
b357610e646f962b0ee35538c61756005ad2088a236e978592747bafac56cdae

SHA512
f75eb80385b912c6dc180b2c1452f344c2a4c7b6aec81b73066a8ae38ef6b3b55396c2cd9d4dbf4c129eb77758b645a39eed975b4d132990a58f7c76e962ffb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
723KB

MD5
4681ee063e34f27dc24849f54b612528

SHA1
f578389307a0544f5df28538af54f2aaa44cf9e8

SHA256
830140410005533e2233f6b2848757c7f93d6e182a38e60f700d3e0298624a93

SHA512
4328989df688ee0b708f29832c190f409c83b0b7b9c871c212541aa6884ed2ff1676b9f0fe06beb2ff22ff71fb9cd8a608bfa2683a416ea702a7d33939f7533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
641KB

MD5
1792b9ca6674bb2307c9c24883220960

SHA1
39a0bd34419d1a97eec66cf327275ceb3f104273

SHA256
c3ff9d21a1a360c6e3bd0f68d3f5c9047c6a28c568f0397422c776202a724f3f

SHA512
58b779882f3d900640997a3e02e0a55cd708342d0467da1f3ce6d8ccb966bf5ec521376fc5f2c2d4929c0a5e809c64ccef7a47564ad527766f09ff787be9e3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
271KB

MD5
c556f327d99a424bad8ebf7fee470e92

SHA1
6659c2e700c10c5bb627880b41097d49858998fc

SHA256
83a531e0cfe6ddf9546c298fa582a1c1bba445b65cf16ff062ae8fbd51da1fe7

SHA512
f79e30a1dacc894efb2018cb1679b0e50d7ee1041d79ae7ab72cd764a141014db1d36ccbfa430a83039fec1650e1154f7e67c25340bfb175e6b189dab0051a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
303KB

MD5
bf3346c0b4dff9559fcf51ea3fb440bb

SHA1
8f7f5f3f04c32d73c9f7de5f14c36f5ae38c3e2b

SHA256
095e8a3fafdb44d06a7de9073be52019b3b7322d0c8d82c359e618fea760a59b

SHA512
e655eac1ad4c9769974e400289ce97b7a7ccf1ae4936943283a97ecf27c216531f4432db838d7e8df5b0925b3492d44871e1ed16177d13be5290d2c697a1e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
178KB

MD5
2498631906388b3a59c3161701dc4da2

SHA1
4edffe6bc44fc7d857b7d3c7fc9de58aa545fcc6

SHA256
717959d0b7ac9118a4540dd5466baed91c6872fab1089d5b9cc2dfb48a9bbfd0

SHA512
a85e7dca0a882691a8c999993520eaa0b7088f63400735314c3ef02036eb7914b45957966385e869db05735f44941cf48860772968606cf50758e82328167f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
207KB

MD5
3fd52782baddae80413d1b5468844df8

SHA1
195c7cb365aa132bfb04d56b480c9e4fb02714e7

SHA256
63f9a000928ccd2bdfeb70211e12f99569bd9f3c4aad2ab05b84a188face6497

SHA512
57bf9becaad1aa0d7a92c2830399cecd7e08d5c66b5003a0ef8826ec2c3ca20c8bed4858080f30c4236df371b26aae7245a233a48ec7eb5d33a1107f6f137baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
72KB

MD5
c8286c2cc455b4c44e1b9b881b64eebd

SHA1
dec87e4204b058ad44e14cadcb31abbf29900eac

SHA256
5b05a9766972d04d7fe70504463ece3396dc5e41671a3182e29028343657492a

SHA512
7e1fdb603e0d8493a3c46880ce94306a4fd4def0f78ecb07bd6a41dad6bad4efd2fb5e99d149962f028597a271fae038149ebf8445de37e09d948b79193d3137

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
45KB

MD5
81868f250324c7b336f8826d5ecc5599

SHA1
052622036d348c2033aa474dfef000e16d2e6fe1

SHA256
8a0dd1145845d0aa162f38d550f48fd4429e9efe0603fb14e7d0edf6f495e9a7

SHA512
39bdc60ee08409f4616c2ac11870a8d5f8e2abb5e3e37cdda2eedb3a50548054f8a8046c8058ef990ff75b8ccd71e880dcde216d5026c1fade0347c55318d237

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
839KB

MD5
4117311304798cecf8b05cfc06c7c77f

SHA1
f07418e766300761e934159405057eadc379da89

SHA256
cb6b0b23f299daa76f8b80e6a5e78ce88643236190b61abac8e3206c0e7409d6

SHA512
a758704116bf112ead73cfc506dc75158d4f868c77c0fc2734936494ba577ab28a8c6b0219883981722f7b545d702da65298a2a01f60c202b907faf4227492be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
1KB

MD5
4f27eb6d818a2c2ed21ad4d4bb584e99

SHA1
0d6a4cc16e40a05ad524ae3839b933919318b261

SHA256
fb66feda7fb70da58119f6646f5a4755d77c33a7035a9f939368d72b6e9d5af5

SHA512
a9072e1c040251e9f0bd211afb9844d478252d17662887caa33754f8be38246dc283bc40c39c053ff8ad48a686361c2db8296f1d4fad3f18a9582b8086f9cf82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
99KB

MD5
7f32cee251c05fa8c982723f44b63783

SHA1
11cae59bd6fd28dd857cbb668e32d459b8206f81

SHA256
0e71fec3d9e5710ed999e2b27800b8fb334d442c3adc5361e64ae05f89589850

SHA512
de30e5b04cb9ade390f231227fe23a0a467b90e13f32b6fb032a6ba93cdd1e9d5605ec901fbae43e31f9e21125c9917851ce7006847f8914069f9c06bc33b9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
78KB

MD5
edfe4307c9b02e10da637fa66f1834e4

SHA1
0ae0f1c0930337ec415f3fd60774f2e5772f9910

SHA256
4e8f738500b178f1bc5a8b1ff007f4597cd7d2c36a9cb7b18acac18018a962a9

SHA512
0362e2cf3935fe9e7993a24f0be9401e0bae184ad15ed4eaa6afd11674ce466c8e39b0ace776cc775e2b45093f3d4eb8a8273aff76c79145e0857e381b17e4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
329KB

MD5
927fa2810d057f5b7740f9fd3d0af3c9

SHA1
b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8

SHA256
9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9

SHA512
54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
201KB

MD5
3509619fdc745155690e0ad095460bda

SHA1
3e75abc6bd789f7cbf31db7750135c1600614165

SHA256
eb2a85a51e07dd967335e5fb35520dde13ed6894c5c1d1b266f930b91601eed3

SHA512
9bdce43f82f958eeb016467ab1b2847b9a2a3302b24d9340a04ae5b326a6b212706e3d23d0efb70544f1a1009d52c111bca115fec2dc206b7347b978cb16b50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
118KB

MD5
ab1a66e39447dd5fda76f4f91426b1a8

SHA1
8f4cffc54d2c4bfa867a685499a3929078abca35

SHA256
d44f009645e13b52111e7a3f30016f2abcdc760ef7df3334d2bb520f0e9ad4b7

SHA512
32377503d2296774c2bc96ad1321f761f5bd694f46e97bda2fa71d119ba0c3493971cf8b348d79513b95e2e457b4849e7ac29297a2521eeda24cc51ce25fe4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
54KB

MD5
741e94c2153b1a52c811f0764180162d

SHA1
1253640da00d0d6410b08b2d4d1920d4c380421b

SHA256
073114bffd8e58a9a47b9a7e7e777682c2ec6a1d939dc3b3501173bb20d737fb

SHA512
7a92c4b079b410bb78a5d62de370631c7a59bef5579c7778d6734fd5217797f592bd6b6031f044ce57ed696d3d8dfd7db910c3b5192016527d40284e500d1c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
45KB

MD5
6fe9c23cd2784451c0ef128ae27dd421

SHA1
631fc44057bd2c9aad140d7047578873d5722599

SHA256
c77014e713fca5c780c69751c0d6b2a25b8c2494b447852f5a2eb0e8f8043a77

SHA512
4dff8c6a8287471c6ce3a79c03cb6def2e4d415013404c357270af253b857415461291919ac4cda608ed8a02b3dfbbbdda15efebcf5cec61214b2a7913ab0598

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
14KB

MD5
6603a16d43ae5e963fa182d6e6ca8dfe

SHA1
c487fa0a4a006bc584f7285c4abf13a5c76488f1

SHA256
17759a94afa5050d87508efe4ad8d63bf2d1552aecf010e0f4f17200266fa272

SHA512
f33b7a7b407235bf41ae5168754a142021e5f4cb41b4dadd5987e4026cdd1059e52e26b3732a835768c923a179872ba934373fbbc5ba25896877c85e05b48be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
48KB

MD5
f871a539325ce764c3a6396dcb7d0961

SHA1
5040edd831ffbcc42faf6ecbdf2d3c25c2e353c3

SHA256
c0eecbe4ec75b74a3bc01cc27e0f19a5f25167404604107c3d78b76af6a63336

SHA512
aa83cf1f34ba73f6e322f29c19fc9f961453a09721f65a639665e60d4c412c4f6dbe7711db7970ef09a2551f4d3424e3eb3b4c066829982281fac338e81ca227

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
91KB

MD5
e49333839311fc09a49931722d7685d1

SHA1
b5b9f781ec27b080af80dbcaa92deef941b8d6fc

SHA256
56c9007d46585467d76e5cf4683018a3eed4e9430d27bb2cc0bdb3924a130a2a

SHA512
972558534757ec3f4ec0f79879cfbacdec8d8fcdeaacd380647c75279864be89595f79de435ccc46b8125cd4bd851438980fe58c8e63079505d3118c82384da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
370KB

MD5
1ade7c1384a31789bd4d09ffc84a6fe7

SHA1
d242836a654d6e52d1160cf4c88c78397c01dbfd

SHA256
4d550e9f6eb7428143ba8e8e85384ee9d74e9295ede645becf9e5af9ca6f71ff

SHA512
8443fbae45f955ad03ac35431b173a0db38cbbee1e306f99a49ba44d58eff4b5bd491e325a7ac4c71f38c0d822ca91c9406161a4a87064b63d7f307e64f7589a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
441KB

MD5
a9088a8cbb611d97f8359864661c74d8

SHA1
6063249425658cb22d01c138cb10047110ec673d

SHA256
b77a8ac4bbbc4f920ca637c0b3670d8d0fdc541b4eba8d823515c63d743fbdda

SHA512
8d68a8267c4ef2834f80dcf0d53f48b212216082bbbc51c00f9b401b5624d7fd9fcfe8a552bce11db578418e6137bb2ed923b67628b6254883e0718907e980b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
72KB

MD5
68dc91e6ae17078d57c6d6f60f65cb0e

SHA1
b496f30507ae448976ea4182eee625050dc76171

SHA256
98510bdd98db07101750d78bda10305b88bebc0a3756a316205bd2bbf4bebd63

SHA512
7bc08f15ad08b488d5d0ad6c4b7c8f9252274d6db5c42111c076ee7eab7695953e12004bb02211c8332a1d7e4882d025d94f0b2e33337d7754fc35ff5ec0873e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
93KB

MD5
9728f92077f7f60aa38dc072e78132ab

SHA1
eacd8e34ada9e7a0a6af499a39d8f0cd640cf0c1

SHA256
5420c63584c519150080c448f1bb151f61a9f811edc41ba8388d2e1e04845e6f

SHA512
065bd8b618becbbb24d08eec87a2783a413dea15bf1146e1c92487a64bd37242bbe19716bcb52a27bf87d74db0f260c3673a2bbeca2cb40cd83a9ec285cc5b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
127KB

MD5
ac6f14f64824bd41276e25cdc80d4365

SHA1
9520c126c7e98db0d4a2e20c5526a7093e2ee345

SHA256
db552e17f7f5ab10d205b1be01f75a0a30fe06fffad3af9031e14b67dabc6730

SHA512
cf2d480f21333628b9ee4785a32e2481cfa5df36a9f3ff5ac094b5d3b08e3bf97263f286d4c41855cf485f13c6e0dfc67187c2aec68f67917d3dd6d2b1b06ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
149KB

MD5
64a4d730ea9d86b035df81b91536cc0d

SHA1
01bdb6176755a3a8097859b414a2c15a3aa0a147

SHA256
eb2b900a6670389e105a569d004254e4049c0672c6543eec643c8985f1cbea95

SHA512
cfb908a261c8b0b676284e52ea3cc706bf57bfd1d38b0289a226d2e98995299faf322cc691960f2222dbca7716a6a45642a60b7f2d117a6e8cdd98184bd423f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
83KB

MD5
81d2b9263697feee08914a751eea15a0

SHA1
80c594165f3665309abc78ebdc06ed6a615fcbeb

SHA256
5302adfb18b4f4a1c12f77349a7c51fd09d92acf347bd10a9d139c7ea6dd0651

SHA512
d21cb72fa8a188ef65154d14bde9bc70d28b6fc663a66b9ec9e77ac36113e528257e297855960c7dff21b7129d8b083a66bd1a71e85a9e5f1176d2abdd0cbf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
48KB

MD5
ce4b5454241080adc32e260ef3f3d31b

SHA1
eb97f71b088fcdcb25ec6b18bea6e5dd000bbf14

SHA256
7329eabdf16eb39f2c5d6a9a2dc27ffb97a25c8ac1aa0bd2f358fd6259ed93a2

SHA512
b258562b0568306d490aef41369ebcb4e2cfd94c93c73b498c4b9a491ef5053f6aa4aaf6299f54c0c4422c47eafb477b7a79a05d441b3a732fd6b5da576382ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
92KB

MD5
82b89673f9ccf77e4bb5f7cf72b8b859

SHA1
876206287d8049ee26b701706689a35c3aad4b10

SHA256
40d509cd5b400c71f7decd77ae4d932d3325482e2fa984607e453be7bfc346fe

SHA512
433a91f1f615b8946c035ed17193e36dd3eea6563b604cb0a733f1fd65210b0c8a0fc52ee0038b2c7890735198f46b80dcef6af2994b81e41678933121531989

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
58KB

MD5
0c949aa46a9ee1dfd7f875169706f1b6

SHA1
c303c36038cbc9145345daba8bea87acace39ab2

SHA256
4f5428ca4be075b6d67b8e390e913be8de7241345de773e642d418b720871c67

SHA512
07d2848d2e9cb3eeb08a54c6ae5ba25a2da53c8639a70497da3bdf84d8111ccef2ca82beaf33ccacf7adabcb015dbd645654c055b6fb145214d3f67055f4544a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
52KB

MD5
aa0861b680d010a03ee0c2c74f03e26e

SHA1
69d01c0e25daa54910f543cd1516a2791c943009

SHA256
982b0363eff5b6dc5c731599b2013149bac754d90f5110f22bc73976939551c5

SHA512
857701f7e41614ac8bece21ee19b82fbaf4913536bd84171cc69a94db81c87c7ac9d7f18ecd363a3438cbdaab3e8cb367c5c726b29b4dbc67d903d5e67b5af46

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
3KB

MD5
0897a04b6cf6248b4d489d6cf9368952

SHA1
62901be20e74b0fcfd60766bcbdbd52b5983c882

SHA256
4217d72e7d08d16cf55e7ac92f1f5740befba70713ba17d10120fbfaa51f9812

SHA512
573512b8a774fcacf533dc46a5902d78a1a68ae6b04c5ed5b70fa414635d3e9fcc6bb026838865e75591a4780d60540b256e3f409ab57770411b420b56387a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
255KB

MD5
063a47c494f7f28a5c6b78153f4a55c0

SHA1
4dab8921e3d1b00884037f24916a736005a9dabe

SHA256
957db4cd633b05b5723fee553e817a7c004f015b6b10736d0939b2ad1865b761

SHA512
3db26cf208b30861fddf337f8808ab8cfdf5926fa268724067240af754802c26360c702334087e6291f8fbf770ecb59d50336ba229f62e4e1d40e8fc25130951

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
411KB

MD5
af7b498f6ec209860f56b1ddea2ff3f6

SHA1
6fea69b9425e23c6bdef4ffe61c57c9d1a606597

SHA256
b190f3bdf493f18dfe13ca516f98188bfd889f9388ac3be8d370e84e7fef5d3c

SHA512
0edd0bb2c7623c691307268f23639a779501b4a6335ac85111d6574fbe6ffd68a6a71fffca174c1360f4d5bd1655e4984200dfb70a1f248bbf39de9e806e028a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
46KB

MD5
018925a5b1c0be02caafdc45ff19ee1b

SHA1
eed43294802062971a38d69d59afb0cf91748180

SHA256
c39cbf74e44955b44baa0b737844d1251a6556dc2d6641a53e48c68baab1aefc

SHA512
958c2882e3978ee53de7c415c877d2e9d1ced93e7b7955f30a0f7f70a00e23197a603391f134bf5e5c53b56d8a898c3a6253acb94483d029662eaa70d5085393

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
81KB

MD5
23ccd7dd42a1316f2cee06d632559eb6

SHA1
90e7214f996190985179ca1ebef9ee65ae4ff6bd

SHA256
91164a548848e609e859fbfbb702029f85262d1cbabe05e369460f8cc48835cd

SHA512
dcba7f03ec45761a6e41aeb6ed0a1bc0026b113dd498022c001124bc4daf83fd0453cc6edcbd1b66fb2c2e1f3651a7554a1f01a19cfdac330593e1143a74e091

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
185KB

MD5
8c43b735b599e6330f3740f366874d9d

SHA1
4927948449d92cf36f0cf78622a65671aff6cc26

SHA256
b1873fdf4ee531a833616f70941b2db6138378f4df1a5dad06e505faac3ba1bd

SHA512
fd6e4cf212f0826a71e4ee9108543b22a70e010ffd82025b4b9c3fdbc67948614c81e00ed10a5232d90d1f4223aa480ca2ecac49bdd7eae6f3566edf31740f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
146KB

MD5
5c60e05daa5047fec4e2f9ccd4b15b7e

SHA1
0e8c306d98cd76f214bab857347e68b88ae16b90

SHA256
f625bb140e70c8a77ff3a4ce80149be894d0365c093667d0e79b94dfe41a2529

SHA512
8661f83fbef7b402798e32d6f768c6f1ed24a5290596d053fa665bca988ab96b3d75e0ca177048385eb27d1f6bafa4676bc1bb137d85d5c219289ab20ec0af58

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
259KB

MD5
905cee752ed0539ec1ce6c6f14775b06

SHA1
eb895f6ea93495c8659d7fb56fb10bc801231e6b

SHA256
c1fedd1755f87ffae55224ed5a9f183bd98fb212c2d358f547b35d25b4b9a6d5

SHA512
fef598debf7b3b2a69ea739b3986b0b51abeb389069094b67b2880da6329f873d459efa441d508b92b479069c85708b94ceae110a7f44299f40a3ebed089abaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
53KB

MD5
011d6dcb9d594a1ab794865bdef344b4

SHA1
02ccba7e7ff5959a79725f8776f5592e551e16f2

SHA256
0ac184f3c53527f077d501ed52e83c62682ab60837244318f8924af05432aaae

SHA512
9db68994ba67deccc31c01dfb96de9cd1fc8da45ea15874dad41eee0aed741cec7f84b3fcc35fd89f78eb3fe9fc7409de1d4410949bdc8b6fb949e5a17e9f507

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
54KB

MD5
f7396dbb87b4b6fb43bacfeac91d7cb2

SHA1
3ded8e0194cc11e62df068f847353c2168e0365b

SHA256
6cfe4d7e45c2a99a50a9fa7c68d07c7fc9ea596f7193b3b6ebc8d647001c195f

SHA512
56e624f191fc60ebb542122b7c2cfec79cc39bb3bbecdc19091c630a99cf819648b87c161de7458cd1612fabddc44f837a8a3d76903b5631e5d35fcc1e76b76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
260KB

MD5
df402810f36b20deecb7b6d652cb6545

SHA1
be5aa241077fa8d7c38f431ec28412947fa813a7

SHA256
5e92530e89f0ae2ee0a558fd8712b971cd2577fe923d9b381a2ccb61c90c7e79

SHA512
89d35a477babb8ca4d69e5b7658043338dacbe280d0515cada967c7fcba5b827ee89af15161bee15a70cdb0f8983897974e99ce99624dbd139d7a8a874b74b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1ipr4qq.qxo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
572KB

MD5
8e313f44f6f41e25ca0aeecf0cb53b87

SHA1
2a0b391731b6284e008f62dc4172b04f2a76bdf5

SHA256
e503b860717bde61df2fe14fa070a27b103a403800f916f096c36f9937acbfdb

SHA512
2880216031ac860242c8e6d6c6ea32f2f9ad4ca102678779997e81df4f01d0c9d3f2cde1a90757785a715721db499c6e22cdbe96659d2106c875705279315113

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
501KB

MD5
0f884dedcf528d247f40f3c9de50a9ee

SHA1
58908bc822b35a00af79be5831d823961b262dc1

SHA256
748cddcfe205dd5811c8b9aa642455b510039d0ea82a61fb5afc2c1469e50c6d

SHA512
d047d66ad5f994c6506c894f5ca8ddabf4dc520d5d976aa1f1cd82a9fee73b6086b58b8c1b3e680167ec995a75ec373d5aceaaff4c2166df98b5a7dbc092d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
125KB

MD5
6856e34f586c0540f73c5bf6737fa0fe

SHA1
747919a044b1bc8ecc2e22d739f61207260b9ba0

SHA256
cc50e0483658a56b36a621d3cdfe33ea844d3f556f0cb5223c29865b683fbba4

SHA512
0d7f60bc14a9a8182432e14b4d959d039e6923f380873c1fc7c7e0f6e277b3e7819c09a1ccf6cc3f8b810967c396a8a81cd878cc56ffa83512d6e92a70abd930

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
397KB

MD5
d46033d811b5d20291b75b64e2ab87f0

SHA1
fe90f5536749daf74b21c4c50e57ef177a5fb840

SHA256
c03bbb9bce36da7b9bdd4a07bef09ab36d76889d5222bf459c1d3967d4b7d4bc

SHA512
bb3320aecc0fa7f1e49aedbccf00d499259337ce8994983193b4ab2f6844373cfd68a3778dab8ab766657d28af09ee7ba4fccfa49b9d211a73781b84f01551be

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
1KB

MD5
d5f3d2440a8ef3bc32ef9463ee2c3609

SHA1
29608184d847ae2b6a484b795b881799100592cb

SHA256
372ee45ed4ffd1c7125e5b257bd33f39391e1bd2a6d5d1fe1adb2b19b7c66c03

SHA512
65761d5f894648f70d3f4bdcd3071a59f854f8ceb6f71ad3f87159f2bfd808f1430cbcc4052bc51d60c2e2cf432a195bbfd6aaf8661322d7574a0eb530bf54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp
Filesize
8KB

MD5
0a9ae33b32488b442726b1f7b745e3b0

SHA1
0d4ec18baef276c3554e3151a524fe1878c9c580

SHA256
9d29d92062238449132ece8c7a40cf05ff28f1e9e3a5ae28b85aefc2e29d8bcf

SHA512
02d8955d5650e4aaf091b9bcaf7f863dd4633a5620e504214b85680d40174658ca578281030c88f52f75c16557befbd2fffeaab2caa53769d618c23a333b749c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp
Filesize
68KB

MD5
052d4bdde0a872396a769012bf7dafc7

SHA1
49357402289d957eaa5e973e0d62209ed3d86177

SHA256
e1a76b9082b9e363aa6bf957328a0aa6497e1b1e8f08e54605f861b37d10e34f

SHA512
008d9430ae15ec573830dcec31dcc9659174305222b478d78d29fa34868b1633d3abbb40f1d0c8491be471f86a90a0d9fdb8ab12566438980a5c01029a2014cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9BF3.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
326KB

MD5
a6fef0562abecca0d7b3567825ae5b99

SHA1
2fa30153197cf09fd9bc36a26c062ee69644be2d

SHA256
dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b

SHA512
7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
71KB

MD5
0f9dece7a5e48da0dc2c7c0aa14bd3ff

SHA1
f625954a9f3bf5913404a9b55b6873bcf1d1d8ef

SHA256
a91f129c94cdeac13a9161d14403508f2a58614439730b70b88e8025d53e5d77

SHA512
ecf5d5b7b7279b968217257ea7c9fc4b7e98b338c23f7fb179c46eeef336f608f59c8c24e339a2785b8db8ef896bbe4ed9b2cd9f16358f2ae75d01e5b977a827

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
222KB

MD5
1cacdaca7a00f88d0932515385e33e56

SHA1
ad130c7c747d73a988a2504aa4a7f3540f3ad8e4

SHA256
d9b767ba66b02c88b1384aa3d9ea8eaf62e322a8c16f9ff7bbda0146ff7ccdec

SHA512
66010c51a67566831c273780348bae061436f7024ac1324b78aa3d521c332f5db536c9d8f5f9b19891c805b1378e06aff4a100dedd281b75c9fd18004569d1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
224KB

MD5
4fe7bef521345515a1a3e94fa4a25c3a

SHA1
081fe1bedaabd9586b4c3af635814de71d41467d

SHA256
c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

SHA512
3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
45KB

MD5
01052d2ced2888865f9ee99360ff5b98

SHA1
a29608fbc9fb0723f454dd45043fc4068eb81a47

SHA256
a958d1f7f582fa63b12463b15b2ac544c5d30e70bc283c992a6c8f75540e9f69

SHA512
a6b9d14f9a418dd22ace678f7c4fa25a513d1cba5eeff27ef9f0a0334a86b892412d29367514ed1c9b20df92c9780f30fb405b07123f1b0814eadfcf094b666d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
49KB

MD5
286035618b819d377449463c8eb3dd74

SHA1
76f9da21bbe2a845013c86385faaea54a267f017

SHA256
1284b6491cd1ee97bc1078a23d2f684fbce981cfa44aa1e0625e4f46e8247dcc

SHA512
a687f844300cb736e10b3d4daad226f63e2c74fba7c86c9e351e00b3c02871eef94452150558d0a59bdbaf6b62459d81637456a32da73133af673b1773c14111

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
56KB

MD5
64a45ac4aecf2403e09cfdd778371394

SHA1
377fb5d999f648f00e3da7309f2efab0e7edc8a4

SHA256
71ad06566c28bb153d2804eb4caa7711d2d1d19582e0b384bd89548309e18f3f

SHA512
a0bf2686220a50c899f20a8a8c6c28ece3561552d8d48847e26336b41be422c5fdce274a822523bfd944a2cede46c833a4c0b2b4217b1287a13fb67215a98761

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
14KB

MD5
d46bb349dd2634d29a9fac6c3248a70c

SHA1
5d998a04008286a1a20506db050ec5ec9e965b29

SHA256
485ac463c609c76a52dd5b2d26b2c951144fa11e936068889a414bfce26f0575

SHA512
e44defea2f62d91edebcf3035367e59aa56e127542cba3c2714e50b89bdc5481e21e18b5cac1d1ff40f286b50f142f65a17dbc3f7d46311af490cfcf81882e94

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
22KB

MD5
e810523d94214c7d824b490c56604e46

SHA1
11d10134f2b574766f570e0caba41e2cf5e37345

SHA256
39cbee25e7d668d566a0c52578817520df8f64ac15715dff7188eb84f12fa167

SHA512
ab0a8f3e8de8b147eced0097eeb1cf9a86de1577bc1a047c3a1cb92092980d6b088236945199814dbfbf2d07fad715812356199b74496e902cabfdea88e4e64b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
1KB

MD5
7c6158126fcaf750413a7930915b308f

SHA1
caa1e195ea7af6169a0e6ac0709223557998792b

SHA256
13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3

SHA512
d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
76KB

MD5
7d9dac5e1197789e060b792db618ba78

SHA1
57a4ac4136121cb934780e6d744532aab5b09633

SHA256
ad029d476d7606e487e08c73c2cb8c85856c361d555432a380434032406ec37f

SHA512
10c57a79b0bda895fd567fec5516d3ad20c0a49341c1ac5b3fe6e40b48a9c5bfd6a53ca3c8f94d21a372d62697eafb27e66a6e9dc126a9e14f3c1a949a58cc6e

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
37KB

MD5
e0c191fab174d149038310487b253b9d

SHA1
fb6d6b9030adcf482e9fcd2537d14b75e41ecc7b

SHA256
32c86fe558bcc24b3c342dcd97f0f49898c1b79850f70fec0d122c965e3e88f0

SHA512
eae0114587043aa69ba6a0eabec257b844a784c81ef5c0231d910fbdff936feac11443a98714308905ed8e21f1e58880f2a2074a95df8d399432a02e95570d1d

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
16KB

MD5
782b3df0b32f12f2020f8d154bf5e772

SHA1
3e8db8af4c8b7f9f9f5a01830f88dffc5aa7ef94

SHA256
9c591d9837c7e67c2bb473cfa17092ad08d9145e19d97096abd5e507d839d984

SHA512
4ce563d3823237a5b72ebeab44575dca5923434a5d65d1373ca474f92f25205744f43c4f2107cd507b30bf92293421e3497466f55f7e9b1e5bc874d8426987e7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
ae5f2a708d1b481d1ae1a9fbfee6bfcf

SHA1
558911961d5cebf98a288a8abc0b21b954556004

SHA256
00a1d6c1b914312c76e4b2b2068ab3e5bd433b1a7cf5354b3bfcdb446e9da659

SHA512
d9cec12e803817a118d3c3b44746fca0b6ebc7e667a3aa78683e69d1c23ec8ca1c16f1f0560a2e462100d36727849ba2c2600f7a6c22fe1e8e6056904e804e0e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
783abad4c454672d8ee69ec69cdc4401

SHA1
ab96cd57ed9e5275c7ff4eaf6e9ea0fdcf7a7f4a

SHA256
c998f751b995ed1a84ea006cfa5f7ace7296321ab2d85dc9fe920a28eaad9b0a

SHA512
7b7f7023cc9d50eedd2e747670420ddb033764686983c03307e3274e88c4f8040459ef56763edf8ee70a6c8eca98275b3dbf1ebbbe32bd68c89c0a2a08747a0f

Download Submit
C:\Windows\rss\csrss.exe
Filesize
77KB

MD5
62c8640f1074305052aef386125e4808

SHA1
3ad1935713f2bf0b86937d7eb42c81f6c8518e4a

SHA256
c277b6ac08828e84be7166448bbc87e4d3810a6cef164743738a29b812b51531

SHA512
4f3dfe19a647f9a48b8ce67edd33c9612effd2e6583ddf5f86343fe90e416e0e1e81fb23931288d046c0125377dfa45c1090ea7e1630563bdcc37c3bda124e9a

Download Submit
C:\Windows\rss\csrss.exe
Filesize
57KB

MD5
0a4bbf06a06dcb9844b9320f30dfd22c

SHA1
1d90ca67408d8492be4b7b6024521168cba02a51

SHA256
d18f50f3a782cfbde46005b5f435a7a79b624eddd9e1cb86c43ce26d01be93c3

SHA512
5cf84b1744e2623584cdeae8d341f027acbc54bcc6651b677c4f2086584ff9b6f85e93a4d503d33fe79929eddaf3a644bee9377fcf62945985716597c5df9922

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
86dcf064474fd20f25006f96ab661f01

SHA1
69375b55e39c2bab40cc6da7896762a56d631d91

SHA256
d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc

SHA512
86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

Download Submit
memory/1096-14-0x0000000000FE0000-0x00000000013E8000-memory.dmp

Filesize
4.0MB

Download
memory/1096-1-0x0000000000FE0000-0x00000000013E8000-memory.dmp

Filesize
4.0MB

Download
memory/1096-2-0x0000000000FE0000-0x00000000013E8000-memory.dmp

Filesize
4.0MB

Download
memory/1096-0-0x0000000000FE0000-0x00000000013E8000-memory.dmp

Filesize
4.0MB

Download
memory/1756-150-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-144-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-118-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-120-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-131-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-291-0x000001F35F920000-0x000001F35F940000-memory.dmp

Filesize
128KB

Download
memory/1756-119-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-136-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-128-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-133-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-139-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-149-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-151-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-147-0x000001F34F7B0000-0x000001F34F7D0000-memory.dmp

Filesize
128KB

Download
memory/1756-152-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-148-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-106-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2628-314-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2736-303-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2736-297-0x0000000002450000-0x000000000248E000-memory.dmp

Filesize
248KB

Download
memory/2736-301-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2736-299-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/2736-293-0x0000000002270000-0x00000000022B2000-memory.dmp

Filesize
264KB

Download
memory/3044-17-0x0000000000230000-0x0000000000638000-memory.dmp

Filesize
4.0MB

Download
memory/3044-178-0x0000000000230000-0x0000000000638000-memory.dmp

Filesize
4.0MB

Download
memory/3044-16-0x0000000000230000-0x0000000000638000-memory.dmp

Filesize
4.0MB

Download
memory/3044-141-0x0000000000230000-0x0000000000638000-memory.dmp

Filesize
4.0MB

Download
memory/3768-255-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3768-275-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/3768-277-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-296-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-142-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3804-137-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/3804-134-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-304-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3804-138-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3804-143-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/3804-135-0x0000000000880000-0x00000000008D2000-memory.dmp

Filesize
328KB

Download
memory/3808-89-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3808-93-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3808-98-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3808-100-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3808-96-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3808-105-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4076-36-0x0000000000560000-0x0000000000A43000-memory.dmp

Filesize
4.9MB

Download
memory/4076-254-0x0000000000560000-0x0000000000A43000-memory.dmp

Filesize
4.9MB

Download
memory/4076-189-0x0000000000560000-0x0000000000A43000-memory.dmp

Filesize
4.9MB

Download
memory/4140-78-0x0000000000C90000-0x0000000000CFC000-memory.dmp

Filesize
432KB

Download
memory/4140-79-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4140-92-0x0000000003250000-0x0000000005250000-memory.dmp

Filesize
32.0MB

Download
memory/4140-95-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4140-81-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4348-155-0x0000000007400000-0x0000000007450000-memory.dmp

Filesize
320KB

Download
memory/4348-101-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/4348-117-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/4348-168-0x0000000008490000-0x00000000089BC000-memory.dmp

Filesize
5.2MB

Download
memory/4348-85-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4348-90-0x0000000005AF0000-0x0000000006108000-memory.dmp

Filesize
6.1MB

Download
memory/4348-94-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/4348-145-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/4348-154-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/4348-99-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/4348-97-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-153-0x0000000006490000-0x0000000006506000-memory.dmp

Filesize
472KB

Download
memory/4348-256-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-165-0x0000000007D90000-0x0000000007F52000-memory.dmp

Filesize
1.8MB

Download
memory/4348-104-0x00000000055C0000-0x00000000055FC000-memory.dmp

Filesize
240KB

Download
memory/4472-228-0x0000000000D70000-0x0000000000DC6000-memory.dmp

Filesize
344KB

Download
memory/4472-229-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4472-241-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4472-274-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4472-273-0x0000000003070000-0x0000000005070000-memory.dmp

Filesize
32.0MB

Download
memory/4768-227-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-315-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-201-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-212-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-214-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-199-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4768-231-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-235-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-278-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-305-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-177-0x00000000050D0000-0x000000000527C000-memory.dmp

Filesize
1.7MB

Download
memory/4768-308-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4768-198-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-187-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4768-253-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-260-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-186-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-185-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4768-272-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-180-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-179-0x0000000004F20000-0x00000000050CC000-memory.dmp

Filesize
1.7MB

Download
memory/4768-183-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4768-182-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-288-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-249-0x0000000004F20000-0x00000000050C5000-memory.dmp

Filesize
1.6MB

Download
memory/4768-311-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4768-181-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-309-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4812-82-0x00007FF707720000-0x00007FF70815D000-memory.dmp

Filesize
10.2MB

Download
memory/4812-58-0x00007FF707720000-0x00007FF70815D000-memory.dmp

Filesize
10.2MB

Download
memory/4852-146-0x00007FF6DBD50000-0x00007FF6DC78D000-memory.dmp

Filesize
10.2MB

Download
memory/4852-107-0x00007FF6DBD50000-0x00007FF6DC78D000-memory.dmp

Filesize
10.2MB

Download
memory/4916-251-0x00007FF9ACFF0000-0x00007FF9ADAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-248-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download