amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrome
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-1J0WWM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

redline

Botnet

adel

62.233.51.177:14107

Attributes

auth_value
6ba5b78fc0fccdad3cc87ea2ca866fc2

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

xworm

91.92.249.37:9049

Mutex

aMtkXNimPlkESDx9

aes.plain

Extracted

Family

formbook

Version

4.1

Campaign

he09

Decoy

clhear.com

maythunguyen.com

xiongmaoaijia.com

kembangzadsloh.xyz

speedwagner.com

360bedroom.com

campereurorg.top

cwxg2.site

mcdlibre.live

globigprimecompanylimited.com

1707102023-stripe.com

xhfj5.site

mugiwaranousopp.xyz

texmasco.com

sc9999.net

lite.team

8xb898.com

cibecuetowing.top

mgplatinemlak.xyz

southwestharborkeyword.top

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\first.exe	family_xworm
behavioral3/memory/3008-407-0x0000000000CF0000-0x0000000000D06000-memory.dmp	family_xworm

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4076-86-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1580-473-0x0000000002E40000-0x000000000372B000-memory.dmp	family_glupteba
behavioral3/memory/1580-478-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/1580-513-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/1580-550-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/1580-591-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4076-86-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral3/memory/2720-277-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/4784-489-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral3/memory/2200-577-0x0000000000E00000-0x0000000000E2F000-memory.dmp	formbook

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3916 netsh.exe

pid	process
3916	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

buildcosta.exe360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exefirst.exe360TS_Setup.exe4363463463464363463463463.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	buildcosta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	first.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	RegAsm.exe

Executes dropped EXE 29 IoCs

Processes:

networa.exetuc5.exetuc5.tmp360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.execrypted.exe6.exeFreeMP3CutterJoiner.exeFreeMP3CutterJoiner.exelolMiner.exesc.exec4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exevinu.execonhost.exeWatchDog.exeqemu-ga.exebuildcosta.exetoolspub1.exefirst.exee0cbefcb1af40c7d4aff4aca26621a98.exeConhost.exe360TS_Setup.execonhost.execonhost.exebuildcosta.exe360TS_Setup.exerty27.exeFirstZ.exebuildcosta.exee0cbefcb1af40c7d4aff4aca26621a98.exe

pid	process
4812	networa.exe
4772	tuc5.exe
1164	tuc5.tmp
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4764	crypted.exe
4668	6.exe
4908	FreeMP3CutterJoiner.exe
3004	FreeMP3CutterJoiner.exe
3604	lolMiner.exe
964	sc.exe
3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
4440	vinu.exe
1532	conhost.exe
4920	WatchDog.exe
4608	qemu-ga.exe
1272	buildcosta.exe
756	toolspub1.exe
3008	first.exe
1580	e0cbefcb1af40c7d4aff4aca26621a98.exe
1636	Conhost.exe
4780	360TS_Setup.exe
544	conhost.exe
4784	conhost.exe
1384	buildcosta.exe
3492	360TS_Setup.exe
4536	rty27.exe
2492	FirstZ.exe
3156	buildcosta.exe
2984	e0cbefcb1af40c7d4aff4aca26621a98.exe

Loads dropped DLL 7 IoCs

Processes:

tuc5.tmp360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe360TS_Setup.exeWerFault.exe360TS_Setup.exe

pid	process
1164	tuc5.tmp
1164	tuc5.tmp
1164	tuc5.tmp
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4780	360TS_Setup.exe
1236	WerFault.exe
3492	360TS_Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe	upx
behavioral3/memory/3604-267-0x00007FF7AC310000-0x00007FF7B0A6B000-memory.dmp	upx
behavioral3/memory/3604-355-0x00007FF7AC310000-0x00007FF7B0A6B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

first.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe"	first.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

32 raw.githubusercontent.com
31 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

147 ip-api.com

flow	ioc
32	raw.githubusercontent.com
31	raw.githubusercontent.com

flow	ioc
147	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\networa.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vinu.exe

pid process

4440 vinu.exe
4440 vinu.exe
4440 vinu.exe
4440 vinu.exe
4440 vinu.exe
4440 vinu.exe

pid	process
4440	vinu.exe
4440	vinu.exe
4440	vinu.exe
4440	vinu.exe
4440	vinu.exe
4440	vinu.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

crypted.exec4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exesc.execonhost.execonhost.execscript.exe

description	pid	process	target process
PID 4764 set thread context of 4076	4764	crypted.exe	RegAsm.exe
PID 3024 set thread context of 2720	3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 964 set thread context of 4160	964	sc.exe	cmd.exe
PID 1532 set thread context of 4784	1532	conhost.exe	conhost.exe
PID 4784 set thread context of 3372	4784	conhost.exe	Explorer.EXE
PID 2200 set thread context of 3372	2200	cscript.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\1706530387_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1706530387_0\360TS_Setup.exe	360TS_Setup.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1236 sc.exe
964 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1236	sc.exe
964	sc.exe

Program crash 32 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4464	3024	WerFault.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
3116	756	WerFault.exe	toolspub1.exe
1244	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
2592	1636	WerFault.exe	toolspub1.exe
5020	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4120	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4384	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
984	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
2568	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4840	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
3708	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4868	4920	WerFault.exe	WatchDog.exe
1648	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
3984	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
2656	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1668	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4036	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
8	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
2308	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1512	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1992	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1236	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1668	1580	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
2640	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
2204	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4840	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
3148	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1236	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4372	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
4356	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1012	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
1856	2984	WerFault.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1584 schtasks.exe

pid	process
1584	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

first.exe

pid process

3008 first.exe

pid	process
3008	first.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tuc5.tmpsc.exeRegAsm.exeWatchDog.execmd.execonhost.execonhost.execscript.exe

pid	process
1164	tuc5.tmp
1164	tuc5.tmp
964	sc.exe
4076	RegAsm.exe
4076	RegAsm.exe
964	sc.exe
964	sc.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4160	cmd.exe
4160	cmd.exe
4160	cmd.exe
4160	cmd.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
1532	conhost.exe
1532	conhost.exe
4920	WatchDog.exe
4920	WatchDog.exe
4784	conhost.exe
4784	conhost.exe
4784	conhost.exe
4784	conhost.exe
4784	conhost.exe
4784	conhost.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
2200	cscript.exe
2200	cscript.exe
2200	cscript.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe
4920	WatchDog.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

sc.execmd.execonhost.execscript.exe

pid process

964 sc.exe
4160 cmd.exe
4784 conhost.exe
4784 conhost.exe
4784 conhost.exe
2200 cscript.exe
2200 cscript.exe

pid	process
964	sc.exe
4160	cmd.exe
4784	conhost.exe
4784	conhost.exe
4784	conhost.exe
2200	cscript.exe
2200	cscript.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exe360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exeRegAsm.exeWatchDog.exefirst.execonhost.execonhost.exeExplorer.EXEcscript.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4620	4363463463464363463463463.exe
Token: SeManageVolumePrivilege	3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
Token: SeDebugPrivilege	4076	RegAsm.exe
Token: SeDebugPrivilege	4920	WatchDog.exe
Token: SeDebugPrivilege	3008	first.exe
Token: SeDebugPrivilege	1532	conhost.exe
Token: SeDebugPrivilege	4784	conhost.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeDebugPrivilege	2200	cscript.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeDebugPrivilege	3660	svchost.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeDebugPrivilege	3008	first.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

networa.exetuc5.tmp360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

pid	process
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
1164	tuc5.tmp
4812	networa.exe
4812	networa.exe
4812	networa.exe
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4812	networa.exe
4812	networa.exe
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

networa.exe360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

pid	process
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4812	networa.exe
4812	networa.exe
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
3144	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe
4812	networa.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6.exevinu.exe360TS_Setup.exe360TS_Setup.exe

pid process

4668 6.exe
4440 vinu.exe
4780 360TS_Setup.exe
3492 360TS_Setup.exe

pid	process
4668	6.exe
4440	vinu.exe
4780	360TS_Setup.exe
3492	360TS_Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exetuc5.execrypted.exetuc5.tmpnet.exesc.exec4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exeRegAsm.exe

description	pid	process	target process
PID 4620 wrote to memory of 4812	4620	4363463463464363463463463.exe	networa.exe
PID 4620 wrote to memory of 4812	4620	4363463463464363463463463.exe	networa.exe
PID 4620 wrote to memory of 4812	4620	4363463463464363463463463.exe	networa.exe
PID 4620 wrote to memory of 4772	4620	4363463463464363463463463.exe	tuc5.exe
PID 4620 wrote to memory of 4772	4620	4363463463464363463463463.exe	tuc5.exe
PID 4620 wrote to memory of 4772	4620	4363463463464363463463463.exe	tuc5.exe
PID 4772 wrote to memory of 1164	4772	tuc5.exe	tuc5.tmp
PID 4772 wrote to memory of 1164	4772	tuc5.exe	tuc5.tmp
PID 4772 wrote to memory of 1164	4772	tuc5.exe	tuc5.tmp
PID 4620 wrote to memory of 3144	4620	4363463463464363463463463.exe	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
PID 4620 wrote to memory of 3144	4620	4363463463464363463463463.exe	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
PID 4620 wrote to memory of 3144	4620	4363463463464363463463463.exe	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
PID 4620 wrote to memory of 4764	4620	4363463463464363463463463.exe	crypted.exe
PID 4620 wrote to memory of 4764	4620	4363463463464363463463463.exe	crypted.exe
PID 4620 wrote to memory of 4764	4620	4363463463464363463463463.exe	crypted.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4764 wrote to memory of 4076	4764	crypted.exe	RegAsm.exe
PID 4620 wrote to memory of 4668	4620	4363463463464363463463463.exe	6.exe
PID 4620 wrote to memory of 4668	4620	4363463463464363463463463.exe	6.exe
PID 4620 wrote to memory of 4668	4620	4363463463464363463463463.exe	6.exe
PID 1164 wrote to memory of 100	1164	tuc5.tmp	net.exe
PID 1164 wrote to memory of 100	1164	tuc5.tmp	net.exe
PID 1164 wrote to memory of 100	1164	tuc5.tmp	net.exe
PID 1164 wrote to memory of 4908	1164	tuc5.tmp	FreeMP3CutterJoiner.exe
PID 1164 wrote to memory of 4908	1164	tuc5.tmp	FreeMP3CutterJoiner.exe
PID 1164 wrote to memory of 4908	1164	tuc5.tmp	FreeMP3CutterJoiner.exe
PID 1164 wrote to memory of 3004	1164	tuc5.tmp	FreeMP3CutterJoiner.exe
PID 1164 wrote to memory of 3004	1164	tuc5.tmp	FreeMP3CutterJoiner.exe
PID 1164 wrote to memory of 3004	1164	tuc5.tmp	FreeMP3CutterJoiner.exe
PID 100 wrote to memory of 2592	100	net.exe	WerFault.exe
PID 100 wrote to memory of 2592	100	net.exe	WerFault.exe
PID 100 wrote to memory of 2592	100	net.exe	WerFault.exe
PID 4620 wrote to memory of 3604	4620	4363463463464363463463463.exe	lolMiner.exe
PID 4620 wrote to memory of 3604	4620	4363463463464363463463463.exe	lolMiner.exe
PID 4620 wrote to memory of 964	4620	4363463463464363463463463.exe	sc.exe
PID 4620 wrote to memory of 964	4620	4363463463464363463463463.exe	sc.exe
PID 4620 wrote to memory of 3024	4620	4363463463464363463463463.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
PID 4620 wrote to memory of 3024	4620	4363463463464363463463463.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
PID 4620 wrote to memory of 3024	4620	4363463463464363463463463.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
PID 964 wrote to memory of 4160	964	sc.exe	cmd.exe
PID 964 wrote to memory of 4160	964	sc.exe	cmd.exe
PID 964 wrote to memory of 4160	964	sc.exe	cmd.exe
PID 4620 wrote to memory of 4440	4620	4363463463464363463463463.exe	vinu.exe
PID 4620 wrote to memory of 4440	4620	4363463463464363463463463.exe	vinu.exe
PID 4620 wrote to memory of 4440	4620	4363463463464363463463463.exe	vinu.exe
PID 3024 wrote to memory of 2720	3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 3024 wrote to memory of 2720	3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 3024 wrote to memory of 2720	3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 3024 wrote to memory of 2720	3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 3024 wrote to memory of 2720	3024	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 4620 wrote to memory of 1532	4620	4363463463464363463463463.exe	conhost.exe
PID 4620 wrote to memory of 1532	4620	4363463463464363463463463.exe	conhost.exe
PID 4620 wrote to memory of 1532	4620	4363463463464363463463463.exe	conhost.exe
PID 4620 wrote to memory of 4920	4620	4363463463464363463463463.exe	WatchDog.exe
PID 4620 wrote to memory of 4920	4620	4363463463464363463463463.exe	WatchDog.exe
PID 4620 wrote to memory of 4920	4620	4363463463464363463463463.exe	WatchDog.exe
PID 4076 wrote to memory of 4608	4076	RegAsm.exe	qemu-ga.exe
PID 4076 wrote to memory of 4608	4076	RegAsm.exe	qemu-ga.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\Files\networa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\networa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4812

C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\is-06RVP.tmp\tuc5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-06RVP.tmp\tuc5.tmp" /SL5="$501E4,7878473,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 29
5⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 29
6⤵
PID:2592

C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
"C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe" -i
5⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
"C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe" -s
5⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
"C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3144

C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe" /c:WW.Ginmobi.CPI202401 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Program Files (x86)\1706530387_0\360TS_Setup.exe
"C:\Program Files (x86)\1706530387_0\360TS_Setup.exe" /c:WW.Ginmobi.CPI202401 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\AppData\Local\Temp\Files\6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe"
3⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4160

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
5⤵
- Launches sc.exe
PID:1236

C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 240
4⤵
- Program crash
PID:4464

C:\Users\Admin\AppData\Local\Temp\Files\vinu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\vinu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
4⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1444
4⤵
- Program crash
PID:4868

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
"C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN buildcosta.exe /TR "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe" /F
4⤵
- Creates scheduled task(s)
PID:1584

C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
4⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 372
5⤵
- Program crash
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 396
5⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 416
5⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 680
5⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 720
5⤵
- Program crash
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 732
5⤵
- Program crash
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 760
5⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 732
5⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 788
5⤵
- Program crash
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 788
5⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 720
5⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 840
5⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 748
5⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 880
5⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 624
5⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 888
5⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 796
5⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 620
5⤵
- Loads dropped DLL
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 872
5⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 340
6⤵
- Program crash
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 356
6⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 360
6⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 592
6⤵
- Program crash
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 688
6⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 688
6⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 688
6⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 716
6⤵
- Program crash
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 744
6⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Modifies data under HKEY_USERS
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4024

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:3916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\1000121001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000121001\toolspub1.exe"
4⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 340
5⤵
- Program crash
PID:2592

C:\Users\Admin\AppData\Local\Temp\1000122001\rty27.exe
"C:\Users\Admin\AppData\Local\Temp\1000122001\rty27.exe"
4⤵
- Executes dropped EXE
PID:4536

C:\Users\Admin\AppData\Local\Temp\1000123001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\FirstZ.exe"
4⤵
- Executes dropped EXE
PID:2492

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe"
3⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 340
4⤵
- Program crash
PID:3116

C:\Users\Admin\AppData\Local\Temp\Files\first.exe
"C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
4⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
3⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe"
3⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe"
3⤵
PID:4200

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
3⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3024 -ip 3024
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 756 -ip 756
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1580 -ip 1580
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1636 -ip 1636
1⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1580 -ip 1580
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1580 -ip 1580
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1580 -ip 1580
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1580 -ip 1580
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1580 -ip 1580
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1580 -ip 1580
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4920 -ip 4920
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1580 -ip 1580
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1580 -ip 1580
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1580 -ip 1580
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1580 -ip 1580
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1580 -ip 1580
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1580 -ip 1580
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1580 -ip 1580
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1580 -ip 1580
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1580 -ip 1580
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1580 -ip 1580
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1580 -ip 1580
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1580 -ip 1580
1⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2984 -ip 2984
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2984 -ip 2984
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2984 -ip 2984
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2984 -ip 2984
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2984 -ip 2984
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2984 -ip 2984
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2984 -ip 2984
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2984 -ip 2984
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2984 -ip 2984
1⤵
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Scripting

T1064

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1706530387_0\360TS_Setup.exe
Filesize
2.2MB

MD5
2be39970b33ff55b4199bcfa927f263a

SHA1
f4f1f447861e1835003acc68986de5c828a5426b

SHA256
931b69b19a7771191260616811573ede37f17189f5a2ac48b09a7366cb5c7f7f

SHA512
b74a67ee9781483a7fc3a89a118082f8663fd9db2d9fcd3542d6ce671643e4aacdbd60b6da02e6b1b9d89b4d3f200053355823ce6cdb538860b98b2a35529a3b

Download Submit
C:\Program Files (x86)\1706530387_0\360TS_Setup.exe
Filesize
1024KB

MD5
030cf12b8c6e8df499dff11a48ab9b7c

SHA1
e216305280217a0aba157405a7dbc40d7b711038

SHA256
d17b18e6fd0d7d3126f43291440792f91ef34b8bc9c2810a2f377b90d257ffd3

SHA512
abc7dbd190f7e1bec4f1cf55ed54f15dc39f868008f0af9ec881f8dc2d87d510aa4079c540ca76eae5b9e1dceb8367587935c8cc1902efd1a3d45bf586de48f5

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
Filesize
1.2MB

MD5
a3aeacfc4ccb8864c1a562347fcdb4b7

SHA1
f09054bd21fe34a75a80ace4975734a5ec11387a

SHA256
f45f4676b59ad00aa4d8e6a8267481d17950aaa5b1af80ed739606ba6be72319

SHA512
48a3fa73bb1c85da2f4ec12213960b63b60c09866b8a7e3c8eeb9c1bf7e7c7f44607a1578ca310b1d2317c3405558fd4970046c6c9cd2502eed9c381e2071da0

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
Filesize
832KB

MD5
f16680354ef40847872c1d6e6639888a

SHA1
5c8242d9b913803fef0b5047af5690d057799881

SHA256
8f1b1bbb9b3c83564353bd76c4eda6bae15056a9f3f1e806dd4275dca36d18bd

SHA512
cc168835bb0b916b53cd922d767a555341dc89ea8c69bde1f44f998f86afad8b62b66e2ce4d0f14870b526bc10c14d94bed0d7104a0e6e8693ba56c6c8c9080c

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
Filesize
512KB

MD5
b63deb2e52902d072543fa5cdadc2a1c

SHA1
f0f3126c0e0c5700b3465aea5ebb1dc2a0bb521c

SHA256
0ab4323e62cefb6921c0e43dba5c4d0a3e3368b0daa73afc314215a68e3a9829

SHA512
63b341dc8cb01faff59a907445ed1d60051f0fa33ca4f2c0b630eeba437da7c6d7e3b197e5d326e25321a5d50e66a12ec50331eb3231e503893e31ded3865493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
655B

MD5
2c523acc54088d19ddf454bda954beef

SHA1
0e9cea5e5ac11c40377c65bc6a048b1835f26d7b

SHA256
b1a7726dfc4a90133215602b504c3939605b0015c00cc7b426378edfcddcc3dd

SHA512
67f5d4fa4e45c09ed4ed4fcbe534dba038e43731802f1b05f0b4a7b892dc1349f34d58b8c3b54e904932b91e93ca213a37db71fceec2165689fea4aff8de5a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
830B

MD5
4026b676c1fda3313ab793cc703a7de7

SHA1
dcb130e9c4c89cff8d558225a8d7eee683d439df

SHA256
a6af86b7815469dc3e043a6f13875c0f73101741d3a55bafeedaa86b988c5799

SHA512
0a1444f8069a4750cc300e9303225c9407a27c364e6876541d73ec25ec6ef605ff464aef15d0a07891621afefdcda08148533d8df412595d0f1c1f87ab52ff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
1.2MB

MD5
71a5d4fce625ca9bede8e447ca8ca774

SHA1
62950646faa6b2c64807ef8ac76ccd71ee282ea4

SHA256
2126af0b26c4800d4d96b2f5794303506cd468fd65fd6e3592ea78fd49279ebd

SHA512
afcf494d5a96d50127625f977f451462000defd0337c0bc2cc41c1f0656b24f42a3b86afd035b5c9a3a2b28b4dbdc42464979f245dfebdaf9b3dfe6eea16820d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
1.7MB

MD5
8b9b69e8ad4b38aa8a5841b499278b77

SHA1
e2342ec8fdeb27c7983a07834cad945e99d225a7

SHA256
b625ed0bc113c97f4c284993db70835b4690ca09c794f61ecf5498e0f0ad1d83

SHA512
a14984b6089ab602af3fa389718eb0f2a8ece210c33bbfe8eb8efce96b199cdec6ed9a09b76bd6e3915dbb267cece95f9058d918eaa8ce00c3b73fcfbbdf054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
1.6MB

MD5
0b4c7181ad761aea85f4170d2cb62cbc

SHA1
6aabc6c44116fa494b8237ba8b0334ca9f0395cc

SHA256
74ddb21978deec833ccdb1bb356a29389c70b23ea011a73c4b5c13e26f2199f9

SHA512
21307d7ac7dc53256cce3c9e55732279975656918affbfca947cea391be27aab34b8522500865c128277f77d0e7aeee139e6565b3498dd97e778af6bbd441954

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.2MB

MD5
d8240b90c73c22c7122a2c5d9231c0ed

SHA1
97ed361c249a62eca9cac0a0259e346df587e12d

SHA256
c34e679b492f2cc6163a59e1b8d199fc382d6b0bb414df85eb56690c80a6d9e4

SHA512
a4e88631e698ceb6cf7bd5cdbe4a5090a3a7a9bc6c54d22e8e597a4783fee0cc378076b18954fc30292f33579f4b0236020b6801ac4de295ebe27dff9056d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000122001\rty27.exe
Filesize
715KB

MD5
f838df75b8246152af74728a058fa8c8

SHA1
3eddf463a67b5a200b0737f4574224250e85068e

SHA256
655ec713446b922fe8e9233e614d813906c4ce43c4db273180cd8c2c6a79d52c

SHA512
5df11d0fea0b929fbdcfb223c10b1c266b041950f87fc7ad249dc369a55fc8c747330c5937d2effed2365c5cd8ccb0c673c98e2b9ac3f4b810cedda0fce5c8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000123001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1706530383_00000000_base\360base.dll
Filesize
256KB

MD5
55fe5be5e0158ef3902473ebc1278b96

SHA1
037710613db10fcb4a1c857236815f450ce0f3d6

SHA256
f6424460b7285bae3d3faa0a5e75a323eea8b0a71e8b62cb1f5c26a741b9441e

SHA512
c754d0a660b03978311c7614b40920da4f8b52fe0c2d6ce0ac1faf669159b3c0c135ba151bcf7c4b6f0fcc86137dd0848df5bf9f53f9162834262d0f55dacb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1706530398_00000000_base\360base.dll
Filesize
832KB

MD5
8ef8da0176ee66d928731591ba70ebe3

SHA1
7e91517f64bf68b8886249eb8cfbcf40fc089f67

SHA256
0d4d0cf6b9b9654734b6795cf7421e3796e06a3af6977d12b0c9ceb7abeabee6

SHA512
fea2c390360e910a5407fa9848426f14a1a962c54b651d3197ba33159b33ce06c6a43bb40e7c68d644ed9ca543995c041dcc029f32787d088a584c816cc5e5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e9de703
Filesize
704KB

MD5
e97f714edeb1eeb584918c8e9810e212

SHA1
c813977e5552316ebaf2dd658ccb9dea3070a922

SHA256
8a90da16c135a193e55986fd71660da2d946d6f351330846b7be517aebc53fe8

SHA512
e701777b2d1b18b9da7b988758e2db53672d23de1bc6adf6bb20ca25a24c610fb0f28040597414545630eae0728ef6c2c52813bd458f2569e15e01f3bffa45ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe
Filesize
768KB

MD5
7133c49140bf5bfff01673fb742cedeb

SHA1
f06bf5a10dc0b774510d5521e006d6720c984354

SHA256
b073dc5a43c12492695af62193e0d6c9387ed5da2b5f2b3c15246714f1bd7709

SHA512
0b336ac4f7bd26b391910dbdc3ee7967954b88455b5c7155f82a7e86b1960bed1ba4a3492452129c684a732094f9b8082f087cbc893250ab4960d03307961f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe
Filesize
1.1MB

MD5
fc57de69375dc6fd7a8f4c112cec8bc8

SHA1
7dc7390c8c83a83a5775c24f5789f5feb6c84831

SHA256
a2836063957fbf9df8cf1da7b9fe3ea0056fc3844f13840b6623849f62eab6f5

SHA512
a64ad3e591c835e7b0d05e25b9c63ff0b9ca33caf867da52c6500463c85e7ac830b76a5b31ac20976beac557b872c2d2691f66248507d4bb619349a8cd726630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe
Filesize
832KB

MD5
ca3821de5b3cea9fcfc5d1ddc556c6a6

SHA1
62c7add4b23e679badf9a02489948612cc6df13c

SHA256
7c82a34e176533f8fabf657e251f51a6fa20acaee2d911bd6f946e141ee38658

SHA512
51bb99ba8aa078c76330ca8a2a7b9f617bc148c9f6686ec10e86e6e379969644146fe835b6a12270fd5642bbfeb20b1d357c0d8c4fb83f88a72fa74f4307e95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
Filesize
1.4MB

MD5
3016285c9eb979ba1703d25012457567

SHA1
61575b3ee417204cbb26c3f33daa88e9effb2fa1

SHA256
5f064000c7676369171bbec324f5384d014f5f74c56d71f1329b4c6cc1a9724d

SHA512
0bfa46b59b3e2100c3167e651e8a4c718066b1d58a252077750f888c34b3b21e08e05852e9244f6446d2fd039db335bf4914b01a856978f85dfd642b1412e118

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe
Filesize
1024KB

MD5
c2dc2a706e7fb2a119b45cb399215eec

SHA1
89f3d038a06b30ca3bf8faa1e73797ec9a523861

SHA256
b74c594c1938c6c44dea831fb9913b87e1984b1d416ef09b1a43f65c16922d00

SHA512
7859789a69a9a09db563cbf2f2ef5382834e1fba72d1c20a1990d9757abb17c2e36fb23b74c653d80261a72c502db4a4109b714e8a368a991d042af6079a615b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe
Filesize
463KB

MD5
0a28fcd4193b6245f996e04769f8f636

SHA1
22fe9a8b9a414a42c0119890c90da877fd136b15

SHA256
e133f61dfecdf2887af9942b8ac8cdbef141829bcf6aa03037d6d3e7d5c2d623

SHA512
f551667b1261780e4946214d2791fefcc57afa256c210d103e93342fce89d1f07c9ee3332c1d42c596d8057725afe7ab06e9e97e00d98de9e0eaa0c2464aaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
Filesize
1.1MB

MD5
d49e458fa8aa52345817c2fc7ffc49ce

SHA1
ccf8b3af5a2caba0a18374334b1535f43e9066c6

SHA256
6d5b26c18f22d9cc87630344ba3de27df5b98b8fc6decded6b36c34e582a2ad6

SHA512
9ad9ceafe4251f5bb5cbfb7070b0a59ed736cc34ddb150cd58f1a9de04a1e4a0f14654c4f17e11f86238d3eb90c74d4822806a8d0989404c7c148ce1b6d2e72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project7.exe
Filesize
128KB

MD5
015ebdee20d79ef2db98722dbe884dec

SHA1
134a02d92d332f78b8315a9c6dd76e4019869c48

SHA256
695360e8fae70d11ae7e648329eb125f0bcfe70712870cfc940b7350f6b8c1c3

SHA512
6dfa0846f214d1aa57903b7b76202f5ce460b9ece37773fee176282d955b8488990f2f07db18da247eb47f31381853183af4fbe3c447945bfb2f51a590ef471e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amin.exe
Filesize
354B

MD5
6d984706c32d54ce80613fd44050827e

SHA1
01466d3e29980c2e77f91649c3b6eebcb24987af

SHA256
ffd0acb3fd6323ce6a2a10d98bc4dfd051d86934207c1f9c04bf2f532016e23e

SHA512
f8dafa44ca40f6d31f402643220397fa978ba2999e6c7854a0ecbfefa5f937c0966af9f19ed2439d24efafdf4bf3e2d7a4e3eb84b3e5877037f6c93e6b129559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
Filesize
192KB

MD5
822bb7b291c2cd31b60550759333a3f5

SHA1
381b6ddc0a48a736a0e65da27c9b2cf3da6e6986

SHA256
c12798a6710b88bfdebbd5a1061a5f059453959de215aabca0dbc412862a362e

SHA512
7c792ef5a8207c0a24a7af01e0f9a8482a31468475ac7a7d89e5891d68efb92cd31a2b1ff2376a2a52c07d515fb7d6a1ed8e99df9864322b355e5d3b81f5c00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
Filesize
384KB

MD5
5a67e4802a52a577c2d07f49c45fcef4

SHA1
75773efc981d19a3b442f20a2ec234bc346ccd92

SHA256
c928fe6752632f9cb936098daafeabca505841f29f503d65d8cc8293039e05a6

SHA512
6f71fe452ffcd03e8dced22688c7554686cf5b795d3af85c3c75febc17509d20157bb8b748fb8954aafb1592988439f960ceaa41c2f352d62531b4f367ecf93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
Filesize
355KB

MD5
a4d0dbf9045deed9778135b5af1440c3

SHA1
008884082f6f52d379311ad9e9f50190b0923a6b

SHA256
c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

SHA512
1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
Filesize
256KB

MD5
6c62dc56ca5cd94976e7afc47a5e96f6

SHA1
186d0541a05b6232f9c5d43e06c97e3767e723bd

SHA256
f49ec274d3d0fbb07d4f509cf4ce9f81860675fb1ead4dc3678dae4edff794df

SHA512
1e67e21fd39de490ebe9c83f2f641071e19f84893cdc4633da8d12c09a553ba4b7a8a4f9daef99ece5ebe3801cd95854748bc6602f6de49ebb2252e12334e7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
Filesize
128KB

MD5
44dc51719cfb703a6ceadf4eca415257

SHA1
be694a00feaa5e570ca152b4221696bd791fb34a

SHA256
8b5624120dcbc664b2afe741b0f319d937e0c9933fdc1be0c02667a7c5d7344f

SHA512
2578b2c17c4e3a99888f15c322a5a1147b0fd33250f70f6d0b0f5cbeae4844f0c0e55f14a4e77a9b687aaeee9a096629fb6d42e00025bd060d0d03994a05e924

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
Filesize
699KB

MD5
591dac333aff7739bf01a4c9d3e838a5

SHA1
5211f3ab4d80644439220d11fb204eb2bee9fdb8

SHA256
0509f94b1130c86832027f9990c3f3da9a84bc00f1462e99e8ef16a806944bb4

SHA512
b511a6b960b2c092577ab8fbf20767e9ad5dc86682e76e630602cfd88b4e8bf9b8fa8fac7e60fd4aa40ca8bcb49f69b9e8e9cc5a44f4c4b03d6e3d38ff402bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\first.exe
Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
Filesize
281KB

MD5
5c71794e0bfd811534ff4117687d26e2

SHA1
f4e616edbd08c817af5f7db69e376b4788f835a5

SHA256
f5740aded1f401665ab8bde43afee5dc0b01aa8aacabe9b8bb61b1ef52134a39

SHA512
a7a489d39d2cabdd15fd23354140c559a93969a7474c57553c78dbb9ebbf045541f42c600d7d4bea54a2a1f1c6537b8027a1f385fde6040f339959862ac2ea54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
Filesize
384KB

MD5
200b3d29ef2e8ee39c61c517007a498e

SHA1
6fd487881b8b0b3df667f2623f22d99f1a353b9a

SHA256
19ecf4b901fe47c7b4a8bbb325e3e71cfbd954d06e10de8363b8ba7c401d17ff

SHA512
5b491aceb06af766119c22382b30c9ec529fd422e50b9bb3a1b04c35b321ccb84ef5825d67ce4efeb8fef4541b5c02323a1e39ea117b09b2b4b3e8dbdfaf3d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
Filesize
4.9MB

MD5
50738998a1c09a08a94c8421b6ecc38e

SHA1
1502bc16811815206cc2a053135d2627bacaf40a

SHA256
47b6994b0475736caebbad969ff8bab775c26a50edf8f3aa258d8ec1ac836158

SHA512
2290f3fa7e94c16dc83f4be84822aa6aaf9f1f70bd9c32ee3a264bc9c483b3666b97e9bf2109f19aa2e8cf9da7253cea56d3f240007a4ab2765df735a656372a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
Filesize
448KB

MD5
aa8eaee853b5d0547fc45239055cbc8f

SHA1
c95c14b53e23dc110d6351a87d77d13831f662fc

SHA256
d745193e9348a04ec118d94a50f1d6d7462f8f4badf554ca812b616945fc1a2f

SHA512
61bd82ef2e8bfa2ee20d5d6bbabcc957d9dd80a8dc6104741b328db50ee338ccd10e6fd3d52068d2cbdb8cb3874024dc061958cd66d0e1756b7eb319cc5ea32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\networa.exe
Filesize
894KB

MD5
0df1284142b211b83b2cf2b4bb4c8e94

SHA1
56ab788f1185c9d2571dddf763eb645660f43fd1

SHA256
02a1ba34ba467f8ac45614e870e8606e0ea1f145909a6224b17f069a2280104b

SHA512
e65b9d03b0e8d574701ca123f9ea701d975d9e375f5e11b6d97f78f4ca516829aa48a1a210f6b48e51bc9ef5c05f55967df2f7bd7bb4db7acc8798d694a4c575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
768KB

MD5
877ae0e3db9f414999290fefc71a2388

SHA1
927dcf85cbda4ff24f2254fabee4bcb9ef9926d4

SHA256
26d833885d690ab5f3c12551de5a550cf3a86d0b44974ce1cd8f4b4677e4e09c

SHA512
0ed748e602f2e52685e16761def05d2f5f59e32a777ffd7a2244429706fe863de21e0539e42e9f30a958f2d3fcc7c807e91892f539659d1f37a80ba13962396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
384KB

MD5
d169bd84ccefe3c713082b0fb43e44e2

SHA1
cb2f84811831c28a21c0548c55914301510bb025

SHA256
b81ced900ce383c922cf0fba36558ecd76961d66430fa063a52fe727cf6e9f9e

SHA512
53f36661c6d3e7038181d434b45334896a5c81b02637eecd18f55183ca51555e899e40e2fcf61677d40000bb5e3efff278a50e01001bf0d9f969cf39a62e46e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
256KB

MD5
7b523490c0e5f79d4cbf59a7596b6293

SHA1
87229d2516afd057f0cddfc94ffb0d72ffbf2791

SHA256
fb68a62fbb4476616de26c3a4c9b944336d87500a9676d6f54bb9a7acda8399a

SHA512
2b1bd4bcca86a548ef659d70637015294cdb50a25271f97baf1380201b30096a82bc5bd00d67564cb8d506db44db8692046e9bd670bb6fc411fa61d1618efa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
1.4MB

MD5
9e1d9449d92d69c51a605225410f46f9

SHA1
f6e4d110f48bb4264097dd3101ef791f2c3d01b0

SHA256
c5e71ca1dcfe7975449a25d339036f3720b0b72aa52d8794b024442216487a4d

SHA512
000904eeacc9cc086a9f666dc8cca356e4d1a0ec0fc79dd9032c1b37399a8d75585d4a9b874ca161a38675afe69fceb817482afba75f0e09fc11169fdf16227c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
Filesize
175KB

MD5
01fb175d82c6078ebfe27f5de4d8d2aa

SHA1
ff655d5908a109af47a62670ff45008cc9e430c4

SHA256
a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3

SHA512
c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
Filesize
320KB

MD5
1f8134abdbee1e2ffc0e2eb6fa94ebb1

SHA1
45b71fb8a71ef46a4581fbfbea1c430937358ef4

SHA256
f3d258a0b49312ee78a91644b547dd1e5e94cfe4699f43f8c296793eb8285625

SHA512
336b9643af2b6da68f4364ddff8f56cdc8e89701ec047bb5fdda6860cbbbb0648ba16b05d2bc063cb9ed55b54c70caa53d527bc36e382f58c5c0c8d63a1e435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
Filesize
7.8MB

MD5
87a77bebb56d5419af10d6367449e45a

SHA1
fee0e4e230977b4921b06a826816499abd4e41f8

SHA256
35f7a09c18339925fb181fbfccebc534538ab0c0d89964698cbcaa59f806b0e0

SHA512
8c9622b2eec5d561a50f45f8bd0aaa50356a5960e309443c1bf87b4e26c3a4c4edc58a5e7c03128a128a5be8d85348638d0d0f3058185b4d14df6b578fcbbb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vinu.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vinu.exe
Filesize
320KB

MD5
7d996da9d7d55b1d5a233f2f6968bb34

SHA1
59b56acab913d3d48a40ba95e1e80c519a7ae396

SHA256
de56f844678038a80aaccaf11fe151dde51041f73f2cf252706a63272982b561

SHA512
cdbff3fd0666bacd11f0a5c536bd50a3082206c6c36f57bfe2bc4f5506ef5bc921317bfbd437a722e819c61c0ffc4113d5bb3db0c01c244ea8e1e5e117cd6d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vinu.exe
Filesize
512KB

MD5
6880f6d5d7e07b6e770e91322610e933

SHA1
07c3161b18a59e78d64f9639be0ddd5e015a1613

SHA256
14f6410f200621fba2c4e9a1da218bce6c77f4bc84cd5e439e1d2eaec3a6ea3d

SHA512
1fbee09c26f1e4e49c9d0ebc592a61eee6bdcddf376262fbeb0095a106fedca2d06103d8905a686b68c23c53144d7625c52b6f502060ff1ed216ea0af0c84af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0alepsh.jny.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-06RVP.tmp\tuc5.tmp
Filesize
692KB

MD5
a8d7c912d1375880e27bf63576b90c46

SHA1
e564cccc0fc75639527fb3b41fceb82fc59bca71

SHA256
d59a6afbd098b868c15303df6f21776f09712cdb88cf1d0baefd654ae8b6ce8a

SHA512
56e6dda083c7920a6b4cf50c21b205ec1d09caa4058b1f5fedb890b8549d40f652901dd76f6d6c0eb262902ecdbae4e796cdcf328dceee4018597843321daa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQ3B0.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQ3B0.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE249.tmp\ioSpecial.ini
Filesize
662B

MD5
bf8e918f608484e69cc0a14c02b9ca1e

SHA1
b6453be913f1a8f2005f825316641634211a37dc

SHA256
5625660fec92908086c90a2eb69d508721313bc8bc1cf92959f778312f1777e1

SHA512
26991c809f9a7b31c5f5eee6998527d5e3b97d46a1919d7af18cc19aab2ef9fef2037346a875ad6664416b434db94536a3529755a6edb59a8c0a0261cf68e0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{13CD5748-D38F-4cbb-91B5-1BD9434091C0}.tmp
Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4AD1C928-5EE5-4b19-A787-BBBB1E87EF50}.tmp\360P2SP.dll
Filesize
576KB

MD5
f63f504abe357571882fe70e9aec59c2

SHA1
5db4cfffc9384aac00d79e6a098073c8fe0f5e56

SHA256
b9eff825d336ea26ae0110f5230df7e070fa840290b4a0f9f2affbdc9cf52e40

SHA512
a152d454f3ae4b452b71cd3466ce4ad936fa35559ccb727d452cc298dc08451b3a1e7423982c5160a598f0e02b11b51d5c7a1d214e8ead05b1cf495fee2cd50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4AD1C928-5EE5-4b19-A787-BBBB1E87EF50}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat
Filesize
124B

MD5
325b0cc3081d641cbbf0b93cfb66f488

SHA1
6380255e956163cfc17727ae33dcedd6190dd0a4

SHA256
20d4273fb94b7b95812218f78ae44dfe873a548a515d5cda41a248a5ecfb9680

SHA512
da7074ff85c5bd8d6b1c28ee21e637d3f20060e6fb4af1ca46f3915a936aed3fcfe9621b24e4a7eabadf1ca841ea0a143346952ffc0c9e1608bfd2b63065b600

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ebac43d436b19af9d484ae1f2c3537d7

SHA1
023cd37b20ac3dd75341b09cfaa8fc988229db48

SHA256
996143631d4b4eccf2d13973fc0cb69456a2d4167c9729ff768c7400ce8c7f5f

SHA512
4b796fbcb100a8658bb01f9bf35edbb3b8a7a929950d2a0f6be168fadb19eafb4345aadbfdd96b3031eaf73707dd93bbc5e37f6523616d10c96ba1566d0b5370

Download Submit
memory/756-461-0x0000000002C30000-0x0000000002C3B000-memory.dmp

Filesize
44KB

Download
memory/756-414-0x0000000000400000-0x0000000002B04000-memory.dmp

Filesize
39.0MB

Download
memory/756-398-0x0000000002C30000-0x0000000002C3B000-memory.dmp

Filesize
44KB

Download
memory/756-397-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/964-346-0x00007FFC73260000-0x00007FFC733D2000-memory.dmp

Filesize
1.4MB

Download
memory/964-238-0x00007FF73BFB0000-0x00007FF73C10F000-memory.dmp

Filesize
1.4MB

Download
memory/964-240-0x00007FFC73260000-0x00007FFC733D2000-memory.dmp

Filesize
1.4MB

Download
memory/964-303-0x00007FFC73260000-0x00007FFC733D2000-memory.dmp

Filesize
1.4MB

Download
memory/1164-35-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1164-337-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1164-250-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1236-528-0x00007FF7B8540000-0x00007FF7B859A000-memory.dmp

Filesize
360KB

Download
memory/1236-589-0x00007FF7B8540000-0x00007FF7B859A000-memory.dmp

Filesize
360KB

Download
memory/1532-460-0x0000000006C50000-0x0000000006CBE000-memory.dmp

Filesize
440KB

Download
memory/1532-329-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/1532-324-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1532-328-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/1532-307-0x0000000000AF0000-0x0000000000BA6000-memory.dmp

Filesize
728KB

Download
memory/1532-365-0x0000000005740000-0x0000000005754000-memory.dmp

Filesize
80KB

Download
memory/1532-443-0x00000000058A0000-0x00000000058A8000-memory.dmp

Filesize
32KB

Download
memory/1532-444-0x0000000006AE0000-0x0000000006AEC000-memory.dmp

Filesize
48KB

Download
memory/1580-513-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1580-482-0x00000000011A0000-0x00000000015A0000-memory.dmp

Filesize
4.0MB

Download
memory/1580-550-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1580-591-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1580-478-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1580-473-0x0000000002E40000-0x000000000372B000-memory.dmp

Filesize
8.9MB

Download
memory/1636-492-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/1636-483-0x0000000000400000-0x0000000002B04000-memory.dmp

Filesize
39.0MB

Download
memory/2200-577-0x0000000000E00000-0x0000000000E2F000-memory.dmp

Filesize
188KB

Download
memory/2200-524-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/2200-523-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/2720-322-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2720-277-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3004-251-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-587-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-394-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-548-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-511-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-335-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-445-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3004-211-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/3008-480-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3008-412-0x00007FFC724C0000-0x00007FFC72F81000-memory.dmp

Filesize
10.8MB

Download
memory/3008-407-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/3024-306-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3144-178-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/3144-477-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/3604-267-0x00007FF7AC310000-0x00007FF7B0A6B000-memory.dmp

Filesize
71.4MB

Download
memory/3604-355-0x00007FF7AC310000-0x00007FF7B0A6B000-memory.dmp

Filesize
71.4MB

Download
memory/4076-185-0x0000000004F70000-0x0000000004FAC000-memory.dmp

Filesize
240KB

Download
memory/4076-223-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4076-252-0x00000000075D0000-0x0000000007792000-memory.dmp

Filesize
1.8MB

Download
memory/4076-189-0x0000000004FD0000-0x000000000501C000-memory.dmp

Filesize
304KB

Download
memory/4076-219-0x0000000005F00000-0x0000000005F92000-memory.dmp

Filesize
584KB

Download
memory/4076-243-0x0000000007080000-0x00000000070D0000-memory.dmp

Filesize
320KB

Download
memory/4076-266-0x0000000007CD0000-0x00000000081FC000-memory.dmp

Filesize
5.2MB

Download
memory/4076-177-0x0000000005040000-0x000000000514A000-memory.dmp

Filesize
1.0MB

Download
memory/4076-212-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/4076-215-0x0000000005DE0000-0x0000000005E56000-memory.dmp

Filesize
472KB

Download
memory/4076-222-0x0000000006550000-0x0000000006AF4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-172-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/4076-364-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4076-162-0x0000000005530000-0x0000000005B48000-memory.dmp

Filesize
6.1MB

Download
memory/4076-165-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4076-161-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4076-86-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4160-475-0x000000006AEF0000-0x000000006B06B000-memory.dmp

Filesize
1.5MB

Download
memory/4160-372-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-490-0x000000006AEF0000-0x000000006B06B000-memory.dmp

Filesize
1.5MB

Download
memory/4440-571-0x0000000000030000-0x0000000000510000-memory.dmp

Filesize
4.9MB

Download
memory/4440-426-0x0000000000030000-0x0000000000510000-memory.dmp

Filesize
4.9MB

Download
memory/4440-327-0x0000000000030000-0x0000000000510000-memory.dmp

Filesize
4.9MB

Download
memory/4440-527-0x0000000000030000-0x0000000000510000-memory.dmp

Filesize
4.9MB

Download
memory/4440-479-0x0000000000030000-0x0000000000510000-memory.dmp

Filesize
4.9MB

Download
memory/4440-371-0x0000000000030000-0x0000000000510000-memory.dmp

Filesize
4.9MB

Download
memory/4608-353-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/4608-366-0x00007FFC724C0000-0x00007FFC72F81000-memory.dmp

Filesize
10.8MB

Download
memory/4620-3-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4620-176-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4620-2-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/4620-210-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4620-1-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/4620-0-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4764-72-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/4764-160-0x0000000002750000-0x0000000004750000-memory.dmp

Filesize
32.0MB

Download
memory/4764-410-0x0000000002750000-0x0000000004750000-memory.dmp

Filesize
32.0MB

Download
memory/4764-70-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/4764-71-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4764-156-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4772-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4772-249-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4784-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-186-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/4908-179-0x0000000000400000-0x00000000007E9000-memory.dmp

Filesize
3.9MB

Download
memory/4920-336-0x0000000006F40000-0x0000000006F50000-memory.dmp

Filesize
64KB

Download
memory/4920-330-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/4920-333-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download