amadey | 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

Resubmissions

30-01-2024 11:24

240130-nh7seaehf4 10

30-01-2024 06:03

240130-gsdtraaah5 10

Analysis

max time kernel
57s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

791KB
MD5

dafba6b93e117bf5477c56a3a30a1a2d
SHA1

9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256

594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
SHA512

eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc
SSDEEP

24576:0CusCnjwQrBaWnBCqHjooSQU2kLExTSee:0CanjlrBaWntHjoTQrkgxuee

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

65.109.90.47:50500

Extracted

Family

redline

Botnet

@RLREBORN Cloud (TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4404-44-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe	family_zgrat_v1
behavioral2/memory/812-305-0x0000000000580000-0x0000000000602000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4404-44-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral2/memory/4820-238-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe	family_redline
behavioral2/memory/1888-343-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4540-234-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4540-237-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4540-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4540-256-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4540-265-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4540-266-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4540-269-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

57 1752 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4836 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
57	1752	rundll32.exe

pid	process
4836	netsh.exe

.NET Reactor proctector 25 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2476-135-0x0000000004BF0000-0x0000000004C88000-memory.dmp	net_reactor
behavioral2/memory/2476-139-0x0000000004B50000-0x0000000004BE8000-memory.dmp	net_reactor
behavioral2/memory/1712-226-0x00000000049B0000-0x0000000004A12000-memory.dmp	net_reactor
behavioral2/memory/1712-228-0x0000000005000000-0x0000000005060000-memory.dmp	net_reactor
behavioral2/memory/1084-272-0x00000000051B0000-0x000000000535C000-memory.dmp	net_reactor
behavioral2/memory/1084-276-0x0000000005000000-0x00000000051AC000-memory.dmp	net_reactor
behavioral2/memory/1084-288-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-287-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-298-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-307-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-311-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-301-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-313-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-324-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-334-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-341-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-345-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-358-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-361-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-374-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-389-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-400-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-407-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-410-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor
behavioral2/memory/1084-414-0x0000000005000000-0x00000000051A5000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeexplorhe.exeRegAsm.exeworkforroc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	workforroc.exe

Executes dropped EXE 26 IoCs

Processes:

explorhe.execrypted.exeWerFault.exeredline1234.exeWerFault.exemrk1234.exeqemu-ga.exe1234pixxxx.exeuwgxswmtctao.exeWerFault.exealex.exefsdfsfsfs.exesadsadsadsa.exe2024.execrypted.exeleg221.exe55555.exeWerFault.exeLogs.exeworkforroc.exeInstallSetup9.exeWerFault.exeBroomSetup.exeschtasks.exerty25.exeWerFault.exe

pid	process
3640	explorhe.exe
3780	crypted.exe
2660	WerFault.exe
632	redline1234.exe
1816	WerFault.exe
2476	mrk1234.exe
5068	qemu-ga.exe
364	1234pixxxx.exe
1788	uwgxswmtctao.exe
1712	WerFault.exe
1084	alex.exe
812	fsdfsfsfs.exe
2140	sadsadsadsa.exe
4004	2024.exe
960	crypted.exe
2704	leg221.exe
1072	55555.exe
4828	WerFault.exe
3336	Logs.exe
888	workforroc.exe
4724	InstallSetup9.exe
4496	WerFault.exe
4908	BroomSetup.exe
964	schtasks.exe
404	rty25.exe
1432	WerFault.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exeInstallSetup9.exe

pid process

1752 rundll32.exe
4724 InstallSetup9.exe
4724 InstallSetup9.exe
4724 InstallSetup9.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1752	rundll32.exe
4724	InstallSetup9.exe
4724	InstallSetup9.exe
4724	InstallSetup9.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4540-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-225-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-227-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-229-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-230-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-234-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-237-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4540-269-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
21 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

explorhe.exe

pid process

3640 explorhe.exe
3640 explorhe.exe
3640 explorhe.exe
3640 explorhe.exe
3640 explorhe.exe

flow	ioc
20	api.ipify.org
21	api.ipify.org

Suspicious use of SetThreadContext 7 IoCs

Processes:

crypted.exemrk1234.exeuwgxswmtctao.exeWerFault.exefsdfsfsfs.execrypted.exealex.exe

description	pid	process	target process
PID 3780 set thread context of 4404	3780	crypted.exe	RegAsm.exe
PID 2476 set thread context of 4572	2476	mrk1234.exe	RegAsm.exe
PID 1788 set thread context of 4540	1788	uwgxswmtctao.exe	explorer.exe
PID 1712 set thread context of 4820	1712	WerFault.exe	RegAsm.exe
PID 812 set thread context of 1888	812	fsdfsfsfs.exe	RegAsm.exe
PID 960 set thread context of 4796	960	crypted.exe	RegAsm.exe
PID 1084 set thread context of 4824	1084	alex.exe	WerFault.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

848 sc.exe
4740 sc.exe
3292 sc.exe
4732 sc.exe
400 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
848	sc.exe
4740	sc.exe
3292	sc.exe
4732	sc.exe
400	sc.exe

Program crash 51 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1816	4572	WerFault.exe	RegAsm.exe
4208	1072	WerFault.exe	55555.exe
848	1072	WerFault.exe	55555.exe
2500	4496	WerFault.exe	toolspub1.exe
3168	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1716	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
936	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5072	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1716	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5036	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3416	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1636	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2216	1432	WerFault.exe	nsa1356.tmp
2916	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3552	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2864	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3168	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4448	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4164	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4244	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2660	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
664	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1432	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5100	964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4752	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5016	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4824	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4728	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2424	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3724	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1952	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1564	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4428	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2536	536	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3688	3312	WerFault.exe	csrss.exe
3172	3312	WerFault.exe	csrss.exe
3888	3312	WerFault.exe	csrss.exe
1088	3312	WerFault.exe	csrss.exe
2144	3312	WerFault.exe	csrss.exe
5036	3312	WerFault.exe	csrss.exe
4604	3312	WerFault.exe	csrss.exe
4972	3312	WerFault.exe	csrss.exe
4792	3312	WerFault.exe	csrss.exe
1712	3312	WerFault.exe	csrss.exe
8	3312	WerFault.exe	csrss.exe
1512	3312	WerFault.exe	csrss.exe
3836	3312	WerFault.exe	csrss.exe
3976	3312	WerFault.exe	csrss.exe
1096	3312	WerFault.exe	csrss.exe
4432	3312	WerFault.exe	csrss.exe
2500	3312	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1636 schtasks.exe
2312 schtasks.exe
964 schtasks.exe
2312 schtasks.exe

pid	process
1636	schtasks.exe
2312	schtasks.exe
964	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

WerFault.exeRegAsm.exeredline1234.exeuwgxswmtctao.exeRegAsm.exeRegAsm.exeLogs.exeleg221.exeWerFault.exeRegAsm.exeWerFault.exe2024.exeWerFault.exe

pid	process
2660	WerFault.exe
4404	RegAsm.exe
3352
3352
632	redline1234.exe
632	redline1234.exe
632	redline1234.exe
632	redline1234.exe
1788	uwgxswmtctao.exe
4820	RegAsm.exe
4820	RegAsm.exe
4796	RegAsm.exe
4796	RegAsm.exe
3336	Logs.exe
3336	Logs.exe
2704	leg221.exe
2704	leg221.exe
4496	WerFault.exe
4496	WerFault.exe
4820	RegAsm.exe
1888	RegAsm.exe
1888	RegAsm.exe
1432	WerFault.exe
1432	WerFault.exe
4004	2024.exe
4004	2024.exe
4828	WerFault.exe
4828	WerFault.exe
4004	2024.exe
4004	2024.exe
4004	2024.exe
4004	2024.exe
4004	2024.exe
1888	RegAsm.exe
1888	RegAsm.exe
1888	RegAsm.exe
1888	RegAsm.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

WerFault.exe

pid process

2660 WerFault.exe

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exeexplorer.exealex.exeRegAsm.exeRegAsm.exeLogs.exeleg221.exe

description	pid	process
Token: SeDebugPrivilege	4404	RegAsm.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeLockMemoryPrivilege	4540	explorer.exe
Token: SeDebugPrivilege	1084	alex.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4820	RegAsm.exe
Token: SeDebugPrivilege	4796	RegAsm.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	3336	Logs.exe
Token: SeDebugPrivilege	2704	leg221.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tmp.exe

pid process

4264 tmp.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

tmp.exeexplorhe.exeWerFault.exeBroomSetup.exe

pid process

4264 tmp.exe
3640 explorhe.exe
1816 WerFault.exe
4908 BroomSetup.exe

pid	process
4264	tmp.exe

pid	process
4264	tmp.exe
3640	explorhe.exe
1816	WerFault.exe
4908	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeexplorhe.execrypted.exemrk1234.exeRegAsm.exeuwgxswmtctao.exeWerFault.exefsdfsfsfs.exe

description	pid	process	target process
PID 4264 wrote to memory of 3640	4264	tmp.exe	explorhe.exe
PID 4264 wrote to memory of 3640	4264	tmp.exe	explorhe.exe
PID 4264 wrote to memory of 3640	4264	tmp.exe	explorhe.exe
PID 3640 wrote to memory of 1636	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 1636	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 1636	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 3780	3640	explorhe.exe	crypted.exe
PID 3640 wrote to memory of 3780	3640	explorhe.exe	crypted.exe
PID 3640 wrote to memory of 3780	3640	explorhe.exe	crypted.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3780 wrote to memory of 4404	3780	crypted.exe	RegAsm.exe
PID 3640 wrote to memory of 2660	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 2660	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 632	3640	explorhe.exe	redline1234.exe
PID 3640 wrote to memory of 632	3640	explorhe.exe	redline1234.exe
PID 3640 wrote to memory of 2476	3640	explorhe.exe	mrk1234.exe
PID 3640 wrote to memory of 2476	3640	explorhe.exe	mrk1234.exe
PID 3640 wrote to memory of 2476	3640	explorhe.exe	mrk1234.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 2476 wrote to memory of 4572	2476	mrk1234.exe	RegAsm.exe
PID 4404 wrote to memory of 5068	4404	RegAsm.exe	qemu-ga.exe
PID 4404 wrote to memory of 5068	4404	RegAsm.exe	qemu-ga.exe
PID 3640 wrote to memory of 364	3640	explorhe.exe	1234pixxxx.exe
PID 3640 wrote to memory of 364	3640	explorhe.exe	1234pixxxx.exe
PID 3640 wrote to memory of 364	3640	explorhe.exe	1234pixxxx.exe
PID 3640 wrote to memory of 1712	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 1712	3640	explorhe.exe	WerFault.exe
PID 3640 wrote to memory of 1712	3640	explorhe.exe	WerFault.exe
PID 1788 wrote to memory of 4540	1788	uwgxswmtctao.exe	explorer.exe
PID 1788 wrote to memory of 4540	1788	uwgxswmtctao.exe	explorer.exe
PID 1788 wrote to memory of 4540	1788	uwgxswmtctao.exe	explorer.exe
PID 1788 wrote to memory of 4540	1788	uwgxswmtctao.exe	explorer.exe
PID 1788 wrote to memory of 4540	1788	uwgxswmtctao.exe	explorer.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 1712 wrote to memory of 4820	1712	WerFault.exe	RegAsm.exe
PID 3640 wrote to memory of 1084	3640	explorhe.exe	alex.exe
PID 3640 wrote to memory of 1084	3640	explorhe.exe	alex.exe
PID 3640 wrote to memory of 1084	3640	explorhe.exe	alex.exe
PID 3640 wrote to memory of 812	3640	explorhe.exe	fsdfsfsfs.exe
PID 3640 wrote to memory of 812	3640	explorhe.exe	fsdfsfsfs.exe
PID 3640 wrote to memory of 812	3640	explorhe.exe	fsdfsfsfs.exe
PID 3640 wrote to memory of 2140	3640	explorhe.exe	sadsadsadsa.exe
PID 3640 wrote to memory of 2140	3640	explorhe.exe	sadsadsadsa.exe
PID 3640 wrote to memory of 2140	3640	explorhe.exe	sadsadsadsa.exe
PID 812 wrote to memory of 1888	812	fsdfsfsfs.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:1636

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:5068

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"
3⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
4⤵
- Launches sc.exe
PID:4732

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
4⤵
- Launches sc.exe
PID:400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
4⤵
- Launches sc.exe
PID:848

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4740

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1256
5⤵
- Executes dropped EXE
- Program crash
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
3⤵
- Executes dropped EXE
PID:364

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"
3⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4824

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:3560

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1752

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"
3⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1104
4⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1064
4⤵
- Program crash
PID:848

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:888

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4724

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:1604

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:2312

C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp
C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp
5⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1328
6⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 352
5⤵
- Program crash
PID:2500

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 376
5⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 260
5⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 376
5⤵
- Program crash
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 688
5⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 436
5⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 740
5⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 772
5⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 780
5⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 756
5⤵
- Program crash
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 632
5⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 864
5⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 864
5⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 628
5⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 724
5⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 628
5⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 716
5⤵
- Executes dropped EXE
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 936
5⤵
- Program crash
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 824
5⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 888
5⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 340
6⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 356
6⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 360
6⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 652
6⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 664
6⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 664
6⤵
- Program crash
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 664
6⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 744
6⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 776
6⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:1260

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 588
6⤵
- Program crash
PID:2536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4640

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 372
7⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 392
7⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 404
7⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 680
7⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 692
7⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 692
7⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 752
7⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 760
7⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 752
7⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4088

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Executes dropped EXE
- Creates scheduled task(s)
PID:964

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 820
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Program crash
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 892
7⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 964
7⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 980
7⤵
- Program crash
PID:3836

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:1460

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 940
7⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 952
7⤵
- Program crash
PID:1096

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:1852

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1152
7⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1168
7⤵
- Program crash
PID:2500

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:1816

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4572 -ip 4572
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1072 -ip 1072
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4496 -ip 4496
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 964 -ip 964
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 964 -ip 964
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 964 -ip 964
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 964 -ip 964
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 964 -ip 964
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 964 -ip 964
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 964 -ip 964
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 964 -ip 964
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1432 -ip 1432
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 964 -ip 964
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 964 -ip 964
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 964 -ip 964
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 964 -ip 964
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 964 -ip 964
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 964 -ip 964
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 964 -ip 964
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 964 -ip 964
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 964 -ip 964
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 536 -ip 536
1⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 536 -ip 536
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 536 -ip 536
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 536 -ip 536
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 536 -ip 536
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 536 -ip 536
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 536 -ip 536
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 536 -ip 536
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 536 -ip 536
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 536 -ip 536
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3312 -ip 3312
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3312 -ip 3312
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3312 -ip 3312
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3312 -ip 3312
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3312 -ip 3312
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3312 -ip 3312
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3312 -ip 3312
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3312 -ip 3312
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3312 -ip 3312
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3312 -ip 3312
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3312 -ip 3312
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3312 -ip 3312
1⤵
PID:5112

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3312 -ip 3312
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3312 -ip 3312
1⤵
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
440KB

MD5
64a48e48fc058204464f5ecdef31e2af

SHA1
cbbf1fbf923fa8c1cad2b6f749bbc2023b42a859

SHA256
6e2573c49c6af020201d9f797552bf72c1c77ead8699ccb335025d99b1a587eb

SHA512
02e4ec86a520e3241ab02a766f8a3d45180e477047b53e56c6fabca2e29243dd12a3e3220aad3b4c50b71805d9ac18e1dad7760a4d72068555b5c4b6b392207b

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
673KB

MD5
e593f9f9987473036d1791b3162563aa

SHA1
ebc39c3639c2804f1c5e9b937ff22a69bf10d249

SHA256
aab3fd1ead51c67792ef40e1bab04bbf3abd1b3bb9e742883778c3b5d6bd31bb

SHA512
7d3781978db904e0953f504ef3e91289685fa686c5d97ecea051ab2472bff16ef1301b9510be441be61fae585bd07f29e9decaf2982ba1855d4b28caee28b5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1305705ab4eb7a8ff5a73874670d91f4

SHA1
a118cf0ba2d4ac47473b9140c0aa7745efc6aac7

SHA256
d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b

SHA512
27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
Filesize
1.3MB

MD5
21b3cdb66660fadba45736665a0ff154

SHA1
3b23ee37190aad70e9010fa08c5fcb394f020a9a

SHA256
8c582dc3a0be35110a53c40dd83fa69f31302a458fe8a3da513ae7a2e4515352

SHA512
a8d15c75ae291af96cac9dafa35ce36b7e7a9618b3078f1d5e0ed32ac5a2f385268a92f6f9e411f511c8ebd7af19629eb6bac45a156e7c0702d3ddad90cb252f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
Filesize
657KB

MD5
8240b06252f50573a3ae42e8dbc7dbbc

SHA1
ad5669c34897063f2e13491f67d9976026de467e

SHA256
56dad02abd308d5d8a7b894773d38aa61b687fa9c84165fe18d377a82cfac256

SHA512
25977c6dc2048a5d786be9608b999dc263095b95cd20a599b2f121c7859ea72984f499fa71e4aeb0b1d50ba3d89edde17a6c89992a1027c77e03088f985c0e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
Filesize
865KB

MD5
782bd79a7233083a0dafdf6d832b2f4e

SHA1
ac6455a1b1e3d57bff0df9bf6b6f715d9c7db530

SHA256
04091af6d56ac3bd3b8d704c1b0231e265d77b437caaa115d33ff479d814b602

SHA512
8f1426a46e564777ab9b55801d9222aad43e44b9bef7d1d0de7948651a08f80865f5c0a0c1d052bc2a13444810b4118e047b74914584fb82db25abcd8396f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe
Filesize
710KB

MD5
1756062967375c5e57de7c7cbceb1def

SHA1
3e092dca1c558b2c0b5e43065a7da744e543ec2d

SHA256
1075c329f6e324dcc573e5afe11f771fc7ea50bd72cfa031b81d3fd0c0af8280

SHA512
e1d246835172f00c2e64a55d0389d6b5e441614fdd15bf723ec82cf931dc507cd41d05b80a419f45b2bc8fcd03632371b646c4ca1e5d8af21da330d28646f43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe
Filesize
675KB

MD5
11c0ee9bbb98d3e4b72e545f1d12d37e

SHA1
d7894a42ca6e95f4d7c516a9c675d27c9bdb6f72

SHA256
66147d8610339fac3335a1d04f71ff679e912c07c0b2f179c51671266478891b

SHA512
8c6a629ca33170d6620e1d8ee7b4c37f60074ffaa152d3ea7f8d0dbfd8584c205aee7cca4cdad768c5bf0a8e8f95301e9bb18108a9930046c24c4caca1230755

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe
Filesize
572KB

MD5
4feeb9741d58f2aaab11d6788e637e0e

SHA1
8fd5ffe0f34c0209fdca2a0edf2643cd61dad9bd

SHA256
961a18f14f1175d3ffb55d986f86619aad60c6d8827efb7a405dc2db40a5e345

SHA512
c24f0d3db52fe65bc18a2b18046afac48983bc6ba8f6038e87ecc3d01b8b11e0decb969da348eb5caab590d23f864133556af2f7c0e066590895419844ba19a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
Filesize
254KB

MD5
48f6447bfc32b84fe9b3bcbbe5a72922

SHA1
618c2f541fd9b79004303556686b7139ce8cdff3

SHA256
03de9d2ce591a18948bd6f45b3c7d527dff03f5897f49e1ff3cfb189e910ba1c

SHA512
8fab4e98dfe1c5ee58341b634d763f6d54d097ecb29623efde49a220eb608a2a9d06a08eb01fe844949911cc176c6882103cd10dd9555d9456a6cb8fc3ca3fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
Filesize
151KB

MD5
92fcf86b51e867d825fb7f2b641dd496

SHA1
d902278a9581be8d05a256ca406564c4c1d8162f

SHA256
fc50eecf117651f2ed01b45f05060873c4659a7bfef44ae64c9e11588b462c74

SHA512
a274a4dae459e3fe5e2d14fd097675120edfb88e5553309ac42d53f130e69eb81c6938d3bc9753d0c4a8c375947dd041f5f2cf8595a83b02e6fa7b887352225c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
Filesize
155KB

MD5
cc5f64ef514b2c1e2eb625bcd90d862e

SHA1
e43c5f1e8f5a90b276ca4f006096b4b6ba50d2af

SHA256
10b1bb81fc55c680fc4d26762d6280bc4365d190844502458ab392002784488c

SHA512
2b62b88a03cd788d80b5d504815c591e5ec565b2d85c17067674a1fc4d38f1d1c5c09bc14306fa52293db1fceae9e5ef60478c1e213b4a9023827596f7b0cfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
160KB

MD5
ce7e7642cfc6aa2cfed843b615ad6053

SHA1
1e7483ea2c68063b0a088a03e29dd2231443394b

SHA256
d4508b74c36711a4cb2f60f7e835217c7f82a1f50a97cf5ac3241b9259e9c43e

SHA512
e7479f08a1997f92c0d49367356e1d8b5a4181c4da4277c93bf55b33d27db8634d4551f1df99b2db0b739889ef5b3ac78cbb77d9c707b4424244f34ce97b8e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
253KB

MD5
5d0128c066c20f4d6bde23e12365b0d6

SHA1
44657ac3f24e4b243e4c14fe07f100256702dfe3

SHA256
fd795614970e7cff0ae2c2733963c0d9689511bf79461341a07f31ac02754dc0

SHA512
b43dac4a615d90e64b740b4165cc6c1be00705cf5a3e210df67f45e7df0a394d9cbe96116b8e118930ec0a0ce2084e420df812815f6406be7379793a0ad78138

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
441KB

MD5
46107703f19a352a0ff8c8f5243b4389

SHA1
a9b36a2e614a422346668018852e608f02dac9f3

SHA256
beb2903dc42fa9120cd3f082ab7112c2fd0a54d04c555c778ac5a2e95c733bef

SHA512
28deda1315a53fcdf7288bc5c7eb965f9bac0ef30f1ffee32bd042e658e1ed632ff0236ed1b133827068f5375e219d0b5f9d8bb1fc233767771c7fb6b6bd2782

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
Filesize
25KB

MD5
be7d728e4c054a32cb8df2df0b89b372

SHA1
9ed79e08d5979c1c8af823d2e90d596284f1730c

SHA256
a40235a6455d5d423f673c0a442c712241d55e78321d5e52c65f9d23303a7673

SHA512
d35cc47350044d38fa07141e7af7f55ffc4d7f7303f7efb1944b5eb4f9930d6a4ec1d471428d14764b509c32adcdfb7c042d91cb389cb11b8d4b8eb52686bceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
Filesize
471KB

MD5
810da00c69d55e89dca3bfe9a6f6a420

SHA1
ca02bdce48ac20f7b40ab720079009894f369990

SHA256
64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

SHA512
453f25595db97195c6211a07c821977e1db5015906865fcbb535172c5fc1733a131eafc512dc896f4c8726c9d58cf2aa6b354d7e33ae3afd9371a0c5432b3034

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
Filesize
340KB

MD5
1bc668e7b4a0125a1e47b542f8e76d91

SHA1
29351bf900ccd0f048da907358a3febaa64c8fe0

SHA256
2aa267a8bacfe85ea74c7d19756ea8d6e096f75eab21e6ace12dbe60c8ce371f

SHA512
9170225a7988d576837711ef02aaa25135d748c6e6d75c18984b22bcc0fa5363170b209abb82c9611226b7424e78fd3558486cde115d3b62290d612f145a6d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
Filesize
194KB

MD5
f7784dc12d69a586a6dda5c8579cddc3

SHA1
b8652830113acbfef679da8e35f6abc62c45ed49

SHA256
bdbad6ca84ed3de37d5eeaf173f7ead6013338f4a07af42b2167aec0467a40c7

SHA512
69bd4e94bcbdc3e6851822eb61d16bf9c472700b6f382f1232e08c356a655f2f097db5e6b765903539b252b57a36d8549d3d85a0b44d060e692e2883aac00ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
Filesize
61KB

MD5
84773bb9bd7e1306b965928fba6455dd

SHA1
6a6dec2ab38262374b68faa0bf35ddacc6180dae

SHA256
bfadbc4525b44560fa291135344e14279fc18f2b1e5aade05e86174a788103fd

SHA512
c387383ede84fc814920a3d9b3219f4b38f97f4ec9d657a17a70a28773c62292208e7aa5b2a00861a9bcc0a9a809dfbf4a87b03e0fd9062704700a0a2c781646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
Filesize
173KB

MD5
0f72d96741104aafe69e16df5297156e

SHA1
aa907d828f9cce95ca785177b90aac673134d401

SHA256
913e3d085a0f83ec0a848d3c6662679de6b36c0562bfbe9149d2fde0d661abd9

SHA512
3a4d70467c01f708a39651dac048647a8750e85638298fd2d241567bd0fb81f1b1bdb8d0ef6b7d1a3a6e323db456a4944118de5b26973ba098c75587e66f03db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
Filesize
157KB

MD5
4b2ef4a7e1405871d4b949bc931fe3d3

SHA1
a4d89294551c5bf709a1f78094b810d83ee3d76f

SHA256
7bed0d2c23c8b62c9d5d8e464abcbf6ad605e2fb63e812bcdf03c098b5659d3d

SHA512
eab8a794f14371c5da53e69dc870f3c5b785fbacdd724d036c85134c800b993daba9fe96fcea95b3da60703d9de605e8422c3a82d101b29a54afbe7724e7d6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
Filesize
24KB

MD5
533d3519e44987c0d817571da9e2dbd6

SHA1
b08d928be38431aa3e2b49f5049054b92e25c15e

SHA256
b4d0c3c2c3c44aae42d6b70af00ba91259336a83685db65c7da3e3801cc971e2

SHA512
5b5b0fc8f5c508574e6be2480eccd5158cff475ee8aa917d43340ee0b19883294bd5f103b7c47ceb36efa3904386551d80ddb1eee068ad42a95b5dc1f867a9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
Filesize
163KB

MD5
4ca7cfff3f4626013ed0f1c4a6a2f7b0

SHA1
eb8b9a9d56babae1a7c2c85c68046f346f950248

SHA256
29d35ed0664e368510ffe9b2ed769fc6345110fdf2e20cc731ff9bd694adbe66

SHA512
4e2214927f3acd7fa6916eb336eae04787d9fa89dc2235e026685ebd54e0294c82540193898b54e8cd725a9b2d7557edc410f8df0bb82de007a3713f8dbb2646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
Filesize
283KB

MD5
9a2eca3a996358b1a94b2a124675d9a1

SHA1
76e524a27da50b4481b5f7bd0a0e84f7ec8c49bd

SHA256
669ec335427c969b7554f7e8ce23ee2755e53946c80407cd00afc54c68b28ba1

SHA512
8522429d903ceed44cf069c43b24ac6163ff5b391deebefe3923825528735103bab64ea9c9ff577b19d511474740c366bfd1d965ee87ffacffda73886e55a4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe
Filesize
192KB

MD5
93b99d7cb16108da01740ce7ba4c7e7d

SHA1
3fd8da9cef8bea3b9247f289be2f2fdde2894cf7

SHA256
e9b5e6cf61c6752d41b81ce892e129af840e4d1b4cfbc4f3999185b407748eb9

SHA512
04c0657d2f12134c4b7cb184f4e73c0aac2986825babe1ad4bb0efb262014a201265429f62a983c423e31f760bbca65d7850f851492540b29345a8a3e4082ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
Filesize
191KB

MD5
318da36d542117eae6ea120fa8c41e48

SHA1
5e47b5fc97c181eb9e141da7223cce9011730ab6

SHA256
fcca43777c193e75099357933c4bea850cd81a202bf3b9914799f9a431212a86

SHA512
5854b2838cffeacc8f439801bf76eb2d06dd3544eff0d2a6835712e9cdbf1510de674cc7475580ab9be69b79c6aa67f3ab8bc59657c262916c0de0b48ea6e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
Filesize
352KB

MD5
14838158250b616353f821ee351eef2d

SHA1
4f95a81a47cebefbe5b61435eccddf6541d19536

SHA256
ea621488bc8834b1cd59ac1d333092ce511b2c5f561d09f0713dcf42f212b615

SHA512
fcc348c29776da6d4f5573f19a33b3a92c1156b2356b54ea609939379a598ce4db834d7acc7db0561fa0111f5c3f2d50c17a7f4e8e98a9ceaab373ce3efe123b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
Filesize
41KB

MD5
6dc8a46d8bf8b88649b73f55e3eca7b7

SHA1
198dbcece164dec90bb14248a311d4d261dfc009

SHA256
47b1e535822bc9ce9fa94e2c758a927162381720132b942b645e9bc8de3d695f

SHA512
5802b33c9a2885dc39ea3aadb758f92d4f468a6f82b88eb7e16eba5a75776cd6c45a3a6c8183f9c4356dd048d5e0de6ad9b162bb6e9c738716f7752e960ef05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
Filesize
140KB

MD5
47cc6395af087812be10774baaab90f0

SHA1
4fa7ea7b1843b3c4d8c742b25f86fd66ec7a10e3

SHA256
fb3eaff4b0e3727c3e9b1fbdef587e785b556ef093f5fabd602a882759c908b1

SHA512
88d098e14025296ee995505ab9be457a5b2311d34ab7b65b5e067f1bb69bf203c3b38909bfde78afc68da08edb55f49aeb331e434149c7ccf588689743bc4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
Filesize
211KB

MD5
2f199b2d3b35d52e1910ffe65fe55cf7

SHA1
7eb7e965842cce28c5045725aaecdd9f10fa4f85

SHA256
b8b9f562eaa9c64b2f7d141e655027fcaba3fb8d2e3aabac4d0dde0a1161a062

SHA512
5217aa85ded85cbf16d0a5f8cf332e0204777fb0877bc4156f43c57b3d6d4088baa473c291b563f8326b39c593aa1ac17ae16440d51ac6d1f9c2449e84e7916c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
Filesize
115KB

MD5
4c69c60b347e5a861e4ba4b57af40b5f

SHA1
65fdae417d4ab98d745bd5cb6af8bf2c177f5e0a

SHA256
97ecd71283f795e56f75f9d4df69fe267915cfcfda77f0ee69a219b8bd42bf5d

SHA512
2a212ce31646d3e37dea9825369f260324fde43278624ac5bac4a60667f64e7739efc35050b271d2883be1f634b2c5b82e7128dd5eef9678da59514d4f728a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
Filesize
17KB

MD5
332dc2c8681255db1d421b2e1dc1316c

SHA1
9b92ac4d76590febf20e85c5deac0fd426a88917

SHA256
9d1067569b52e6a72093bb517bbcccc1d6964451c2a24c60d5beab4743d1eacf

SHA512
cb4ea9fa44aa923511910894c806bcc0488f84bf6cd8d756f7711e0c4dcc8ae1981010dc09c8f4188667a92e9c58f3f65b105615a6880b97e11a7cba0fbd063b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
Filesize
156KB

MD5
bb148ae4daa2331b15689a4197344217

SHA1
2aad9650bbd7b6a4ca57162cefe2d69a3a0c23dc

SHA256
c741d8f3345a64dcd50aac9896125a264d5fb6fe265de4e70e64bc80d70e1598

SHA512
f40d4cdb7dd250ca2f6dd8bb92a2dfd3f5b5af031c303491f0039f7516e2a2602ded6402df557754adaeefac9999351891cf2e0b486f0093f0046618ded07d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000764001\moto.exe
Filesize
390KB

MD5
9b76168059e86c2c05ced61d6b2f5895

SHA1
c567e510b758c3475f70a5916c14d8162160129d

SHA256
122316a895eb278f69276374b0e3a20186dc996033c898c3852af6e0bd26d482

SHA512
bdaaf370d4f76c87e5517a7ca9d788be8a57108af5a18bf819b1dce90af8334d85858dab0c704f813f27e1c5da7463373bf1a275a14da673e200a5e515721190

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
Filesize
498KB

MD5
406773681ddaf37c14aa7f2a743ab626

SHA1
a0186da6dfb9a8f3c2a98092705db8d9a0fb647c

SHA256
2cdbd99cfb1f63807aae89d43c8dbfd283b0e67cfa7020d29bff937167becdf4

SHA512
58d1caff1a84bcc39d8a4100f2593f5b863a0ce3add96e2b1991b928860702f6be17c21791e66467209c2fef3b5d44ea219c828f34e4ea31abe0bd805e7291a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
Filesize
222KB

MD5
a5f696f7347ad8affb60e6bf7705b38d

SHA1
854b2df5a766a94321753b9efbbf7c900c296a96

SHA256
fcf542a68cad00eb4816c66f161baee7f7189961255d30012c36fea3c3ee2673

SHA512
8f510ca7da1ee5b59f810360f2aac93806b4c10b52baf1a02fe106e51301f097200cc8cb2428893f3ddaf52e449d2d37a4ce410fa2c4f5eeadef9b8e15eed874

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
Filesize
144KB

MD5
d56381ea0f2e4f38e6e86de163897d9e

SHA1
d65075048802324f2bb75008c56fcd2b6ebf5dcc

SHA256
79be6077a86ab039eb5d6b97c9660084ae072b8cd5b1cd97211d03a6afa951f2

SHA512
8144b3f28b75c3e0ebc364ba54392b5d311867e1fd759086342b1f52b7c885706a763b799f8eaee9868258114e9516ad97b7142978a661540fb0f3486aaa0224

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
326KB

MD5
cc48a6eba2c0ed0002ab92d5c93fbc08

SHA1
df8bcfb71ec1ee3a48c6e6ff9b522d81a5390b4c

SHA256
4ba7fbee4cb981b8b6c621314bdd822484817c72f8266ed9ec240a09449b02f5

SHA512
99c229faa952cd474f8658fa1b45c3c11e1a7a7d41a0f9f37417b8a72cc50d33bd79fd50eae9b3e922cb3cf4ecccb6c91795fdf5fdecaa201e36f506ce6617fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
267KB

MD5
b6b18dfb2eea7955e77319e8888ae296

SHA1
a069ffac5cc49f99656ec2654cc7359f9edb5ea1

SHA256
66c247dfb7da266647c8544baa274070d91b50e4aef6f85916030ef67b980675

SHA512
fbed0a0be1ba13202d56b70827653465c6b4ed13ea66044336ad8c933b25a3b31654c8a284669bb1991415dcfe4f0bc791243b0c45e495dc318eac5308d8ca14

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
187KB

MD5
3086775360ce33afb7ac97271b975751

SHA1
5cde3365a925d625ae557876748020e156d7e01a

SHA256
0abe7997f8c971b7e64150258b143e15e2956c8cbf871c3828c041338785e36e

SHA512
b23b9fabafb078b0d877e7c542808dd95870af7987044ecbe3a2cea3d578076280bdbaebbdfc401f184447c5faccf769a065be2cc4e78fc8954201d0ddacdd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.5MB

MD5
b9fd85bc156db52c72a9c4583761d028

SHA1
c544a7926dc7639dd30ab5b687c886a7a22b736f

SHA256
70f44c49eaee6e8bc17570fdda58e9819e6615390753b07dd36c7f75f893ac53

SHA512
e443dc95fcaa01fc825161bcf48963836072350d0b7ed61f3c2ea87d5ecbc44f40de5ad8da45e1c88d2af34f8110563176be5a9ebd06b13c00c7e102a027d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
365KB

MD5
7ce61f14584011ca6e799b88e3c7c65f

SHA1
a2174044738768cab128597deccefca62832ded8

SHA256
8054549b7f9650a44d781581a4ddc4ea8d195918902dcf904a5858a245b29c8d

SHA512
54db7c046f849800cf47d5a68446e1e2c0fa610b5a7acfc992e6a33199e61b626af838a985a14e4021ea80edf3e045e53e2ec7856611207951864daadc2d89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
182KB

MD5
16dadb34182cf37ff26b7c9a3acf755f

SHA1
f22558c610bdad9411fdaa6981e2de1feb197801

SHA256
1ba9280d440c54bb8469dddd6ede6755203348ea539342151fce225357fc146f

SHA512
64ed7da22e1ba873ae1094210d7923d928ef0baabf8330ea9c2ae286a7c1ef2ac9d62806359bd0c2a38134043364656767c7fe3a8b3e7c0044b48869fa53b1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
221KB

MD5
3e1032fee91199ec67322a59ceca9d80

SHA1
e29797b426190364adca88b05435ffd2394bd503

SHA256
2c066488dc75a5429a9328ffc099aa3017e6b473c314a53005c0f6dc3b238afa

SHA512
7c396259844b336fb406104afd9670f4b77b775719b2ff3c20ac56818bedb8327432d916650edbb6a4cba90b4ab98987036f9db469919227536a5827e2618256

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
541KB

MD5
d6fae01454cb734aed85ff8ee62e098e

SHA1
2de1d99906151d35e7a953b3e72800d030697bca

SHA256
2250b981416e1077f42664fa6bbf2d082bb8b6a7c7e5175d8455ddf72b6207ff

SHA512
cf0fda17af2c714ea8e183ac4bab673a2dbdc53fb675bc49156c5b70d0f0a20bd3b346532572d0483c285a40f1f5b390181d58859962ca318053250b02f1a887

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtqcwle1.zhm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
dafba6b93e117bf5477c56a3a30a1a2d

SHA1
9f5b1c990ec15ba2a90377dbc1da6e046d083050

SHA256
594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

SHA512
eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
230KB

MD5
2ab9d92e16694f0f626cdd866fee7627

SHA1
09ced5a8452da7476f066324b1fc19a7d0d1f4b7

SHA256
8bf7d914747e3144121f48c4cbc9b9f0958103542618cb772ccb5aee4b358084

SHA512
6dfe227412ae474254100f4cae9f00da135f262c74feb2ec3d05c07d06ed46ed8290bc263fed4cd865ed04b5ddd88fc2b9e78e94e5496b7720e0329225a93201

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp
Filesize
136KB

MD5
abcf7804c518938c705350fb4f7c93e2

SHA1
957958826c15b71f99995cdd1d599706e9c86897

SHA256
f79b7e675422dfe8e52c36f9efdd5f21fc337a3836e5e4bc626b28ec53bf4dfd

SHA512
fd7c3cb085f7a5a9d263c9dbfbe2742edb3e6df1584c2ae109327a355216224f02772590897e40f59dd8fb2d4d03d32656bcbfce8d9682664adf34abb89683b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp
Filesize
51KB

MD5
6fc891fa64027819ad3625d5b2ccb25a

SHA1
c81c8d355cb7a3083e868197532fb85be0633793

SHA256
cbfbee6920c03d82a2e13f3a5e3f33f7457f875afce90e651d791cd56f8f8f7b

SHA512
48e16cc6663b4080574b6beba6a2893402c6fd2aaacfb6b4c6aa9869486011d9ec0e4861649e019e664f7b1ccfc838f2982d0804f6997146b855a8b4ab128c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb914.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb914.tmp\INetC.dll
Filesize
24KB

MD5
82fef98c93873c84201d7c470ab7a5a8

SHA1
0bd913811db221efc9b1b5391e3eb45949b6fa4e

SHA256
906fa5e581bb91307be26ce99ca9fe2d96da4f82146f61dca6f596b8e1144819

SHA512
c78f75ed69c263d3812b3cd30156163cc133d2751200771d4a4c2baa0948354ee7e14d9202565cc66e3399921b212237d638b0d295dbe1d0f2bfbe03e1023dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
306KB

MD5
9ee899895acbfd9e0c34d5a5b46b6205

SHA1
0e7be92b824f98ccbd37fab7affb8c9efdb1ef5d

SHA256
e85361387ac726f8636ac24e9027a92cafad3a8d039a7a8809f76e0dbee2c7a1

SHA512
1e10169b60d623c0acf43a2196ce1e75dbc72f8a8458cd4c205aab01b1437764bc0cde0e53cc6140c03934ebc717ea54e55de13df423986074ba1b68220fee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
232KB

MD5
84d7c3f3863cda5065fd83d35842280a

SHA1
3d1f69135752845b8fdab448d44f4d5e06fd8ddc

SHA256
684539de7ac46e0aeb57d7bfe372b55933222d1b52cbe16b2d1650c16cd5e79d

SHA512
f3a282e1bf14f6e67e3e3635f923bf5e827ea60b4ad8818a87818d06a5f23246b8e9a5a31c117d38d124300c617d496e62a295ea57a1eeaf3067b61f73b97a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
154KB

MD5
3a7936f508992db4c82bbbcd0554897e

SHA1
9a9aa0d4a4af4eb16339c43218ee83386c71ca03

SHA256
9a8283e40a20037f14c4b8f1885ce653e70790efa7ce2f4b420b8d15d4add252

SHA512
9e0250ab4ef52f7f9f788be8ad542c4276c30f893ddea5b6b8cc6d5d308ede8e9da0e45ced24dd5faa016cb62edf28e0b0a6113d9bf5e7ea73d164b9c489fefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
169KB

MD5
1d3976879d2a98ddbb49151ef652c3d7

SHA1
3b17be2f1a63eafe589911b7e6461b9b94e9f424

SHA256
f7cd23f9e6b47e319b2dd8d96acd8b57a6989051367065f973f463d70bca9c50

SHA512
b9f77d933f6dde3457cca2c6e5ce7da9d8b0dfb3d68bc8b977dd5df485ad52cd487d52cd838e9d6f37701ccf67bdc873bc0bd02c918061ec9229f414f67457e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
332KB

MD5
a1470335c14e84fd1f158878a5776ae1

SHA1
98ff4297b83233ce26c0a116abe76312af645398

SHA256
8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5

SHA512
cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
40KB

MD5
0857eb718ec9afa477d59a64bd5efb34

SHA1
3ba85e7d9d15404b73768dadcd0640a8154863d4

SHA256
cc0e18045e21b6b00059083c630f090bda1b3e71abfb45677d7d1ab44f76bc2a

SHA512
a6f2e5f07645e3bd7f6748ca1a097d298eb2d9adf6b07c060a6b6ef17eb3d25c3f75cdca2ac63d0239ab8b45ff14715b567206324b64a5b42c990317b3a5d439

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
325KB

MD5
3058f10b2fe431d9f8a487a35cd89ba3

SHA1
adf31cfada940e96a02305177bea754d4ee41861

SHA256
73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30

SHA512
4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
166KB

MD5
484dd41c0ac2b855a786ce79ea15e4f2

SHA1
1c57b7737ea40859655c65447bb137fed257f239

SHA256
48fe7600b68bb298be12565e9085913fab1448bf45ebc99bb3e3552bb36ce62d

SHA512
84cc87b7ada36713ef5e8ccf2fc65b125aa68f4de087b137bc78c800fd444d0b3630e68066ea2f3cbdaec1475d739028db629ea7fcfe53bae0f1d70f9a66fd6b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
189KB

MD5
794cec9e8db825915673ea52be715a17

SHA1
1967650874fa347cfd1c5e762db8a85013694729

SHA256
686eabd2374cf5d68ce415aa960e0f2ad2a1ebdfe7c47fca5011ff2609d2d27f

SHA512
7fc6275effab7f1f1b50283175e8fe9c498bc6ee5d6a67f1c98c978f4ff6370cc9842d779d96d14d09c5afd576a9f4bf2fb4f9c61ce0026d342d66fc9a4a79ab

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
147KB

MD5
12c75eb915a110e10722cdc66e709c64

SHA1
ccc7133274bf68e8df8ba3f3b3e1110e50661c4d

SHA256
18126c1f6c048a13038f94624c831489d73e499c384ea232df503c2b372c617e

SHA512
b0ee066d413bdb35824753bea7ba0b3accd6ac5cc46056ea6e0df98a784e4422ae18dcb0636cc0365ff903daad5044b207f48af86715725f863a668e14badef0

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
176KB

MD5
7c67997e1ab6c59d1a55fd548dc5dd2b

SHA1
a74e25e6b35a482331391125f97b509cd7d7da90

SHA256
629c6af26f47c12b30d3f08e9d902d7727aabc46a3daadf3132b5e9e79e0c1bb

SHA512
da8c57d5a24c1dd390c1436997ce8432d62630ee49c1ea8beaeb33472e99e511a1f9a1faeda51631f8699609862dbb3075fff22b9f5a3ac79ed9efbc36b02df6

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
313KB

MD5
5ea776e43112b097b024104d6319b6dc

SHA1
abd48a2ec2163a85fc71be96914b73f3abef994c

SHA256
cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341

SHA512
83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a8184b1cacdf7b45acf203cdca1f8350

SHA1
70dbd34716bbcc3c39ae2e66e94585f4c9dcc3a8

SHA256
e435cb7a53481a934ef04124528065b2787c6e4b14746b4396ed3dfc12c61b7a

SHA512
26c4ee726a7ac14337c9f774d2e386b8609c5d417e9115886dcd068eeae70a0a5d6ae62dffe134c1c3ff63bb82886a390aff50b1309ebbd2b472605acbf736a5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
3853abb35ab617a117144f119cdc9808

SHA1
03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae

SHA256
f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef

SHA512
0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8

Download Submit
memory/812-305-0x0000000000580000-0x0000000000602000-memory.dmp

Filesize
520KB

Download
memory/1084-301-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-274-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1084-273-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1084-324-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-400-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-313-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-361-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-311-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-389-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-307-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-341-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-345-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-358-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-334-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-298-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-289-0x0000000073480000-0x0000000073C30000-memory.dmp

Filesize
7.7MB

Download
memory/1084-287-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-407-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-288-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-414-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-277-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1084-374-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-410-0x0000000005000000-0x00000000051A5000-memory.dmp

Filesize
1.6MB

Download
memory/1084-276-0x0000000005000000-0x00000000051AC000-memory.dmp

Filesize
1.7MB

Download
memory/1084-272-0x00000000051B0000-0x000000000535C000-memory.dmp

Filesize
1.7MB

Download
memory/1712-235-0x0000000073480000-0x0000000073C30000-memory.dmp

Filesize
7.7MB

Download
memory/1712-241-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/1712-270-0x0000000073480000-0x0000000073C30000-memory.dmp

Filesize
7.7MB

Download
memory/1712-228-0x0000000005000000-0x0000000005060000-memory.dmp

Filesize
384KB

Download
memory/1712-257-0x0000000002570000-0x0000000004570000-memory.dmp

Filesize
32.0MB

Download
memory/1712-236-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/1712-226-0x00000000049B0000-0x0000000004A12000-memory.dmp

Filesize
392KB

Download
memory/1712-239-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/1816-102-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/1816-100-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/1816-105-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/1888-343-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2476-141-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2476-152-0x0000000002590000-0x0000000004590000-memory.dmp

Filesize
32.0MB

Download
memory/2476-138-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2476-137-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2476-136-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2476-135-0x0000000004BF0000-0x0000000004C88000-memory.dmp

Filesize
608KB

Download
memory/2476-142-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2476-139-0x0000000004B50000-0x0000000004BE8000-memory.dmp

Filesize
608KB

Download
memory/2476-151-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3352-75-0x0000000002CF0000-0x0000000002D4E000-memory.dmp

Filesize
376KB

Download
memory/3640-224-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/3640-140-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/3640-17-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/3640-16-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/3640-392-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

Filesize
4.0MB

Download
memory/3780-47-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-48-0x0000000002920000-0x0000000004920000-memory.dmp

Filesize
32.0MB

Download
memory/3780-41-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3780-40-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-39-0x0000000000330000-0x000000000039C000-memory.dmp

Filesize
432KB

Download
memory/3780-231-0x0000000002920000-0x0000000004920000-memory.dmp

Filesize
32.0MB

Download
memory/4264-0-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/4264-14-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/4264-2-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/4264-1-0x0000000000580000-0x0000000000988000-memory.dmp

Filesize
4.0MB

Download
memory/4404-87-0x0000000006290000-0x0000000006322000-memory.dmp

Filesize
584KB

Download
memory/4404-50-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/4404-44-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4404-49-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4404-51-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4404-52-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4404-53-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/4404-54-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/4404-179-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4404-55-0x00000000053F0000-0x000000000543C000-memory.dmp

Filesize
304KB

Download
memory/4404-76-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4404-88-0x00000000063B0000-0x0000000006426000-memory.dmp

Filesize
472KB

Download
memory/4404-77-0x0000000006730000-0x0000000006CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4404-92-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4404-106-0x0000000008110000-0x000000000863C000-memory.dmp

Filesize
5.2MB

Download
memory/4404-97-0x00000000075C0000-0x0000000007610000-memory.dmp

Filesize
320KB

Download
memory/4404-99-0x0000000007A10000-0x0000000007BD2000-memory.dmp

Filesize
1.8MB

Download
memory/4540-234-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-229-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-227-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-225-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-230-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-251-0x0000000000990000-0x00000000009B0000-memory.dmp

Filesize
128KB

Download
memory/4540-269-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4540-237-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4572-166-0x00000000014B0000-0x00000000014E2000-memory.dmp

Filesize
200KB

Download
memory/4572-156-0x0000000001390000-0x00000000013D0000-memory.dmp

Filesize
256KB

Download
memory/4572-183-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4572-169-0x00000000014B0000-0x00000000014E2000-memory.dmp

Filesize
200KB

Download
memory/4572-163-0x00000000014B0000-0x00000000014E2000-memory.dmp

Filesize
200KB

Download
memory/4572-148-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4572-145-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4572-153-0x0000000001390000-0x00000000013D0000-memory.dmp

Filesize
256KB

Download
memory/4820-303-0x0000000008010000-0x000000000805C000-memory.dmp

Filesize
304KB

Download
memory/4820-238-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4820-275-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/4820-271-0x0000000073480000-0x0000000073C30000-memory.dmp

Filesize
7.7MB

Download
memory/5068-180-0x00007FF813D70000-0x00007FF814831000-memory.dmp

Filesize
10.8MB

Download
memory/5068-167-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download