dcrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

10/03/2024, 15:09

240310-sjmk3sfc5s 10

Analysis

max time kernel
612s
max time network
628s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat lumma neshta raccoon rhadamanthys zgrat a9a7275fb9eb4dd3731cb51ff1f26091 bootkit discovery infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

a9a7275fb9eb4dd3731cb51ff1f26091

http://193.233.132.13:80/

Attributes

user_agent
SouthSide

xor.plain

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

https://associationokeo.shop/api

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Neshta payload 34 IoCs

resource	yara_rule
behavioral3/files/0x0008000000023234-4594.dat	family_neshta
behavioral3/files/0x0008000000023234-4599.dat	family_neshta
behavioral3/files/0x0007000000023246-4702.dat	family_neshta
behavioral3/files/0x0004000000009f88-4717.dat	family_neshta
behavioral3/files/0x0004000000020162-4824.dat	family_neshta
behavioral3/files/0x000600000002005a-4887.dat	family_neshta
behavioral3/files/0x0004000000020136-4886.dat	family_neshta
behavioral3/files/0x00010000000200bc-4885.dat	family_neshta
behavioral3/files/0x0001000000021309-4926.dat	family_neshta
behavioral3/files/0x0001000000021308-4924.dat	family_neshta
behavioral3/files/0x0001000000021307-4923.dat	family_neshta
behavioral3/files/0x0001000000022d51-4932.dat	family_neshta
behavioral3/files/0x000100000001680e-4943.dat	family_neshta
behavioral3/files/0x00010000000167d5-4949.dat	family_neshta
behavioral3/files/0x0001000000016861-4951.dat	family_neshta
behavioral3/files/0x0001000000016811-4956.dat	family_neshta
behavioral3/files/0x00010000000167d9-4955.dat	family_neshta
behavioral3/files/0x00010000000167f5-4961.dat	family_neshta
behavioral3/files/0x00010000000167f6-4960.dat	family_neshta
behavioral3/files/0x000100000001dbe6-4969.dat	family_neshta
behavioral3/files/0x000300000001df9b-4973.dat	family_neshta
behavioral3/files/0x000100000001dbe4-4968.dat	family_neshta
behavioral3/files/0x000100000001dbda-4967.dat	family_neshta
behavioral3/files/0x0001000000022cd9-4992.dat	family_neshta
behavioral3/files/0x0001000000022cd5-4991.dat	family_neshta
behavioral3/files/0x0001000000016923-4990.dat	family_neshta
behavioral3/files/0x000100000001df94-4989.dat	family_neshta
behavioral3/files/0x00020000000213f2-4996.dat	family_neshta
behavioral3/files/0x0002000000000729-4994.dat	family_neshta
behavioral3/files/0x000100000001e00b-4988.dat	family_neshta
behavioral3/files/0x000100000001df9e-4987.dat	family_neshta
behavioral3/files/0x000100000001dfa9-4986.dat	family_neshta
behavioral3/files/0x001400000001db3e-5075.dat	family_neshta
behavioral3/files/0x000900000001db1c-5066.dat	family_neshta

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral3/memory/932-34-0x0000000005000000-0x0000000005208000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-35-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-36-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-38-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-40-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-42-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-44-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-46-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-48-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-50-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-52-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-54-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-56-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-58-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-60-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-62-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-64-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-66-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-68-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-70-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-72-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-74-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-76-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-78-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-80-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-82-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-84-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-86-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-88-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-90-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-92-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/932-94-0x0000000005000000-0x0000000005203000-memory.dmp	family_zgrat_v1
behavioral3/memory/2560-1022-0x0000000004CE0000-0x0000000004E0A000-memory.dmp	family_zgrat_v1
behavioral3/memory/4980-2088-0x00000000050C0000-0x00000000051A8000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3572	schtasks.exe	172
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3572	schtasks.exe	172

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral3/memory/1380-19-0x0000000000400000-0x0000000001809000-memory.dmp	family_raccoon_v2
behavioral3/memory/1380-18-0x0000000000400000-0x0000000001809000-memory.dmp	family_raccoon_v2
behavioral3/memory/1380-979-0x0000000000400000-0x0000000001809000-memory.dmp	family_raccoon_v2
behavioral3/memory/1380-1019-0x0000000000400000-0x0000000001809000-memory.dmp	family_raccoon_v2

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2852 created 2528	2852	native.exe	43
PID 4472 created 2528	4472	ghjk.exe	43
PID 2016 created 2528	2016	asdfg.exe	43

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0007000000023243-4693.dat	dcrat
behavioral3/files/0x0007000000023243-4704.dat	dcrat
behavioral3/files/0x0007000000023243-4709.dat	dcrat
behavioral3/files/0x000b00000002323b-6092.dat	dcrat

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral3/files/0x000700000002326f-6811.dat	net_reactor

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	rhsgn_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	MSBLOC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	TSMSOQO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	FUCKER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	native.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	svcrun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Zenith_Hub_20240229201747443.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ARA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Msblockreview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	AttributeString.exe

Executes dropped EXE 49 IoCs

pid	Process
1380	update.exe
932	native.exe
2928	svcrun.exe
2560	BBLb.exe
2852	native.exe
3120	VLTKBacdau.exe
4980	BBLb.exe
2088	loader.exe
1948	ghjk.exe
1792	rhsgn_protected.exe
2028	Zenith_Hub_20240229201747443.exe
1588	Zenith_Hub_20240229201747443.exe
2852	svchost.com
1860	ARA.exe
848	svchost.com
792	LOADER~1.EXE
1372	svchost.com
3352	asdfg.exe
1004	svchost.com
4548	ama.exe
3996	Msblockreview.exe
4472	ghjk.exe
2400	svchost.com
220	SIGNED~1.EXE
2524	svchost.com
3208	MSBLOC~1.EXE
2372	AttributeString.exe
868	svchost.com
3716	osminog.exe
1588	MSI.CentralServer.exe
2016	asdfg.exe
1180	svchost.com
5068	STELLA~1.EXE
2184	svchost.com
4684	WINDOW~1.EXE
1676	svchost.com
2980	svchost.com
984	hv.exe
1240	svchost.com
3580	cmt.exe
3624	ATTRIB~1.EXE
3996	StartMenuExperienceHost.exe
2176	TSMSOQO.exe
964	svchost.com
4552	ATTRIB~1.EXE
4416	ATTRIB~1.EXE
2540	svchost.com
3472	timeSync.exe
4008	AttributeString.exe

Loads dropped DLL 1 IoCs

pid	Process
984	hv.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Zenith_Hub_20240229201747443.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
171	raw.githubusercontent.com
172	raw.githubusercontent.com
185	pastebin.com
186	pastebin.com
215	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	VLTKBacdau.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1792	rhsgn_protected.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 932 set thread context of 2852	932	native.exe	115
PID 2560 set thread context of 4980	2560	BBLb.exe	126
PID 1948 set thread context of 4472	1948	ghjk.exe	157
PID 3716 set thread context of 968	3716	osminog.exe	171
PID 3352 set thread context of 2016	3352	asdfg.exe	177
PID 984 set thread context of 4876	984	hv.exe	220
PID 3624 set thread context of 4416	3624	ATTRIB~1.EXE	231

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	MSBLOC~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	Zenith_Hub_20240229201747443.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\5b884080fd4f94	MSBLOC~1.EXE
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\unsecapp.exe	MSBLOC~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	Zenith_Hub_20240229201747443.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\unsecapp.exe	MSBLOC~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	MSBLOC~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE	Zenith_Hub_20240229201747443.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\29c1c3cc0f7685	MSBLOC~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\29c1c3cc0f7685	MSBLOC~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	Zenith_Hub_20240229201747443.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Msblockreview.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	Msblockreview.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\Tasks\MSI.CentralServer.job	ama.exe
File opened for modification	C:\Windows\directx.sys	AttributeString.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AttributeString.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3356	2852	WerFault.exe	115
1236	2852	WerFault.exe	115
4524	4472	WerFault.exe	157
3128	4472	WerFault.exe	157
3612	2016	WerFault.exe	177
4136	2016	WerFault.exe	177

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	timeSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	timeSync.exe

Creates scheduled task(s) 1 TTPs 23 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3052	schtasks.exe
4556	schtasks.exe
1136	schtasks.exe
2856	schtasks.exe
1376	schtasks.exe
4960	schtasks.exe
3108	schtasks.exe
2324	schtasks.exe
4016	schtasks.exe
664	schtasks.exe
3204	schtasks.exe
2464	schtasks.exe
2864	schtasks.exe
2880	schtasks.exe
1380	schtasks.exe
1644	schtasks.exe
4952	schtasks.exe
748	schtasks.exe
4440	schtasks.exe
1452	schtasks.exe
3472	schtasks.exe
3584	schtasks.exe
2960	schtasks.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	ARA.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	FUCKER.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	Msblockreview.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	AttributeString.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	MSBLOC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	TSMSOQO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Zenith_Hub_20240229201747443.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	rhsgn_protected.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1380	update.exe
1380	update.exe
2928	svcrun.exe
2928	svcrun.exe
5112	powershell.exe
5112	powershell.exe
2852	native.exe
2852	native.exe
4992	dialer.exe
4992	dialer.exe
4992	dialer.exe
4992	dialer.exe
4472	ghjk.exe
4472	ghjk.exe
2016	dialer.exe
2016	dialer.exe
2016	dialer.exe
2016	dialer.exe
3208	MSBLOC~1.EXE
2016	asdfg.exe
2016	asdfg.exe
3208	MSBLOC~1.EXE
3208	MSBLOC~1.EXE
3208	MSBLOC~1.EXE
3208	MSBLOC~1.EXE
5104	dialer.exe
5104	dialer.exe
5104	dialer.exe
5104	dialer.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
3996	StartMenuExperienceHost.exe
3996	StartMenuExperienceHost.exe
1856	powershell.exe
1856	powershell.exe
2176	TSMSOQO.exe
2176	TSMSOQO.exe
3964	powershell.exe
3964	powershell.exe
3624	ATTRIB~1.EXE
3624	ATTRIB~1.EXE
208	powershell.exe
208	powershell.exe
3472	timeSync.exe
3472	timeSync.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	VLTKBacdau.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	FUCKER.exe
Token: SeDebugPrivilege	932	native.exe
Token: SeDebugPrivilege	2928	svcrun.exe
Token: SeDebugPrivilege	2560	BBLb.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4980	BBLb.exe
Token: SeDebugPrivilege	3120	VLTKBacdau.exe
Token: SeDebugPrivilege	1948	ghjk.exe
Token: SeDebugPrivilege	3352	asdfg.exe
Token: SeDebugPrivilege	3208	MSBLOC~1.EXE
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3580	cmt.exe
Token: SeDebugPrivilege	3624	ATTRIB~1.EXE
Token: SeDebugPrivilege	3996	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4876	jsc.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2176	TSMSOQO.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4416	ATTRIB~1.EXE
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	4008	AttributeString.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1792	rhsgn_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1380	2032	FUCKER.exe	109
PID 2032 wrote to memory of 1380	2032	FUCKER.exe	109
PID 2032 wrote to memory of 1380	2032	FUCKER.exe	109
PID 2032 wrote to memory of 932	2032	FUCKER.exe	110
PID 2032 wrote to memory of 932	2032	FUCKER.exe	110
PID 2032 wrote to memory of 932	2032	FUCKER.exe	110
PID 2032 wrote to memory of 2928	2032	FUCKER.exe	113
PID 2032 wrote to memory of 2928	2032	FUCKER.exe	113
PID 932 wrote to memory of 2560	932	native.exe	114
PID 932 wrote to memory of 2560	932	native.exe	114
PID 932 wrote to memory of 2560	932	native.exe	114
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 932 wrote to memory of 2852	932	native.exe	115
PID 2928 wrote to memory of 5112	2928	svcrun.exe	116
PID 2928 wrote to memory of 5112	2928	svcrun.exe	116
PID 2852 wrote to memory of 4992	2852	native.exe	118
PID 2852 wrote to memory of 4992	2852	native.exe	118
PID 2852 wrote to memory of 4992	2852	native.exe	118
PID 2852 wrote to memory of 4992	2852	native.exe	118
PID 2852 wrote to memory of 4992	2852	native.exe	118
PID 2032 wrote to memory of 3120	2032	FUCKER.exe	125
PID 2032 wrote to memory of 3120	2032	FUCKER.exe	125
PID 2032 wrote to memory of 3120	2032	FUCKER.exe	125
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2560 wrote to memory of 4980	2560	BBLb.exe	126
PID 2928 wrote to memory of 4964	2928	svcrun.exe	128
PID 2928 wrote to memory of 4964	2928	svcrun.exe	128
PID 4964 wrote to memory of 3052	4964	cmd.exe	131
PID 4964 wrote to memory of 3052	4964	cmd.exe	131
PID 2032 wrote to memory of 2088	2032	FUCKER.exe	132
PID 2032 wrote to memory of 2088	2032	FUCKER.exe	132
PID 2032 wrote to memory of 2088	2032	FUCKER.exe	132
PID 2032 wrote to memory of 1948	2032	FUCKER.exe	133
PID 2032 wrote to memory of 1948	2032	FUCKER.exe	133
PID 2032 wrote to memory of 1948	2032	FUCKER.exe	133
PID 2088 wrote to memory of 1792	2088	loader.exe	136
PID 2088 wrote to memory of 1792	2088	loader.exe	136
PID 2088 wrote to memory of 1792	2088	loader.exe	136
PID 2032 wrote to memory of 2028	2032	FUCKER.exe	138
PID 2032 wrote to memory of 2028	2032	FUCKER.exe	138
PID 2032 wrote to memory of 2028	2032	FUCKER.exe	138
PID 2028 wrote to memory of 1588	2028	Zenith_Hub_20240229201747443.exe	139
PID 2028 wrote to memory of 1588	2028	Zenith_Hub_20240229201747443.exe	139
PID 1792 wrote to memory of 2852	1792	rhsgn_protected.exe	140
PID 1792 wrote to memory of 2852	1792	rhsgn_protected.exe	140
PID 1792 wrote to memory of 2852	1792	rhsgn_protected.exe	140
PID 2852 wrote to memory of 1860	2852	svchost.com	141
PID 2852 wrote to memory of 1860	2852	svchost.com	141
PID 2852 wrote to memory of 1860	2852	svchost.com	141
PID 1860 wrote to memory of 4840	1860	ARA.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\Files\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
    "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
      C:\Users\Admin\AppData\Local\Temp\BBLb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4980
- - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 480
      4⤵
      Program crash
      PID:3356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 504
      4⤵
      Program crash
      PID:1236
- C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "TSMSOQO" /tr "C:\ProgramData\datajs\TSMSOQO.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "TSMSOQO" /tr "C:\ProgramData\datajs\TSMSOQO.exe"
      4⤵
      Creates scheduled task(s)
      PID:3052
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ARA.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\ARA.exe
        
        C:\Users\Admin\AppData\Local\Temp\ARA.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
        6⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
        7⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
        
        "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\MSBLOC~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\MSBLOC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\MSBLOC~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZRhINtWmFH.bat"
        11⤵
        
        PID:4764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2824
        
        C:\Users\Default User\StartMenuExperienceHost.exe
        
        "C:\Users\Default User\StartMenuExperienceHost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 460
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 472
      4⤵
      Program crash
      PID:3128
- C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe"
    3⤵
    - Executes dropped EXE
    PID:1588
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\LOADER~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\Files\LOADER~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\LOADER~1.EXE
    3⤵
    - Executes dropped EXE
    PID:792
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
      C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 448
        5⤵
        Program crash
        
        PID:3612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 476
        5⤵
        Program crash
        
        PID:4136
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4548
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE
    3⤵
    - Executes dropped EXE
    PID:220
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe
    C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3716
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:968
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\STELLA~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\Files\STELLA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\STELLA~1.EXE
    3⤵
    - Executes dropped EXE
    PID:5068
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE
    3⤵
    - Executes dropped EXE
    PID:4684
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4876
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cmt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\Files\cmt.exe
    C:\Users\Admin\AppData\Local\Temp\Files\cmt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
    C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2852 -ip 2852
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2852 -ip 2852
1⤵
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Users\Admin\AppData\Local\TypeId\rwcqw\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\rwcqw\AttributeString.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2372
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE
      4⤵
      Executes dropped EXE
      PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\ATTRIB~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4472 -ip 4472
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4472 -ip 4472
1⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2016 -ip 2016
1⤵
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2016 -ip 2016
1⤵
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\ink\uk-UA\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ink\uk-UA\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\ink\uk-UA\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\ProgramData\datajs\TSMSOQO.exe
C:\ProgramData\datajs\TSMSOQO.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "TSMSOQO" /tr "C:\ProgramData\datajs\TSMSOQO.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn TSMSOQO /tr C:\ProgramData\datajs\TSMSOQO.exe
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn TSMSOQO /tr C:\ProgramData\datajs\TSMSOQO.exe
      4⤵
      Creates scheduled task(s)
      PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Local\TypeId\tdrynyry\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\tdrynyry\AttributeString.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
3.3MB

MD5
86794f1741fe63f6d2fc5864e62a39c2

SHA1
ecb832956acbc4ea5d9f9f40bb9ddcecd83f8caa

SHA256
67789c9e02cc8d8038b800fd41c429ee7be892fcf858618d08d1e4dff61d7c34

SHA512
cba251e96dc2d469385f508a90c947b99e60f7fc4310558309976b361f1d5428c6ef40b918a2ee78bec1e4d52160829320a6abf9cfd01689a573614b0880c0e1

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
1106ff26e23d003793c9d5bef018ecba

SHA1
e0a2ce8fa76f2e95d7d8a29e80f6fa765ce6a9ef

SHA256
059db5529603304417e4b8deb7d9f5be475863a23b6c8db7d99599b814d17e9d

SHA512
2cc7f4495c6d6754c132b808efafca5438cbd2e8d31accd090b579710bdfce0d98a1497f682b8478da255d6a7f1b1efca21ef6d5aa633a55d866f9f84d933102

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE

Filesize
139KB

MD5
147b5ade315673b925bdd21eba5d9732

SHA1
212b9882f166b187ef578298ee4bfdd174529115

SHA256
d49c72831f1b505b1846b23c3bf836219e27ea69e8fd43e8e4ca3ead7601252b

SHA512
7bb8186c67a20471d54fd37f3db55edaf86cdb34861359df092e1251ccadb80e2a71197304d192ccb5df0111676017be6823fd85617fefcb366ac405878caab0

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE

Filesize
640KB

MD5
325af64d209dfbf0258d5563da220924

SHA1
56d63cfa859a02b481ed77d4aa4d4578f705cbf8

SHA256
055873f7c40d9587ebdaf39a2eff3408fbae06f9e02db131a272acf8e96873ef

SHA512
07ac88f411ed0f3380f2b681c6b9eb6ec628e8e836031bb7d0fd2fef1cfeb94b669e6ad35e440291fc09f17f84f6d70614df7a7bb4480067640e588aecf855e4

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE

Filesize
242KB

MD5
247348036dbe419034c3289f577ec6ea

SHA1
6adfd450bd84a629c612c7a2f8b2a613afb49245

SHA256
29af76a6a5c935cae799cba744b4604da06d69f30e272a873f15ecfd57043b1d

SHA512
1c8c636f9a1c3c0e4f92ef026f9509fd29d696823bb1c7086b877f6f32663c2c42a83ea51c9751192cae331ad25733b417030dba81654fd747903cc3eae11025

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE

Filesize
302KB

MD5
0f087e158950e3f1d665448e3336bf19

SHA1
0e2ce75f02bbfe87b0837651e3e027075190be34

SHA256
32de49b2fe1b519af7ab9b31986f3fab62718e2235c4e50d60be83b6ac25b9fb

SHA512
5fce7ac2e152e110eab3ee775e077f85b21f55681934c5a86fe35c765882ad8309a494ca541efc7f3cfd4f6f565420626319521e3a96df489568727d2117ce10

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE

Filesize
704KB

MD5
fbcaa39db1800d5c0796bfb8f522d2be

SHA1
b0ce75a0faca137a0b0f6c32dd623336f79d9e44

SHA256
a1af174cd642729faf85b1400d082152a6c40e162f106e772bc397fe1942a283

SHA512
49345e90519913ff9a8df3bd8e940997995835965939890bf40ce3fe5436677fe4a504db4ae39f9fffce96ba3dc4730b1c431d8ffe007e1b288432ed81fb81b5

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
c0ac85794f04cb1648989075e6dfa55c

SHA1
c4e2ae9b72b40cd2eca4a178400c3832ad1df89e

SHA256
a62f88cb577ffe115d6b712dc4c559d5b9852f055ebbab092fda223b5e0dd046

SHA512
ef2f2a9b04e20a0dc7f5f088119d0f6e32801948e11f7f7a05e1e80c0e4313b6faa2527e4e8f15f878219e593ee0afc8350ade9094beae4a0c1f5107e2cf6a15

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
640KB

MD5
02c0bc8f2245b5a7ccfcc0b5e0c6894c

SHA1
b94d3bd517b274ac31ff30f2f51aab16519224b1

SHA256
05b5be151ea1de1987cda756a8ee259b7baca955cff38a647c8e2e89f57551eb

SHA512
dcd27ed49311d2021a7d8e28e3d970f73a3a658a422d8e66e9e58a64c8186a966dd865f1878887e9a653b4f4820c404109dba74ba26b49a7c889226bd89deef8

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
896KB

MD5
6024c30d2249a0ab4a44da584bec7fcd

SHA1
8530151b1b8eaff4e55b064e8a3b4ca8cfdc3c37

SHA256
c08dd7543abd5afdff8ff48aec8e8b2c2caad0700255064045ee741474a0a4c6

SHA512
188af736e10ed7813c0c57f9559f85a2ad992a76fdc0e0587a3a6c5887312e831287600927232684b330e7442dd26892614c91a24eb08074a5e67330749bc73e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
960KB

MD5
3f2fa7983d755f4747c28a0294092249

SHA1
ce9d37ef077b8e65a36bde2f6ce975422fa17191

SHA256
449cd91af15c4d0206483291c06ed13e65a68e7ab5384d705a4dbfcced3a86d6

SHA512
f010d0d1b1146fb2ead2abda1f8d6b89c4622c1f5e49c0bd1a05e725129dae5bd2f719c1b835a663fe54f94e42bcef499481f33a1b0305a2624edcd56f53fc62

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
1.1MB

MD5
76d21321bb77eaf6c9ce10bd7ea03299

SHA1
aa5d7062b239025d92455d783f0a86285e604422

SHA256
32840bc9cabc373d2d99b0e29359d0e2cfe2b5b1f1e6105c6a12f1c22f5654f4

SHA512
0b74607690a2a98a781832b86c5a3dfe3e78182e7a196e286ade65344a146c90fe32f85d983779e51afddfb5285c807fd8cd9d210f8f19ae8bd2ee4e80860a86

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
576KB

MD5
51013417f813951da2f5c748b8ed5c14

SHA1
f641c596bc110fee314ebc8f6313f943f8b2cfdf

SHA256
81db265c77dc8d32301f4b03e9e08dd1b7cd7a84ee55a5695972b9daf6293517

SHA512
87fce63a35536240acadb639152abe8a915ee3279476e3de557c0b4dec8ad049ac7a570335ef304005174c9a89c65954dedb59b0d787979c4a5912ea5aae5891

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
576KB

MD5
3e6d3608dcc5492bea2de5800db1c7aa

SHA1
5e738c392cabfa6fbbbe9779239d036b4ecf436b

SHA256
91970b226044d13711d57f3f43c20e4087e9794651880725607bf3b0aae0ac9e

SHA512
ac797cc3f1b0a599526cb3dbefab2ca97c80d2adaa7e098d6d63ef1cfe5fba8fc774441a96fe27363adaa9aaff2c5b1da15004a207bb8d9dd0260ac8e584d232

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
267KB

MD5
15163eb05b0a8f65a5ca3c74a658077d

SHA1
8b116062a5754fa2d73fc4df9f635283ae1ccd02

SHA256
8751c43ee0f3f0e080103a9b77be9e79346004769ed43d4cadd630ea15d26dcf

SHA512
a8299e9a522aa58429847920b999598551c1863f63ba473178f61cde43fb91cab6ef62c9e1a51268e54338e012ccfe6428a7c37bc89007d1604fafa2560258c9

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
7e3b8ddfa6bd68ca8f557254c3188aea

SHA1
bafaaaa987c86048b0cf0153e1147e1bbad39b0c

SHA256
8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2

SHA512
675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
768KB

MD5
3eac7703eadce6bdaf4286fbfde25d42

SHA1
507a734087d3e015fa44ff876f4f0dbdae6ce3f8

SHA256
4f9cfb2f17ebeeae745498329b4995b53611f6aa633041de33073934e85894cb

SHA512
d4df73660a5c229294e71f26baed55f6b37883291eddcf7d7b2d973a7103d46bf70e28285dc08a2daf3efb66c3209661c5dfc4338139bd6e6fc06c0ad3f0b7f7

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
320KB

MD5
a6b95ed25b604962edc6ed452d522e9a

SHA1
f87aae6701e810688758e066a0cd9a7a4d3c73eb

SHA256
fb5062552e12fd12d2795e5d88296317edb48b95b7756ce9fdadf9ec190a64e5

SHA512
b7fd50d5b4d6a9a5472961af9e027532d942dc3215c9d27bcd3bbd53dd65a5d6ed2864ea237461dccd344b3ede2a4766af4c98ecbcc9c1947d562e56576b8c25

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
256KB

MD5
ff81c21cfe7cae5663cdbac6afe0bf82

SHA1
583999951d3f60bbde0e3152321d72a3bf7ba4c8

SHA256
80646271f554bd1e7f1e72e841a8d3cde8e1e0abfc37a1f9be2a0edb52d1060e

SHA512
ea9c39fedba62f87a46389dba7c14cb14c4fcaa18b38d567ac3f93c3c17514a74855bc0f622f30f5ad1c6a5cfb276de4573f84405791c80f36e8696698806037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Msblockreview.exe

Filesize
320KB

MD5
08ebd488d271ae485c277753e7673a34

SHA1
5220a957d3d20dc027ca8fee796327567c88cf47

SHA256
0c3b9b1ca7f5982fafb8517f25ebfa24e99b0a74682086f13b633715c3c40894

SHA512
644a58de4982aa2fb43433db57ac90ea9ccacca65d47b280564f6ab6d2f25ab1b1fea8a9b45c63a5d09faa200470904a2a42fb1de663f224add6274df3b27770

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe

Filesize
1.3MB

MD5
ae16ce1655bb21ce82d472a12f6a0d45

SHA1
10af68278bbd5be9a4a478839b967e00fb5f1f68

SHA256
7a6508b095cd88f10dad4004841e50f576606414bf1fa33213f65668ebb84bf6

SHA512
8de88920dde83d8436db858f2cec4795e28c85e7ef1cc6276cc2d4d1c54bbffabab1f724f4aa7d27dcce6e83643121dca2b938742391b92e07f76764a0b69138

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe

Filesize
1.2MB

MD5
0782452dbfc32a18822a9a18c1464022

SHA1
03b7a2540ee09a1e726ea0f1ffb88ee6d9b19f81

SHA256
8df2a9d61d645f8db6531154733187573e7a984423144ac6ae8d47091f26037d

SHA512
90f7bd88b586f58810e9c9d78c25d5ef2b08fa3ce3afeecd8c3926e9e4c76561d9b066db8b4e9f2207cb5e7a08b161b1b6fade8e14182d35156a6e5a1b85429c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
1.4MB

MD5
8f6909a9623a58877c7036c085967707

SHA1
63b90db4f66abded2c0b7f0bdf06bb6cd6e7cf6e

SHA256
4ccc7d9ae854e46a2b4a364b11d80594efa2a3060b5cd12556963c33adda4c4b

SHA512
184f861f55c5d4fca499927394f7ce3afe7ee50b062752cdbcc1922d210d6f0179148909b08b176e56a1b28e3617343bd21a731632c7c8ebb74677852983fb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
896KB

MD5
8b1278176e149412c25964b798becfea

SHA1
c813fa87485a36dc031a55db0a6327ef7b05d747

SHA256
cd2f6d210bf29087fd0937bf706130e994f7fd760f61d167b6c92a2288a17f36

SHA512
1d9eb96d034738bcd50cdf9d60887d38ad42ae7e1d1408efa81fbe742ec3f3208e0cbe4e559422b0479cba0279303f964b10cb5541738dcb344d5cefede0935a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
192KB

MD5
e509e6f01a19798465ac56ed15f7bd14

SHA1
65298a5343c068d8b266c84d47e6da18b980805f

SHA256
d2343696f6cf09ab8d5719e33f6453b55bd917f34378da31ac9ad16c88ea9d40

SHA512
a8db6cf86761455fa16e12e37eb35a27517f99aeb4c50ad3e55c485b5c7600e7c268380037bef0e56a4c50a1dd0d6493f1673bc062d5c4d98627b6316a767106

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
896KB

MD5
5c63556492a51966ce4b579921036096

SHA1
569dfe00f01ef7d5e6f5e866fccb1cf970d1ef2c

SHA256
2a7a91637a26c351ef8f8e6d5033bb667c82208c602731c1dda70a5e6436a837

SHA512
48a00f6343475398ab3478e19dfa279b8cb3e39f436713c5ec0ae9eb03a3960c2152b675212690d3cfb62049d5dbe569a9a30411fc4c983abebf1289dd622b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
1.2MB

MD5
71eb1bc6e6da380c1cb552d78b391b2a

SHA1
df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

SHA256
cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

SHA512
d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
640KB

MD5
4086eb36f8575ebf4a27babe5536461d

SHA1
9df44b4604101be904787c132707892b772b5b6a

SHA256
f738fa8436a9fab0a04b85f1bfdca8b20497d840521b7d4e322073dcef2c3e87

SHA512
1ddcddefac1b90509c00334c862e5456bf435aca37636e9b9ee5d3b6c8cdc599765c31d1c9931e8eaa85d30b1e02b4222b23792f878edbd1ee814a40abb23a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LOADER~1.EXE

Filesize
640KB

MD5
2ccacc8bf18fdad60c93d1518c8e4b72

SHA1
f812c5bf41ef1242a8fc0e2f4c2e7b2b1f074437

SHA256
4411adef8aaaa2ede570a80e81b946197344da44eb1a01ca28528e46afae3da3

SHA512
cb172182e903764ceb87f567c662a8832280839f1d857988a6935cdea7111e69203aed31b8ea4560e8fc9b0236f3d5906384c861e86d8c30f15a3f3a8a78cc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe

Filesize
1.2MB

MD5
0c43fe7786f9c0e4b726f72c758e3eed

SHA1
1746a8826c2f3cae77ff09eccbe93c14bdbfd2ce

SHA256
13421339f7ad76def0302d75897ae4d0e3d4d06545716285f9d0c48e02aca7be

SHA512
6a95b03f90e8fa6b3d375bde6105cfe0c62a780b9766868e173bd27a6cabb27f8b798295b0682015bd77706ac2eceb037eedcf263fc2110ba9be5b80921e6fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe

Filesize
192KB

MD5
b8a678a2ab954429cad22bac236728f1

SHA1
81ea8ee0c7584c93baa90af58b2bdfa6c8b95a3b

SHA256
ae6560a9a144f41afb7bd6ce961323700298554211471078537ebf7bd47b7e95

SHA512
a9b79f502397ee8cbd894977bd06e007310eef786c51c428222b4da56b67f96a67cce195781086a77f5b97a66f33ac6beb3d6b92daa0a2c0597326bd574f7855

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe

Filesize
1.6MB

MD5
03e8111dd82352ceab22be5f11a722fc

SHA1
1ec0b8d8939090c2ffdd5f263acb47bcc0249ad2

SHA256
c3f2d5937e10ca109e108de7f108caf76a367ddb432dbabb6e24861c5dc318cb

SHA512
d4e9de344722c8d64931a44c69d2fe561b9d36d0ccf33ac89ecfe371d3c7a4c805b051b6f8fc3816580862ba252eef3ada472bf96dd047e5bfc9a4b96d192728

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe

Filesize
1.3MB

MD5
29dae1779fe7eeb4c5f4c5a83f3b801c

SHA1
623e5692eba39521d73752ac6e27ee9942c45d00

SHA256
223a1cab36c291e27671d72b2915f4c41480ee6884974c24f14b93dd139da402

SHA512
f59db5a90bb7f6fdb8b4a4577da3bab441a8dc4e1e82ea9ed0897445284bd82f6b4aa23883dc5099af653ead08180cac0ec9c2e8e9f7fdd1e4ed91a8f76c3445

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe

Filesize
1.3MB

MD5
492b9cec4bab558d09bfdcff88600953

SHA1
148598f122553279552fb05f3300e3a07e3fd591

SHA256
678cb517b83dfe84399f3e91c647706cdd73baddb97ec369ea8189c795033848

SHA512
72e4d79680f85d145f4e4737673384da10a7f9417b91c5f80d1c758544b18bbd66bbe8f7fd3169aa4a7df2d4ee45e9783844c606163ff0aa231c9beb4f803b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cmt.exe

Filesize
8KB

MD5
dc0d40579447b035d980cf0b8cd7667c

SHA1
c907f983cb27d5caec6c941e0712afcc973487d0

SHA256
36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

SHA512
ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
512KB

MD5
7d4777ed6d9818a912c0cefc9f12dcfc

SHA1
48001b580d7a36f39823fd391411b3a32e39faba

SHA256
6862447b716d9ebac197fad0eda503fc81576fd86de9871dbfb82586b60751f6

SHA512
b898461eb44a0dd1958581a0e0cbb18b7d5ba88dcfc652bea73d84361936c1a90c40aacb4c3bf4dbfe424ddf441460c5342a5b5acb5f6605d355cefc62890414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
4.8MB

MD5
eb562e873c0d6ba767964d0de55ac5a9

SHA1
b0ca748a3046d721ec2dec8c3dbd0f204e01a165

SHA256
e8e3cddcc753e66757c3d6a47b63117f718103f03a039b40a4553849e04b8aec

SHA512
60a60cff48d0cf9293d5c84993f3f1883ccf25ccc261eaaed9fae9c41169001e802ba6926f72e8d61962e106f583b5dcb6fdbc4f1d1e88c679e91e4b41efb227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
1.6MB

MD5
a22e04468454684e96d8c90d5e69d272

SHA1
4e84db85aa4310770dd4439f4ba9dedd837d1ba9

SHA256
eff5221cad5f51ed8e5d419db5184ed479372b343ef8b1571183af91d8d6d147

SHA512
7439b5c6f2dca33c416d3f9a0a7b91ea558db2274034ec27c65480aa5ca76d1405e4ff9711071fec80d7654348d9b83a71ca541f8b1f276350114a5c04362ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
128KB

MD5
3d9ff8a504031fbbd2d866828ee7a642

SHA1
bd70d5e1e4e983ab855c19cc5021a193e0f43922

SHA256
82774139d6d23804accfc50c556856d472a79811deae8ffd52f0feb65bfeec9e

SHA512
43404ddd65207b94b80d27b0de35d5a17f7dec268567036f850b106543ef0993c57160e719ef0d9da9682dfc5b05f5dcd4a51751c588136ebead1efd6609f29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
2.1MB

MD5
1a917a85dcbb1d3df5f4dd02e3a62873

SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6

SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe

Filesize
318KB

MD5
69c8535d268d104e0b48f04617980371

SHA1
a835c367b6f9b9e63605c6e8aaa742f9db7dcf40

SHA256
3c74e8c9c3694e4036fea99eb08ba0d3502ad3fe2158432d0efdfaacd9763c35

SHA512
93f35aa818391d06c4662796bec0dced2dc7a28b666c5c4bf6a6f68898ed52b77fa2ac7dd031b701b1ab8ae396e8941ade4ef0159765419788034742534a0c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe

Filesize
1.4MB

MD5
0bd721ab9bb5dc918218a743053cf41a

SHA1
63fd3a2650472397f31a88ffe210c8b46181963e

SHA256
89373f83f2101957b75bd4323f22c6c7e0449ab2044f3d061b8417ba8b29c7a3

SHA512
0bb7c79a5230ddf2bf34dae55652ef2193f9ec7c1d0174a4f792a9f62c9515114d6c2f355d061610505132c1ae2a9e735d998f2abdfeb0ad1f7ac7424b2d4605

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe

Filesize
201KB

MD5
02fb72e349fbf4eb6e75126a2e93130b

SHA1
9a3499b651eb21643590dd91f902dc532ba72678

SHA256
f60d870ba4a24b757b7d6200d7cbfdd6ee7da44fd8d674915895ec24065cb9a4

SHA512
40f1271646980e92f2e531a26a488680dfe70459e0570e130157eb6f5fd6077c8659e38ab1036d0c5e7903ded012f0f38f3de4e1160ea4cf7645f53acc519710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
13.0MB

MD5
bcabfc8a72168c9c59967950ba586367

SHA1
4b11cde5ca21ddc2126c5dede0170f3afbeda938

SHA256
8129a2a6764c59fdfbb1945be92d8452a9a6502c6047e39c5b8d9a3c982ca192

SHA512
f756cf50bf5fffac5309de6041027947020ea65b819245c156ee92519c72d4422559981d9880808b5a34a2514942ec85d98c4ed63f4b04f2441e565003e7fac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
4.2MB

MD5
86d5605ed80eff8eb6081432d41304d2

SHA1
c9af566bd7bbf9535fc50d345170bd46e6ee267c

SHA256
109cf4791fd76ede980cf7b15fd68be9032d73c4ea24d251ff601ca2cd800e7d

SHA512
6ff525a4c55d1c3862eeb0d873864221cbc5dbe5c559d0ad02493eef610e4662c9938755137dac039ac4b1c35650eeebf6a52a11eb84af962ca0b3e7fa7e4899

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
4.4MB

MD5
1f7a1061d5565ac8ac24f509509ca116

SHA1
82aab6c710ca036787295c3410cb31cb7acb8338

SHA256
f07161948780a94464f8a5beebd503396f8d2fcf513c2485333b35d9377e86a0

SHA512
1f056c1d9426dce43ea794ea908fed93f3d778847a73b753a210c865ce7a3204a64e23d2b0a99a47f54f9f246d23f2b572832bf9cbaaca54b0b38fc1d3421090

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzcwlewe.pfe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
1.8MB

MD5
250195952ea5cb2c82d89c19af901927

SHA1
2c1d1ebd9b91fb876cc0d18a83501261a6235ec0

SHA256
4e8803bcf36e0e2a7ad236a7cf72fd70cdfec98928cd12edf10377d84460c9b9

SHA512
fafd8741d3aaef40578fc3532cdd48c3e86da5b46c9484e354e11d2482a2cc7e1dccaf90ffc55a0e126193271c192f24c39a0828bcd380f0ac7d75b26c798b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
4.6MB

MD5
d0de8273f957e0508f8b5a0897fecce9

SHA1
81fefdef87f2ba82f034b88b14cf69a9c10bbb5b

SHA256
b4144cfd46ad378183a9f1d0136b8465ce80de44423343891400524cb6cc57eb

SHA512
c1c71de2b40eb59a4de86734b2ea024db02f76f9a6939cc2f132aadab4fbacd82ca4bb7cd30e35e919c5038fd16965c99ecb91b49cb119ca00b98da2442cb01d

Download Submit
C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe

Filesize
225B

MD5
5050104b6a1222b401de71f0079fd122

SHA1
af7a82f342a97a9788ce2d7e4c6d498d2775cf4d

SHA256
43c7b034403c39d71802a2efc7558648c229544b3337d4298498a0d503151a46

SHA512
895b921d5bf5d6f29d59aa950a5622a7f2ec301968fe9fd5a08caed8666b5ee8b792afc5813e82d6176e0793ccb05d4be362a87cce61f7f2d3192b898c2db7c2

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
093394bf1aaea033fce6108b096a47bc

SHA1
62ca3e081e648107adb64ddbf2355b613e17af5e

SHA256
1b0b2ad5cc5c0cf712f98e8c144a43efb7e0403defb3654ab6416df3bb58ea42

SHA512
79bafd00a2f456080f3b6b2899154e65abc87d72b6079f576e6bb05d7a30a184325e4bd6ec824d5ff4e99275e7019bb060ed8fc5751ec1cd30f09251e5809f74

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
d430ea51175fff2651cc4f893a9440f5

SHA1
a54f8a7164b62eb0c3a519706a2308486baf8120

SHA256
8c15d58c641f19b47170696b8653a644c5221e16dde3bfb1732070c264a97c82

SHA512
c4031c6922caf6b6875cdecc46e2d6f266041118c844e70cd184702cd9b89e897b9a84233c685fd656452eaf3dc156a4f52ed382ac6937dba5018f230f20b18c

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
3f6da78e356633ba6f8acc4a09fd9527

SHA1
407257bcfeb33c069de3628024c8e04687de48df

SHA256
83ba0112fb5874a7d9d677e8575d0dde3bd3969139f125550394a3f04f6ebc49

SHA512
d1f70f7ae6f4bfdb39f64da356770daca17172c5d72b622d59ef9695706b67431daa68f3d7e0c6d6cf04da6d11f8bae9abf1bfa907870bb5a63e70a3c0090c21

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
d672f260ef5faad1c5b33c0f44cc5b8e

SHA1
fc852fd04d623f419a8b2c77cded444814dc3fb9

SHA256
be109025d6a50856d073a3f957919eefa7ef50e077e220fc66aad1518a251fc2

SHA512
de3098392130c0e2e62379ec996605d4d762c92e928c7bcb55e32c5846cf93171ba9e20ff45ca377f9a679a36d456c422d96de94ef1ecbe3c7919a0bece9505c

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
3a302dbe3f9b7bd97ae8d95f1126c915

SHA1
17abe55f721fde0ea86949ae737feeee5f584752

SHA256
c0452229cd404e5fd645cc37002e9287ba02812a437955f20ff805337b071ca8

SHA512
8917fea39c2af66c72f87ef0a957ee3f2c0f1043cb4d3ce2c1b9ad4673012949c3c2ea9ae321bbea4e4e229d913a468d8b324931bdd159b3d7d94a24f6fbd543

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
60844798a724c95d4b47e438ee1451d1

SHA1
6e9837df3b06738767fecb63a97eabce6c5f8174

SHA256
2ed4b87565816711aedc9aa9d51f4f065119042b60bafca859e916eacc2c0cdf

SHA512
0c56be968941700da5b2966af407ade6a3079bc687df31bad4daabbfa58c1b9a836ec48ea0afb730ceb443aff0032d1dc7322f58e0c36520c5afa49fe5db5d1f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
b2b7facb71a0596dc04a86b659c9e4fc

SHA1
713cf7c420bf7340120eb124dc0ec9b816c5e915

SHA256
6d0fc37a4718575de1a80c8e0cb9fe763e5bdd9370af6c582e44a1920bdaedde

SHA512
b12a39671d9206c08a99253cc538058b9a7d0bb2c29e84efec2f1b8dc181e9de6c539a3583ae8aeff716bed622f6469139068c655e937f5303497f01b4837406

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
5964d49c13482aac449c3c363b982e07

SHA1
5dd5d0c37d9fa3284a94a9bfffc171c23578bbba

SHA256
524768f83227cf14c5123c0864f624d20ff2f0832af3745ef8da76697737022a

SHA512
fa257135ef9d3379dfc91acfbb4ab14c99ddfccb99883dca5f84b53b771e0c871443b605515bc1a8a68dbe0cafe823d4c6714c6dfa77d7e41784c7234742770d

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
c970531b2ed1629c0cbe5a72f0a41c00

SHA1
fd74d7784e5b824ab1559dbc4ee9d3a59d4ad66b

SHA256
ebd7e31a6649869ec7ee83f76ae748bc04ca3f67b79c231a97ce6a961f23aa22

SHA512
87d9c0bce20a270c1ef2bb91f3021102c39490a061c42aa6f56c740104ca1face3319f25c5a37c8d2c099c80fd9fde27ce0167f94c281a6be1a25b188a833495

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
f83d0de5ae20e6358521b2ad1e24db5b

SHA1
9b32c863b39a714c78da4e633a9e524514d3fd27

SHA256
1a33e8f8234ef40149f4589b1cc2c251b34cb8ace8b76b12ef6eac1a2d5e53f8

SHA512
e8d2dc07d8d58d366e68d11e5fea5be7f520b5c71b6d45d74c7ca75c5bc044717640210f0944677d13edbf9eed28475c1f8b96a4fcae682ca7b6ce759e1c9a89

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
4.3MB

MD5
425518c140372d62282ce4a83d204a08

SHA1
535a6c7b8ab2eed49f640d1864cc2455c22f1012

SHA256
d01cc3828fc499a5c33d6b07b0d0c365716d10458c485f5592b3705710377dee

SHA512
84895064b9ebab2d2954563974efaf5b2200ba19c1f18c07712e5d6a991d35f95e45f14c44d0c685851243e41a71188c9694e0519c19d7c2610c09eedad4d526

Download Submit
memory/932-88-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-58-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-32-0x0000000000480000-0x00000000006A8000-memory.dmp

Filesize
2.2MB

Download
memory/932-33-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/932-34-0x0000000005000000-0x0000000005208000-memory.dmp

Filesize
2.0MB

Download
memory/932-35-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-36-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-38-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-40-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-42-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-44-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-46-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-48-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-50-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-52-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-54-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-56-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-60-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-62-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-64-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-66-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-68-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-70-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-72-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-74-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-76-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-78-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-80-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-82-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-84-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-86-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-90-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-92-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-94-0x0000000005000000-0x0000000005203000-memory.dmp

Filesize
2.0MB

Download
memory/932-981-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/932-982-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/932-988-0x0000000005310000-0x00000000054B0000-memory.dmp

Filesize
1.6MB

Download
memory/932-1027-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/932-1012-0x0000000007640000-0x0000000007BE4000-memory.dmp

Filesize
5.6MB

Download
memory/932-990-0x0000000004F90000-0x0000000004FDC000-memory.dmp

Filesize
304KB

Download
memory/1380-1019-0x0000000000400000-0x0000000001809000-memory.dmp

Filesize
20.0MB

Download
memory/1380-17-0x0000000001970000-0x0000000001971000-memory.dmp

Filesize
4KB

Download
memory/1380-979-0x0000000000400000-0x0000000001809000-memory.dmp

Filesize
20.0MB

Download
memory/1380-18-0x0000000000400000-0x0000000001809000-memory.dmp

Filesize
20.0MB

Download
memory/1380-19-0x0000000000400000-0x0000000001809000-memory.dmp

Filesize
20.0MB

Download
memory/2032-1-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2032-5-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2032-0-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2032-4-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2032-3-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2032-2-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/2560-2083-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2560-1353-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2560-1680-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2560-2049-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2560-1016-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2560-2050-0x0000000005060000-0x0000000005120000-memory.dmp

Filesize
768KB

Download
memory/2560-1011-0x00000000001F0000-0x0000000000330000-memory.dmp

Filesize
1.2MB

Download
memory/2560-1013-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2560-1018-0x0000000004B40000-0x0000000004C68000-memory.dmp

Filesize
1.2MB

Download
memory/2560-1022-0x0000000004CE0000-0x0000000004E0A000-memory.dmp

Filesize
1.2MB

Download
memory/2852-1119-0x0000000004200000-0x0000000004600000-memory.dmp

Filesize
4.0MB

Download
memory/2852-1028-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2852-1181-0x0000000004200000-0x0000000004600000-memory.dmp

Filesize
4.0MB

Download
memory/2852-1112-0x0000000004200000-0x0000000004600000-memory.dmp

Filesize
4.0MB

Download
memory/2928-1131-0x0000000000960000-0x0000000000AB4000-memory.dmp

Filesize
1.3MB

Download
memory/2928-4328-0x00007FFC3F3E0000-0x00007FFC3F49E000-memory.dmp

Filesize
760KB

Download
memory/2928-1134-0x00007FFC21910000-0x00007FFC223D1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-983-0x00000000027E0000-0x0000000002823000-memory.dmp

Filesize
268KB

Download
memory/2928-989-0x0000000000960000-0x0000000000AB4000-memory.dmp

Filesize
1.3MB

Download
memory/2928-1679-0x000000001BFA0000-0x000000001BFB0000-memory.dmp

Filesize
64KB

Download
memory/2928-1015-0x000000001BFA0000-0x000000001BFB0000-memory.dmp

Filesize
64KB

Download
memory/2928-999-0x00007FFC21910000-0x00007FFC223D1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-1116-0x00000000027E0000-0x0000000002823000-memory.dmp

Filesize
268KB

Download
memory/2928-998-0x0000000000960000-0x0000000000AB4000-memory.dmp

Filesize
1.3MB

Download
memory/3120-4364-0x0000000002690000-0x0000000004690000-memory.dmp

Filesize
32.0MB

Download
memory/3120-2061-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3120-2062-0x00000000002C0000-0x0000000000462000-memory.dmp

Filesize
1.6MB

Download
memory/3120-4363-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3120-4324-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3120-2524-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/3120-2069-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3120-2514-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/4980-2081-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4980-2066-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4980-4362-0x00000000052E0000-0x0000000005336000-memory.dmp

Filesize
344KB

Download
memory/4980-2105-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4980-2088-0x00000000050C0000-0x00000000051A8000-memory.dmp

Filesize
928KB

Download
memory/4992-1162-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/4992-1137-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/5112-1098-0x0000015452EE0000-0x0000015452EF0000-memory.dmp

Filesize
64KB

Download
memory/5112-1140-0x0000015452EE0000-0x0000015452EF0000-memory.dmp

Filesize
64KB

Download
memory/5112-1063-0x000001546B2C0000-0x000001546B2E2000-memory.dmp

Filesize
136KB

Download
memory/5112-2065-0x00007FFC21910000-0x00007FFC223D1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-2048-0x00007FFC21910000-0x00007FFC223D1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-1043-0x0000015452EE0000-0x0000015452EF0000-memory.dmp

Filesize
64KB

Download
memory/5112-1041-0x00007FFC21910000-0x00007FFC223D1000-memory.dmp

Filesize
10.8MB

Download