c328ee0d8c7308d2612122290e81b13f7d1d52e22d5f221a49328a03f56c6449

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flame.exe
Size

16.9MB
MD5

93aa6e8b549da8466c54dd90a1a8e76e
SHA1

d64733c3b058db001b0368eb66044c303dcecad6
SHA256

c328ee0d8c7308d2612122290e81b13f7d1d52e22d5f221a49328a03f56c6449
SHA512

1539549a6507f7eeae6d7aedf9c1fe9aabbc3690e836bcd81dcff5f68c9dc3b8df9f05cf4984abc90f73a8c090a5e575172096df7fec930ee6c5e1a9ccc6fe90
SSDEEP

393216:vZEkZgf8XgP8AxYDX1+TtIiFGuvB5IjWqn6eclz1SypX8Wjs+d9:RRbXbX71QtIZS3ILn6ecayCes+d9

Score

10^/10

evasion persistence pyinstaller

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 8 IoCs

pid	Process
2480	flame.exe
1584	flame.exe
1156	Process not Found
944	icsys.icn.exe
2140	explorer.exe
800	spoolsv.exe
756	svchost.exe
112	spoolsv.exe

Loads dropped DLL 15 IoCs

pid	Process
2908	Flame.exe
2480	flame.exe
1584	flame.exe
1584	flame.exe
1584	flame.exe
1584	flame.exe
1584	flame.exe
1584	flame.exe
1584	flame.exe
1156	Process not Found
2908	Flame.exe
944	icsys.icn.exe
2140	explorer.exe
800	spoolsv.exe
756	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Flame.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Detects Pyinstaller 7 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0030000000016ce4-6.dat	pyinstaller
behavioral1/files/0x0030000000016ce4-8.dat	pyinstaller
behavioral1/files/0x0030000000016ce4-9.dat	pyinstaller
behavioral1/files/0x0030000000016ce4-130.dat	pyinstaller
behavioral1/files/0x0030000000016ce4-131.dat	pyinstaller
behavioral1/files/0x0030000000016ce4-146.dat	pyinstaller
behavioral1/files/0x0030000000016ce4-147.dat	pyinstaller

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2008	schtasks.exe
2284	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
2908	Flame.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
944	icsys.icn.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
2140	explorer.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2140	explorer.exe
756	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2908	Flame.exe
2908	Flame.exe
944	icsys.icn.exe
944	icsys.icn.exe
2140	explorer.exe
2140	explorer.exe
800	spoolsv.exe
800	spoolsv.exe
756	svchost.exe
756	svchost.exe
112	spoolsv.exe
112	spoolsv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2480	2908	Flame.exe	28
PID 2908 wrote to memory of 2480	2908	Flame.exe	28
PID 2908 wrote to memory of 2480	2908	Flame.exe	28
PID 2908 wrote to memory of 2480	2908	Flame.exe	28
PID 2480 wrote to memory of 1584	2480	flame.exe	29
PID 2480 wrote to memory of 1584	2480	flame.exe	29
PID 2480 wrote to memory of 1584	2480	flame.exe	29
PID 2908 wrote to memory of 944	2908	Flame.exe	30
PID 2908 wrote to memory of 944	2908	Flame.exe	30
PID 2908 wrote to memory of 944	2908	Flame.exe	30
PID 2908 wrote to memory of 944	2908	Flame.exe	30
PID 944 wrote to memory of 2140	944	icsys.icn.exe	31
PID 944 wrote to memory of 2140	944	icsys.icn.exe	31
PID 944 wrote to memory of 2140	944	icsys.icn.exe	31
PID 944 wrote to memory of 2140	944	icsys.icn.exe	31
PID 2140 wrote to memory of 800	2140	explorer.exe	32
PID 2140 wrote to memory of 800	2140	explorer.exe	32
PID 2140 wrote to memory of 800	2140	explorer.exe	32
PID 2140 wrote to memory of 800	2140	explorer.exe	32
PID 800 wrote to memory of 756	800	spoolsv.exe	33
PID 800 wrote to memory of 756	800	spoolsv.exe	33
PID 800 wrote to memory of 756	800	spoolsv.exe	33
PID 800 wrote to memory of 756	800	spoolsv.exe	33
PID 756 wrote to memory of 112	756	svchost.exe	34
PID 756 wrote to memory of 112	756	svchost.exe	34
PID 756 wrote to memory of 112	756	svchost.exe	34
PID 756 wrote to memory of 112	756	svchost.exe	34
PID 2140 wrote to memory of 1972	2140	explorer.exe	35
PID 2140 wrote to memory of 1972	2140	explorer.exe	35
PID 2140 wrote to memory of 1972	2140	explorer.exe	35
PID 2140 wrote to memory of 1972	2140	explorer.exe	35
PID 756 wrote to memory of 2008	756	svchost.exe	36
PID 756 wrote to memory of 2008	756	svchost.exe	36
PID 756 wrote to memory of 2008	756	svchost.exe	36
PID 756 wrote to memory of 2008	756	svchost.exe	36
PID 756 wrote to memory of 2284	756	svchost.exe	41
PID 756 wrote to memory of 2284	756	svchost.exe	41
PID 756 wrote to memory of 2284	756	svchost.exe	41
PID 756 wrote to memory of 2284	756	svchost.exe	41
PID 756 wrote to memory of 2640	756	svchost.exe	43
PID 756 wrote to memory of 2640	756	svchost.exe	43
PID 756 wrote to memory of 2640	756	svchost.exe	43
PID 756 wrote to memory of 2640	756	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\Flame.exe
"C:\Users\Admin\AppData\Local\Temp\Flame.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- \??\c:\users\admin\appdata\local\temp\flame.exe
  c:\users\admin\appdata\local\temp\flame.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2480
- - \??\c:\users\admin\appdata\local\temp\flame.exe
    c:\users\admin\appdata\local\temp\flame.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1584
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:800
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:04 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2008
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:05 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2284
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:06 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2640
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI24802\python312.dll

Filesize
2.7MB

MD5
e30235c81784754ddf9820698fbc60bd

SHA1
2a4197543db9c00e90ef9ef748598fa41986cce8

SHA256
1e0d5f3922b6caf8dc5e9a47c4b8c49e70955becbf9eef559ab12ed9d4f4bd71

SHA512
62966acca39ddf5ee5b0d28911bbfea0b5cd7d7cc830e4afb200dd28d3f4ef0245eb79a98b63975b23c346160cec4afd85f610434b9b3ccc1d62934b3f65b0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\flame.exe

Filesize
3.1MB

MD5
7f0db0f49c753a4b86bc16a4ae30b818

SHA1
7e71f3d49ef5412099ce957c6949122ec969e420

SHA256
c51b5ec2db37cb9bcabd4348ee69959a77af13e1388b9fd40eafb32bf54a2eb5

SHA512
bd553b150c6bbd50942fb1722b0f22f3fb07aa32773caaedf133a2827dbf7583620e44955c2589992ed836b37225101b549e07991417ce56e5dc4bcacf31a918

Download Submit
C:\Users\Admin\AppData\Local\Temp\flame.exe

Filesize
5.2MB

MD5
4ea8385150d1f13945964f731cb328db

SHA1
2b162351961bb0f86cec42802056ffaf2f9c76d8

SHA256
7b3664b7ca156d1904439bc141f59c427d993dcbfe0f47220ab6a16903783e6a

SHA512
33435ba1f0e7297e6f16b2523f001f96f696d07849cfeb8691dba6311b391fce2ee49c336db4f91a227dd653e02365ceb7bbd6c887fb40c2b1ff053500b4b94b

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
6926d35508aa78d41bb800bdc92929c7

SHA1
3442fde484e0ce3828052356284922aa73ea3813

SHA256
a54e084f2c5dd2fda4e16a82821113410b7c768e78f9d180fbc72d621ae9241b

SHA512
89afdaa29d586e704c547e19ca663798f041e3afde2c94ffe46cf584c5bf9258a7c9f4e6c156c76e2c149fac3eda4a1388fae4b1e11371deaaf834243761815f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
9d6894062fa439a496dc4645632de6ba

SHA1
d6193ca6d8177ac3ecdce2107bd64a2a701f5b20

SHA256
e355aa215e660abdbabc9ec91ef4a87418285963f78ab2dc255f1bc550087c51

SHA512
1924ed3569e92cb3a74571bb8a204f80b0b476d15935961595154f07d385877064aa52f511778eacfe34f5d8494930a53a10917177417d97be13ea0dc8c6449d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
cc14bb7e34215daa4b57444f887fcf92

SHA1
9acbc8ba557c95099f32113651100e26601009f7

SHA256
1806adf3070dac6d1411af59e001e99432cfbdb05705633bb2268a71439a8421

SHA512
db8c38a717b11a6d110f56ba2ba50e6a71bbce2277bdf49c718d6ce43cb6eae384a3fa35b04f76cdc450e023a89ede6e6612eb6d31868f225e9408a860723447

Download Submit
\??\c:\users\admin\appdata\local\temp\flame.exe

Filesize
4.6MB

MD5
170fe6490bae8c9a503797b9056a4675

SHA1
b3dd4dd40de57d7fed384bfe5a448aae38428c24

SHA256
dc5fc4b183bd4ebdc1c6af02e8327b821d98b17ea4a01f746c8c04d7ab79b5ce

SHA512
e0bc928630632f048841fbe9575bf65d8d85b7fce1a095976e52595ad5526d419b78973ff2a077e656decfb3b89d130276b5bf873722f145af27dbb456235873

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe

Filesize
135KB

MD5
c506b02b2c194c35a93117e153ecfe9a

SHA1
e27f1d6279b22f0eaaac4d60da18f62b5154f606

SHA256
35ae11797b46df8aa86997ea075ea2c2608092a9847a069cfc908b4920749ca6

SHA512
0c3f948cc4c36e49f867a1df8f7273de15122cf93e89ae2f4cac2e99dcc5bbfca75b3c403eabac099073903e6fd6b42f330f86e7b9943fe217f38fc14312f72f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\python312.dll

Filesize
2.3MB

MD5
87cc806e91ad1c03c7689d02be097f6d

SHA1
a94810013ce026645005d8d41894d12d7d973391

SHA256
92920c67acebe7df8916172acb719946929983508a75deb66c2e0490e1d27eb9

SHA512
57c3b39424094c50b3cbc15735f4df0342fd41dbb45ad46b1d481a8e5abd78509e4872f92e374e5bd10d8856ff912ece07f8d7a6658d41365629ed9b2738be9c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24802\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\flame.exe

Filesize
3.0MB

MD5
5c05c03c8f3fcc95e7e00fa77b881a97

SHA1
67eb648251448df8bae12adc596b1a17014d2260

SHA256
f997b3001cb28f7c98ec3e2e07db0f0e5414d0c3a9f5f27420449795759ab8ba

SHA512
6e976be17bddba276d9d1810df925772c7cff8f667fca67e04a00be4eefee881e29245f0a17935c4fef1cefe6cf6c09c8fba37e92662f1e42c12f2d9760ad469

Download Submit
\Users\Admin\AppData\Local\Temp\flame.exe

Filesize
2.4MB

MD5
4a35f1c11edb88e0a83d0a362e2f786b

SHA1
26570a17eb66833903e943d304258a23ddcf3dda

SHA256
4dcc0dbd17e4d5af945503d13f2aa6899b6a1800ed82710c981775f6615910e5

SHA512
b0dc3c90f0b371e15c91822920d3e8f80a3a10f6056146dcfca905516b54947b063244bcdeb62465939027d618c3a7c529646f6aefacca9021ceae7158d48fe1

Download Submit
\Users\Admin\AppData\Local\Temp\flame.exe

Filesize
2.0MB

MD5
9f0fda0c4661a614773a60dd9a7d2b38

SHA1
20a0777eed9b29cb1b7c56ec43343ce729662dd5

SHA256
3dd40a34b4d808f70df7b9a2a2efa602eca8cc208d2024faa0274c247df02683

SHA512
28e40bb7179840be993420d9ee73dd8313f280f98e75b9ea01dc895b2a75b9584c9496eb0af9295753a54861aa869ca05a9d4a7e5513e31096367c1fe42e40a2

Download Submit
\Users\Admin\AppData\Local\Temp\flame.exe

Filesize
5.5MB

MD5
e49a1da124cf6ff6a331b2bdf1f814eb

SHA1
192c532ae2ff8d8289c65ae73e2c5314006faebf

SHA256
b2da5b97d3ff5fd40f978686d01e84d5afaa824ff12ec33fc0edfe780c0079c8

SHA512
11fa5e80534d11a3b1dfd1d54aabf1de8a0fea3b6f502249ee81a35d7695156141cf5ff66cd83cee46e23a36291f1e8d0efdd40d9779131278c13c8b6e37f90c

Download Submit
memory/112-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/112-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-307-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/800-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-276-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2140-286-0x0000000000650000-0x000000000066F000-memory.dmp

Filesize
124KB

Download
memory/2908-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-265-0x0000000000200000-0x000000000021F000-memory.dmp

Filesize
124KB

Download
memory/2908-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download