asyncrat | 6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c

Resubmissions

06-09-2022 03:04

220906-dk2dasbcam 10

24-08-2022 20:26

220824-y7t8qaaffp 10

Analysis

max time kernel
105s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-08-2022 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18193c95d0c31ab132d9bc2da884d7c.exe
Size

22.0MB
MD5

a18193c95d0c31ab132d9bc2da884d7c
SHA1

063e58b4b3b920e68006d4d28625df894e20750a
SHA256

6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c
SHA512

1c5119a13ddbbe2293759e5cd66de8747abba98d46aa9883c1ccadb489a2cf54be58766aa157fd383a6f631c9265d7b873c068fd992c6dc592ab32a6afd10547
SSDEEP

393216:TJWrtpiMPeMNKxIyMMUGJQmNVmIRKGl5X1+moeWJIYR22uYZm:kpWMtMUJ+KG3XsmOZFpm

Score

10^/10

asyncrat limerat redline @miroskati discovery evasion exploit infostealer persistence rat spyware vmprotect

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

redline

193.106.191.106:26883

193.124.22.40:19788

193.106.191.16:28958

62.204.41.141:24758

Attributes

auth_value
7632632e4a60a2f35a2a92deeaa3ce8f

Extracted

Family

redline

Botnet

@Miroskati

litrazalilibe.xyz:81

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/159928-109-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/159928-120-0x000000000041B50E-mapping.dmp	family_redline
behavioral1/memory/159928-122-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/159928-123-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/320668-129-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/320668-139-0x000000000009ADCE-mapping.dmp	family_redline
behavioral1/memory/174664-142-0x00000000003A0000-0x00000000003FD000-memory.dmp	family_redline
behavioral1/memory/320668-141-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/174664-137-0x00000000003A0000-0x00000000003FD000-memory.dmp	family_redline
behavioral1/memory/320668-146-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/159348-152-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/159348-159-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/159348-160-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/5880-162-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/159348-165-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/5880-168-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/5880-169-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/5880-170-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000003d5d-58.dat	asyncrat
behavioral1/files/0x000a000000003d5d-61.dat	asyncrat
behavioral1/files/0x000a000000003d5d-62.dat	asyncrat
behavioral1/memory/1564-87-0x0000000001100000-0x0000000001122000-memory.dmp	asyncrat

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	6.exe

Executes dropped EXE 13 IoCs

pid	Process
1564	1.exe
1668	2.exe
840	3.exe
2860	5.exe
13780	6.exe
20016	7.exe
33824	9.exe
73804	11.exe
117808	10.exe
174664	8.exe
7460	BuildMiner.exe
24428	updater.exe
51976	dllhost.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
24228	takeown.exe
24248	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/380-55-0x0000000000400000-0x0000000003579000-memory.dmp	vmprotect
behavioral1/files/0x0009000000012732-67.dat	vmprotect
behavioral1/files/0x0009000000012732-69.dat	vmprotect
behavioral1/files/0x0009000000012732-75.dat	vmprotect
behavioral1/memory/840-86-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect
behavioral1/memory/840-99-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect
behavioral1/memory/840-121-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect

Loads dropped DLL 20 IoCs

pid	Process
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
380	a18193c95d0c31ab132d9bc2da884d7c.exe
159348	AppLaunch.exe
24384	taskeng.exe
7460	BuildMiner.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
24228	takeown.exe
24248	icacls.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
380	a18193c95d0c31ab132d9bc2da884d7c.exe
840	3.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 159928	1668	2.exe	43
PID 174664 set thread context of 320668	174664	8.exe	51
PID 20016 set thread context of 350196	20016	7.exe	52
PID 33824 set thread context of 159348	33824	9.exe	53
PID 73804 set thread context of 5880	73804	11.exe	54

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	6.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	6.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
24088	sc.exe
24128	sc.exe
53516	sc.exe
24000	sc.exe
24044	sc.exe
24060	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
53072	schtasks.exe
53020	schtasks.exe
24536	schtasks.exe
52732	schtasks.exe
52908	schtasks.exe
53032	schtasks.exe
53100	schtasks.exe
52952	schtasks.exe
53128	schtasks.exe
53084	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40aa09f0f7b7d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
24596	reg.exe
24624	reg.exe
24188	reg.exe
24200	reg.exe
24212	reg.exe
24144	reg.exe
24156	reg.exe
24608	reg.exe
24636	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
380	a18193c95d0c31ab132d9bc2da884d7c.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
840	3.exe
232592	powershell.exe
1852	powershell.exe
159928	AppLaunch.exe
350196	AppLaunch.exe
5880	AppLaunch.exe
350196	AppLaunch.exe
159348	AppLaunch.exe
7668	powershell.exe
13780	6.exe
23988	powershell.exe
24328	powershell.exe
24700	powershell.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe
51976	dllhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	232592	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	159928	AppLaunch.exe
Token: SeDebugPrivilege	350196	AppLaunch.exe
Token: SeDebugPrivilege	5880	AppLaunch.exe
Token: SeDebugPrivilege	159348	AppLaunch.exe
Token: SeDebugPrivilege	7668	powershell.exe
Token: SeDebugPrivilege	13780	6.exe
Token: SeShutdownPrivilege	24032	powercfg.exe
Token: SeShutdownPrivilege	24076	powercfg.exe
Token: SeShutdownPrivilege	24108	powercfg.exe
Token: SeShutdownPrivilege	24172	powercfg.exe
Token: SeTakeOwnershipPrivilege	24228	takeown.exe
Token: SeDebugPrivilege	23988	powershell.exe
Token: SeDebugPrivilege	7460	BuildMiner.exe
Token: SeDebugPrivilege	24328	powershell.exe
Token: SeDebugPrivilege	24700	powershell.exe
Token: SeDebugPrivilege	51976	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 1852	380	a18193c95d0c31ab132d9bc2da884d7c.exe	28
PID 380 wrote to memory of 1852	380	a18193c95d0c31ab132d9bc2da884d7c.exe	28
PID 380 wrote to memory of 1852	380	a18193c95d0c31ab132d9bc2da884d7c.exe	28
PID 380 wrote to memory of 1852	380	a18193c95d0c31ab132d9bc2da884d7c.exe	28
PID 380 wrote to memory of 1564	380	a18193c95d0c31ab132d9bc2da884d7c.exe	29
PID 380 wrote to memory of 1564	380	a18193c95d0c31ab132d9bc2da884d7c.exe	29
PID 380 wrote to memory of 1564	380	a18193c95d0c31ab132d9bc2da884d7c.exe	29
PID 380 wrote to memory of 1564	380	a18193c95d0c31ab132d9bc2da884d7c.exe	29
PID 380 wrote to memory of 1668	380	a18193c95d0c31ab132d9bc2da884d7c.exe	30
PID 380 wrote to memory of 1668	380	a18193c95d0c31ab132d9bc2da884d7c.exe	30
PID 380 wrote to memory of 1668	380	a18193c95d0c31ab132d9bc2da884d7c.exe	30
PID 380 wrote to memory of 1668	380	a18193c95d0c31ab132d9bc2da884d7c.exe	30
PID 380 wrote to memory of 840	380	a18193c95d0c31ab132d9bc2da884d7c.exe	32
PID 380 wrote to memory of 840	380	a18193c95d0c31ab132d9bc2da884d7c.exe	32
PID 380 wrote to memory of 840	380	a18193c95d0c31ab132d9bc2da884d7c.exe	32
PID 380 wrote to memory of 840	380	a18193c95d0c31ab132d9bc2da884d7c.exe	32
PID 380 wrote to memory of 2860	380	a18193c95d0c31ab132d9bc2da884d7c.exe	33
PID 380 wrote to memory of 2860	380	a18193c95d0c31ab132d9bc2da884d7c.exe	33
PID 380 wrote to memory of 2860	380	a18193c95d0c31ab132d9bc2da884d7c.exe	33
PID 380 wrote to memory of 2860	380	a18193c95d0c31ab132d9bc2da884d7c.exe	33
PID 380 wrote to memory of 13780	380	a18193c95d0c31ab132d9bc2da884d7c.exe	34
PID 380 wrote to memory of 13780	380	a18193c95d0c31ab132d9bc2da884d7c.exe	34
PID 380 wrote to memory of 13780	380	a18193c95d0c31ab132d9bc2da884d7c.exe	34
PID 380 wrote to memory of 13780	380	a18193c95d0c31ab132d9bc2da884d7c.exe	34
PID 380 wrote to memory of 20016	380	a18193c95d0c31ab132d9bc2da884d7c.exe	35
PID 380 wrote to memory of 20016	380	a18193c95d0c31ab132d9bc2da884d7c.exe	35
PID 380 wrote to memory of 20016	380	a18193c95d0c31ab132d9bc2da884d7c.exe	35
PID 380 wrote to memory of 20016	380	a18193c95d0c31ab132d9bc2da884d7c.exe	35
PID 380 wrote to memory of 33824	380	a18193c95d0c31ab132d9bc2da884d7c.exe	37
PID 380 wrote to memory of 33824	380	a18193c95d0c31ab132d9bc2da884d7c.exe	37
PID 380 wrote to memory of 33824	380	a18193c95d0c31ab132d9bc2da884d7c.exe	37
PID 380 wrote to memory of 33824	380	a18193c95d0c31ab132d9bc2da884d7c.exe	37
PID 380 wrote to memory of 73804	380	a18193c95d0c31ab132d9bc2da884d7c.exe	39
PID 380 wrote to memory of 73804	380	a18193c95d0c31ab132d9bc2da884d7c.exe	39
PID 380 wrote to memory of 73804	380	a18193c95d0c31ab132d9bc2da884d7c.exe	39
PID 380 wrote to memory of 73804	380	a18193c95d0c31ab132d9bc2da884d7c.exe	39
PID 380 wrote to memory of 117808	380	a18193c95d0c31ab132d9bc2da884d7c.exe	41
PID 380 wrote to memory of 117808	380	a18193c95d0c31ab132d9bc2da884d7c.exe	41
PID 380 wrote to memory of 117808	380	a18193c95d0c31ab132d9bc2da884d7c.exe	41
PID 380 wrote to memory of 117808	380	a18193c95d0c31ab132d9bc2da884d7c.exe	41
PID 1668 wrote to memory of 159928	1668	2.exe	43
PID 1668 wrote to memory of 159928	1668	2.exe	43
PID 1668 wrote to memory of 159928	1668	2.exe	43
PID 1668 wrote to memory of 159928	1668	2.exe	43
PID 380 wrote to memory of 174664	380	a18193c95d0c31ab132d9bc2da884d7c.exe	44
PID 380 wrote to memory of 174664	380	a18193c95d0c31ab132d9bc2da884d7c.exe	44
PID 380 wrote to memory of 174664	380	a18193c95d0c31ab132d9bc2da884d7c.exe	44
PID 380 wrote to memory of 174664	380	a18193c95d0c31ab132d9bc2da884d7c.exe	44
PID 1668 wrote to memory of 159928	1668	2.exe	43
PID 840 wrote to memory of 217864	840	3.exe	46
PID 840 wrote to memory of 217864	840	3.exe	46
PID 840 wrote to memory of 217864	840	3.exe	46
PID 13780 wrote to memory of 232592	13780	6.exe	47
PID 13780 wrote to memory of 232592	13780	6.exe	47
PID 13780 wrote to memory of 232592	13780	6.exe	47
PID 1668 wrote to memory of 159928	1668	2.exe	43
PID 380 wrote to memory of 238408	380	a18193c95d0c31ab132d9bc2da884d7c.exe	48
PID 380 wrote to memory of 238408	380	a18193c95d0c31ab132d9bc2da884d7c.exe	48
PID 380 wrote to memory of 238408	380	a18193c95d0c31ab132d9bc2da884d7c.exe	48
PID 380 wrote to memory of 238408	380	a18193c95d0c31ab132d9bc2da884d7c.exe	48
PID 174664 wrote to memory of 320668	174664	8.exe	51
PID 174664 wrote to memory of 320668	174664	8.exe	51
PID 174664 wrote to memory of 320668	174664	8.exe	51
PID 174664 wrote to memory of 320668	174664	8.exe	51

C:\Users\Admin\AppData\Local\Temp\a18193c95d0c31ab132d9bc2da884d7c.exe
"C:\Users\Admin\AppData\Local\Temp\a18193c95d0c31ab132d9bc2da884d7c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAdABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAZgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdABrACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:159928
- C:\Users\Admin\AppData\Local\Temp\3.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3.exe >> NUL
    3⤵
    PID:217864
- C:\Users\Admin\AppData\Local\Temp\5.exe
  "C:\Users\Admin\AppData\Local\Temp\5.exe"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\6.exe
  "C:\Users\Admin\AppData\Local\Temp\6.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:13780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAGsAcwBsACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:232592
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    3⤵
    PID:23936
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:24000
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:24044
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:24060
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:24088
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:24128
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      4⤵
      Modifies security service
      Modifies registry key
      PID:24188
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      4⤵
      Modifies registry key
      PID:24200
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      4⤵
      Modifies registry key
      PID:24212
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:24228
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:24248
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      4⤵
      Modifies registry key
      PID:24156
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      4⤵
      Modifies registry key
      PID:24144
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:24596
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:24608
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:24624
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      4⤵
      PID:24652
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:24636
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      4⤵
      PID:24688
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      4⤵
      PID:52208
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      4⤵
      PID:51788
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      4⤵
      PID:51804
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      4⤵
      PID:51828
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      PID:51848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:23976
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:24032
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:24076
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:24172
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:24108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
    3⤵
    PID:24276
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
      4⤵
      Creates scheduled task(s)
      PID:24536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:24524
  - - C:\Windows\system32\schtasks.exe
      schtasks /run /tn "GoogleUpdateTaskMachineQC"
      4⤵
      PID:24556
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:20016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:350196
- C:\Users\Admin\AppData\Local\Temp\9.exe
  "C:\Users\Admin\AppData\Local\Temp\9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:33824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:159348
  - - C:\Users\Admin\AppData\Local\Temp\BuildMiner.exe
      "C:\Users\Admin\AppData\Local\Temp\BuildMiner.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:7460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
        5⤵
        
        PID:7576
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:7636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:23988
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:24328
    - - C:\ProgramData\Dllhost\dllhost.exe
        
        "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:51976
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:52732
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52092
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:52952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5063" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52548
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7517" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7517" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:53084
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk6555" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk6555" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:53032
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6101" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6101" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:53128
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52364
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52340
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52312
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52288
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:52264
- C:\Users\Admin\AppData\Local\Temp\11.exe
  "C:\Users\Admin\AppData\Local\Temp\11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:73804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5880
- C:\Users\Admin\AppData\Local\Temp\10.exe
  "C:\Users\Admin\AppData\Local\Temp\10.exe"
  2⤵
  - Executes dropped EXE
  PID:117808
- C:\Users\Admin\AppData\Local\Temp\8.exe
  "C:\Users\Admin\AppData\Local\Temp\8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:174664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:320668
- C:\Users\Admin\AppData\Local\Temp\v0.7.exe
  "C:\Users\Admin\AppData\Local\Temp\v0.7.exe"
  2⤵
  PID:238408

C:\Windows\system32\taskeng.exe
taskeng.exe {8B1F7F10-0FCE-404E-AC7D-759996B234DE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:24384
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:24428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAGsAcwBsACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:24700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    3⤵
    PID:53448
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:53516

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:52908

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:53100

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:53072

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:53020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
836KB

MD5
4181ede0b282fe6236b98ff1196bf897

SHA1
1bed36de73bfcca637515975ae9ff206a503eacc

SHA256
192ffadf7348d1dcd7c37404e3911d1399bf12fefc275e74753996670af6a269

SHA512
f9017735c41944353af63dc3e629ec81c4173c4569334b1d77880a0379425c80c81f3d17f72f160f4b1a7b80936b52093185a1fd993ae94f1865582302b83a63

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
836KB

MD5
4181ede0b282fe6236b98ff1196bf897

SHA1
1bed36de73bfcca637515975ae9ff206a503eacc

SHA256
192ffadf7348d1dcd7c37404e3911d1399bf12fefc275e74753996670af6a269

SHA512
f9017735c41944353af63dc3e629ec81c4173c4569334b1d77880a0379425c80c81f3d17f72f160f4b1a7b80936b52093185a1fd993ae94f1865582302b83a63

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
497B

MD5
13fda2ab01b83a5130842a5bab3892d3

SHA1
6e18e4b467cde054a63a95d4dfc030f156ecd215

SHA256
76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

SHA512
c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
413KB

MD5
5998150187408a1d1da9090a8cbf4a6d

SHA1
d764bab45313e96d050c43c2c476d28baa2c1eaf

SHA256
8fb31b017a281212c5246fd1aad185548aee1ada35574b3758439d8921f24626

SHA512
83540bc89b1ac0d2ce1423e675c8781f326fb9fc9188e5545ba13ba52d8e376a98e6768b5f349e6df481745426c6cf62ead4d2aee5ea280634faaeedf4ca60cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
1.4MB

MD5
00854e47bc6249cefca953ddc3f20f48

SHA1
fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d

SHA256
981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa

SHA512
1ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.4MB

MD5
9bda451a29ccd4791cf8ac5c240e8048

SHA1
7ecded8397484e5b4cfcad8fdbe167bb1af2b11f

SHA256
a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635

SHA512
acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
4.9MB

MD5
43e86612f2667d3df11c97c2aacadc97

SHA1
6e3b37c580840dd44444b249941e98fd1b49852c

SHA256
d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591

SHA512
0479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
4.9MB

MD5
43e86612f2667d3df11c97c2aacadc97

SHA1
6e3b37c580840dd44444b249941e98fd1b49852c

SHA256
d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591

SHA512
0479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
2.4MB

MD5
7612d86c7e4b0d6624a1387da41c18ee

SHA1
aef37933ce24a135f0f84d09351b852f09ea1e58

SHA256
761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb

SHA512
e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
367KB

MD5
50e064b49ae012894a53fe30dac655d6

SHA1
19181a85a5d89d32cd8716b15b9160336168d273

SHA256
fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0

SHA512
4c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
2.5MB

MD5
6cabeda725dedf18f07565dd8ce222fd

SHA1
e42cc2c0cf55c603f322677b5008da0e9752d30e

SHA256
7a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf

SHA512
2050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuildMiner.exe

Filesize
702KB

MD5
4f081220853b2796222bd70f2e2b20ef

SHA1
9bd8daf817b5f2328fee4c7d2085a35aaac2f35e

SHA256
a79d3ec50cc89c543bf4d637b497fb810e5c11ca98b78ab7511896fad55dd955

SHA512
c84d2f5ab0e2cb5ea0451dd9285e3aff0e4c1a058829d20c588eeb285bd0e7de3834a9aba7b520c3fead620fe903396750fc9411877b853e389d158567cc0fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuildMiner.exe

Filesize
702KB

MD5
4f081220853b2796222bd70f2e2b20ef

SHA1
9bd8daf817b5f2328fee4c7d2085a35aaac2f35e

SHA256
a79d3ec50cc89c543bf4d637b497fb810e5c11ca98b78ab7511896fad55dd955

SHA512
c84d2f5ab0e2cb5ea0451dd9285e3aff0e4c1a058829d20c588eeb285bd0e7de3834a9aba7b520c3fead620fe903396750fc9411877b853e389d158567cc0fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
84f37d84cfe25d9388c13104dbd1e17c

SHA1
0181225f6084ef86972c6b80b0acddea11c1a158

SHA256
c9239e727955ccdf4691b45fc4178394025b983630eecf24dbc61fe268565310

SHA512
f10a12f945f6e03d6366536908dec01f1776affae448046da40ca859dfd46b4a5923cd555c15a967873f813cb98e8ea6b8e1564d6ca467b2bcd5687417002beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b1ee0d225dab22c02c34ead07d168016

SHA1
54528a0995811722924a91179dada481ac7a226c

SHA256
27c8a96ea56ca5c95a180166a7b2be5eb19124a3f146332410a9746a755ed704

SHA512
9889a42c510d33a9eaae04db3ce25b6d52d620baea4062a22f64442271773ddab400ca7ee01a0c63218b6c4cf4112366078a479bac6d9a3824e12e68680f9cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
84f37d84cfe25d9388c13104dbd1e17c

SHA1
0181225f6084ef86972c6b80b0acddea11c1a158

SHA256
c9239e727955ccdf4691b45fc4178394025b983630eecf24dbc61fe268565310

SHA512
f10a12f945f6e03d6366536908dec01f1776affae448046da40ca859dfd46b4a5923cd555c15a967873f813cb98e8ea6b8e1564d6ca467b2bcd5687417002beb

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
\ProgramData\Dllhost\dllhost.exe

Filesize
836KB

MD5
4181ede0b282fe6236b98ff1196bf897

SHA1
1bed36de73bfcca637515975ae9ff206a503eacc

SHA256
192ffadf7348d1dcd7c37404e3911d1399bf12fefc275e74753996670af6a269

SHA512
f9017735c41944353af63dc3e629ec81c4173c4569334b1d77880a0379425c80c81f3d17f72f160f4b1a7b80936b52093185a1fd993ae94f1865582302b83a63

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
\Users\Admin\AppData\Local\Temp\10.exe

Filesize
413KB

MD5
5998150187408a1d1da9090a8cbf4a6d

SHA1
d764bab45313e96d050c43c2c476d28baa2c1eaf

SHA256
8fb31b017a281212c5246fd1aad185548aee1ada35574b3758439d8921f24626

SHA512
83540bc89b1ac0d2ce1423e675c8781f326fb9fc9188e5545ba13ba52d8e376a98e6768b5f349e6df481745426c6cf62ead4d2aee5ea280634faaeedf4ca60cb

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe

Filesize
1.4MB

MD5
00854e47bc6249cefca953ddc3f20f48

SHA1
fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d

SHA256
981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa

SHA512
1ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe

Filesize
1.4MB

MD5
00854e47bc6249cefca953ddc3f20f48

SHA1
fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d

SHA256
981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa

SHA512
1ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.4MB

MD5
9bda451a29ccd4791cf8ac5c240e8048

SHA1
7ecded8397484e5b4cfcad8fdbe167bb1af2b11f

SHA256
a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635

SHA512
acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.4MB

MD5
9bda451a29ccd4791cf8ac5c240e8048

SHA1
7ecded8397484e5b4cfcad8fdbe167bb1af2b11f

SHA256
a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635

SHA512
acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
4.9MB

MD5
43e86612f2667d3df11c97c2aacadc97

SHA1
6e3b37c580840dd44444b249941e98fd1b49852c

SHA256
d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591

SHA512
0479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0

Download Submit
\Users\Admin\AppData\Local\Temp\5.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
\Users\Admin\AppData\Local\Temp\5.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe

Filesize
2.4MB

MD5
7612d86c7e4b0d6624a1387da41c18ee

SHA1
aef37933ce24a135f0f84d09351b852f09ea1e58

SHA256
761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb

SHA512
e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe

Filesize
2.4MB

MD5
7612d86c7e4b0d6624a1387da41c18ee

SHA1
aef37933ce24a135f0f84d09351b852f09ea1e58

SHA256
761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb

SHA512
e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0

Download Submit
\Users\Admin\AppData\Local\Temp\8.exe

Filesize
367KB

MD5
50e064b49ae012894a53fe30dac655d6

SHA1
19181a85a5d89d32cd8716b15b9160336168d273

SHA256
fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0

SHA512
4c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef

Download Submit
\Users\Admin\AppData\Local\Temp\8.exe

Filesize
367KB

MD5
50e064b49ae012894a53fe30dac655d6

SHA1
19181a85a5d89d32cd8716b15b9160336168d273

SHA256
fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0

SHA512
4c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef

Download Submit
\Users\Admin\AppData\Local\Temp\9.exe

Filesize
2.5MB

MD5
6cabeda725dedf18f07565dd8ce222fd

SHA1
e42cc2c0cf55c603f322677b5008da0e9752d30e

SHA256
7a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf

SHA512
2050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947

Download Submit
\Users\Admin\AppData\Local\Temp\9.exe

Filesize
2.5MB

MD5
6cabeda725dedf18f07565dd8ce222fd

SHA1
e42cc2c0cf55c603f322677b5008da0e9752d30e

SHA256
7a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf

SHA512
2050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947

Download Submit
\Users\Admin\AppData\Local\Temp\BuildMiner.exe

Filesize
702KB

MD5
4f081220853b2796222bd70f2e2b20ef

SHA1
9bd8daf817b5f2328fee4c7d2085a35aaac2f35e

SHA256
a79d3ec50cc89c543bf4d637b497fb810e5c11ca98b78ab7511896fad55dd955

SHA512
c84d2f5ab0e2cb5ea0451dd9285e3aff0e4c1a058829d20c588eeb285bd0e7de3834a9aba7b520c3fead620fe903396750fc9411877b853e389d158567cc0fb7

Download Submit
\Users\Admin\AppData\Local\Temp\v0.7.exe

Filesize
7.1MB

MD5
4fb5fe2d1c634048f57951fac1119c70

SHA1
ac212f208ea3e99e868f2846ece0ac5bfc5f1ad0

SHA256
c3196cefb0a5baa235a5ce3205f13650d80d918e5c5b44850dbf6bf87dd42f7b

SHA512
0582955b826945d6a6b971192b7560bacc514dc8adee493cb93a6634285d8cf011ca9a8d4d987cff2c2543d91331fbce451f488cb97f52d99264207d5dc667aa

Download Submit
memory/380-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/380-55-0x0000000000400000-0x0000000003579000-memory.dmp

Filesize
49.5MB

Download
memory/840-121-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/840-86-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/840-110-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download
memory/840-99-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/1564-87-0x0000000001100000-0x0000000001122000-memory.dmp

Filesize
136KB

Download
memory/1852-155-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-97-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-180-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-83-0x0000000000ED0000-0x0000000000EEE000-memory.dmp

Filesize
120KB

Download
memory/5880-169-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5880-162-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5880-170-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7460-186-0x00000000011D0000-0x0000000001278000-memory.dmp

Filesize
672KB

Download
memory/7668-196-0x00000000721E0000-0x000000007278B000-memory.dmp

Filesize
5.7MB

Download
memory/7668-194-0x00000000721E0000-0x000000007278B000-memory.dmp

Filesize
5.7MB

Download
memory/13780-85-0x000000013FEA0000-0x00000001402BE000-memory.dmp

Filesize
4.1MB

Download
memory/23988-221-0x000000006D6D0000-0x000000006DC7B000-memory.dmp

Filesize
5.7MB

Download
memory/24328-225-0x00000000721E0000-0x000000007278B000-memory.dmp

Filesize
5.7MB

Download
memory/24328-228-0x00000000721E0000-0x000000007278B000-memory.dmp

Filesize
5.7MB

Download
memory/24428-231-0x000000013F430000-0x000000013F84E000-memory.dmp

Filesize
4.1MB

Download
memory/24700-250-0x000000000115B000-0x000000000117A000-memory.dmp

Filesize
124KB

Download
memory/24700-249-0x0000000001154000-0x0000000001157000-memory.dmp

Filesize
12KB

Download
memory/51976-256-0x0000000000D70000-0x0000000000E20000-memory.dmp

Filesize
704KB

Download
memory/159348-160-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/159348-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/159348-165-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/159928-122-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/159928-103-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/159928-123-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/159928-109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/174664-137-0x00000000003A0000-0x00000000003FD000-memory.dmp

Filesize
372KB

Download
memory/174664-142-0x00000000003A0000-0x00000000003FD000-memory.dmp

Filesize
372KB

Download
memory/232592-178-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/232592-179-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/232592-138-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/232592-126-0x000007FEED970000-0x000007FEEE4CD000-memory.dmp

Filesize
11.4MB

Download
memory/232592-176-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/232592-177-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/320668-129-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/320668-146-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/320668-141-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/350196-130-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/350196-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/350196-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/350196-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download