mimikatz | 94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013

Analysis

max time kernel
23s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
22-02-2025 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bomb.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

mimikatz njrat phorphiex xmrig hacked defense_evasion discovery execution loader miner persistence trojan upx worm

Malware Config

Extracted

Family

njrat

Botnet

HacKed

Mutex

53$79$73$74$65$6d$33$32

Attributes

reg_key
53$79$73$74$65$6d$33$32
splitter
|-F-|

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral4/files/0x001d00000002aef1-33.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral4/memory/2104-152-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-156-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-155-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-159-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-218-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-158-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-157-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/2104-151-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/files/0x001a00000002af79-240.dat	family_xmrig
behavioral4/files/0x001a00000002af79-240.dat	xmrig
behavioral4/memory/1596-293-0x00007FF7DA210000-0x00007FF7DAE44000-memory.dmp	xmrig

Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral4/files/0x001900000002af6d-166.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5868	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 10 IoCs

flow	pid	Process
6	4964	bomb.exe
6	4964	bomb.exe
13	5664	http185.215.113.66pei.exe.exe
7	4964	bomb.exe
7	4964	bomb.exe
11	4964	bomb.exe
12	4964	bomb.exe
8	4964	bomb.exe
4	4964	bomb.exe
4	4964	bomb.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3180	netsh.exe
3768	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 18 IoCs

pid	Process
3268	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
5664	http185.215.113.66pei.exe.exe
1048	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
4612	httptwizt.netnewtpp.exe.exe
4524	http185.215.113.75filesLisan7random.exe.exe
3944	http185.215.113.66xmin.exe.exe
4820	http185.215.113.66mindelnew.exe.exe
3860	http185.215.113.66del3.exe.exe
3540	http185.215.113.66minedelll.exe.exe
5204	http185.215.113.66del1.exe.exe
3108	2013125154.exe
2832	sysnldcvmr.exe
6112	http185.215.113.66xmrminer.exe.exe
5548	http185.215.113.66del2.exe.exe
2404	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
1040	winuspdt.exe
5476	httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
3776	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUTDSRESW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
5860	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1040 set thread context of 5196	1040	winuspdt.exe	119
PID 1040 set thread context of 2104	1040	winuspdt.exe	120

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/2104-148-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-152-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-156-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-155-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-159-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-218-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-158-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-157-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-151-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-150-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-149-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-146-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/2104-147-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\sysnldcvmr.exe	2013125154.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
532	sc.exe
2176	sc.exe
424	sc.exe
4880	sc.exe
4244	sc.exe
1820	sc.exe
3576	sc.exe
3192	sc.exe
1792	sc.exe
2664	sc.exe
4860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	4524	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesLisan7random.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66mindelnew.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2013125154.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5776	taskkill.exe
2572	taskkill.exe
2880	taskkill.exe
2944	taskkill.exe
5992	taskkill.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3540	http185.215.113.66minedelll.exe.exe
5204	http185.215.113.66del1.exe.exe
5548	http185.215.113.66del2.exe.exe
3944	http185.215.113.66xmin.exe.exe
3944	http185.215.113.66xmin.exe.exe
3944	http185.215.113.66xmin.exe.exe
3944	http185.215.113.66xmin.exe.exe
1040	winuspdt.exe
1040	winuspdt.exe
1344	conhost.exe
5868	powershell.exe
5868	powershell.exe
6112	http185.215.113.66xmrminer.exe.exe
6112	http185.215.113.66xmrminer.exe.exe
5868	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	bomb.exe
Token: SeDebugPrivilege	3540	http185.215.113.66minedelll.exe.exe
Token: SeDebugPrivilege	5204	http185.215.113.66del1.exe.exe
Token: SeDebugPrivilege	5548	http185.215.113.66del2.exe.exe
Token: SeLockMemoryPrivilege	2104	dwm.exe
Token: SeDebugPrivilege	1344	conhost.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3268	4964	bomb.exe	77
PID 4964 wrote to memory of 3268	4964	bomb.exe	77
PID 4964 wrote to memory of 3268	4964	bomb.exe	77
PID 4964 wrote to memory of 5664	4964	bomb.exe	78
PID 4964 wrote to memory of 5664	4964	bomb.exe	78
PID 4964 wrote to memory of 5664	4964	bomb.exe	78
PID 4964 wrote to memory of 1048	4964	bomb.exe	79
PID 4964 wrote to memory of 1048	4964	bomb.exe	79
PID 4964 wrote to memory of 1048	4964	bomb.exe	79
PID 4964 wrote to memory of 4612	4964	bomb.exe	80
PID 4964 wrote to memory of 4612	4964	bomb.exe	80
PID 4964 wrote to memory of 4612	4964	bomb.exe	80
PID 4964 wrote to memory of 4524	4964	bomb.exe	81
PID 4964 wrote to memory of 4524	4964	bomb.exe	81
PID 4964 wrote to memory of 4524	4964	bomb.exe	81
PID 4964 wrote to memory of 3944	4964	bomb.exe	86
PID 4964 wrote to memory of 3944	4964	bomb.exe	86
PID 4964 wrote to memory of 4820	4964	bomb.exe	87
PID 4964 wrote to memory of 4820	4964	bomb.exe	87
PID 4964 wrote to memory of 4820	4964	bomb.exe	87
PID 4964 wrote to memory of 3860	4964	bomb.exe	88
PID 4964 wrote to memory of 3860	4964	bomb.exe	88
PID 4964 wrote to memory of 3540	4964	bomb.exe	89
PID 4964 wrote to memory of 3540	4964	bomb.exe	89
PID 3540 wrote to memory of 2332	3540	http185.215.113.66minedelll.exe.exe	90
PID 3540 wrote to memory of 2332	3540	http185.215.113.66minedelll.exe.exe	90
PID 2332 wrote to memory of 1792	2332	cmd.exe	92
PID 2332 wrote to memory of 1792	2332	cmd.exe	92
PID 2332 wrote to memory of 1580	2332	cmd.exe	93
PID 2332 wrote to memory of 1580	2332	cmd.exe	93
PID 4964 wrote to memory of 5204	4964	bomb.exe	94
PID 4964 wrote to memory of 5204	4964	bomb.exe	94
PID 5664 wrote to memory of 3108	5664	http185.215.113.66pei.exe.exe	95
PID 5664 wrote to memory of 3108	5664	http185.215.113.66pei.exe.exe	95
PID 5664 wrote to memory of 3108	5664	http185.215.113.66pei.exe.exe	95
PID 5204 wrote to memory of 3932	5204	http185.215.113.66del1.exe.exe	96
PID 5204 wrote to memory of 3932	5204	http185.215.113.66del1.exe.exe	96
PID 3932 wrote to memory of 4880	3932	cmd.exe	98
PID 3932 wrote to memory of 4880	3932	cmd.exe	98
PID 3932 wrote to memory of 2968	3932	cmd.exe	99
PID 3932 wrote to memory of 2968	3932	cmd.exe	99
PID 4612 wrote to memory of 2832	4612	httptwizt.netnewtpp.exe.exe	100
PID 4612 wrote to memory of 2832	4612	httptwizt.netnewtpp.exe.exe	100
PID 4612 wrote to memory of 2832	4612	httptwizt.netnewtpp.exe.exe	100
PID 4964 wrote to memory of 6112	4964	bomb.exe	101
PID 4964 wrote to memory of 6112	4964	bomb.exe	101
PID 4964 wrote to memory of 5548	4964	bomb.exe	102
PID 4964 wrote to memory of 5548	4964	bomb.exe	102
PID 5548 wrote to memory of 3940	5548	http185.215.113.66del2.exe.exe	103
PID 5548 wrote to memory of 3940	5548	http185.215.113.66del2.exe.exe	103
PID 3940 wrote to memory of 2664	3940	cmd.exe	105
PID 3940 wrote to memory of 2664	3940	cmd.exe	105
PID 3940 wrote to memory of 5892	3940	cmd.exe	106
PID 3940 wrote to memory of 5892	3940	cmd.exe	106
PID 4964 wrote to memory of 2404	4964	bomb.exe	107
PID 4964 wrote to memory of 2404	4964	bomb.exe	107
PID 4964 wrote to memory of 2404	4964	bomb.exe	107
PID 2404 wrote to memory of 2160	2404	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe	113
PID 2404 wrote to memory of 2160	2404	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe	113
PID 2404 wrote to memory of 2160	2404	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe	113
PID 1040 wrote to memory of 5196	1040	winuspdt.exe	119
PID 1040 wrote to memory of 5196	1040	winuspdt.exe	119
PID 1040 wrote to memory of 5196	1040	winuspdt.exe	119
PID 1040 wrote to memory of 5196	1040	winuspdt.exe	119

C:\Users\Admin\AppData\Local\Temp\bomb.exe
"C:\Users\Admin\AppData\Local\Temp\bomb.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3268
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3180
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\2013125154.exe
    C:\Users\Admin\AppData\Local\Temp\2013125154.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3108
  - - C:\Users\Admin\sysnldcvmr.exe
      C:\Users\Admin\sysnldcvmr.exe
      4⤵
      PID:4776
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1048
- - C:\Windows\WindowsServices.exe
    "C:\Windows\WindowsServices.exe"
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3768
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 868
    3⤵
    - Program crash
    PID:1476
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpla"
    3⤵
    - Launches sc.exe
    PID:4860
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpla" binpath= "C:\ProgramData\WinUpla\winuspdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4244
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpla"
    3⤵
    - Launches sc.exe
    PID:532
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:5860
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:5992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:2572
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3860
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" ""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
      4⤵
      PID:436
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        5⤵
        
        PID:5528
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\sc.exe
      sc delete "WinUpdt"
      4⤵
      Launches sc.exe
      PID:1792
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
      4⤵
      PID:1580
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\system32\sc.exe
      sc delete "Windows Services"
      4⤵
      Launches sc.exe
      PID:4880
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
      4⤵
      PID:2968
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6112
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:2176
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:424
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:3192
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\system32\sc.exe
      sc delete "WinSvcs"
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
      4⤵
      PID:5892
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5868
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5476
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3776
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe"
  2⤵
  PID:824
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe"
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe"
  2⤵
  PID:5236
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe"
  2⤵
  PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4524 -ip 4524
1⤵
PID:1768

C:\ProgramData\WinUpla\winuspdt.exe
C:\ProgramData\WinUpla\winuspdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5196
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2104

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2540

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2152

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:460

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2400

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
PID:1524
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5220

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1644

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5708

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1652

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004BC
1⤵
PID:2244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a36855 /state1:0x41c64e6d
1⤵
PID:3728

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 0000008c
1⤵
PID:772

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 0000008c
1⤵
PID:3640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3408

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 0000008c
1⤵
PID:5476

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 0000008c
1⤵
PID:2944

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 0000008c
1⤵
PID:5992

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000138 0000008c
1⤵
PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vont2qks.ja2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.68lsrwva.exe.exe

Filesize
249B

MD5
5925dfb3f3b833ccf04bedce8333ab9d

SHA1
4e579bb293275c581718be0e6dff38d2e8791f38

SHA256
45271d1cb6c8be70c3e0c4660ec276655a1162d909f95a2620dcfbf23b4c8caa

SHA512
de89c9f375715c6b934b718b97dfe408d82a0871c87944d88337292859007e0c522e73ac4260582e4d98b7fef23b0d4cc8d14d96d6b322dc9b09dea4c2799616

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe

Filesize
9KB

MD5
6e0a9dfdc97d9097f3f9c5e8c0427f13

SHA1
7070dd144099f51e37934ed24c14f2d2a8f1543a

SHA256
5f47367c1393d2b6f4cd95195c8ac7e610875827cd4206853a1cb8215e6a9914

SHA512
da79aaee187bbefe5727dd74c59f237080248cea700a10c857280a06a78379e921b0981e5497bbdfd67aeedd9f0be5863b8bf4d8e622197f7ff61eef3edb0684

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe

Filesize
9KB

MD5
14b555f8c8e53a9a5e1fc24f0a0cca49

SHA1
968427e2fcd9af7f6ac4e39dc1f6fa595aa80734

SHA256
973bc2f864c9ceea0cfe7ba5c595914b202e2b407ae7a9d3eb064fd504616194

SHA512
30076e811851a034c94bd82bca494c4cbbf22993dcebf20252d772c66d45d0c75670e945f6268847f205e8780678106484a19903c097993246867c04b1d2a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe

Filesize
2.5MB

MD5
50c797100c3ac160abb318b5494673ac

SHA1
1c17cb58cad387d6191d0cad7ae02693df112312

SHA256
4fd1208171a4e6a3e9986d6a3dfe42676830f3134d7b184918a988e95960de4c

SHA512
5bb5c5ce75928aba80a624110503b6cf3cd2724729570a667cf31f18b91e827b2d066d3dde9f170040a8b392c992a7193fcd58d29bce828054b9b92821a9eb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe

Filesize
136KB

MD5
76a1de8dc8bff924e884ade0a7ac4967

SHA1
f9b2ac72407ffdbc2699f3a3292f22a391d5254f

SHA256
8c3af9b8fdd734699dd7bd451f0efd5e10da99aadd37ef20b9d98a79ad53c552

SHA512
461b29e801ed1980ad8cb07dcf96a652351317592281907d0b773b3bf378df28d1ea3de7bdfc459662c176369b48abcdbac0ef481c389525b00aa91de0f258d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http217.154.84.12223SWnew_image.jpg.exe

Filesize
3.5MB

MD5
7e691e0ddb06f041fffd6494503f9116

SHA1
55cbad7c75bd5d999398e60014a341c881483ab8

SHA256
76b1f681dd3b617b88568d2d0a0aac9b589c89b569fb25ac5be0df0839e96e8d

SHA512
261aaba90ac4ed7af6115b7f48a84d4614ffcf3cf0f00ef4d1c242f3ce976fd339ed892734ff51d352691b579ca79e61d8fc6a3850faa4361bd0fe2425751750

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe

Filesize
208KB

MD5
70ddf4f6215e0fd7b65685e3da758082

SHA1
8fb69a1e9d9049880787748c57e98bc9b76a5152

SHA256
9df0a6e74330d311721f5bf0e64734fd0bf8666f90863893cd4d869d053dcfcd

SHA512
a37d4f756c2ccf597f313f479559c8aef0510e02aea9625c73ead435defbf32bd2d71887e36ddb2bfe3caad5ab70febd6675040eb05430ea9c220ce0e7b29c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe

Filesize
971KB

MD5
46f366e3ee36c05ab5a7a319319f7c72

SHA1
040fbf1325d51358606b710bc3bd774c04bdb308

SHA256
2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a

SHA512
03e67c8f76a589ad43866396f46af12267e3c9ab2ca0a155f9df0406b4bd77b706e12757222d7c95bfa4b91d6ef073150edb87d11496617a2004e9dc953904e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe

Filesize
278KB

MD5
cc5e97a8a3e9b5dfc2093dde57137b23

SHA1
8c0d1dd75ae6fcf80d855b7494a8cab54eb05b29

SHA256
5975948b57707a6f3da15eecf5c53642caaea7ef315273ddf4a71c2530c5c3e4

SHA512
6f7da6d45e186d3037504f547fb7500a9fccf0e65940cad2f0972fbb0f01febd123a28f4808e615848db11e2e0813f3a006febef4e1233ba112087c4066765ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainncpa.cpl.exe

Filesize
211KB

MD5
dc503db57e725664e4c7f18998496294

SHA1
1ff194472c65c0e6bee6b6854cd2f8ff920a1e94

SHA256
629783e4b3adb802672bae160fc7e77c8150621ba2cb586ff491277af864e97e

SHA512
a827657fd087f4c3a556d385938cbd6f022c7f76a185bbd8d3dd9734f99c08f9e4a9dafb5f684443a30680fdc8bbe2849c1d5865a875060d75ee07231c6629b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe

Filesize
189KB

MD5
8d04bc23c265be8dc918b1ba7d299cc8

SHA1
5317e870120f3dcb71052f02ba3af46aa8f70979

SHA256
e9c8e31f8b93a78f224ba8a4bdb85e00d76b369033b9eb65b17637b915c9904e

SHA512
06392cac7933605a53cced3f11d27e225fa36fe9be1ca80530c86bdba0942b540785c04e8f64b27a8928357a650632de2453b4270d7737a17cf9d3dd4083e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
memory/1048-27-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/1124-326-0x0000000005E70000-0x0000000005F0C000-memory.dmp

Filesize
624KB

Download
memory/1124-328-0x0000000005D50000-0x0000000005D5A000-memory.dmp

Filesize
40KB

Download
memory/1124-324-0x0000000005DD0000-0x0000000005E62000-memory.dmp

Filesize
584KB

Download
memory/1124-323-0x0000000000D50000-0x00000000013EA000-memory.dmp

Filesize
6.6MB

Download
memory/1344-154-0x0000018DB9460000-0x0000018DB9466000-memory.dmp

Filesize
24KB

Download
memory/1344-160-0x0000018DBAFD0000-0x0000018DBAFD6000-memory.dmp

Filesize
24KB

Download
memory/1596-289-0x0000029458E90000-0x0000029458EB0000-memory.dmp

Filesize
128KB

Download
memory/1596-293-0x00007FF7DA210000-0x00007FF7DAE44000-memory.dmp

Filesize
12.2MB

Download
memory/2104-218-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-152-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-147-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-146-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-149-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-150-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-159-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-155-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-151-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-156-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-153-0x0000024718490000-0x00000247184B0000-memory.dmp

Filesize
128KB

Download
memory/2104-148-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-157-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2104-158-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3268-291-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/3268-28-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/3540-84-0x00000000000A0000-0x00000000000A6000-memory.dmp

Filesize
24KB

Download
memory/4524-46-0x0000000005960000-0x0000000005F06000-memory.dmp

Filesize
5.6MB

Download
memory/4524-45-0x0000000000910000-0x0000000000938000-memory.dmp

Filesize
160KB

Download
memory/4964-0-0x00007FF81CD93000-0x00007FF81CD95000-memory.dmp

Filesize
8KB

Download
memory/4964-2-0x00007FF81CD90000-0x00007FF81D852000-memory.dmp

Filesize
10.8MB

Download
memory/4964-1-0x000001D8C06A0000-0x000001D8C06AA000-memory.dmp

Filesize
40KB

Download
memory/4964-332-0x00007FF81CD90000-0x00007FF81D852000-memory.dmp

Filesize
10.8MB

Download
memory/4964-61-0x00007FF81CD90000-0x00007FF81D852000-memory.dmp

Filesize
10.8MB

Download
memory/5196-142-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5196-141-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5196-140-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5196-138-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5196-139-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5196-145-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5204-96-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/5220-281-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5220-283-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5220-290-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5220-285-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5220-284-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5220-282-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5548-126-0x0000000000890000-0x0000000000896000-memory.dmp

Filesize
24KB

Download
memory/5868-320-0x0000000007680000-0x0000000007724000-memory.dmp

Filesize
656KB

Download
memory/5868-174-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/5868-196-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/5868-318-0x0000000007610000-0x000000000762E000-memory.dmp

Filesize
120KB

Download
memory/5868-177-0x0000000006070000-0x00000000063C7000-memory.dmp

Filesize
3.3MB

Download
memory/5868-309-0x0000000072000000-0x000000007204C000-memory.dmp

Filesize
304KB

Download
memory/5868-197-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/5868-327-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/5868-329-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/5868-162-0x00000000030B0000-0x00000000030E6000-memory.dmp

Filesize
216KB

Download
memory/5868-330-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/5868-175-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/5868-325-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/5868-176-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/5868-308-0x0000000007630000-0x0000000007664000-memory.dmp

Filesize
208KB

Download
memory/5868-331-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

Filesize
68KB

Download
memory/5868-172-0x0000000005860000-0x0000000005E8A000-memory.dmp

Filesize
6.2MB

Download