8d025c8034092b69331f21684eaeee9ebf1d3b4db491997f857b9b1a233b2ef5

Target

TOOL.exe
Size

15.3MB
MD5

42c3370a6bdc0bd641bf0583cef3cfe2
SHA1

33fea4db9b6a1fd9167f4bfa5abad4c0c86f6b58
SHA256

8d025c8034092b69331f21684eaeee9ebf1d3b4db491997f857b9b1a233b2ef5
SHA512

628eaac733723b2f371182c0fd017e558859d15fc32077a0abf04fc7b82e6e8c1a53e6ed5ba85467bce63bdfeff9b23b7f09c342c0e744ffdd3307ee9037975d

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 37 IoCs

Processes:

TOOL.exe

pid	process
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe
1004	TOOL.exe

JavaScript code in executable 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll	js
\Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll	js
C:\Users\Admin\AppData\Local\Temp\_MEI9322\base_library.zip	js
C:\Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll	js
\Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll	js
C:\Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll	js
\Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll	js

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1760 ipconfig.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe

flow	ioc
3	ip-api.com

pid	process
1760	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

WMIC.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe
Token: SeShutdownPrivilege	1160	powercfg.exe
Token: SeShutdownPrivilege	1636	powercfg.exe
Token: SeShutdownPrivilege	2016	powercfg.exe
Token: SeShutdownPrivilege	1220	powercfg.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeShutdownPrivilege	1556	powercfg.exe
Token: SeShutdownPrivilege	740	powercfg.exe
Token: SeShutdownPrivilege	1400	powercfg.exe
Token: SeShutdownPrivilege	1560	powercfg.exe
Token: SeShutdownPrivilege	2028	powercfg.exe
Token: SeShutdownPrivilege	1824	powercfg.exe

Suspicious use of WriteProcessMemory 114 IoCs

Processes:

TOOL.exeTOOL.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 932 wrote to memory of 1004	932	TOOL.exe	TOOL.exe
PID 932 wrote to memory of 1004	932	TOOL.exe	TOOL.exe
PID 932 wrote to memory of 1004	932	TOOL.exe	TOOL.exe
PID 1004 wrote to memory of 1792	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1792	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1792	1004	TOOL.exe	cmd.exe
PID 1792 wrote to memory of 1768	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 1768	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 1768	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 1760	1792	cmd.exe	ipconfig.exe
PID 1792 wrote to memory of 1760	1792	cmd.exe	ipconfig.exe
PID 1792 wrote to memory of 1760	1792	cmd.exe	ipconfig.exe
PID 1792 wrote to memory of 1676	1792	cmd.exe	findstr.exe
PID 1792 wrote to memory of 1676	1792	cmd.exe	findstr.exe
PID 1792 wrote to memory of 1676	1792	cmd.exe	findstr.exe
PID 1004 wrote to memory of 2020	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2020	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2020	1004	TOOL.exe	cmd.exe
PID 2020 wrote to memory of 1356	2020	cmd.exe	chcp.com
PID 2020 wrote to memory of 1356	2020	cmd.exe	chcp.com
PID 2020 wrote to memory of 1356	2020	cmd.exe	chcp.com
PID 1004 wrote to memory of 2008	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2008	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2008	1004	TOOL.exe	cmd.exe
PID 2008 wrote to memory of 788	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 788	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 788	2008	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 1784	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1784	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1784	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1900	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1900	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1900	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2016	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2016	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 2016	1004	TOOL.exe	cmd.exe
PID 2016 wrote to memory of 1052	2016	cmd.exe	rundll32.exe
PID 2016 wrote to memory of 1052	2016	cmd.exe	rundll32.exe
PID 2016 wrote to memory of 1052	2016	cmd.exe	rundll32.exe
PID 1004 wrote to memory of 540	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 540	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 540	1004	TOOL.exe	cmd.exe
PID 540 wrote to memory of 1876	540	cmd.exe	rundll32.exe
PID 540 wrote to memory of 1876	540	cmd.exe	rundll32.exe
PID 540 wrote to memory of 1876	540	cmd.exe	rundll32.exe
PID 1004 wrote to memory of 1800	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1800	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1800	1004	TOOL.exe	cmd.exe
PID 1800 wrote to memory of 1160	1800	cmd.exe	powercfg.exe
PID 1800 wrote to memory of 1160	1800	cmd.exe	powercfg.exe
PID 1800 wrote to memory of 1160	1800	cmd.exe	powercfg.exe
PID 1004 wrote to memory of 1180	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1180	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1180	1004	TOOL.exe	cmd.exe
PID 1180 wrote to memory of 1636	1180	cmd.exe	powercfg.exe
PID 1180 wrote to memory of 1636	1180	cmd.exe	powercfg.exe
PID 1180 wrote to memory of 1636	1180	cmd.exe	powercfg.exe
PID 1004 wrote to memory of 1484	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1484	1004	TOOL.exe	cmd.exe
PID 1004 wrote to memory of 1484	1004	TOOL.exe	cmd.exe
PID 1484 wrote to memory of 2016	1484	cmd.exe	powercfg.exe
PID 1484 wrote to memory of 2016	1484	cmd.exe	powercfg.exe
PID 1484 wrote to memory of 2016	1484	cmd.exe	powercfg.exe
PID 1004 wrote to memory of 1396	1004	TOOL.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1768

C:\Windows\system32\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:1760

C:\Windows\system32\findstr.exe
findstr /i "Default Gateway"
4⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\Wbem\WMIC.exe
wmic BIOS get BIOSVersion
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver.exe"
3⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');"
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\rundll32.exe
rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');
4⤵
- Modifies Internet Explorer settings
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');"
3⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\rundll32.exe
rundll32.exe javascript:'\..\mshtml,RunHTMLApplication ';alert('');
4⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\powercfg.exe
powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"
3⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0"
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0"
3⤵
PID:1396

C:\Windows\system32\powercfg.exe
powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start ms-cxh-full://0"
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg /setdcvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1"
3⤵
PID:1948

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg /setacvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1"
3⤵
PID:1444

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex scheme_current sub_none F15576E8-98B7-4186-B944-EAFA664402D9 1
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -attributes F15576E8-98B7-4186-B944-EAFA664402D9 +ATTRIB_HIDE"
3⤵
PID:1668

C:\Windows\system32\powercfg.exe
powercfg -attributes F15576E8-98B7-4186-B944-EAFA664402D9 +ATTRIB_HIDE
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -attributes SUB_BUTTONS 7648efa3-dd9c-4e3e-b566-50f929386280 +ATTRIB_HIDE"
3⤵
PID:1784

C:\Windows\system32\powercfg.exe
powercfg -attributes SUB_BUTTONS 7648efa3-dd9c-4e3e-b566-50f929386280 +ATTRIB_HIDE
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -change -monitor-timeout-ac 0"
3⤵
PID:540

C:\Windows\system32\powercfg.exe
powercfg -change -monitor-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -change -monitor-timeout-dc 0"
3⤵
PID:2040

C:\Windows\system32\powercfg.exe
powercfg -change -monitor-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powercfg -SetActive SCHEME_CURRENT"
3⤵
PID:1692

C:\Windows\system32\powercfg.exe
powercfg -SetActive SCHEME_CURRENT
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_Salsa20.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_aes.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ocb.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_MD5.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_SHA1.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_SHA256.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_ghash_portable.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Protocol\_scrypt.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Util\_cpuid_c.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Util\_strxor.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\TOOL.exe.manifest

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\VCRUNTIME140.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_bz2.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_ctypes.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_hashlib.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_lzma.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_portaudio.cp38-win_amd64.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_queue.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_socket.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_sqlite3.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\_ssl.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\base_library.zip

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\certifi\cacert.pem

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\libffi-7.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\libssl-1_1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\pythoncom38.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\select.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\sqlite3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\unicodedata.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\win32api.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9322\win32gui.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_Salsa20.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_aes.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ocb.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_MD5.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_SHA1.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_SHA256.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Hash\_ghash_portable.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Protocol\_scrypt.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Util\_cpuid_c.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\Crypto\Util\_strxor.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\VCRUNTIME140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_bz2.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_ctypes.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_hashlib.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_lzma.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_portaudio.cp38-win_amd64.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_queue.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_socket.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_sqlite3.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\_ssl.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\libcrypto-1_1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\libffi-7.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\libssl-1_1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\python38.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\pythoncom38.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\pywintypes38.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\select.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\unicodedata.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\win32api.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9322\win32gui.pyd

Download Submit
memory/540-125-0x0000000000000000-mapping.dmp

Download
memory/540-92-0x0000000000000000-mapping.dmp

Download
memory/740-122-0x0000000000000000-mapping.dmp

Download
memory/788-85-0x0000000000000000-mapping.dmp

Download
memory/1004-0-0x0000000000000000-mapping.dmp

Download
memory/1052-89-0x0000000000000000-mapping.dmp

Download
memory/1052-103-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/1052-90-0x0000000000000000-mapping.dmp

Download
memory/1160-109-0x0000000000000000-mapping.dmp

Download
memory/1180-110-0x0000000000000000-mapping.dmp

Download
memory/1220-115-0x0000000000000000-mapping.dmp

Download
memory/1356-83-0x0000000000000000-mapping.dmp

Download
memory/1396-114-0x0000000000000000-mapping.dmp

Download
memory/1400-124-0x0000000000000000-mapping.dmp

Download
memory/1444-118-0x0000000000000000-mapping.dmp

Download
memory/1484-112-0x0000000000000000-mapping.dmp

Download
memory/1556-120-0x0000000000000000-mapping.dmp

Download
memory/1560-126-0x0000000000000000-mapping.dmp

Download
memory/1636-111-0x0000000000000000-mapping.dmp

Download
memory/1668-121-0x0000000000000000-mapping.dmp

Download
memory/1676-41-0x0000000000000000-mapping.dmp

Download
memory/1692-129-0x0000000000000000-mapping.dmp

Download
memory/1760-40-0x0000000000000000-mapping.dmp

Download
memory/1768-39-0x0000000000000000-mapping.dmp

Download
memory/1784-123-0x0000000000000000-mapping.dmp

Download
memory/1784-86-0x0000000000000000-mapping.dmp

Download
memory/1792-38-0x0000000000000000-mapping.dmp

Download
memory/1800-108-0x0000000000000000-mapping.dmp

Download
memory/1824-130-0x0000000000000000-mapping.dmp

Download
memory/1876-94-0x0000000000000000-mapping.dmp

Download
memory/1876-93-0x0000000000000000-mapping.dmp

Download
memory/1900-87-0x0000000000000000-mapping.dmp

Download
memory/1904-119-0x0000000000000000-mapping.dmp

Download
memory/1908-116-0x0000000000000000-mapping.dmp

Download
memory/1948-117-0x0000000000000000-mapping.dmp

Download
memory/2008-91-0x000007FEF7100000-0x000007FEF737A000-memory.dmp

Filesize
2.5MB

Download
memory/2008-84-0x0000000000000000-mapping.dmp

Download
memory/2016-113-0x0000000000000000-mapping.dmp

Download
memory/2016-88-0x0000000000000000-mapping.dmp

Download
memory/2020-82-0x0000000000000000-mapping.dmp

Download
memory/2028-128-0x0000000000000000-mapping.dmp

Download
memory/2040-127-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads