8d025c8034092b69331f21684eaeee9ebf1d3b4db491997f857b9b1a233b2ef5

Target

TOOL.exe
Size

15.3MB
MD5

42c3370a6bdc0bd641bf0583cef3cfe2
SHA1

33fea4db9b6a1fd9167f4bfa5abad4c0c86f6b58
SHA256

8d025c8034092b69331f21684eaeee9ebf1d3b4db491997f857b9b1a233b2ef5
SHA512

628eaac733723b2f371182c0fd017e558859d15fc32077a0abf04fc7b82e6e8c1a53e6ed5ba85467bce63bdfeff9b23b7f09c342c0e744ffdd3307ee9037975d

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1484 created 2168 1484 WerFault.exe explorer.exe
Executes dropped EXE 1 IoCs

Processes:

CommandCam.exe

pid process

2264 CommandCam.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

description	pid	process	target process
PID 1484 created 2168	1484	WerFault.exe	explorer.exe

pid	process
2264	CommandCam.exe

Loads dropped DLL 64 IoCs

Processes:

TOOL.exeTOOL.exe

pid	process
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
2448	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe
196	TOOL.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 2168 WerFault.exe explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

flow	ioc
15	ip-api.com

pid	pid_target	process	target process
1484	2168	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2156 tasklist.exe
3588 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1168 ipconfig.exe
3016 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3856 taskkill.exe

pid	process
2156	tasklist.exe
3588	tasklist.exe

pid	process
1168	ipconfig.exe
3016	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 17 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132625117264543786"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000016d26ce37980d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000f3720de37980d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033a4c4b1d72dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

748 explorer.exe

pid	process
748	explorer.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

taskkill.exeWerFault.exe

pid	process
3856	taskkill.exe
3856	taskkill.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

748 explorer.exe

pid	process
748	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3808	WMIC.exe
Token: SeSecurityPrivilege	3808	WMIC.exe
Token: SeTakeOwnershipPrivilege	3808	WMIC.exe
Token: SeLoadDriverPrivilege	3808	WMIC.exe
Token: SeSystemProfilePrivilege	3808	WMIC.exe
Token: SeSystemtimePrivilege	3808	WMIC.exe
Token: SeProfSingleProcessPrivilege	3808	WMIC.exe
Token: SeIncBasePriorityPrivilege	3808	WMIC.exe
Token: SeCreatePagefilePrivilege	3808	WMIC.exe
Token: SeBackupPrivilege	3808	WMIC.exe
Token: SeRestorePrivilege	3808	WMIC.exe
Token: SeShutdownPrivilege	3808	WMIC.exe
Token: SeDebugPrivilege	3808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3808	WMIC.exe
Token: SeRemoteShutdownPrivilege	3808	WMIC.exe
Token: SeUndockPrivilege	3808	WMIC.exe
Token: SeManageVolumePrivilege	3808	WMIC.exe
Token: 33	3808	WMIC.exe
Token: 34	3808	WMIC.exe
Token: 35	3808	WMIC.exe
Token: 36	3808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3808	WMIC.exe
Token: SeSecurityPrivilege	3808	WMIC.exe
Token: SeTakeOwnershipPrivilege	3808	WMIC.exe
Token: SeLoadDriverPrivilege	3808	WMIC.exe
Token: SeSystemProfilePrivilege	3808	WMIC.exe
Token: SeSystemtimePrivilege	3808	WMIC.exe
Token: SeProfSingleProcessPrivilege	3808	WMIC.exe
Token: SeIncBasePriorityPrivilege	3808	WMIC.exe
Token: SeCreatePagefilePrivilege	3808	WMIC.exe
Token: SeBackupPrivilege	3808	WMIC.exe
Token: SeRestorePrivilege	3808	WMIC.exe
Token: SeShutdownPrivilege	3808	WMIC.exe
Token: SeDebugPrivilege	3808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3808	WMIC.exe
Token: SeRemoteShutdownPrivilege	3808	WMIC.exe
Token: SeUndockPrivilege	3808	WMIC.exe
Token: SeManageVolumePrivilege	3808	WMIC.exe
Token: 33	3808	WMIC.exe
Token: 34	3808	WMIC.exe
Token: 35	3808	WMIC.exe
Token: 36	3808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	420	WMIC.exe
Token: SeSecurityPrivilege	420	WMIC.exe
Token: SeTakeOwnershipPrivilege	420	WMIC.exe
Token: SeLoadDriverPrivilege	420	WMIC.exe
Token: SeSystemProfilePrivilege	420	WMIC.exe
Token: SeSystemtimePrivilege	420	WMIC.exe
Token: SeProfSingleProcessPrivilege	420	WMIC.exe
Token: SeIncBasePriorityPrivilege	420	WMIC.exe
Token: SeCreatePagefilePrivilege	420	WMIC.exe
Token: SeBackupPrivilege	420	WMIC.exe
Token: SeRestorePrivilege	420	WMIC.exe
Token: SeShutdownPrivilege	420	WMIC.exe
Token: SeDebugPrivilege	420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	420	WMIC.exe
Token: SeRemoteShutdownPrivilege	420	WMIC.exe
Token: SeUndockPrivilege	420	WMIC.exe
Token: SeManageVolumePrivilege	420	WMIC.exe
Token: 33	420	WMIC.exe
Token: 34	420	WMIC.exe
Token: 35	420	WMIC.exe
Token: 36	420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	420	WMIC.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

sihost.exeexplorer.exeexplorer.exe

pid	process
2600	sihost.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

748 explorer.exe
748 explorer.exe

pid	process
748	explorer.exe
748	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TOOL.exeTOOL.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3876 wrote to memory of 2448	3876	TOOL.exe	TOOL.exe
PID 3876 wrote to memory of 2448	3876	TOOL.exe	TOOL.exe
PID 2448 wrote to memory of 208	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 208	2448	TOOL.exe	cmd.exe
PID 208 wrote to memory of 2284	208	cmd.exe	chcp.com
PID 208 wrote to memory of 2284	208	cmd.exe	chcp.com
PID 208 wrote to memory of 1168	208	cmd.exe	ipconfig.exe
PID 208 wrote to memory of 1168	208	cmd.exe	ipconfig.exe
PID 208 wrote to memory of 3728	208	cmd.exe	findstr.exe
PID 208 wrote to memory of 3728	208	cmd.exe	findstr.exe
PID 2448 wrote to memory of 3144	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3144	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3992	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3992	2448	TOOL.exe	cmd.exe
PID 3144 wrote to memory of 1328	3144	cmd.exe	chcp.com
PID 3144 wrote to memory of 1328	3144	cmd.exe	chcp.com
PID 3992 wrote to memory of 3808	3992	cmd.exe	WMIC.exe
PID 3992 wrote to memory of 3808	3992	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 2388	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2388	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2140	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2140	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3940	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3940	2448	TOOL.exe	cmd.exe
PID 3940 wrote to memory of 1512	3940	cmd.exe	sfc.exe
PID 3940 wrote to memory of 1512	3940	cmd.exe	sfc.exe
PID 2448 wrote to memory of 2424	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2424	2448	TOOL.exe	cmd.exe
PID 2424 wrote to memory of 2280	2424	cmd.exe	chcp.com
PID 2424 wrote to memory of 2280	2424	cmd.exe	chcp.com
PID 2424 wrote to memory of 2032	2424	cmd.exe	netsh.exe
PID 2424 wrote to memory of 2032	2424	cmd.exe	netsh.exe
PID 2448 wrote to memory of 1344	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 1344	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2268	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2268	2448	TOOL.exe	cmd.exe
PID 2268 wrote to memory of 420	2268	cmd.exe	WMIC.exe
PID 2268 wrote to memory of 420	2268	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 3196	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3196	2448	TOOL.exe	cmd.exe
PID 3196 wrote to memory of 2368	3196	cmd.exe	WMIC.exe
PID 3196 wrote to memory of 2368	3196	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 3124	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3124	2448	TOOL.exe	cmd.exe
PID 3124 wrote to memory of 1372	3124	cmd.exe	WMIC.exe
PID 3124 wrote to memory of 1372	3124	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 3544	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3544	2448	TOOL.exe	cmd.exe
PID 3544 wrote to memory of 1380	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 1380	3544	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 2512	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2512	2448	TOOL.exe	cmd.exe
PID 2512 wrote to memory of 2068	2512	cmd.exe	WMIC.exe
PID 2512 wrote to memory of 2068	2512	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 2224	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 2224	2448	TOOL.exe	cmd.exe
PID 2224 wrote to memory of 2160	2224	cmd.exe	WMIC.exe
PID 2224 wrote to memory of 2160	2224	cmd.exe	WMIC.exe
PID 2448 wrote to memory of 3908	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 3908	2448	TOOL.exe	cmd.exe
PID 3908 wrote to memory of 1236	3908	cmd.exe	ARP.EXE
PID 3908 wrote to memory of 1236	3908	cmd.exe	ARP.EXE
PID 2448 wrote to memory of 1740	2448	TOOL.exe	cmd.exe
PID 2448 wrote to memory of 1740	2448	TOOL.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
3⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2284

C:\Windows\system32\findstr.exe
findstr /i "Default Gateway"
4⤵
PID:3728

C:\Windows\system32\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
3⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
3⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\Wbem\WMIC.exe
wmic BIOS get BIOSVersion
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver.exe"
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sfc /scannow"
3⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\sfc.exe
sfc /scannow
4⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp 65001 && netsh wlan show profile"
3⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2280

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver.exe"
3⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic ComputerSystem get Name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\System32\Wbem\WMIC.exe
wmic ComputerSystem get Name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic ComputerSystem get Model"
3⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\System32\Wbem\WMIC.exe
wmic ComputerSystem get Model
4⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic ComputerSystem get Manufacturer"
3⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\System32\Wbem\WMIC.exe
wmic ComputerSystem get Manufacturer
4⤵
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic CPU get Name"
3⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get Name
4⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_VideoController get Name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_VideoController get Name
4⤵
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic ComputerSystem get TotalPhysicalMemory"
3⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
wmic ComputerSystem get TotalPhysicalMemory
4⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "arp -a"
3⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\ARP.EXE
arp -a
4⤵
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:1740

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /f /fi "USERNAME eq %username%" /fi "IMAGENAME ne explorer.exe USERNAME eq %username%" /fi "IMAGENAME ne "TOOL.exe""
3⤵
PID:1764

C:\Windows\system32\taskkill.exe
taskkill /f /fi "USERNAME eq Admin" /fi "IMAGENAME ne explorer.exe USERNAME eq Admin" /fi "IMAGENAME ne "TOOL.exe"
4⤵
- Kills process with taskkill
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "explorer.exe"
3⤵
PID:3932

C:\Windows\explorer.exe
explorer.exe
4⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2168 -s 2136
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "@C:\Users\Admin\AppData\Local\Temp\CommandCam.exe /filename "C:\Windows\Temp\Webcam.jpg" /delay 2500 /devnum 1 > NUL"
3⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\CommandCam.exe
C:\Users\Admin\AppData\Local\Temp\CommandCam.exe /filename "C:\Windows\Temp\Webcam.jpg" /delay 2500 /devnum 1
4⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:3544

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3588

C:\Users\Admin\AppData\Local\Temp\TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
3⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
4⤵
- Loads dropped DLL
PID:196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
5⤵
PID:2352

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3524

C:\Windows\system32\ipconfig.exe
ipconfig
6⤵
- Gathers network information
PID:3016

C:\Windows\system32\findstr.exe
findstr /i "Default Gateway"
6⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
5⤵
PID:3892

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
5⤵
PID:1576

C:\Windows\System32\Wbem\WMIC.exe
wmic BIOS get BIOSVersion
6⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver.exe"
5⤵
PID:3544

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Modifies registry class
PID:3204

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:508

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd
MD5
03c703a8f4c2a1443cccc8316af8940c

SHA1
046d8c846d9393e472064aa1250826994a785577

SHA256
ca09e03d93f3a330a467afd7fb998ad81dfd75fa7a1c2e202d6898f229c269d4

SHA512
a65bf31452e984de1f951a3bca97c9dc27ac113e5fd4e0d29fa2b67e6c1b24d48ba6513d1e2ceaa7617e92305171e9675379a0e97980a3ceec209c49cd687329

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd
MD5
6f1d3ed33d7dfeae5642406d76ff2084

SHA1
014cfee7d754564928ed2df2fef933aeda915918

SHA256
f5918822781473d44f69030a9b32bcaeffa8671f1328c48085c9671f140d1273

SHA512
e55f57ef9411979ab164d5c3faca609856ddaa273ee817225ba77a12ddad02da464378ca0cbd98ddec708aeac96845ab8c718d35edc88b0ab06bb14ed53647ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd
MD5
c04554cf7f89e2d360ebcc39f85a2970

SHA1
42ac403bd2a854d7f6ac60a299594a9c4a793f35

SHA256
264ed03313efc36ef0794e3c716319e0aa4774c3d0a26c522dcfa7be1f46349f

SHA512
668928abb8510d36dcc2e9ff7cd10353c3cbc10af199ca4c909770921fdcbe4aeedc5dfb106c91cf480c86a2ab78e2da6278d859aae93cb72bc50de432411ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd
MD5
d4535f5b8683cd4b523d1f97232d3772

SHA1
1a6ce4eeb5acd1762f629478db14dfe8e361967f

SHA256
a8bd1b23f25393b26570a23f3083227dca1e2a6c4422581ff3e46cea3c4ac4ad

SHA512
447c9b1772f4a4f91961268e1b87c3576415f5257197db16336a3be8601dcfc8cd01dd1bb0676403633c58b8593aa9f558bbd53ccd994f5702df38c265358730

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd
MD5
b537c5216bd68311d50b10d62d02b9bb

SHA1
eb613bdabc18ee0f43afa4a13e684d0f8bc57817

SHA256
2b4fefd3688f5e92b1c3ef745d3463d44d9c071b9e2e190a7179191cd3b1e3a5

SHA512
1a3a8e9454646d7ac87f0acc34092da9c3873e4912ea8cb7c335d58a1bf7336d370dda9da13fdc6148ebfe93e3b75ceebc0684a5ee7b4ae24e8e2b5d053afe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd
MD5
2101eb8948ad5b50feeceb0865169d48

SHA1
fd55a3553d0c0416cd733ae732361685c0d23c59

SHA256
962a6e4baf1fe8579b815c059abd924563835fc2139fa16d4ba191c291d033ec

SHA512
122c8ba5df3d3c2b6ddb6de8415634c02c296285e629f780e1f9d9a4afaf1ef3bef0863f83748f2ad5847385e349b4d39c4c54ed7d4246f502603080c5b973e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Hash\_SHA1.cp38-win_amd64.pyd
MD5
abc7d549b8974a93e441b45b118a3f8e

SHA1
1b78c6022f03550ca48a67aa2b2edc0add3a5fd7

SHA256
059e3b26c6816c5f2e3a3d6fdfcc0298077221cd8ae8a17fc9fe6d67ef2bfc3a

SHA512
8ac63714eebbe6c4ff7da73ebe1e03be1aaee194d635df068108956bf009b872bad1357a5c41e5780d053903784c10797d417f90f941e362f3d3774e91bbb98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Hash\_SHA256.cp38-win_amd64.pyd
MD5
4c16bb062911f8d38d881022dba921dc

SHA1
fed09bcb06fa5bb604bfb81d4aecbd012548f5f9

SHA256
d72174d81ef9e6c8c9c2b2c9a0392e85195a1fde81757a8fa61e7561b8689f84

SHA512
2ca19b324011f1957f2182b6d57a687cff1805e94c27118452d7b579ea4dc9bdf2f409c03cb97b71e312593c41312bd278c25d52cac1cf0eecc72ce79ba0d08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Util\_strxor.cp38-win_amd64.pyd
MD5
c718722a0c7e48a91b492b604ca15125

SHA1
6fa5b7da8366bfd7ae575452d389d01bfa25e6b4

SHA256
248962dbfabfd47f79df23f22754e6644404ccd10f152420a639de12215a615f

SHA512
953aa4827746ad544e799976724f657a56337407bebcc0c721b926caa74fae6bfc42acbd194c4220f3e0e4edc5e325674be3f0773859f9ed40ad943a359058dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\TOOL.exe.manifest
MD5
f36009384fb2b7df0ab4edb33d6d80c3

SHA1
56e0f6e7c6ccd4fad68616d70c2d4ad7829ca838

SHA256
47af5ba84be771d9e4ebc64563fa54cbe293330c0c83b4ca6e82052cd86913a7

SHA512
6f9959c929a2e63f4a2d730a244a84c66c36035b3e56f4c1d420717c193d91546d72c9e41c9a719e181b69dfbaed91d85a30e01ebf5d4ef78db6a3d386f37384

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\VCRUNTIME140.dll
MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_bz2.pyd
MD5
fc0d862a854993e0e51c00dee3eec777

SHA1
20203332c6f7bd51f6a5acbbc9f677c930d0669d

SHA256
e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863

SHA512
b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_ctypes.pyd
MD5
8adb1345c717e575e6614e163eb62328

SHA1
f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3

SHA256
65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8

SHA512
0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_hashlib.pyd
MD5
5fa7c9d5e6068718c6010bbeb18fbeb3

SHA1
93e8875d6d0f943b4226e25452c2c7d63d22b790

SHA256
2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155

SHA512
3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_lzma.pyd
MD5
60e215bb78fb9a40352980f4de818814

SHA1
ff750858c3352081514e2ae0d200f3b8c3d40096

SHA256
c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806

SHA512
398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_portaudio.cp38-win_amd64.pyd
MD5
f7b8055f8d54b1ff8fe16bf86eee9d22

SHA1
8da2387d8e840d6eb34978a8343fee27d86ae100

SHA256
a35531c046271b4e0355e0d6d2844d886480b01220b71e4795263312f50beea6

SHA512
82cd75009b17719e477785040b6fa3372affdcea4b16ffb579a869f5353cb914b88ade612624f7c0d0d7e2b64edb3c92cc34c6a0306a5c2fd2829c67b3e2de0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_queue.pyd
MD5
1fc2c6b80936efc502bfc30fc24caa56

SHA1
4e5b26ff3b225906c2b9e39e0f06126cfc43a257

SHA256
9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514

SHA512
d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_socket.pyd
MD5
1d53841bb21acdcc8742828c3aded891

SHA1
cdf15d4815820571684c1f720d0cba24129e79c8

SHA256
ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b

SHA512
0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_sqlite3.pyd
MD5
a3a0cb078aa4fc5d5a081be54745a4c9

SHA1
42b1873c4633f9a0288ce4ee44c50234c0f03e22

SHA256
e0ed20d5ae660a18bf60e907ba7f21013e04305aa67aa3b8b5a1cee9bd4dcd27

SHA512
ac6628bf3908c053362b8c840a7934d704413ae673702052b06d23d71995702d1c562e36a6bde3ad0170eb71a77f43d702ad71f74bc21a3d770f05b95be16f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\_ssl.pyd
MD5
84dea8d0acce4a707b094a3627b62eab

SHA1
d45dda99466ab08cc922e828729d0840ae2ddc18

SHA256
dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6

SHA512
fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\base_library.zip
MD5
493d1a9b50ea70bd522329ed79c1e354

SHA1
47110749679f3fd9ec2bf6adbe8ed06457e84ebc

SHA256
13f14c5213ea1bac476b84b3cdc5a398f73076676abb806cdd5436c3bdc57291

SHA512
71d776c893146fbc9853da5ecda4b81940f15913600d68cb03432bfbf307367ed50fa93e6b3d106a0ff5d73a0b37439f1cfd95fb6b0687199d42c449bd2db602

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\certifi\cacert.pem
MD5
c760591283d5a4a987ad646b35de3717

SHA1
5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134

SHA256
1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e

SHA512
c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\libssl-1_1.dll
MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\python38.dll
MD5
1f2688b97f9827f1de7dfedb4ad2348c

SHA1
a9650970d38e30835336426f704579e87fcfc892

SHA256
169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc

SHA512
27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\pythoncom38.dll
MD5
4f8818b15e4f1237748eaa870d7a3e38

SHA1
1baeca046a4bb9031e30be99d2333d93562c3bd9

SHA256
063d249851f457c8d5684943bee1c81d1c7810ce7e06469faef19898c556c8b5

SHA512
c9a6e3a03b2124e22fd179b5dc50d6d09ab51ac6d41390845c48508c7175ad4cd08599ee6e564158be3a375c40d88088dba50ca9cbcf8dba1c2480612f0f4539

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\pywintypes38.dll
MD5
306e8a0ca8c383a27ae00649cb1e5080

SHA1
25a4188ed099d45f092598c6ed119a41ef446672

SHA256
74565d7b4e01807eb146bf26cfeb7aa27029caca58fee7c394111cbd5fa95e2e

SHA512
3a61b826556c6cbbe56397cef9f0429bf366d453d6894327dcd6aeeaffb625b5fc82559a108b74612727100c5fff156ffa048d45fca149fe4437270e6293a763

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\select.pyd
MD5
a2ab334e18222738dcb05bf820725938

SHA1
2f75455a471f95ac814b8e4560a023034480b7b5

SHA256
7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7

SHA512
72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\sqlite3.dll
MD5
a2dbd94878af1bb29f8725a834696a60

SHA1
01c40f2949604183fb8c76fd5e7803009a83ce4d

SHA256
6af14006a4d732fc0c4bd44317457fca8c37d12ffcaf845790d3f57da75451fb

SHA512
6aad1e43e272b178127334c48925f69422ca9a4e6e4636e4c5a522a3b3690e0a715c1a3c400ec6962b6eeaac0ff2612208595d72747de3e286745eca90ee9953

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\unicodedata.pyd
MD5
549c9eeda8546cd32d0713c723abd12a

SHA1
f84b2c529cff58b888cc99f566fcd2eba6ff2b8e

SHA256
5d5e733397ef7c4946cf26c84b07312cb12eaf339374613d4381e694ef38169b

SHA512
9432daf045bac3e322b1797f49afe50f76faf8b7d8db063a1d56578016c813881af3324e2529032a8644a04b58ccc9d2c363bf92b56115f06b9eefebfab08180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\win32api.pyd
MD5
511367f74dd035502f2dc895b6a752e7

SHA1
40e319f0ace8cf7c6d7c1fb3041c7d3d9f9787eb

SHA256
202dd28e5d0451f2c672a4537116c70929ca6bbc5edd9115ed8a99f734f430ff

SHA512
7ee506c35c8b3a54f6cc1cf40abe6672a86780ada82024c519498c1d30a1a045ff79bd5a34116258503241880722da87a361f4dfea2729af7f812bc54d723d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38762\win32gui.pyd
MD5
1180f5ff22a6953310bb3fdf76830b9b

SHA1
0ff147907e7cdab11e164891dfe2257b70c384e0

SHA256
42ed7a66402ab771d9b072c46eb9db315e4a93728cac31a1eb62cdfed2e966cc

SHA512
546731456ca8d5c8488da0ab238f50b58546f172f98eb6bb51a9a4ef6664d5886020eec44cc713f310fbec18c7cd8bac7cef15d742f7646b7537766782db76ff

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_cbc.cp38-win_amd64.pyd
MD5
03c703a8f4c2a1443cccc8316af8940c

SHA1
046d8c846d9393e472064aa1250826994a785577

SHA256
ca09e03d93f3a330a467afd7fb998ad81dfd75fa7a1c2e202d6898f229c269d4

SHA512
a65bf31452e984de1f951a3bca97c9dc27ac113e5fd4e0d29fa2b67e6c1b24d48ba6513d1e2ceaa7617e92305171e9675379a0e97980a3ceec209c49cd687329

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_cfb.cp38-win_amd64.pyd
MD5
6f1d3ed33d7dfeae5642406d76ff2084

SHA1
014cfee7d754564928ed2df2fef933aeda915918

SHA256
f5918822781473d44f69030a9b32bcaeffa8671f1328c48085c9671f140d1273

SHA512
e55f57ef9411979ab164d5c3faca609856ddaa273ee817225ba77a12ddad02da464378ca0cbd98ddec708aeac96845ab8c718d35edc88b0ab06bb14ed53647ca

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_ctr.cp38-win_amd64.pyd
MD5
c04554cf7f89e2d360ebcc39f85a2970

SHA1
42ac403bd2a854d7f6ac60a299594a9c4a793f35

SHA256
264ed03313efc36ef0794e3c716319e0aa4774c3d0a26c522dcfa7be1f46349f

SHA512
668928abb8510d36dcc2e9ff7cd10353c3cbc10af199ca4c909770921fdcbe4aeedc5dfb106c91cf480c86a2ab78e2da6278d859aae93cb72bc50de432411ed9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_ecb.cp38-win_amd64.pyd
MD5
d4535f5b8683cd4b523d1f97232d3772

SHA1
1a6ce4eeb5acd1762f629478db14dfe8e361967f

SHA256
a8bd1b23f25393b26570a23f3083227dca1e2a6c4422581ff3e46cea3c4ac4ad

SHA512
447c9b1772f4a4f91961268e1b87c3576415f5257197db16336a3be8601dcfc8cd01dd1bb0676403633c58b8593aa9f558bbd53ccd994f5702df38c265358730

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Cipher\_raw_ofb.cp38-win_amd64.pyd
MD5
b537c5216bd68311d50b10d62d02b9bb

SHA1
eb613bdabc18ee0f43afa4a13e684d0f8bc57817

SHA256
2b4fefd3688f5e92b1c3ef745d3463d44d9c071b9e2e190a7179191cd3b1e3a5

SHA512
1a3a8e9454646d7ac87f0acc34092da9c3873e4912ea8cb7c335d58a1bf7336d370dda9da13fdc6148ebfe93e3b75ceebc0684a5ee7b4ae24e8e2b5d053afe38

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Hash\_BLAKE2s.cp38-win_amd64.pyd
MD5
2101eb8948ad5b50feeceb0865169d48

SHA1
fd55a3553d0c0416cd733ae732361685c0d23c59

SHA256
962a6e4baf1fe8579b815c059abd924563835fc2139fa16d4ba191c291d033ec

SHA512
122c8ba5df3d3c2b6ddb6de8415634c02c296285e629f780e1f9d9a4afaf1ef3bef0863f83748f2ad5847385e349b4d39c4c54ed7d4246f502603080c5b973e4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Hash\_SHA1.cp38-win_amd64.pyd
MD5
abc7d549b8974a93e441b45b118a3f8e

SHA1
1b78c6022f03550ca48a67aa2b2edc0add3a5fd7

SHA256
059e3b26c6816c5f2e3a3d6fdfcc0298077221cd8ae8a17fc9fe6d67ef2bfc3a

SHA512
8ac63714eebbe6c4ff7da73ebe1e03be1aaee194d635df068108956bf009b872bad1357a5c41e5780d053903784c10797d417f90f941e362f3d3774e91bbb98e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Hash\_SHA256.cp38-win_amd64.pyd
MD5
4c16bb062911f8d38d881022dba921dc

SHA1
fed09bcb06fa5bb604bfb81d4aecbd012548f5f9

SHA256
d72174d81ef9e6c8c9c2b2c9a0392e85195a1fde81757a8fa61e7561b8689f84

SHA512
2ca19b324011f1957f2182b6d57a687cff1805e94c27118452d7b579ea4dc9bdf2f409c03cb97b71e312593c41312bd278c25d52cac1cf0eecc72ce79ba0d08d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\Crypto\Util\_strxor.cp38-win_amd64.pyd
MD5
c718722a0c7e48a91b492b604ca15125

SHA1
6fa5b7da8366bfd7ae575452d389d01bfa25e6b4

SHA256
248962dbfabfd47f79df23f22754e6644404ccd10f152420a639de12215a615f

SHA512
953aa4827746ad544e799976724f657a56337407bebcc0c721b926caa74fae6bfc42acbd194c4220f3e0e4edc5e325674be3f0773859f9ed40ad943a359058dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\VCRUNTIME140.dll
MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_bz2.pyd
MD5
fc0d862a854993e0e51c00dee3eec777

SHA1
20203332c6f7bd51f6a5acbbc9f677c930d0669d

SHA256
e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863

SHA512
b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_ctypes.pyd
MD5
8adb1345c717e575e6614e163eb62328

SHA1
f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3

SHA256
65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8

SHA512
0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_hashlib.pyd
MD5
5fa7c9d5e6068718c6010bbeb18fbeb3

SHA1
93e8875d6d0f943b4226e25452c2c7d63d22b790

SHA256
2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155

SHA512
3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_lzma.pyd
MD5
60e215bb78fb9a40352980f4de818814

SHA1
ff750858c3352081514e2ae0d200f3b8c3d40096

SHA256
c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806

SHA512
398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_portaudio.cp38-win_amd64.pyd
MD5
f7b8055f8d54b1ff8fe16bf86eee9d22

SHA1
8da2387d8e840d6eb34978a8343fee27d86ae100

SHA256
a35531c046271b4e0355e0d6d2844d886480b01220b71e4795263312f50beea6

SHA512
82cd75009b17719e477785040b6fa3372affdcea4b16ffb579a869f5353cb914b88ade612624f7c0d0d7e2b64edb3c92cc34c6a0306a5c2fd2829c67b3e2de0c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_queue.pyd
MD5
1fc2c6b80936efc502bfc30fc24caa56

SHA1
4e5b26ff3b225906c2b9e39e0f06126cfc43a257

SHA256
9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514

SHA512
d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_socket.pyd
MD5
1d53841bb21acdcc8742828c3aded891

SHA1
cdf15d4815820571684c1f720d0cba24129e79c8

SHA256
ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b

SHA512
0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_sqlite3.pyd
MD5
a3a0cb078aa4fc5d5a081be54745a4c9

SHA1
42b1873c4633f9a0288ce4ee44c50234c0f03e22

SHA256
e0ed20d5ae660a18bf60e907ba7f21013e04305aa67aa3b8b5a1cee9bd4dcd27

SHA512
ac6628bf3908c053362b8c840a7934d704413ae673702052b06d23d71995702d1c562e36a6bde3ad0170eb71a77f43d702ad71f74bc21a3d770f05b95be16f4e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\_ssl.pyd
MD5
84dea8d0acce4a707b094a3627b62eab

SHA1
d45dda99466ab08cc922e828729d0840ae2ddc18

SHA256
dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6

SHA512
fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\libssl-1_1.dll
MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\python38.dll
MD5
1f2688b97f9827f1de7dfedb4ad2348c

SHA1
a9650970d38e30835336426f704579e87fcfc892

SHA256
169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc

SHA512
27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\pythoncom38.dll
MD5
4f8818b15e4f1237748eaa870d7a3e38

SHA1
1baeca046a4bb9031e30be99d2333d93562c3bd9

SHA256
063d249851f457c8d5684943bee1c81d1c7810ce7e06469faef19898c556c8b5

SHA512
c9a6e3a03b2124e22fd179b5dc50d6d09ab51ac6d41390845c48508c7175ad4cd08599ee6e564158be3a375c40d88088dba50ca9cbcf8dba1c2480612f0f4539

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\pywintypes38.dll
MD5
306e8a0ca8c383a27ae00649cb1e5080

SHA1
25a4188ed099d45f092598c6ed119a41ef446672

SHA256
74565d7b4e01807eb146bf26cfeb7aa27029caca58fee7c394111cbd5fa95e2e

SHA512
3a61b826556c6cbbe56397cef9f0429bf366d453d6894327dcd6aeeaffb625b5fc82559a108b74612727100c5fff156ffa048d45fca149fe4437270e6293a763

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\select.pyd
MD5
a2ab334e18222738dcb05bf820725938

SHA1
2f75455a471f95ac814b8e4560a023034480b7b5

SHA256
7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7

SHA512
72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\sqlite3.dll
MD5
a2dbd94878af1bb29f8725a834696a60

SHA1
01c40f2949604183fb8c76fd5e7803009a83ce4d

SHA256
6af14006a4d732fc0c4bd44317457fca8c37d12ffcaf845790d3f57da75451fb

SHA512
6aad1e43e272b178127334c48925f69422ca9a4e6e4636e4c5a522a3b3690e0a715c1a3c400ec6962b6eeaac0ff2612208595d72747de3e286745eca90ee9953

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\unicodedata.pyd
MD5
549c9eeda8546cd32d0713c723abd12a

SHA1
f84b2c529cff58b888cc99f566fcd2eba6ff2b8e

SHA256
5d5e733397ef7c4946cf26c84b07312cb12eaf339374613d4381e694ef38169b

SHA512
9432daf045bac3e322b1797f49afe50f76faf8b7d8db063a1d56578016c813881af3324e2529032a8644a04b58ccc9d2c363bf92b56115f06b9eefebfab08180

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\win32api.pyd
MD5
511367f74dd035502f2dc895b6a752e7

SHA1
40e319f0ace8cf7c6d7c1fb3041c7d3d9f9787eb

SHA256
202dd28e5d0451f2c672a4537116c70929ca6bbc5edd9115ed8a99f734f430ff

SHA512
7ee506c35c8b3a54f6cc1cf40abe6672a86780ada82024c519498c1d30a1a045ff79bd5a34116258503241880722da87a361f4dfea2729af7f812bc54d723d20

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38762\win32gui.pyd
MD5
1180f5ff22a6953310bb3fdf76830b9b

SHA1
0ff147907e7cdab11e164891dfe2257b70c384e0

SHA256
42ed7a66402ab771d9b072c46eb9db315e4a93728cac31a1eb62cdfed2e966cc

SHA512
546731456ca8d5c8488da0ab238f50b58546f172f98eb6bb51a9a4ef6664d5886020eec44cc713f310fbec18c7cd8bac7cef15d742f7646b7537766782db76ff

Download Submit
memory/196-222-0x0000000000000000-mapping.dmp

Download
memory/208-153-0x0000000000000000-mapping.dmp

Download
memory/420-196-0x0000000000000000-mapping.dmp

Download
memory/748-215-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1168-155-0x0000000000000000-mapping.dmp

Download
memory/1236-208-0x0000000000000000-mapping.dmp

Download
memory/1328-185-0x0000000000000000-mapping.dmp

Download
memory/1344-194-0x0000000000000000-mapping.dmp

Download
memory/1372-200-0x0000000000000000-mapping.dmp

Download
memory/1380-202-0x0000000000000000-mapping.dmp

Download
memory/1512-190-0x0000000000000000-mapping.dmp

Download
memory/1576-229-0x0000000000000000-mapping.dmp

Download
memory/1740-209-0x0000000000000000-mapping.dmp

Download
memory/1764-211-0x0000000000000000-mapping.dmp

Download
memory/1828-228-0x0000000000000000-mapping.dmp

Download
memory/2032-193-0x0000000000000000-mapping.dmp

Download
memory/2068-204-0x0000000000000000-mapping.dmp

Download
memory/2140-188-0x0000000000000000-mapping.dmp

Download
memory/2156-210-0x0000000000000000-mapping.dmp

Download
memory/2160-206-0x0000000000000000-mapping.dmp

Download
memory/2168-214-0x0000000000000000-mapping.dmp

Download
memory/2224-205-0x0000000000000000-mapping.dmp

Download
memory/2264-218-0x0000000000000000-mapping.dmp

Download
memory/2268-195-0x0000000000000000-mapping.dmp

Download
memory/2280-192-0x0000000000000000-mapping.dmp

Download
memory/2284-154-0x0000000000000000-mapping.dmp

Download
memory/2308-230-0x0000000000000000-mapping.dmp

Download
memory/2352-223-0x0000000000000000-mapping.dmp

Download
memory/2368-198-0x0000000000000000-mapping.dmp

Download
memory/2388-187-0x0000000000000000-mapping.dmp

Download
memory/2424-191-0x0000000000000000-mapping.dmp

Download
memory/2448-114-0x0000000000000000-mapping.dmp

Download
memory/2512-203-0x0000000000000000-mapping.dmp

Download
memory/3016-225-0x0000000000000000-mapping.dmp

Download
memory/3092-231-0x0000000000000000-mapping.dmp

Download
memory/3124-199-0x0000000000000000-mapping.dmp

Download
memory/3144-183-0x0000000000000000-mapping.dmp

Download
memory/3196-197-0x0000000000000000-mapping.dmp

Download
memory/3204-216-0x0000000000000000-mapping.dmp

Download
memory/3288-221-0x0000000000000000-mapping.dmp

Download
memory/3524-224-0x0000000000000000-mapping.dmp

Download
memory/3528-226-0x0000000000000000-mapping.dmp

Download
memory/3544-232-0x0000000000000000-mapping.dmp

Download
memory/3544-219-0x0000000000000000-mapping.dmp

Download
memory/3544-201-0x0000000000000000-mapping.dmp

Download
memory/3588-220-0x0000000000000000-mapping.dmp

Download
memory/3728-156-0x0000000000000000-mapping.dmp

Download
memory/3744-217-0x0000000000000000-mapping.dmp

Download
memory/3808-186-0x0000000000000000-mapping.dmp

Download
memory/3856-212-0x0000000000000000-mapping.dmp

Download
memory/3892-227-0x0000000000000000-mapping.dmp

Download
memory/3908-207-0x0000000000000000-mapping.dmp

Download
memory/3932-213-0x0000000000000000-mapping.dmp

Download
memory/3940-189-0x0000000000000000-mapping.dmp

Download
memory/3992-184-0x0000000000000000-mapping.dmp

Download