ac86a4c56421cbe12257e2bf68d282f1309ea3d9fa96358938255708039d4cfa

Analysis

max time kernel
30s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Checkers GOOD/Bin checker V5.2/Gen.exe
Size

8.3MB
MD5

e26dba74134563a5923a324c982c815f
SHA1

b972cceb5e274709ba0f2026205422bdb6532fcf
SHA256

77310fc015a21162faaeb76d0b70078ea23178e2208fb92e39f2aae44aaed39b
SHA512

7bced0da84a5602e1dd3abf186074b44ace0d3481475039e3b8b67411751e170e824facbc8259fac92af23812ba68d5f4eebd85b741a6146f462f187d9bf6f37
SSDEEP

196608:zDypb7KX/HdpSEeNT9iBqcEOVc1tYPQksBq:yYXP+7ELVEtT

Score

9^/10

spyware stealer upx

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/4104-269-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/4104-272-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/4104-269-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/4104-272-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
4104	getPass.exe

Loads dropped DLL 19 IoCs

pid	Process
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe
3532	Gen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022fbd-133.dat	upx
behavioral1/files/0x0006000000022fbd-134.dat	upx
behavioral1/memory/3532-137-0x00007FF8D1530000-0x00007FF8D1B19000-memory.dmp	upx
behavioral1/files/0x0006000000022fb6-139.dat	upx
behavioral1/files/0x0006000000022fb6-140.dat	upx
behavioral1/files/0x0006000000022fb3-141.dat	upx
behavioral1/files/0x0006000000022fb3-142.dat	upx
behavioral1/files/0x0006000000022fb8-143.dat	upx
behavioral1/files/0x0006000000022fb8-144.dat	upx
behavioral1/files/0x0006000000022fc0-145.dat	upx
behavioral1/files/0x0006000000022fc0-146.dat	upx
behavioral1/files/0x0006000000022fba-147.dat	upx
behavioral1/files/0x0006000000022fba-148.dat	upx
behavioral1/files/0x0006000000022fbb-149.dat	upx
behavioral1/files/0x0006000000022fbc-150.dat	upx
behavioral1/files/0x0006000000022fbb-152.dat	upx
behavioral1/files/0x0006000000022fbb-153.dat	upx
behavioral1/files/0x0006000000022fbc-151.dat	upx
behavioral1/memory/3532-154-0x00007FF8DF850000-0x00007FF8DF87D000-memory.dmp	upx
behavioral1/memory/3532-155-0x00007FF8E4190000-0x00007FF8E41A9000-memory.dmp	upx
behavioral1/memory/3532-156-0x00007FF8E40F0000-0x00007FF8E4109000-memory.dmp	upx
behavioral1/memory/3532-157-0x00007FF8E92D0000-0x00007FF8E92DD000-memory.dmp	upx
behavioral1/memory/3532-160-0x00007FF8D1470000-0x00007FF8D1528000-memory.dmp	upx
behavioral1/files/0x0006000000022fb5-159.dat	upx
behavioral1/memory/3532-158-0x00007FF8DF730000-0x00007FF8DF75E000-memory.dmp	upx
behavioral1/memory/3532-161-0x00007FF8D0BA0000-0x00007FF8D0F15000-memory.dmp	upx
behavioral1/files/0x0006000000022fb5-163.dat	upx
behavioral1/files/0x0006000000022fb7-165.dat	upx
behavioral1/files/0x0006000000022fb7-164.dat	upx
behavioral1/files/0x0006000000022fb9-166.dat	upx
behavioral1/files/0x0006000000022fb9-167.dat	upx
behavioral1/files/0x0006000000022fc1-168.dat	upx
behavioral1/files/0x0006000000022fc1-169.dat	upx
behavioral1/files/0x0006000000022fae-170.dat	upx
behavioral1/files/0x0006000000022fae-171.dat	upx
behavioral1/files/0x0006000000022fc3-172.dat	upx
behavioral1/files/0x0006000000022fc3-173.dat	upx
behavioral1/files/0x0006000000022fbf-174.dat	upx
behavioral1/files/0x0006000000022fbf-175.dat	upx
behavioral1/memory/3532-178-0x00007FF8E59C0000-0x00007FF8E59CD000-memory.dmp	upx
behavioral1/memory/3532-176-0x00007FF8E0020000-0x00007FF8E0034000-memory.dmp	upx
behavioral1/memory/3532-180-0x00007FF8D7720000-0x00007FF8D7743000-memory.dmp	upx
behavioral1/memory/3532-181-0x00007FF8D1300000-0x00007FF8D1470000-memory.dmp	upx
behavioral1/memory/3532-182-0x00007FF8D0950000-0x00007FF8D0BA0000-memory.dmp	upx
behavioral1/memory/3532-183-0x00007FF8D7130000-0x00007FF8D715B000-memory.dmp	upx
behavioral1/memory/3532-184-0x00007FF8D7100000-0x00007FF8D712F000-memory.dmp	upx
behavioral1/files/0x0006000000022fc2-202.dat	upx
behavioral1/files/0x0006000000022fc2-201.dat	upx
behavioral1/memory/3532-205-0x00007FF8D11E0000-0x00007FF8D12FC000-memory.dmp	upx
behavioral1/files/0x0006000000022fb4-218.dat	upx
behavioral1/files/0x0006000000022fb4-216.dat	upx
behavioral1/memory/3532-227-0x00007FF8D1190000-0x00007FF8D11D3000-memory.dmp	upx
behavioral1/memory/3532-246-0x00007FF8D1530000-0x00007FF8D1B19000-memory.dmp	upx
behavioral1/memory/3532-254-0x00007FF8DF730000-0x00007FF8DF75E000-memory.dmp	upx
behavioral1/memory/3532-253-0x00007FF8E40F0000-0x00007FF8E4109000-memory.dmp	upx
behavioral1/memory/3532-255-0x00007FF8D1470000-0x00007FF8D1528000-memory.dmp	upx
behavioral1/memory/3532-257-0x00007FF8D0BA0000-0x00007FF8D0F15000-memory.dmp	upx
behavioral1/memory/3532-267-0x00007FF8D1300000-0x00007FF8D1470000-memory.dmp	upx
behavioral1/memory/3532-268-0x00007FF8D0950000-0x00007FF8D0BA0000-memory.dmp	upx
behavioral1/memory/3532-279-0x00007FF8D1530000-0x00007FF8D1B19000-memory.dmp	upx
behavioral1/memory/3532-280-0x00007FF8DF850000-0x00007FF8DF87D000-memory.dmp	upx
behavioral1/memory/3532-281-0x00007FF8E4190000-0x00007FF8E41A9000-memory.dmp	upx
behavioral1/memory/3532-282-0x00007FF8E40F0000-0x00007FF8E4109000-memory.dmp	upx
behavioral1/memory/3532-284-0x00007FF8E92D0000-0x00007FF8E92DD000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1788	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3228	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4116	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4048	powershell.exe
2336	powershell.exe
2336	powershell.exe
4048	powershell.exe
3724	powershell.exe
3724	powershell.exe
4840	powershell.exe
4840	powershell.exe
1724	powershell.exe
1652	powershell.exe
1724	powershell.exe
1724	powershell.exe
1652	powershell.exe
1652	powershell.exe
612	powershell.exe
612	powershell.exe
4104	getPass.exe
4104	getPass.exe
4104	getPass.exe
4104	getPass.exe
4852	powershell.exe
4852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: 36	2580	WMIC.exe
Token: SeDebugPrivilege	1788	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe
Token: SeUndockPrivilege	4960	WMIC.exe
Token: SeManageVolumePrivilege	4960	WMIC.exe
Token: 33	4960	WMIC.exe
Token: 34	4960	WMIC.exe
Token: 35	4960	WMIC.exe
Token: 36	4960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 3532	3988	Gen.exe	79
PID 3988 wrote to memory of 3532	3988	Gen.exe	79
PID 3532 wrote to memory of 4804	3532	Gen.exe	80
PID 3532 wrote to memory of 4804	3532	Gen.exe	80
PID 4804 wrote to memory of 1320	4804	cmd.exe	82
PID 4804 wrote to memory of 1320	4804	cmd.exe	82
PID 1320 wrote to memory of 3984	1320	net.exe	83
PID 1320 wrote to memory of 3984	1320	net.exe	83
PID 3532 wrote to memory of 1800	3532	Gen.exe	87
PID 3532 wrote to memory of 1800	3532	Gen.exe	87
PID 3532 wrote to memory of 1256	3532	Gen.exe	84
PID 3532 wrote to memory of 1256	3532	Gen.exe	84
PID 1800 wrote to memory of 4048	1800	cmd.exe	88
PID 1800 wrote to memory of 4048	1800	cmd.exe	88
PID 1256 wrote to memory of 2336	1256	cmd.exe	89
PID 1256 wrote to memory of 2336	1256	cmd.exe	89
PID 3532 wrote to memory of 32	3532	Gen.exe	90
PID 3532 wrote to memory of 32	3532	Gen.exe	90
PID 32 wrote to memory of 3724	32	cmd.exe	92
PID 32 wrote to memory of 3724	32	cmd.exe	92
PID 3532 wrote to memory of 4900	3532	Gen.exe	93
PID 3532 wrote to memory of 4900	3532	Gen.exe	93
PID 4900 wrote to memory of 4840	4900	cmd.exe	95
PID 4900 wrote to memory of 4840	4900	cmd.exe	95
PID 3532 wrote to memory of 4104	3532	Gen.exe	153
PID 3532 wrote to memory of 4104	3532	Gen.exe	153
PID 4104 wrote to memory of 4288	4104	getPass.exe	98
PID 4104 wrote to memory of 4288	4104	getPass.exe	98
PID 3532 wrote to memory of 912	3532	Gen.exe	102
PID 3532 wrote to memory of 912	3532	Gen.exe	102
PID 3532 wrote to memory of 1644	3532	Gen.exe	99
PID 3532 wrote to memory of 1644	3532	Gen.exe	99
PID 3532 wrote to memory of 996	3532	Gen.exe	103
PID 3532 wrote to memory of 996	3532	Gen.exe	103
PID 3532 wrote to memory of 3620	3532	Gen.exe	104
PID 3532 wrote to memory of 3620	3532	Gen.exe	104
PID 3532 wrote to memory of 4452	3532	Gen.exe	107
PID 3532 wrote to memory of 4452	3532	Gen.exe	107
PID 3532 wrote to memory of 1848	3532	Gen.exe	108
PID 3532 wrote to memory of 1848	3532	Gen.exe	108
PID 3532 wrote to memory of 1336	3532	Gen.exe	117
PID 3532 wrote to memory of 1336	3532	Gen.exe	117
PID 3532 wrote to memory of 5008	3532	Gen.exe	115
PID 3532 wrote to memory of 5008	3532	Gen.exe	115
PID 3532 wrote to memory of 1204	3532	Gen.exe	114
PID 3532 wrote to memory of 1204	3532	Gen.exe	114
PID 912 wrote to memory of 1724	912	cmd.exe	116
PID 912 wrote to memory of 1724	912	cmd.exe	116
PID 1644 wrote to memory of 3240	1644	cmd.exe	119
PID 1644 wrote to memory of 3240	1644	cmd.exe	119
PID 3620 wrote to memory of 1652	3620	cmd.exe	118
PID 3620 wrote to memory of 1652	3620	cmd.exe	118
PID 996 wrote to memory of 3596	996	cmd.exe	120
PID 996 wrote to memory of 3596	996	cmd.exe	120
PID 1848 wrote to memory of 2580	1848	cmd.exe	121
PID 1848 wrote to memory of 2580	1848	cmd.exe	121
PID 1336 wrote to memory of 1788	1336	cmd.exe	122
PID 1336 wrote to memory of 1788	1336	cmd.exe	122
PID 1204 wrote to memory of 4960	1204	cmd.exe	124
PID 1204 wrote to memory of 4960	1204	cmd.exe	124
PID 5008 wrote to memory of 3228	5008	cmd.exe	123
PID 5008 wrote to memory of 3228	5008	cmd.exe	123
PID 3532 wrote to memory of 2548	3532	Gen.exe	129
PID 3532 wrote to memory of 2548	3532	Gen.exe	129

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4288	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe
"C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe
  "C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\_MEI39882'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\_MEI39882'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s 'C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe'"
    3⤵
    PID:4104
  - - C:\Windows\system32\attrib.exe
      attrib +h +s 'C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe'
      4⤵
      Views/modifies file attributes
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\getPass'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"
    3⤵
    PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3304
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"
    3⤵
    PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "where /r . *.sqlite"
    3⤵
    PID:2548
  - - C:\Windows\system32\where.exe
      where /r . *.sqlite
      4⤵
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2160
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5092
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:32
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getPass.exe /stext pass.txt"
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\_MEI39882\getPass.exe
      getPass.exe /stext pass.txt
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\Checkers GOOD\Bin checker V5.2\Gen.exe""
    3⤵
    PID:1744
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44af09c7d32f5d0a1db5bbd8a08c3808

SHA1
e13357e3f28407a02f570e4f6236757827c9a0d8

SHA256
4d53b259bb8965dc1b5116c1b45a8969ba41cef986d35eb22b357dcdb7757214

SHA512
3ef25a066f38fb42fc28a344a72649802dc9cbfa29023504251f469ebdb581018bfd51e8ebea1ed6ced0060f6ea0591bcc3826f67d8cb7808e5e688497b96f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50b916e9e6f01388135646888fec8e43

SHA1
4b959d21855d4ac5f9da636fcd603448d4ba2dff

SHA256
d3a824c9c90dbec26560eece15647259d6f57817a3cc3d9c6a0cc0055c88942e

SHA512
611acf2d1fedede2cef0a6307334ee6afd04a2d9ae7fed7a44283f699a52bb7ff0d028470350a9884e446be6bd46d5c56a31c91d3d66a427a6c095a0fba71eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50b916e9e6f01388135646888fec8e43

SHA1
4b959d21855d4ac5f9da636fcd603448d4ba2dff

SHA256
d3a824c9c90dbec26560eece15647259d6f57817a3cc3d9c6a0cc0055c88942e

SHA512
611acf2d1fedede2cef0a6307334ee6afd04a2d9ae7fed7a44283f699a52bb7ff0d028470350a9884e446be6bd46d5c56a31c91d3d66a427a6c095a0fba71eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\PIL\_imaging.cp311-win_amd64.pyd

Filesize
730KB

MD5
da57b5290f0ef336e62b1c114566bd16

SHA1
3c2ee897c64175de2bcccaf9ccc8662ff57d8cca

SHA256
5bd2e9f39cf29737a65b460b9df0004073b9698219427bde1318e4b49cfe0999

SHA512
eacbe9da0726d3840a96e012ddc500502fc42657c6d4265ad1ee72185973795ffdb5f4fea986bc1d3f1c03ddcdf9705a22fe14999629c28c2dc638062c4aa17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\PIL\_imaging.cp311-win_amd64.pyd

Filesize
730KB

MD5
da57b5290f0ef336e62b1c114566bd16

SHA1
3c2ee897c64175de2bcccaf9ccc8662ff57d8cca

SHA256
5bd2e9f39cf29737a65b460b9df0004073b9698219427bde1318e4b49cfe0999

SHA512
eacbe9da0726d3840a96e012ddc500502fc42657c6d4265ad1ee72185973795ffdb5f4fea986bc1d3f1c03ddcdf9705a22fe14999629c28c2dc638062c4aa17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_bz2.pyd

Filesize
46KB

MD5
bc041500b58c6437e73fe096d050d2f3

SHA1
852205bcc3ff9f8e897747559be166d179caafad

SHA256
a1a19e4e4de86d10087b413e7b7d9bd6bcd73b3770a25cccf75dc2d79c295ef7

SHA512
c29de529e2f56be7d309da63d86a2d23e124ca41bf9d83aab663d844e67eecc4bc3e7ce379ff0ca6e03f0756cf84a7ad66e6cc924eac0eae7851adc2dedf5fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_bz2.pyd

Filesize
46KB

MD5
bc041500b58c6437e73fe096d050d2f3

SHA1
852205bcc3ff9f8e897747559be166d179caafad

SHA256
a1a19e4e4de86d10087b413e7b7d9bd6bcd73b3770a25cccf75dc2d79c295ef7

SHA512
c29de529e2f56be7d309da63d86a2d23e124ca41bf9d83aab663d844e67eecc4bc3e7ce379ff0ca6e03f0756cf84a7ad66e6cc924eac0eae7851adc2dedf5fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_decimal.pyd

Filesize
104KB

MD5
36db4b6bd5acbfa193cfb9a01296c951

SHA1
307e856ed352aaa79dba0567501a6c1973c4d155

SHA256
de0b285502c52f28580c3af1a826ed5f598a4f7cbe4ce62918f38ef17e50efa9

SHA512
2a6878680ed94b5e2b576f332145ceecbd8ba6039611f0a80d32fb420dfe523f1bdefe4eb3452a8f45f80910a64c96be40559a5f0b43e684c4f7db45febe099c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_decimal.pyd

Filesize
104KB

MD5
36db4b6bd5acbfa193cfb9a01296c951

SHA1
307e856ed352aaa79dba0567501a6c1973c4d155

SHA256
de0b285502c52f28580c3af1a826ed5f598a4f7cbe4ce62918f38ef17e50efa9

SHA512
2a6878680ed94b5e2b576f332145ceecbd8ba6039611f0a80d32fb420dfe523f1bdefe4eb3452a8f45f80910a64c96be40559a5f0b43e684c4f7db45febe099c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_hashlib.pyd

Filesize
33KB

MD5
707ebd302ea59a2113fd603502f2e751

SHA1
dd4487daae5cc410785f6f611dd7c0ef579a683b

SHA256
a78dba08b85c7a98676b677ffe458a5bfc7e8fab07caccd5824ae6a898a7a884

SHA512
f45ad9ec6df5aab380ef4022af3b86f5a2f53a033c4c3b0654b169a705b4c3f4d23651bbc255c5d7fcbbcfe7f06d94e5e4e29ab3f57643d602b3be84e0ec29e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_hashlib.pyd

Filesize
33KB

MD5
707ebd302ea59a2113fd603502f2e751

SHA1
dd4487daae5cc410785f6f611dd7c0ef579a683b

SHA256
a78dba08b85c7a98676b677ffe458a5bfc7e8fab07caccd5824ae6a898a7a884

SHA512
f45ad9ec6df5aab380ef4022af3b86f5a2f53a033c4c3b0654b169a705b4c3f4d23651bbc255c5d7fcbbcfe7f06d94e5e4e29ab3f57643d602b3be84e0ec29e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_lzma.pyd

Filesize
84KB

MD5
1cc5f14b3177ca794f103615d678ec71

SHA1
d63ebfe06392b2aa2be78cd86fef31e06490f174

SHA256
d4ac9bd1975e47c64217b478849268ef50b5a543967ce3c0a159cb3ead30a72e

SHA512
3437b20be74499773e0ce780134ebb9c8a5c080432789e6ca7efb41f00138d01aef98006b3dd20c58722ea750cadbcd376b3ca2fae9f040f37164a67d375b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_lzma.pyd

Filesize
84KB

MD5
1cc5f14b3177ca794f103615d678ec71

SHA1
d63ebfe06392b2aa2be78cd86fef31e06490f174

SHA256
d4ac9bd1975e47c64217b478849268ef50b5a543967ce3c0a159cb3ead30a72e

SHA512
3437b20be74499773e0ce780134ebb9c8a5c080432789e6ca7efb41f00138d01aef98006b3dd20c58722ea750cadbcd376b3ca2fae9f040f37164a67d375b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_queue.pyd

Filesize
24KB

MD5
d2a8cd7b5a9a2a122ce6bb52dd8fb2c2

SHA1
f40608154a06f6565c0e2707050a276006768931

SHA256
bef919b90490e2a173781d6866b7710fd04639049a389faa3fbef49c26adc5dc

SHA512
8d7e7137a0f63b806c4f3f29573057c499ea9232153258c27d0c501dfce101d479030c7294dcb80ccd1cb7bc99170144c1e91413308b7d132c43e2a2312c59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_queue.pyd

Filesize
24KB

MD5
d2a8cd7b5a9a2a122ce6bb52dd8fb2c2

SHA1
f40608154a06f6565c0e2707050a276006768931

SHA256
bef919b90490e2a173781d6866b7710fd04639049a389faa3fbef49c26adc5dc

SHA512
8d7e7137a0f63b806c4f3f29573057c499ea9232153258c27d0c501dfce101d479030c7294dcb80ccd1cb7bc99170144c1e91413308b7d132c43e2a2312c59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_socket.pyd

Filesize
41KB

MD5
f6c396d6fe2b999a575fb65309769bc3

SHA1
102acdf2fa964342ad2d5b96a5adee99110a3bb4

SHA256
6ab66517e2e1c885bf05dd3d9141f55665aa9825d4d320ffce6930574464ff59

SHA512
0cecce5e1bedc03d84715f151f95ab4375f279188998dc71db0bcf2a0afa36ff5ee6dfbd69c57195fff520d780e98c508451f8c7a94b77ca2c836bdb9fca6e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_socket.pyd

Filesize
41KB

MD5
f6c396d6fe2b999a575fb65309769bc3

SHA1
102acdf2fa964342ad2d5b96a5adee99110a3bb4

SHA256
6ab66517e2e1c885bf05dd3d9141f55665aa9825d4d320ffce6930574464ff59

SHA512
0cecce5e1bedc03d84715f151f95ab4375f279188998dc71db0bcf2a0afa36ff5ee6dfbd69c57195fff520d780e98c508451f8c7a94b77ca2c836bdb9fca6e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_sqlite3.pyd

Filesize
54KB

MD5
34b0e812657d425548113a27d97ae0fc

SHA1
6632b6d532a2662051ad72f8da81bfec26acbac1

SHA256
2679a5e558c45aaf7e3936fd112682934707b668860c4ff962a446cf8c4f6e21

SHA512
0777ac0fb77419a6867d90818cbaf2d9abca86cbddc6a43c7298b4343bdd5a04e7cbe9f9a1ea50ae8211c744ad5977f27a4afd5a66b684f92f73e1fc61c4dccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_sqlite3.pyd

Filesize
54KB

MD5
34b0e812657d425548113a27d97ae0fc

SHA1
6632b6d532a2662051ad72f8da81bfec26acbac1

SHA256
2679a5e558c45aaf7e3936fd112682934707b668860c4ff962a446cf8c4f6e21

SHA512
0777ac0fb77419a6867d90818cbaf2d9abca86cbddc6a43c7298b4343bdd5a04e7cbe9f9a1ea50ae8211c744ad5977f27a4afd5a66b684f92f73e1fc61c4dccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_ssl.pyd

Filesize
60KB

MD5
27b6c55dad77537ae6c4010443966eb6

SHA1
ecf5a88e9ad7a5f1b3872378e6ec2185d2494301

SHA256
ce587323d681009c10526ce6aea671f4bfa3293cb839096f9e34751e31f374c8

SHA512
e4ccc3632c53baad9d340ec865fcc8d5143a8e16220849d71c28080fdf092356d1429b0d48ae4eb54720ec69bcce815e2744325535cc9cc51e720dc5886db44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\_ssl.pyd

Filesize
60KB

MD5
27b6c55dad77537ae6c4010443966eb6

SHA1
ecf5a88e9ad7a5f1b3872378e6ec2185d2494301

SHA256
ce587323d681009c10526ce6aea671f4bfa3293cb839096f9e34751e31f374c8

SHA512
e4ccc3632c53baad9d340ec865fcc8d5143a8e16220849d71c28080fdf092356d1429b0d48ae4eb54720ec69bcce815e2744325535cc9cc51e720dc5886db44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\base_library.zip

Filesize
1.7MB

MD5
c6b150f2eca4eec01765bdae9a78e097

SHA1
1eaf2a18863af05d4f8183978ea6ecadd21ed3de

SHA256
b8e074772e3f8203de0e4313ac274de4d4e5b5e847a3fe3dc4171413ea2a4502

SHA512
697cdcd1f23cf67683836cca593df643f3f2d3f139fdbf86bf990bd7c29a6721d8199fbff491cb234d2fb65bcd4f32f07796b8b522b895a52095d17628beb846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\config.json

Filesize
138B

MD5
17578596cd89902c4cf56cdbe42674ef

SHA1
296d0845ff06ef477d8f723941e97b33a422e624

SHA256
4cf60267ac2edb22b5403500c173b66709de7b7997bf61098e2450e5861ec073

SHA512
cdc50a728d9fbba69fab0b68157fc379f1029d03d79ae40d41e8ec2146cbd563561f2690f98926efb1f7033f7e07a45e3f4218e4b6daa3b89fa8e3dfca69fa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\getPass

Filesize
209KB

MD5
a0ab52d2a84dc59351b8b80ab0ee25c5

SHA1
5bb82ab6c10e239a3b46c722903a14995b541d44

SHA256
1c43bcad4652a12f27664459a8f6b04e69ebb630f5cd6b6c610e98fc1664c813

SHA512
d9e351605e86c290beea37b5a7c3e1499dd12ca169543e8e0bdd67fcd0be75166d3d35f7ce1cd208297674510ae577471d401c2f0546dd23fd03d2ac0b666e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\getPass.exe

Filesize
209KB

MD5
459c755800f6394bfced303c0f9002d0

SHA1
710ab70b5498c0b2094997cb63898475af859388

SHA256
2155b81fb8e4fb169bbdce891d542edd5be8cf14748a6e6e7d03edb28d5efc42

SHA512
b4258b05709d4163210f28fc1bbc4935e9b681c65c48f3255842cf46f07fa34889f50593f8497113ec97e47271da1d6b13048fe70435219b3f7f48910225a2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\getPass.exe

Filesize
209KB

MD5
459c755800f6394bfced303c0f9002d0

SHA1
710ab70b5498c0b2094997cb63898475af859388

SHA256
2155b81fb8e4fb169bbdce891d542edd5be8cf14748a6e6e7d03edb28d5efc42

SHA512
b4258b05709d4163210f28fc1bbc4935e9b681c65c48f3255842cf46f07fa34889f50593f8497113ec97e47271da1d6b13048fe70435219b3f7f48910225a2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\injection-obfuscated.js

Filesize
32KB

MD5
f421db9f34f345d816206f6554d11c29

SHA1
ecfc28673328191acbfaa1aa6e7588963e9da04c

SHA256
b99e8f5b7f4f7adfba03ea429478a2b21ff4fe481e8820768ab4f04ba8e5b3ba

SHA512
b29a302a372c0d352bfde27d14dbd5ac3f5a438371ee2c9cafb6030a47209b706c9bae65ade55d23c4114ce63204ff003e27059bf9a99cc731b80b2288c33905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
c702b01b9d16f58ad711bf53c0c73203

SHA1
dc6bb8e20c3e243cc342bbbd6605d3ae2ae8ae5b

SHA256
49363cba6a25b49a29c6add58258e9feb1c9531460f2716d463ab364d15120e1

SHA512
603d710eb21e2844739edcc9b6d2b0d7193cdbc9b9efe87c748c17fdc88fa66bc3fdae2dca83a42a17d91c4fdf571f93f5cc7cd15004f7cb0695d0130813aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
c702b01b9d16f58ad711bf53c0c73203

SHA1
dc6bb8e20c3e243cc342bbbd6605d3ae2ae8ae5b

SHA256
49363cba6a25b49a29c6add58258e9feb1c9531460f2716d463ab364d15120e1

SHA512
603d710eb21e2844739edcc9b6d2b0d7193cdbc9b9efe87c748c17fdc88fa66bc3fdae2dca83a42a17d91c4fdf571f93f5cc7cd15004f7cb0695d0130813aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
c702b01b9d16f58ad711bf53c0c73203

SHA1
dc6bb8e20c3e243cc342bbbd6605d3ae2ae8ae5b

SHA256
49363cba6a25b49a29c6add58258e9feb1c9531460f2716d463ab364d15120e1

SHA512
603d710eb21e2844739edcc9b6d2b0d7193cdbc9b9efe87c748c17fdc88fa66bc3fdae2dca83a42a17d91c4fdf571f93f5cc7cd15004f7cb0695d0130813aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libssl-1_1.dll

Filesize
203KB

MD5
eed3b4ac7fca65d8681cf703c71ea8de

SHA1
d50358d55cd49623bf4267dbee154b0cdb796931

SHA256
45c7be6f6958db81d9c0dacf2b63a2c4345d178a367cd33bbbb8f72ac765e73f

SHA512
df85605bc9f535bd736cafc7be236895f0a3a99cf1b45c1f2961c855d161bcb530961073d0360a5e9f1e72f7f6a632ce58760b0a4111c74408e3fcc7bfa41edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\libssl-1_1.dll

Filesize
203KB

MD5
eed3b4ac7fca65d8681cf703c71ea8de

SHA1
d50358d55cd49623bf4267dbee154b0cdb796931

SHA256
45c7be6f6958db81d9c0dacf2b63a2c4345d178a367cd33bbbb8f72ac765e73f

SHA512
df85605bc9f535bd736cafc7be236895f0a3a99cf1b45c1f2961c855d161bcb530961073d0360a5e9f1e72f7f6a632ce58760b0a4111c74408e3fcc7bfa41edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\pass.txt

Filesize
4KB

MD5
07c14121728256ad56b1ef039a28e4a6

SHA1
0f39e1e02cd5e2b1b22d9e5470757ae13fe96738

SHA256
8d46702077d776b04085cbe5ce2f0e5971595ea4e11b025a215c4379e7fc18f8

SHA512
03d9113095e7b6143c4f99b131462fa451a9c2d7e841461603dace64bd6d525cb63d074384d2b3ff285a7183116f1715138beeb756fced9a6b1ad6fde36d4789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\python311.dll

Filesize
1.6MB

MD5
109e26bea83e7cd897d296c803502722

SHA1
d6c7fce09407b993207f5522fa6db0fd1aad8b22

SHA256
4834d101c620e32e059ba73cf13f53252c48b9326b9342cb1aa9da0a5b329e24

SHA512
b553a151d1fa81e578da83793eed8aa14862a91772cec16caef00b196c33b2f905beb7342c2d876306b068573be1ce543fac653d1177a1605e27a54ee1354cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\python311.dll

Filesize
1.6MB

MD5
109e26bea83e7cd897d296c803502722

SHA1
d6c7fce09407b993207f5522fa6db0fd1aad8b22

SHA256
4834d101c620e32e059ba73cf13f53252c48b9326b9342cb1aa9da0a5b329e24

SHA512
b553a151d1fa81e578da83793eed8aa14862a91772cec16caef00b196c33b2f905beb7342c2d876306b068573be1ce543fac653d1177a1605e27a54ee1354cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\pywin32_system32\pywintypes311.dll

Filesize
61KB

MD5
ba9a2334567d7cfa62b09e3ae1b975c1

SHA1
97eaa4d70a8088f978f23d0ca0da80920001da61

SHA256
639da13941becea3367632e3b1de46cb864bd7774cfefb4d5bc9a03831c3c656

SHA512
561adae64ac11ae28ead424931996438264bbaaeddd21757bbe01c17b1c41e99c6e509b881891ece78f09d3590783d00fb1fcab29e9d12b681ed7d1877dc5809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\pywin32_system32\pywintypes311.dll

Filesize
61KB

MD5
ba9a2334567d7cfa62b09e3ae1b975c1

SHA1
97eaa4d70a8088f978f23d0ca0da80920001da61

SHA256
639da13941becea3367632e3b1de46cb864bd7774cfefb4d5bc9a03831c3c656

SHA512
561adae64ac11ae28ead424931996438264bbaaeddd21757bbe01c17b1c41e99c6e509b881891ece78f09d3590783d00fb1fcab29e9d12b681ed7d1877dc5809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\select.pyd

Filesize
24KB

MD5
880b5f3e02c70698647793c8b0ed563c

SHA1
d67d3b8e2cfbb9abeed7226f4c72f48ede7437f9

SHA256
8b03b7aada480f262d5c8802ac09842933c6502120e48b12ef9cb01b1fff4e14

SHA512
cfe222935aebdd9cb9236baa54e5eb7bef18bf6d8783fd58eab2717ec657c06ecd204d6a47373dadcb2bdc7e8552cb804397ac20cf3a7063e1073b91dcd0358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\select.pyd

Filesize
24KB

MD5
880b5f3e02c70698647793c8b0ed563c

SHA1
d67d3b8e2cfbb9abeed7226f4c72f48ede7437f9

SHA256
8b03b7aada480f262d5c8802ac09842933c6502120e48b12ef9cb01b1fff4e14

SHA512
cfe222935aebdd9cb9236baa54e5eb7bef18bf6d8783fd58eab2717ec657c06ecd204d6a47373dadcb2bdc7e8552cb804397ac20cf3a7063e1073b91dcd0358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\sqlite3.dll

Filesize
606KB

MD5
5d4c95af31caed6fc4ebd82092e0a744

SHA1
caf9e1d55988ebe2bf90ced9bad5637bebb857b1

SHA256
24127a86a271c28df9dd086305153bd34294cd0586352b416b7e77d59966930e

SHA512
52cf13c9fe035dc29cb770b915f77029910af003daeb37e8355f09347415309d0ae57e53a940de6ae63cc1422360bac279970f186c17f3c692d9c9184af0d0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\sqlite3.dll

Filesize
606KB

MD5
5d4c95af31caed6fc4ebd82092e0a744

SHA1
caf9e1d55988ebe2bf90ced9bad5637bebb857b1

SHA256
24127a86a271c28df9dd086305153bd34294cd0586352b416b7e77d59966930e

SHA512
52cf13c9fe035dc29cb770b915f77029910af003daeb37e8355f09347415309d0ae57e53a940de6ae63cc1422360bac279970f186c17f3c692d9c9184af0d0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\unicodedata.pyd

Filesize
294KB

MD5
1eb616d4935d240d14cc4903923c5a08

SHA1
19433560376b2930cf60013a48b0e84ae1976e58

SHA256
76505e4c2f334994a740a9caf9fc7602e3fd48efa33b1232616e86800ae0208a

SHA512
76b98f46ff4d46215406811bec23134f943e31714ab63884bea3880f9acebc253d83fd654e565d1d163af8b5132ce017133832e9d6247ecaa6bf7f33db7b1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\unicodedata.pyd

Filesize
294KB

MD5
1eb616d4935d240d14cc4903923c5a08

SHA1
19433560376b2930cf60013a48b0e84ae1976e58

SHA256
76505e4c2f334994a740a9caf9fc7602e3fd48efa33b1232616e86800ae0208a

SHA512
76b98f46ff4d46215406811bec23134f943e31714ab63884bea3880f9acebc253d83fd654e565d1d163af8b5132ce017133832e9d6247ecaa6bf7f33db7b1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\win32crypt.pyd

Filesize
51KB

MD5
648c94af1d33b888a941716e898a5242

SHA1
9991e2e5617a45b9bb5d8253485ef604be739b9a

SHA256
b9a86f9f4c1d5b8da928fdb18a0568510bbefd6fbfd4d0cb28a52c47ed5d9db7

SHA512
2ff4bdf3293edb8c58b39c246ce858e130838de6b2abcfb98b50396faef4990a54b31c0dc9c27f54f0445557df706769ce44752f7a97b816f2b45dcf5d938ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39882\win32crypt.pyd

Filesize
51KB

MD5
648c94af1d33b888a941716e898a5242

SHA1
9991e2e5617a45b9bb5d8253485ef604be739b9a

SHA256
b9a86f9f4c1d5b8da928fdb18a0568510bbefd6fbfd4d0cb28a52c47ed5d9db7

SHA512
2ff4bdf3293edb8c58b39c246ce858e130838de6b2abcfb98b50396faef4990a54b31c0dc9c27f54f0445557df706769ce44752f7a97b816f2b45dcf5d938ed2

Download Submit
memory/612-265-0x00007FF8CFD60000-0x00007FF8D0821000-memory.dmp

Filesize
10.8MB

Download
memory/1652-230-0x00007FF8CFD60000-0x00007FF8D0821000-memory.dmp

Filesize
10.8MB

Download
memory/1652-245-0x00007FF8CFD60000-0x00007FF8D0821000-memory.dmp

Filesize
10.8MB

Download
memory/1724-244-0x00007FF8CFD60000-0x00007FF8D0821000-memory.dmp

Filesize
10.8MB

Download
memory/1724-232-0x00007FF8CFD60000-0x00007FF8D0821000-memory.dmp

Filesize
10.8MB

Download
memory/2336-196-0x00007FF8CFE80000-0x00007FF8D0941000-memory.dmp

Filesize
10.8MB

Download
memory/3532-253-0x00007FF8E40F0000-0x00007FF8E4109000-memory.dmp

Filesize
100KB

Download
memory/3532-259-0x00000271D4860000-0x00000271D4BD5000-memory.dmp

Filesize
3.5MB

Download
memory/3532-296-0x00007FF8D7100000-0x00007FF8D712F000-memory.dmp

Filesize
188KB

Download
memory/3532-156-0x00007FF8E40F0000-0x00007FF8E4109000-memory.dmp

Filesize
100KB

Download
memory/3532-295-0x00007FF8D7130000-0x00007FF8D715B000-memory.dmp

Filesize
172KB

Download
memory/3532-157-0x00007FF8E92D0000-0x00007FF8E92DD000-memory.dmp

Filesize
52KB

Download
memory/3532-227-0x00007FF8D1190000-0x00007FF8D11D3000-memory.dmp

Filesize
268KB

Download
memory/3532-294-0x00007FF8D0950000-0x00007FF8D0BA0000-memory.dmp

Filesize
2.3MB

Download
memory/3532-292-0x00007FF8D11E0000-0x00007FF8D12FC000-memory.dmp

Filesize
1.1MB

Download
memory/3532-205-0x00007FF8D11E0000-0x00007FF8D12FC000-memory.dmp

Filesize
1.1MB

Download
memory/3532-293-0x00007FF8D1190000-0x00007FF8D11D3000-memory.dmp

Filesize
268KB

Download
memory/3532-290-0x00007FF8D7720000-0x00007FF8D7743000-memory.dmp

Filesize
140KB

Download
memory/3532-154-0x00007FF8DF850000-0x00007FF8DF87D000-memory.dmp

Filesize
180KB

Download
memory/3532-291-0x00007FF8D1300000-0x00007FF8D1470000-memory.dmp

Filesize
1.4MB

Download
memory/3532-268-0x00007FF8D0950000-0x00007FF8D0BA0000-memory.dmp

Filesize
2.3MB

Download
memory/3532-267-0x00007FF8D1300000-0x00007FF8D1470000-memory.dmp

Filesize
1.4MB

Download
memory/3532-160-0x00007FF8D1470000-0x00007FF8D1528000-memory.dmp

Filesize
736KB

Download
memory/3532-289-0x00007FF8E59C0000-0x00007FF8E59CD000-memory.dmp

Filesize
52KB

Download
memory/3532-287-0x00007FF8D0BA0000-0x00007FF8D0F15000-memory.dmp

Filesize
3.5MB

Download
memory/3532-288-0x00007FF8E0020000-0x00007FF8E0034000-memory.dmp

Filesize
80KB

Download
memory/3532-286-0x00007FF8D1470000-0x00007FF8D1528000-memory.dmp

Filesize
736KB

Download
memory/3532-285-0x00007FF8DF730000-0x00007FF8DF75E000-memory.dmp

Filesize
184KB

Download
memory/3532-284-0x00007FF8E92D0000-0x00007FF8E92DD000-memory.dmp

Filesize
52KB

Download
memory/3532-282-0x00007FF8E40F0000-0x00007FF8E4109000-memory.dmp

Filesize
100KB

Download
memory/3532-158-0x00007FF8DF730000-0x00007FF8DF75E000-memory.dmp

Filesize
184KB

Download
memory/3532-246-0x00007FF8D1530000-0x00007FF8D1B19000-memory.dmp

Filesize
5.9MB

Download
memory/3532-184-0x00007FF8D7100000-0x00007FF8D712F000-memory.dmp

Filesize
188KB

Download
memory/3532-281-0x00007FF8E4190000-0x00007FF8E41A9000-memory.dmp

Filesize
100KB

Download
memory/3532-183-0x00007FF8D7130000-0x00007FF8D715B000-memory.dmp

Filesize
172KB

Download
memory/3532-182-0x00007FF8D0950000-0x00007FF8D0BA0000-memory.dmp

Filesize
2.3MB

Download
memory/3532-181-0x00007FF8D1300000-0x00007FF8D1470000-memory.dmp

Filesize
1.4MB

Download
memory/3532-280-0x00007FF8DF850000-0x00007FF8DF87D000-memory.dmp

Filesize
180KB

Download
memory/3532-254-0x00007FF8DF730000-0x00007FF8DF75E000-memory.dmp

Filesize
184KB

Download
memory/3532-255-0x00007FF8D1470000-0x00007FF8D1528000-memory.dmp

Filesize
736KB

Download
memory/3532-180-0x00007FF8D7720000-0x00007FF8D7743000-memory.dmp

Filesize
140KB

Download
memory/3532-257-0x00007FF8D0BA0000-0x00007FF8D0F15000-memory.dmp

Filesize
3.5MB

Download
memory/3532-155-0x00007FF8E4190000-0x00007FF8E41A9000-memory.dmp

Filesize
100KB

Download
memory/3532-176-0x00007FF8E0020000-0x00007FF8E0034000-memory.dmp

Filesize
80KB

Download
memory/3532-279-0x00007FF8D1530000-0x00007FF8D1B19000-memory.dmp

Filesize
5.9MB

Download
memory/3532-178-0x00007FF8E59C0000-0x00007FF8E59CD000-memory.dmp

Filesize
52KB

Download
memory/3532-137-0x00007FF8D1530000-0x00007FF8D1B19000-memory.dmp

Filesize
5.9MB

Download
memory/3532-162-0x00000271D4860000-0x00000271D4BD5000-memory.dmp

Filesize
3.5MB

Download
memory/3532-161-0x00007FF8D0BA0000-0x00007FF8D0F15000-memory.dmp

Filesize
3.5MB

Download
memory/3724-198-0x00007FF8CFE80000-0x00007FF8D0941000-memory.dmp

Filesize
10.8MB

Download
memory/3724-200-0x00007FF8CFE80000-0x00007FF8D0941000-memory.dmp

Filesize
10.8MB

Download
memory/4048-275-0x00007FF8CFE80000-0x00007FF8D0941000-memory.dmp

Filesize
10.8MB

Download
memory/4048-195-0x00007FF8CFE80000-0x00007FF8D0941000-memory.dmp

Filesize
10.8MB

Download
memory/4048-191-0x0000016D1A7E0000-0x0000016D1A802000-memory.dmp

Filesize
136KB

Download
memory/4104-269-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4104-272-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4840-207-0x00007FF8CFD10000-0x00007FF8D07D1000-memory.dmp

Filesize
10.8MB

Download
memory/4852-277-0x00007FF8CFD00000-0x00007FF8D07C1000-memory.dmp

Filesize
10.8MB

Download