njrat | 8b136d1e7c3b63ba93a1280f3d0456d1c4567e5ba5bfdbc610f0fa34385ab42c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload123.exe
Size

9.4MB
MD5

8f6886e05bafba931c4b003c24123604
SHA1

603d46eae1f1125ead48daa189f9198d972f6354
SHA256

8b136d1e7c3b63ba93a1280f3d0456d1c4567e5ba5bfdbc610f0fa34385ab42c
SHA512

23d59f892c3fe82d1a595585c584baaf57e05b9bac05621bbc9c6c0b3efbc845d3340bd7c3a83021496acfa98a3006e373899c74ae6224353be4929a20b836e7
SSDEEP

196608:ocLXDsDsjJfOD0jIvdYK2Gvxh7H/I8OaOEUzijB6lXYW:ouDsDUvkT2Eh7H/PnOEU/Y

Score

10^/10

njrat victim persistence pyinstaller trojan upx

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Victim

even-house.at.ply.gg:40766

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	payload123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	ddddddddddddddddddddddddddddddd.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	ddddddddddddddddddddddddddddddd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe

Executes dropped EXE 5 IoCs

pid	Process
228	ddddddddddddddddddddddddddddddd.exe
3632	Built.exe
964	Built.exe
2728	Mixcraft9-64Bit-installer.exe
2440	Payload.exe

Loads dropped DLL 20 IoCs

pid	Process
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe
964	Built.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002319b-253.dat	upx
behavioral2/files/0x000600000002319b-264.dat	upx
behavioral2/files/0x000600000002319f-272.dat	upx
behavioral2/memory/964-271-0x00007FFF4C440000-0x00007FFF4CA29000-memory.dmp	upx
behavioral2/files/0x000600000002319f-273.dat	upx
behavioral2/files/0x0006000000023199-276.dat	upx
behavioral2/files/0x000600000002316c-278.dat	upx
behavioral2/files/0x000600000002316c-279.dat	upx
behavioral2/files/0x0006000000023168-281.dat	upx
behavioral2/files/0x000600000002316f-283.dat	upx
behavioral2/files/0x000600000002319e-284.dat	upx
behavioral2/files/0x000600000002319e-285.dat	upx
behavioral2/files/0x000600000002316f-282.dat	upx
behavioral2/files/0x0006000000023168-280.dat	upx
behavioral2/files/0x000600000002316e-286.dat	upx
behavioral2/files/0x000600000002319d-289.dat	upx
behavioral2/files/0x0006000000023198-292.dat	upx
behavioral2/files/0x000600000002319a-294.dat	upx
behavioral2/files/0x0006000000023198-297.dat	upx
behavioral2/files/0x0006000000023198-296.dat	upx
behavioral2/files/0x000600000002319a-293.dat	upx
behavioral2/files/0x000600000002316d-300.dat	upx
behavioral2/files/0x0006000000023163-302.dat	upx
behavioral2/files/0x0006000000023163-303.dat	upx
behavioral2/memory/964-314-0x00007FFF5DC20000-0x00007FFF5DC34000-memory.dmp	upx
behavioral2/memory/964-315-0x00007FFF667C0000-0x00007FFF667CD000-memory.dmp	upx
behavioral2/memory/964-320-0x00007FFF53880000-0x00007FFF538A3000-memory.dmp	upx
behavioral2/memory/964-324-0x00007FFF5E680000-0x00007FFF5E68F000-memory.dmp	upx
behavioral2/memory/964-325-0x00007FFF51550000-0x00007FFF5157D000-memory.dmp	upx
behavioral2/memory/964-327-0x00007FFF51F80000-0x00007FFF51F99000-memory.dmp	upx
behavioral2/memory/964-317-0x00007FFF60700000-0x00007FFF60710000-memory.dmp	upx
behavioral2/files/0x000600000002316d-301.dat	upx
behavioral2/files/0x000600000002316b-299.dat	upx
behavioral2/files/0x000600000002316b-298.dat	upx
behavioral2/files/0x0006000000023170-291.dat	upx
behavioral2/files/0x0006000000023170-290.dat	upx
behavioral2/files/0x000600000002319d-288.dat	upx
behavioral2/files/0x000600000002316e-287.dat	upx
behavioral2/files/0x0006000000023199-277.dat	upx
behavioral2/files/0x0006000000023169-275.dat	upx
behavioral2/files/0x0006000000023169-274.dat	upx
behavioral2/memory/964-328-0x00007FFF51520000-0x00007FFF51543000-memory.dmp	upx
behavioral2/memory/964-329-0x00007FFF50170000-0x00007FFF502E0000-memory.dmp	upx
behavioral2/memory/964-330-0x00007FFF52170000-0x00007FFF523C2000-memory.dmp	upx
behavioral2/memory/964-331-0x00007FFF51BA0000-0x00007FFF51BB9000-memory.dmp	upx
behavioral2/memory/964-333-0x00007FFF5E400000-0x00007FFF5E40D000-memory.dmp	upx
behavioral2/memory/964-334-0x00007FFF514F0000-0x00007FFF5151E000-memory.dmp	upx
behavioral2/memory/964-335-0x00007FFF500B0000-0x00007FFF50168000-memory.dmp	upx
behavioral2/memory/964-337-0x00007FFF4F700000-0x00007FFF4FA79000-memory.dmp	upx
behavioral2/files/0x00060000000231a1-338.dat	upx
behavioral2/files/0x00060000000231a1-339.dat	upx
behavioral2/memory/964-359-0x00007FFF4C440000-0x00007FFF4CA29000-memory.dmp	upx
behavioral2/memory/964-360-0x00007FFF60700000-0x00007FFF60710000-memory.dmp	upx
behavioral2/memory/964-361-0x00007FFF53880000-0x00007FFF538A3000-memory.dmp	upx
behavioral2/memory/964-363-0x00007FFF5E680000-0x00007FFF5E68F000-memory.dmp	upx
behavioral2/memory/964-364-0x00007FFF51550000-0x00007FFF5157D000-memory.dmp	upx
behavioral2/memory/964-367-0x00007FFF51F80000-0x00007FFF51F99000-memory.dmp	upx
behavioral2/memory/964-369-0x00007FFF51520000-0x00007FFF51543000-memory.dmp	upx
behavioral2/memory/964-371-0x00007FFF50170000-0x00007FFF502E0000-memory.dmp	upx
behavioral2/memory/964-372-0x00007FFF51BA0000-0x00007FFF51BB9000-memory.dmp	upx
behavioral2/memory/964-373-0x00007FFF5E400000-0x00007FFF5E40D000-memory.dmp	upx
behavioral2/memory/964-374-0x00007FFF514F0000-0x00007FFF5151E000-memory.dmp	upx
behavioral2/memory/964-376-0x00007FFF4F700000-0x00007FFF4FA79000-memory.dmp	upx
behavioral2/memory/964-375-0x00007FFF500B0000-0x00007FFF50168000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddddddddddddddddddddddddddddddd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ddddddddddddddddddddddddddddddd.exe"	payload123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Built.exe"	payload123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mixcraft9-64Bit-installer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mixcraft9-64Bit-installer.exe"	payload123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	ddddddddddddddddddddddddddddddd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023160-172.dat	pyinstaller
behavioral2/files/0x0008000000023160-182.dat	pyinstaller
behavioral2/files/0x0008000000023160-181.dat	pyinstaller
behavioral2/files/0x0008000000023160-248.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5080	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
716	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4512	powershell.exe
4512	powershell.exe
1564	powershell.exe
1564	powershell.exe
4608	Process not Found
4608	Process not Found
3368	powershell.exe
3368	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
3368	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	payload123.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	4608	Process not Found
Token: SeDebugPrivilege	716	tasklist.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeDebugPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe
Token: 33	2440	Payload.exe
Token: SeIncBasePriorityPrivilege	2440	Payload.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4512	4292	payload123.exe	83
PID 4292 wrote to memory of 4512	4292	payload123.exe	83
PID 4292 wrote to memory of 228	4292	payload123.exe	87
PID 4292 wrote to memory of 228	4292	payload123.exe	87
PID 4292 wrote to memory of 228	4292	payload123.exe	87
PID 4292 wrote to memory of 1564	4292	payload123.exe	88
PID 4292 wrote to memory of 1564	4292	payload123.exe	88
PID 4292 wrote to memory of 3632	4292	payload123.exe	91
PID 4292 wrote to memory of 3632	4292	payload123.exe	91
PID 4292 wrote to memory of 4608	4292	payload123.exe	92
PID 4292 wrote to memory of 4608	4292	payload123.exe	92
PID 3632 wrote to memory of 964	3632	Built.exe	94
PID 3632 wrote to memory of 964	3632	Built.exe	94
PID 964 wrote to memory of 5004	964	Built.exe	95
PID 964 wrote to memory of 5004	964	Built.exe	95
PID 4292 wrote to memory of 2728	4292	payload123.exe	100
PID 4292 wrote to memory of 2728	4292	payload123.exe	100
PID 4292 wrote to memory of 2728	4292	payload123.exe	100
PID 4292 wrote to memory of 804	4292	payload123.exe	99
PID 4292 wrote to memory of 804	4292	payload123.exe	99
PID 5004 wrote to memory of 4208	5004	cmd.exe	101
PID 5004 wrote to memory of 4208	5004	cmd.exe	101
PID 804 wrote to memory of 5080	804	cmd.exe	102
PID 804 wrote to memory of 5080	804	cmd.exe	102
PID 4208 wrote to memory of 3200	4208	net.exe	103
PID 4208 wrote to memory of 3200	4208	net.exe	103
PID 964 wrote to memory of 3452	964	Built.exe	105
PID 964 wrote to memory of 3452	964	Built.exe	105
PID 964 wrote to memory of 4904	964	Built.exe	104
PID 964 wrote to memory of 4904	964	Built.exe	104
PID 964 wrote to memory of 3816	964	Built.exe	107
PID 964 wrote to memory of 3816	964	Built.exe	107
PID 964 wrote to memory of 3288	964	Built.exe	110
PID 964 wrote to memory of 3288	964	Built.exe	110
PID 3816 wrote to memory of 716	3816	cmd.exe	112
PID 3816 wrote to memory of 716	3816	cmd.exe	112
PID 3452 wrote to memory of 3368	3452	cmd.exe	113
PID 3452 wrote to memory of 3368	3452	cmd.exe	113
PID 4904 wrote to memory of 4356	4904	cmd.exe	114
PID 4904 wrote to memory of 4356	4904	cmd.exe	114
PID 3288 wrote to memory of 712	3288	cmd.exe	115
PID 3288 wrote to memory of 712	3288	cmd.exe	115
PID 228 wrote to memory of 2440	228	ddddddddddddddddddddddddddddddd.exe	118
PID 228 wrote to memory of 2440	228	ddddddddddddddddddddddddddddddd.exe	118
PID 228 wrote to memory of 2440	228	ddddddddddddddddddddddddddddddd.exe	118
PID 228 wrote to memory of 2580	228	ddddddddddddddddddddddddddddddd.exe	119
PID 228 wrote to memory of 2580	228	ddddddddddddddddddddddddddddddd.exe	119
PID 228 wrote to memory of 2580	228	ddddddddddddddddddddddddddddddd.exe	119
PID 2440 wrote to memory of 3020	2440	Payload.exe	121
PID 2440 wrote to memory of 3020	2440	Payload.exe	121
PID 2440 wrote to memory of 3020	2440	Payload.exe	121
PID 2440 wrote to memory of 4208	2440	Payload.exe	122
PID 2440 wrote to memory of 4208	2440	Payload.exe	122
PID 2440 wrote to memory of 4208	2440	Payload.exe	122

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2580	attrib.exe
3020	attrib.exe
4208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\payload123.exe
"C:\Users\Admin\AppData\Local\Temp\payload123.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ddddddddddddddddddddddddddddddd.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\ddddddddddddddddddddddddddddddd.exe
  "C:\Users\Admin\AppData\Local\Temp\ddddddddddddddddddddddddddddddd.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      4⤵
      Views/modifies file attributes
      PID:4208
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - Views/modifies file attributes
    PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net session"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Mixcraft9-64Bit-installer.exe'
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA127.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5080
- C:\Users\Admin\AppData\Local\Temp\Mixcraft9-64Bit-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Mixcraft9-64Bit-installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
9.3MB

MD5
3ef267a0ac18924d48b23a2f905a54ae

SHA1
e96ca7f66c721fd0d21d07e1d9276a8cea2ed552

SHA256
04b4fd92e12df86c747982a7db134f4b98bf2d7640783618466062f4e3da4bba

SHA512
5b29326634d98a1fafb0eeebb7fce64e9f88ba6488f4260fb15b6823fa005adb11bc75d68235768452409c7a140338d583cc5cc342bb3302dfaa7f23d6dcc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
9.3MB

MD5
3ef267a0ac18924d48b23a2f905a54ae

SHA1
e96ca7f66c721fd0d21d07e1d9276a8cea2ed552

SHA256
04b4fd92e12df86c747982a7db134f4b98bf2d7640783618466062f4e3da4bba

SHA512
5b29326634d98a1fafb0eeebb7fce64e9f88ba6488f4260fb15b6823fa005adb11bc75d68235768452409c7a140338d583cc5cc342bb3302dfaa7f23d6dcc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
9.3MB

MD5
3ef267a0ac18924d48b23a2f905a54ae

SHA1
e96ca7f66c721fd0d21d07e1d9276a8cea2ed552

SHA256
04b4fd92e12df86c747982a7db134f4b98bf2d7640783618466062f4e3da4bba

SHA512
5b29326634d98a1fafb0eeebb7fce64e9f88ba6488f4260fb15b6823fa005adb11bc75d68235768452409c7a140338d583cc5cc342bb3302dfaa7f23d6dcc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
9.3MB

MD5
3ef267a0ac18924d48b23a2f905a54ae

SHA1
e96ca7f66c721fd0d21d07e1d9276a8cea2ed552

SHA256
04b4fd92e12df86c747982a7db134f4b98bf2d7640783618466062f4e3da4bba

SHA512
5b29326634d98a1fafb0eeebb7fce64e9f88ba6488f4260fb15b6823fa005adb11bc75d68235768452409c7a140338d583cc5cc342bb3302dfaa7f23d6dcc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mixcraft9-64Bit-installer.exe

Filesize
137KB

MD5
6b31e4f99beec7d7e9efcd474a892e1b

SHA1
3fde9c399db16b02ec67ab289e8fdff308c96961

SHA256
7d683437915e69ea0c4c094324d836f9ef3c51cfac8ecdf8b8f81479a0858abc

SHA512
596cddc2bb9753cd098e5391976de84b2e3a2dd36aa31fb94142031788a4fdf543447ff134490773b4b7e0f11d606e2fcc514603b8d4014d7ec4734dd909789d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mixcraft9-64Bit-installer.exe

Filesize
137KB

MD5
6b31e4f99beec7d7e9efcd474a892e1b

SHA1
3fde9c399db16b02ec67ab289e8fdff308c96961

SHA256
7d683437915e69ea0c4c094324d836f9ef3c51cfac8ecdf8b8f81479a0858abc

SHA512
596cddc2bb9753cd098e5391976de84b2e3a2dd36aa31fb94142031788a4fdf543447ff134490773b4b7e0f11d606e2fcc514603b8d4014d7ec4734dd909789d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mixcraft9-64Bit-installer.exe

Filesize
137KB

MD5
6b31e4f99beec7d7e9efcd474a892e1b

SHA1
3fde9c399db16b02ec67ab289e8fdff308c96961

SHA256
7d683437915e69ea0c4c094324d836f9ef3c51cfac8ecdf8b8f81479a0858abc

SHA512
596cddc2bb9753cd098e5391976de84b2e3a2dd36aa31fb94142031788a4fdf543447ff134490773b4b7e0f11d606e2fcc514603b8d4014d7ec4734dd909789d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
157KB

MD5
aaaa71ede7fde18a72e15d3a201c2652

SHA1
0445d18e628acb19b26a6020f7303c1ee7a82f9c

SHA256
20ca8b45370e86f764dab1044e9b592ce1669d38b8d3166bb3086d2349d1a7f8

SHA512
966cba4ee8aeb0feab16f5661bc3e462e8d4e80d48baacc687dd9f94e93eab9df40c6a29231a4b832de334edd16a4fd610d13f94279d585f456c692b707491d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
157KB

MD5
aaaa71ede7fde18a72e15d3a201c2652

SHA1
0445d18e628acb19b26a6020f7303c1ee7a82f9c

SHA256
20ca8b45370e86f764dab1044e9b592ce1669d38b8d3166bb3086d2349d1a7f8

SHA512
966cba4ee8aeb0feab16f5661bc3e462e8d4e80d48baacc687dd9f94e93eab9df40c6a29231a4b832de334edd16a4fd610d13f94279d585f456c692b707491d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\PIL\_imaging.cp311-win_amd64.pyd

Filesize
732KB

MD5
e382184096e78544c3d9eb9df61d6200

SHA1
e928c6f4bfd58f743c903289c09166dfa1b3207f

SHA256
f89c546766e5e309b8b16240bd139b47956951507cf9b5382f7baee00606961e

SHA512
a96c7f6553cde4789c5209e6790880fa89069a466e155f121d1ed67d28c3ce7846e3efabcc089d512c8c24f3f3e0dee2fb9b9ae4d6883176b53e19e85f8bfa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\PIL\_imaging.cp311-win_amd64.pyd

Filesize
732KB

MD5
e382184096e78544c3d9eb9df61d6200

SHA1
e928c6f4bfd58f743c903289c09166dfa1b3207f

SHA256
f89c546766e5e309b8b16240bd139b47956951507cf9b5382f7baee00606961e

SHA512
a96c7f6553cde4789c5209e6790880fa89069a466e155f121d1ed67d28c3ce7846e3efabcc089d512c8c24f3f3e0dee2fb9b9ae4d6883176b53e19e85f8bfa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_bz2.pyd

Filesize
48KB

MD5
d93494d8b15f82a7239152da4317738c

SHA1
750551fb66e54095958789260eba07bc683d1eec

SHA256
a9765376a387eebc94a188d72b7c60eeb34001ab207eae15352a433951b44bca

SHA512
57268150835a3360e70d5d45dda4b8894e6ec438efd7bfbae2e94a5c42745c9725f8191b2ea33dd7772a80fe9424854c76a75e2bf41a4292cf566a54020f1a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_bz2.pyd

Filesize
48KB

MD5
d93494d8b15f82a7239152da4317738c

SHA1
750551fb66e54095958789260eba07bc683d1eec

SHA256
a9765376a387eebc94a188d72b7c60eeb34001ab207eae15352a433951b44bca

SHA512
57268150835a3360e70d5d45dda4b8894e6ec438efd7bfbae2e94a5c42745c9725f8191b2ea33dd7772a80fe9424854c76a75e2bf41a4292cf566a54020f1a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ctypes.pyd

Filesize
58KB

MD5
2167d956107c5558018a11ec581e5944

SHA1
3e35a2e210d09d571dfcf2164e3ce7276be3bfea

SHA256
039826771d5a8f009075322ff2676f90e831c536dce874e110740411f1713758

SHA512
ea8042d4c9e026ed8f069fa1824ebca7f5d1f81388d601f97e877ea7352e8d887a7358959d1d236fae2ff338d0b6aa78eabd73ff9d0c0e98872a2b2da3de0eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ctypes.pyd

Filesize
58KB

MD5
2167d956107c5558018a11ec581e5944

SHA1
3e35a2e210d09d571dfcf2164e3ce7276be3bfea

SHA256
039826771d5a8f009075322ff2676f90e831c536dce874e110740411f1713758

SHA512
ea8042d4c9e026ed8f069fa1824ebca7f5d1f81388d601f97e877ea7352e8d887a7358959d1d236fae2ff338d0b6aa78eabd73ff9d0c0e98872a2b2da3de0eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_hashlib.pyd

Filesize
35KB

MD5
7e8bdc9ebafe727307664be2883fbbc1

SHA1
a0609ddf9616d82ce147f452f26f53100a776b58

SHA256
3606be88a4b0b3eed8b2c1599b08304276cc1338a760b59c38b11beb25ac16d9

SHA512
db60010834213914f0366dc4a7cc96f39d44a5600675dad3760a2debba96854c1c4baba9389d3a85d0e286a0835a04df0e3825987622a12d66191fd1b6294cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_hashlib.pyd

Filesize
35KB

MD5
7e8bdc9ebafe727307664be2883fbbc1

SHA1
a0609ddf9616d82ce147f452f26f53100a776b58

SHA256
3606be88a4b0b3eed8b2c1599b08304276cc1338a760b59c38b11beb25ac16d9

SHA512
db60010834213914f0366dc4a7cc96f39d44a5600675dad3760a2debba96854c1c4baba9389d3a85d0e286a0835a04df0e3825987622a12d66191fd1b6294cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_lzma.pyd

Filesize
85KB

MD5
14406a6e97aa7bbc6c5b3ffe8d66eb72

SHA1
7f7cdea656e427b1fbdd58f9628db1a2b24b34ee

SHA256
92bc0b51c9922c151953a7d286f751a1ad6a8be4c33fc3ab6ef8f29362f5da98

SHA512
a6d221cd54862fbb966e814ae20b8efc97a430f50ae63dcd6b1f0a43de2b95e996b662c10f15720106ef8839b3a9be137f05f13dfc8f6602624dbee8bf5c6d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_lzma.pyd

Filesize
85KB

MD5
14406a6e97aa7bbc6c5b3ffe8d66eb72

SHA1
7f7cdea656e427b1fbdd58f9628db1a2b24b34ee

SHA256
92bc0b51c9922c151953a7d286f751a1ad6a8be4c33fc3ab6ef8f29362f5da98

SHA512
a6d221cd54862fbb966e814ae20b8efc97a430f50ae63dcd6b1f0a43de2b95e996b662c10f15720106ef8839b3a9be137f05f13dfc8f6602624dbee8bf5c6d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_queue.pyd

Filesize
25KB

MD5
31b10478bc4a57f59e46cc6dd649767c

SHA1
7b29b247a93c853d2180245cf6832dd04f652c66

SHA256
aac58d419336877e154ce48780a7f9c7d0c66170baa04c6acc090ef222640d5d

SHA512
1a783e54d887defcb7ca1a82f6e454de4700acecef5b18c1a1ccc8ec44d5232430c8be442c6892fafd21ba0db171b333f9f6e6c45e6ad7c4507e87c100d7b902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_queue.pyd

Filesize
25KB

MD5
31b10478bc4a57f59e46cc6dd649767c

SHA1
7b29b247a93c853d2180245cf6832dd04f652c66

SHA256
aac58d419336877e154ce48780a7f9c7d0c66170baa04c6acc090ef222640d5d

SHA512
1a783e54d887defcb7ca1a82f6e454de4700acecef5b18c1a1ccc8ec44d5232430c8be442c6892fafd21ba0db171b333f9f6e6c45e6ad7c4507e87c100d7b902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_socket.pyd

Filesize
43KB

MD5
b2358bb6290d013cefad0ce78172c6ac

SHA1
6396da821d54151e0210d3a255f4f6e3305102f7

SHA256
9cf8f5a1a808ac5d313b1b06646abc3ffdf47ce14acbdb1fe93bd07039cd9be2

SHA512
e7ba831053426afbe2a8137b6a13b3ad59415d5693c0b8cabfa05249f5c1f8a5d0666728141c79c2d9ebba9feb79cc389006f5a3900ce34ddd7563e0adfb0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_socket.pyd

Filesize
43KB

MD5
b2358bb6290d013cefad0ce78172c6ac

SHA1
6396da821d54151e0210d3a255f4f6e3305102f7

SHA256
9cf8f5a1a808ac5d313b1b06646abc3ffdf47ce14acbdb1fe93bd07039cd9be2

SHA512
e7ba831053426afbe2a8137b6a13b3ad59415d5693c0b8cabfa05249f5c1f8a5d0666728141c79c2d9ebba9feb79cc389006f5a3900ce34ddd7563e0adfb0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_sqlite3.pyd

Filesize
56KB

MD5
c68e020a9bc940373458c7988e70dacb

SHA1
28b1b978cd03fe39e43a5cfde9a6a838d1cbbb8d

SHA256
92b04e3848eccca216e412f44e026865ddadc8e325654f1521f161cb10b73b13

SHA512
964b9ab2b5261ffd450eab42d452ee802ce3efbae40bf3336e9ea6b4d7e10d85725a70c1ca15a26f1d2d6ecd5fbbd7068022cae1cb2559c2bd265ee1051b100e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_sqlite3.pyd

Filesize
56KB

MD5
c68e020a9bc940373458c7988e70dacb

SHA1
28b1b978cd03fe39e43a5cfde9a6a838d1cbbb8d

SHA256
92b04e3848eccca216e412f44e026865ddadc8e325654f1521f161cb10b73b13

SHA512
964b9ab2b5261ffd450eab42d452ee802ce3efbae40bf3336e9ea6b4d7e10d85725a70c1ca15a26f1d2d6ecd5fbbd7068022cae1cb2559c2bd265ee1051b100e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ssl.pyd

Filesize
62KB

MD5
732184a29212bcd8239e5bef55b2eb3d

SHA1
696bd71999b1edc46b6a161dac9c08de447520d1

SHA256
6036672ed2aef6dec52847ffb7b4b721a8f585f3dca88e44281d2daf6f6b769b

SHA512
273d1551e96c9c77a1acaaaabfc23508981c175afd6d732f40756ced008ed964d7c004c3e8c8aaf538b924d8045d42b7ec45096d497f13cd9ed72bdb28564515

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\_ssl.pyd

Filesize
62KB

MD5
732184a29212bcd8239e5bef55b2eb3d

SHA1
696bd71999b1edc46b6a161dac9c08de447520d1

SHA256
6036672ed2aef6dec52847ffb7b4b721a8f585f3dca88e44281d2daf6f6b769b

SHA512
273d1551e96c9c77a1acaaaabfc23508981c175afd6d732f40756ced008ed964d7c004c3e8c8aaf538b924d8045d42b7ec45096d497f13cd9ed72bdb28564515

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\base_library.zip

Filesize
1.7MB

MD5
ebb4f1a115f0692698b5640869f30853

SHA1
9ba77340a6a32af08899e7f3c97841724dd78c3f

SHA256
4ab0deb6a298d14a0f50d55dc6ce5673b6c5320817ec255acf282191642a4576

SHA512
3f6ba7d86c9f292344f4ad196f4ae863bf936578dd7cfac7dc4aaf05c2c78e68d5f813c4ed36048b6678451f1717deeb77493d8557ee6778c6a70beb5294d21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4edb3f0d95b2717a094aa0156cf5fe18

SHA1
46b7395c57e228411c3a29cfd5267a62581b214f

SHA256
bc4359c134cc7bca1de4c8365cbcec6236d75c1b572ef97c4b59e2387144e83a

SHA512
66b159d5ac54b604c452273ea76cc2cb1e2e0dfb71f18768010d6d86643ea3cf7d4cfbf5a2e5c3ff67d5773cf9ea7467e001b5e85aa9c92f0efa77abe0aa1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4edb3f0d95b2717a094aa0156cf5fe18

SHA1
46b7395c57e228411c3a29cfd5267a62581b214f

SHA256
bc4359c134cc7bca1de4c8365cbcec6236d75c1b572ef97c4b59e2387144e83a

SHA512
66b159d5ac54b604c452273ea76cc2cb1e2e0dfb71f18768010d6d86643ea3cf7d4cfbf5a2e5c3ff67d5773cf9ea7467e001b5e85aa9c92f0efa77abe0aa1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4edb3f0d95b2717a094aa0156cf5fe18

SHA1
46b7395c57e228411c3a29cfd5267a62581b214f

SHA256
bc4359c134cc7bca1de4c8365cbcec6236d75c1b572ef97c4b59e2387144e83a

SHA512
66b159d5ac54b604c452273ea76cc2cb1e2e0dfb71f18768010d6d86643ea3cf7d4cfbf5a2e5c3ff67d5773cf9ea7467e001b5e85aa9c92f0efa77abe0aa1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libffi-8.dll

Filesize
29KB

MD5
b57999a839ce4e268bffc6da47c657af

SHA1
7fa7d4f2bfa15f09068216af70319cdf107625c7

SHA256
a98c456292c5d6c52e2c03d59b57456fd8a85abc774e5ce183f9259905948f0f

SHA512
2e22f8d518849dfcb4dc28611d176ec49f424f1fa9736bec60783fd658e7ad7a484e746d3271da2380343d142dd9d8e1794fbbb20e205e1e531094e23d7e7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libffi-8.dll

Filesize
29KB

MD5
b57999a839ce4e268bffc6da47c657af

SHA1
7fa7d4f2bfa15f09068216af70319cdf107625c7

SHA256
a98c456292c5d6c52e2c03d59b57456fd8a85abc774e5ce183f9259905948f0f

SHA512
2e22f8d518849dfcb4dc28611d176ec49f424f1fa9736bec60783fd658e7ad7a484e746d3271da2380343d142dd9d8e1794fbbb20e205e1e531094e23d7e7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libssl-1_1.dll

Filesize
204KB

MD5
fe32b4e972e3cb418a397461ae3a646c

SHA1
bc28e4538f920d7601455a5171e43eb2820be41a

SHA256
65f20fca13e614bbcedf1445fe521b5f9a3fbc2895e0b28dde73d5d33406a38b

SHA512
36e35f440e7e6a7737d7c55266639709580167c38661fad6017b94deb339d67bec469edd6d29b61d1a3d56138685df76b73713c75b192df690d8108e5caa0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\libssl-1_1.dll

Filesize
204KB

MD5
fe32b4e972e3cb418a397461ae3a646c

SHA1
bc28e4538f920d7601455a5171e43eb2820be41a

SHA256
65f20fca13e614bbcedf1445fe521b5f9a3fbc2895e0b28dde73d5d33406a38b

SHA512
36e35f440e7e6a7737d7c55266639709580167c38661fad6017b94deb339d67bec469edd6d29b61d1a3d56138685df76b73713c75b192df690d8108e5caa0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\python311.dll

Filesize
1.6MB

MD5
bd41a26e89fc6bc661c53a2d4af35e3e

SHA1
8b52f7ab62ddb8c484a7da16efad33ce068635f6

SHA256
3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359

SHA512
b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\python311.dll

Filesize
1.6MB

MD5
bd41a26e89fc6bc661c53a2d4af35e3e

SHA1
8b52f7ab62ddb8c484a7da16efad33ce068635f6

SHA256
3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359

SHA512
b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\select.pyd

Filesize
25KB

MD5
ca2f76d9e63a8f9ebcbba11fe8438231

SHA1
6a1824554baacc5771c02c358286ba660f7e00a7

SHA256
db2723d473510f66c81366436fe2e9399b42b6e02da31a8800101f37da3093c0

SHA512
ed64407e44ad9ed16f4ba7dc86ccaf834c3e53a11dbe4459655ddbb9461ddeea4e14febf1086eb3f19b89d40c03fee06190c1cec9292626228b33886a1f00d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\select.pyd

Filesize
25KB

MD5
ca2f76d9e63a8f9ebcbba11fe8438231

SHA1
6a1824554baacc5771c02c358286ba660f7e00a7

SHA256
db2723d473510f66c81366436fe2e9399b42b6e02da31a8800101f37da3093c0

SHA512
ed64407e44ad9ed16f4ba7dc86ccaf834c3e53a11dbe4459655ddbb9461ddeea4e14febf1086eb3f19b89d40c03fee06190c1cec9292626228b33886a1f00d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\sqlite3.dll

Filesize
610KB

MD5
dd8effdccb50e9967fe83c6cabedc06b

SHA1
a3fa1cfa7ce262d3ca5650d26f803113964b039e

SHA256
56ea0a361ccea4bfc1c51457c8b5c9d3d2182c14e428b74302cbe375e57d41f1

SHA512
6b9f9ba31b1c3e8ffc35f942227fe40d8d423fc1b2a65a2f83bf0122b5c2698d88863334449640c205484daa761403e3cadff09dfee536e41625cdeaa2453923

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\sqlite3.dll

Filesize
610KB

MD5
dd8effdccb50e9967fe83c6cabedc06b

SHA1
a3fa1cfa7ce262d3ca5650d26f803113964b039e

SHA256
56ea0a361ccea4bfc1c51457c8b5c9d3d2182c14e428b74302cbe375e57d41f1

SHA512
6b9f9ba31b1c3e8ffc35f942227fe40d8d423fc1b2a65a2f83bf0122b5c2698d88863334449640c205484daa761403e3cadff09dfee536e41625cdeaa2453923

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
e058c833777e27d6b46a4aa4244f840a

SHA1
f3e144cee4fcaa09f7c0f7a2f1d124b3740f95e9

SHA256
72d221dc53979820e152436b1fff307ba55a9f8fd3b208645b6b52c3676dd64e

SHA512
29680311bd40ecd85db6d1727852005ab44c48475e80cc28a5eb2f7d879d28b6c0b43f11fce67432b4aa34da2c31804fce5dea2f2657854997c43702b67d4a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
e058c833777e27d6b46a4aa4244f840a

SHA1
f3e144cee4fcaa09f7c0f7a2f1d124b3740f95e9

SHA256
72d221dc53979820e152436b1fff307ba55a9f8fd3b208645b6b52c3676dd64e

SHA512
29680311bd40ecd85db6d1727852005ab44c48475e80cc28a5eb2f7d879d28b6c0b43f11fce67432b4aa34da2c31804fce5dea2f2657854997c43702b67d4a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\ucrtbase.dll

Filesize
987KB

MD5
c9441142696e8bb09bc70b9605e3a39b

SHA1
f172463c4fa5e8692274cd41ef608519bfde38f7

SHA256
a8f9a12b1b6374f84380090eb396630a3409c7ec3bdeee3930ac6ca6cebe423e

SHA512
53dc0f88e0c180ccd67d3da51bb6a79a5000407bf1a7a48c8d70e0138df2f90c8fca138548408b3e9b6f520346d4be26b3cfe815719e3f581c068f4a025734dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\ucrtbase.dll

Filesize
987KB

MD5
c9441142696e8bb09bc70b9605e3a39b

SHA1
f172463c4fa5e8692274cd41ef608519bfde38f7

SHA256
a8f9a12b1b6374f84380090eb396630a3409c7ec3bdeee3930ac6ca6cebe423e

SHA512
53dc0f88e0c180ccd67d3da51bb6a79a5000407bf1a7a48c8d70e0138df2f90c8fca138548408b3e9b6f520346d4be26b3cfe815719e3f581c068f4a025734dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\unicodedata.pyd

Filesize
295KB

MD5
c28e16246d294440ad615e235e66da0d

SHA1
1cb86a41d8e52dcb90fabaddaa7df5d425851abf

SHA256
3189e4c8d66e203583de419e9d5e4b12b7f8034bafe3d22bb7ddc3e6705ae8dc

SHA512
32f9af74b33c5ed6c2315905300c7af070bc91ba974b08a0260dfa2bbb763fc1e3358699e864edcd4bbab73f76b836d3013be6301320f164e545badf7908096b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36322\unicodedata.pyd

Filesize
295KB

MD5
c28e16246d294440ad615e235e66da0d

SHA1
1cb86a41d8e52dcb90fabaddaa7df5d425851abf

SHA256
3189e4c8d66e203583de419e9d5e4b12b7f8034bafe3d22bb7ddc3e6705ae8dc

SHA512
32f9af74b33c5ed6c2315905300c7af070bc91ba974b08a0260dfa2bbb763fc1e3358699e864edcd4bbab73f76b836d3013be6301320f164e545badf7908096b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w51n1g2d.14t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddddddddddddddddddddddddddddddd.exe

Filesize
157KB

MD5
aaaa71ede7fde18a72e15d3a201c2652

SHA1
0445d18e628acb19b26a6020f7303c1ee7a82f9c

SHA256
20ca8b45370e86f764dab1044e9b592ce1669d38b8d3166bb3086d2349d1a7f8

SHA512
966cba4ee8aeb0feab16f5661bc3e462e8d4e80d48baacc687dd9f94e93eab9df40c6a29231a4b832de334edd16a4fd610d13f94279d585f456c692b707491d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddddddddddddddddddddddddddddddd.exe

Filesize
157KB

MD5
aaaa71ede7fde18a72e15d3a201c2652

SHA1
0445d18e628acb19b26a6020f7303c1ee7a82f9c

SHA256
20ca8b45370e86f764dab1044e9b592ce1669d38b8d3166bb3086d2349d1a7f8

SHA512
966cba4ee8aeb0feab16f5661bc3e462e8d4e80d48baacc687dd9f94e93eab9df40c6a29231a4b832de334edd16a4fd610d13f94279d585f456c692b707491d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddddddddddddddddddddddddddddddd.exe

Filesize
157KB

MD5
aaaa71ede7fde18a72e15d3a201c2652

SHA1
0445d18e628acb19b26a6020f7303c1ee7a82f9c

SHA256
20ca8b45370e86f764dab1044e9b592ce1669d38b8d3166bb3086d2349d1a7f8

SHA512
966cba4ee8aeb0feab16f5661bc3e462e8d4e80d48baacc687dd9f94e93eab9df40c6a29231a4b832de334edd16a4fd610d13f94279d585f456c692b707491d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA127.tmp.bat

Filesize
162B

MD5
7789ad171d69e359f35fe174e00bea81

SHA1
117c0d710d8ad02158ae7a26019f09f752de8c9c

SHA256
e079a6d938eb19ea1db50e3fe749f0666d5cf9d444d1401222f8d1c302890b49

SHA512
e1a5b8841f13f146be607933c17598281f4d7cef1607ef4c27e92b813e29a588ed7bc3bd5e1587879287c5329cf4efe39e6181d14533325e65aff111d414c220

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Filesize
157KB

MD5
aaaa71ede7fde18a72e15d3a201c2652

SHA1
0445d18e628acb19b26a6020f7303c1ee7a82f9c

SHA256
20ca8b45370e86f764dab1044e9b592ce1669d38b8d3166bb3086d2349d1a7f8

SHA512
966cba4ee8aeb0feab16f5661bc3e462e8d4e80d48baacc687dd9f94e93eab9df40c6a29231a4b832de334edd16a4fd610d13f94279d585f456c692b707491d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
b62f059943dd042c58eaafdab33f6276

SHA1
dfd914aaf75e49c1acbe133dff338fb326e323be

SHA256
1b5b28b03cae6e0d43123293bbea03c252265232a8a9091df9daca2b7b8d3a6f

SHA512
28776350b6b7926f50dac56863a15d91176a17f2ef04e8ab8e3be72d4f543c2b71f5e28b3c95e74184f4c93266b7667b6a0df85621db215d19fe28790e7c928c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
5c62d9f50cf3f9a11c483ba49e7868d5

SHA1
360e8fc9d005a78d3c5ea3c46d17e3e3e25bf846

SHA256
79663ffac0e0dc3240d621736854e1f4b663d0333758aaedbc54175e0e597ec7

SHA512
4099f0b2c1c820458bfc684f85148e831b3c13157f3f4e9b6559171ca9e7691e0a1872c9d178c15f9397f089cc9bdc5abb3dd719f3f815881095b1b2c5acefc7

Download Submit
memory/228-179-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/964-327-0x00007FFF51F80000-0x00007FFF51F99000-memory.dmp

Filesize
100KB

Download
memory/964-378-0x00007FFF667C0000-0x00007FFF667CD000-memory.dmp

Filesize
52KB

Download
memory/964-317-0x00007FFF60700000-0x00007FFF60710000-memory.dmp

Filesize
64KB

Download
memory/964-381-0x00007FFF52170000-0x00007FFF523C2000-memory.dmp

Filesize
2.3MB

Download
memory/964-365-0x00007FFF57F50000-0x00007FFF5806C000-memory.dmp

Filesize
1.1MB

Download
memory/964-325-0x00007FFF51550000-0x00007FFF5157D000-memory.dmp

Filesize
180KB

Download
memory/964-328-0x00007FFF51520000-0x00007FFF51543000-memory.dmp

Filesize
140KB

Download
memory/964-329-0x00007FFF50170000-0x00007FFF502E0000-memory.dmp

Filesize
1.4MB

Download
memory/964-330-0x00007FFF52170000-0x00007FFF523C2000-memory.dmp

Filesize
2.3MB

Download
memory/964-331-0x00007FFF51BA0000-0x00007FFF51BB9000-memory.dmp

Filesize
100KB

Download
memory/964-333-0x00007FFF5E400000-0x00007FFF5E40D000-memory.dmp

Filesize
52KB

Download
memory/964-334-0x00007FFF514F0000-0x00007FFF5151E000-memory.dmp

Filesize
184KB

Download
memory/964-335-0x00007FFF500B0000-0x00007FFF50168000-memory.dmp

Filesize
736KB

Download
memory/964-324-0x00007FFF5E680000-0x00007FFF5E68F000-memory.dmp

Filesize
60KB

Download
memory/964-337-0x00007FFF4F700000-0x00007FFF4FA79000-memory.dmp

Filesize
3.5MB

Download
memory/964-320-0x00007FFF53880000-0x00007FFF538A3000-memory.dmp

Filesize
140KB

Download
memory/964-315-0x00007FFF667C0000-0x00007FFF667CD000-memory.dmp

Filesize
52KB

Download
memory/964-314-0x00007FFF5DC20000-0x00007FFF5DC34000-memory.dmp

Filesize
80KB

Download
memory/964-359-0x00007FFF4C440000-0x00007FFF4CA29000-memory.dmp

Filesize
5.9MB

Download
memory/964-360-0x00007FFF60700000-0x00007FFF60710000-memory.dmp

Filesize
64KB

Download
memory/964-361-0x00007FFF53880000-0x00007FFF538A3000-memory.dmp

Filesize
140KB

Download
memory/964-363-0x00007FFF5E680000-0x00007FFF5E68F000-memory.dmp

Filesize
60KB

Download
memory/964-364-0x00007FFF51550000-0x00007FFF5157D000-memory.dmp

Filesize
180KB

Download
memory/964-377-0x00007FFF5DC20000-0x00007FFF5DC34000-memory.dmp

Filesize
80KB

Download
memory/964-367-0x00007FFF51F80000-0x00007FFF51F99000-memory.dmp

Filesize
100KB

Download
memory/964-369-0x00007FFF51520000-0x00007FFF51543000-memory.dmp

Filesize
140KB

Download
memory/964-371-0x00007FFF50170000-0x00007FFF502E0000-memory.dmp

Filesize
1.4MB

Download
memory/964-271-0x00007FFF4C440000-0x00007FFF4CA29000-memory.dmp

Filesize
5.9MB

Download
memory/964-308-0x0000014822D40000-0x00000148230B9000-memory.dmp

Filesize
3.5MB

Download
memory/964-372-0x00007FFF51BA0000-0x00007FFF51BB9000-memory.dmp

Filesize
100KB

Download
memory/964-373-0x00007FFF5E400000-0x00007FFF5E40D000-memory.dmp

Filesize
52KB

Download
memory/964-374-0x00007FFF514F0000-0x00007FFF5151E000-memory.dmp

Filesize
184KB

Download
memory/964-376-0x00007FFF4F700000-0x00007FFF4FA79000-memory.dmp

Filesize
3.5MB

Download
memory/964-375-0x00007FFF500B0000-0x00007FFF50168000-memory.dmp

Filesize
736KB

Download
memory/2440-441-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/2440-446-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/2440-445-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/2440-444-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/3368-370-0x000001ACE6E40000-0x000001ACE6E50000-memory.dmp

Filesize
64KB

Download
memory/3368-368-0x000001ACE6E40000-0x000001ACE6E50000-memory.dmp

Filesize
64KB

Download
memory/3368-366-0x000001ACE6E40000-0x000001ACE6E50000-memory.dmp

Filesize
64KB

Download
memory/4292-326-0x000000001CC10000-0x000000001CD12000-memory.dmp

Filesize
1.0MB

Download
memory/4292-134-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/4292-133-0x0000000000950000-0x00000000012BE000-memory.dmp

Filesize
9.4MB

Download
memory/4512-137-0x00000173E0420000-0x00000173E0442000-memory.dmp

Filesize
136KB

Download
memory/4608-268-0x0000025B64E80000-0x0000025B64E90000-memory.dmp

Filesize
64KB

Download
memory/4608-267-0x0000025B64E80000-0x0000025B64E90000-memory.dmp

Filesize
64KB

Download
memory/4608-269-0x0000025B64E80000-0x0000025B64E90000-memory.dmp

Filesize
64KB

Download