80a71b8d04074a8fdabe7377c05b89e2bc7c8aa6665409f710406de67b5eb7f7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2023, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PS99.exe
Size

85.1MB
MD5

4cf6731e323a1b0a9e03842dd552442c
SHA1

81e5523cbd0a8fd9cb7f3e4c24ce4c276c98b30e
SHA256

80a71b8d04074a8fdabe7377c05b89e2bc7c8aa6665409f710406de67b5eb7f7
SHA512

27d09036bf5f3d5f3f060ee719196b7dfddf86257158aff1d615a67061fcc4d4ae762b8b33fcecb0c3218a610d9046960b4fffdf0f7b41ba42605699acf10c35
SSDEEP

1572864:F2MXiJDePU1e4iamkhLDyPl4QiZST/tQE88nZGjSYukZg7q+XaE76ZNiTWZaQ6BA:FZXj4e4iadhLDy943K/tQonZODzZgO+w

Score

8^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	PS99.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4752	netsh.exe

Loads dropped DLL 64 IoCs

pid	Process
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-2-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp	upx
behavioral2/files/0x0006000000023383-1285.dat	upx
behavioral2/memory/2936-1286-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp	upx
behavioral2/files/0x0006000000023383-1287.dat	upx
behavioral2/memory/2936-1290-0x00007FFE26DF0000-0x00007FFE273DE000-memory.dmp	upx
behavioral2/files/0x0006000000023322-1299.dat	upx
behavioral2/files/0x00060000000232d8-1301.dat	upx
behavioral2/files/0x000600000002332b-1316.dat	upx
behavioral2/files/0x00060000000232e2-1344.dat	upx
behavioral2/files/0x0006000000023387-1345.dat	upx
behavioral2/files/0x00060000000232e1-1347.dat	upx
behavioral2/memory/2936-1357-0x00007FFE36720000-0x00007FFE36756000-memory.dmp	upx
behavioral2/memory/2936-1358-0x00007FFE37110000-0x00007FFE3711D000-memory.dmp	upx
behavioral2/memory/2936-1359-0x00007FFE366F0000-0x00007FFE3671E000-memory.dmp	upx
behavioral2/memory/2936-1363-0x00007FFE36920000-0x00007FFE36939000-memory.dmp	upx
behavioral2/memory/2936-1365-0x00007FFE27A30000-0x00007FFE27AFD000-memory.dmp	upx
behavioral2/memory/2936-1367-0x00007FFE268C0000-0x00007FFE26DE2000-memory.dmp	upx
behavioral2/memory/3908-1369-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp	upx
behavioral2/memory/2936-1372-0x00007FFE26640000-0x00007FFE268B8000-memory.dmp	upx
behavioral2/memory/2936-1375-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp	upx
behavioral2/memory/2936-1376-0x00007FFE33A10000-0x00007FFE33A26000-memory.dmp	upx
behavioral2/memory/2936-1378-0x00007FFE366E0000-0x00007FFE366EC000-memory.dmp	upx
behavioral2/memory/2936-1377-0x00007FFE26DF0000-0x00007FFE273DE000-memory.dmp	upx
behavioral2/memory/2936-1374-0x00007FFE368A0000-0x00007FFE368AF000-memory.dmp	upx
behavioral2/memory/2936-1379-0x00007FFE33830000-0x00007FFE33841000-memory.dmp	upx
behavioral2/memory/2936-1383-0x0000000068B40000-0x0000000068B81000-memory.dmp	upx
behavioral2/memory/2936-1385-0x00007FFE2DD00000-0x00007FFE2DD0E000-memory.dmp	upx
behavioral2/memory/2936-1395-0x00007FFE278F0000-0x00007FFE278FE000-memory.dmp	upx
behavioral2/memory/2936-1398-0x00007FFE33300000-0x00007FFE3331B000-memory.dmp	upx
behavioral2/memory/2936-1400-0x00007FFE33250000-0x00007FFE33294000-memory.dmp	upx
behavioral2/memory/2936-1402-0x00007FFE2DD20000-0x00007FFE2DD31000-memory.dmp	upx
behavioral2/memory/2936-1404-0x00007FFE27A10000-0x00007FFE27A26000-memory.dmp	upx
behavioral2/memory/2936-1406-0x00007FFE27980000-0x00007FFE2798F000-memory.dmp	upx
behavioral2/memory/2936-1405-0x00007FFE264B0000-0x00007FFE26636000-memory.dmp	upx
behavioral2/memory/2936-1403-0x0000000062E80000-0x0000000062EA8000-memory.dmp	upx
behavioral2/memory/2936-1407-0x00007FFE240D0000-0x00007FFE261C3000-memory.dmp	upx
behavioral2/memory/2936-1409-0x00007FFE23D20000-0x00007FFE23D42000-memory.dmp	upx
behavioral2/memory/2936-1413-0x00007FFE23BF0000-0x00007FFE23C04000-memory.dmp	upx
behavioral2/memory/2936-1412-0x00007FFE23C10000-0x00007FFE23C43000-memory.dmp	upx
behavioral2/memory/2936-1411-0x00007FFE23C50000-0x00007FFE23C80000-memory.dmp	upx
behavioral2/memory/2936-1410-0x00007FFE23C80000-0x00007FFE23D1C000-memory.dmp	upx
behavioral2/memory/2936-1408-0x00007FFE23D50000-0x00007FFE23D71000-memory.dmp	upx
behavioral2/memory/2936-1401-0x00007FFE2E380000-0x00007FFE2E394000-memory.dmp	upx
behavioral2/memory/2936-1399-0x00007FFE332E0000-0x00007FFE332F5000-memory.dmp	upx
behavioral2/memory/2936-1397-0x00007FFE36DA0000-0x00007FFE36DC4000-memory.dmp	upx
behavioral2/memory/2936-1396-0x00007FFE261D0000-0x00007FFE264AF000-memory.dmp	upx
behavioral2/memory/2936-1394-0x00007FFE27900000-0x00007FFE27914000-memory.dmp	upx
behavioral2/memory/2936-1393-0x00007FFE27920000-0x00007FFE27974000-memory.dmp	upx
behavioral2/memory/2936-1392-0x00007FFE279B0000-0x00007FFE279BF000-memory.dmp	upx
behavioral2/memory/2936-1391-0x00007FFE279C0000-0x00007FFE279D7000-memory.dmp	upx
behavioral2/memory/2936-1390-0x00007FFE279E0000-0x00007FFE279F5000-memory.dmp	upx
behavioral2/memory/2936-1389-0x00007FFE27A00000-0x00007FFE27A10000-memory.dmp	upx
behavioral2/memory/2936-1388-0x00007FFE2DCD0000-0x00007FFE2DCDE000-memory.dmp	upx
behavioral2/memory/2936-1387-0x00007FFE2DCE0000-0x00007FFE2DCEE000-memory.dmp	upx
behavioral2/memory/2936-1386-0x00007FFE2DCF0000-0x00007FFE2DCFF000-memory.dmp	upx
behavioral2/memory/2936-1384-0x000000006A880000-0x000000006A8AB000-memory.dmp	upx
behavioral2/memory/2936-1382-0x00007FFE2DD10000-0x00007FFE2DD1E000-memory.dmp	upx
behavioral2/memory/2936-1381-0x00007FFE332C0000-0x00007FFE332D6000-memory.dmp	upx
behavioral2/memory/2936-1380-0x00007FFE36440000-0x00007FFE3644E000-memory.dmp	upx
behavioral2/memory/2936-1373-0x00007FFE33850000-0x00007FFE33865000-memory.dmp	upx
behavioral2/memory/2936-1371-0x00007FFE33A80000-0x00007FFE33A91000-memory.dmp	upx
behavioral2/memory/2936-1370-0x00007FFE33AA0000-0x00007FFE33AB2000-memory.dmp	upx
behavioral2/memory/2936-1368-0x00007FFE362E0000-0x00007FFE362F5000-memory.dmp	upx
behavioral2/memory/2936-1364-0x00007FFE33AC0000-0x00007FFE33AF3000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rose = "C:\\Users\\Admin\\AppData\\Roaming\\rose\\rose.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org
29	api.ipify.org
41	api.ipify.org
215	ipinfo.io
217	ipinfo.io
219	api.ipify.org
220	api.ipify.org

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{8C7F9435-E94C-4A05-B4D3-05C72245DE14}	PS99.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2936	PS99.exe
2936	PS99.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe
2936	PS99.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	PS99.exe
Token: SeIncreaseQuotaPrivilege	408	wmic.exe
Token: SeSecurityPrivilege	408	wmic.exe
Token: SeTakeOwnershipPrivilege	408	wmic.exe
Token: SeLoadDriverPrivilege	408	wmic.exe
Token: SeSystemProfilePrivilege	408	wmic.exe
Token: SeSystemtimePrivilege	408	wmic.exe
Token: SeProfSingleProcessPrivilege	408	wmic.exe
Token: SeIncBasePriorityPrivilege	408	wmic.exe
Token: SeCreatePagefilePrivilege	408	wmic.exe
Token: SeBackupPrivilege	408	wmic.exe
Token: SeRestorePrivilege	408	wmic.exe
Token: SeShutdownPrivilege	408	wmic.exe
Token: SeDebugPrivilege	408	wmic.exe
Token: SeSystemEnvironmentPrivilege	408	wmic.exe
Token: SeRemoteShutdownPrivilege	408	wmic.exe
Token: SeUndockPrivilege	408	wmic.exe
Token: SeManageVolumePrivilege	408	wmic.exe
Token: 33	408	wmic.exe
Token: 34	408	wmic.exe
Token: 35	408	wmic.exe
Token: 36	408	wmic.exe
Token: SeIncreaseQuotaPrivilege	408	wmic.exe
Token: SeSecurityPrivilege	408	wmic.exe
Token: SeTakeOwnershipPrivilege	408	wmic.exe
Token: SeLoadDriverPrivilege	408	wmic.exe
Token: SeSystemProfilePrivilege	408	wmic.exe
Token: SeSystemtimePrivilege	408	wmic.exe
Token: SeProfSingleProcessPrivilege	408	wmic.exe
Token: SeIncBasePriorityPrivilege	408	wmic.exe
Token: SeCreatePagefilePrivilege	408	wmic.exe
Token: SeBackupPrivilege	408	wmic.exe
Token: SeRestorePrivilege	408	wmic.exe
Token: SeShutdownPrivilege	408	wmic.exe
Token: SeDebugPrivilege	408	wmic.exe
Token: SeSystemEnvironmentPrivilege	408	wmic.exe
Token: SeRemoteShutdownPrivilege	408	wmic.exe
Token: SeUndockPrivilege	408	wmic.exe
Token: SeManageVolumePrivilege	408	wmic.exe
Token: 33	408	wmic.exe
Token: 34	408	wmic.exe
Token: 35	408	wmic.exe
Token: 36	408	wmic.exe
Token: SeIncreaseQuotaPrivilege	3464	WMIC.exe
Token: SeSecurityPrivilege	3464	WMIC.exe
Token: SeTakeOwnershipPrivilege	3464	WMIC.exe
Token: SeLoadDriverPrivilege	3464	WMIC.exe
Token: SeSystemProfilePrivilege	3464	WMIC.exe
Token: SeSystemtimePrivilege	3464	WMIC.exe
Token: SeProfSingleProcessPrivilege	3464	WMIC.exe
Token: SeIncBasePriorityPrivilege	3464	WMIC.exe
Token: SeCreatePagefilePrivilege	3464	WMIC.exe
Token: SeBackupPrivilege	3464	WMIC.exe
Token: SeRestorePrivilege	3464	WMIC.exe
Token: SeShutdownPrivilege	3464	WMIC.exe
Token: SeDebugPrivilege	3464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3464	WMIC.exe
Token: SeRemoteShutdownPrivilege	3464	WMIC.exe
Token: SeUndockPrivilege	3464	WMIC.exe
Token: SeManageVolumePrivilege	3464	WMIC.exe
Token: 33	3464	WMIC.exe
Token: 34	3464	WMIC.exe
Token: 35	3464	WMIC.exe
Token: 36	3464	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2936	3908	PS99.exe	94
PID 3908 wrote to memory of 2936	3908	PS99.exe	94
PID 2936 wrote to memory of 4472	2936	PS99.exe	96
PID 2936 wrote to memory of 4472	2936	PS99.exe	96
PID 2936 wrote to memory of 408	2936	PS99.exe	101
PID 2936 wrote to memory of 408	2936	PS99.exe	101
PID 2936 wrote to memory of 4836	2936	PS99.exe	130
PID 2936 wrote to memory of 4836	2936	PS99.exe	130
PID 4836 wrote to memory of 3464	4836	Conhost.exe	103
PID 4836 wrote to memory of 3464	4836	Conhost.exe	103
PID 2936 wrote to memory of 2032	2936	PS99.exe	106
PID 2936 wrote to memory of 2032	2936	PS99.exe	106
PID 2936 wrote to memory of 2860	2936	PS99.exe	113
PID 2936 wrote to memory of 2860	2936	PS99.exe	113
PID 2860 wrote to memory of 3944	2860	cmd.exe	112
PID 2860 wrote to memory of 3944	2860	cmd.exe	112
PID 2936 wrote to memory of 1592	2936	PS99.exe	111
PID 2936 wrote to memory of 1592	2936	PS99.exe	111
PID 1592 wrote to memory of 1472	1592	cmd.exe	124
PID 1592 wrote to memory of 1472	1592	cmd.exe	124
PID 2936 wrote to memory of 2772	2936	PS99.exe	136
PID 2936 wrote to memory of 2772	2936	PS99.exe	136
PID 2936 wrote to memory of 1304	2936	PS99.exe	134
PID 2936 wrote to memory of 1304	2936	PS99.exe	134
PID 1304 wrote to memory of 4752	1304	reg.exe	118
PID 1304 wrote to memory of 4752	1304	reg.exe	118
PID 2936 wrote to memory of 1472	2936	PS99.exe	124
PID 2936 wrote to memory of 1472	2936	PS99.exe	124
PID 2936 wrote to memory of 4700	2936	PS99.exe	121
PID 2936 wrote to memory of 4700	2936	PS99.exe	121
PID 4700 wrote to memory of 4496	4700	cmd.exe	122
PID 4700 wrote to memory of 4496	4700	cmd.exe	122
PID 2936 wrote to memory of 3932	2936	PS99.exe	127
PID 2936 wrote to memory of 3932	2936	PS99.exe	127
PID 3932 wrote to memory of 2760	3932	cmd.exe	125
PID 3932 wrote to memory of 2760	3932	cmd.exe	125
PID 2936 wrote to memory of 4580	2936	PS99.exe	142
PID 2936 wrote to memory of 4580	2936	PS99.exe	142
PID 4580 wrote to memory of 3624	4580	cmd.exe	128
PID 4580 wrote to memory of 3624	4580	cmd.exe	128
PID 2936 wrote to memory of 2852	2936	PS99.exe	141
PID 2936 wrote to memory of 2852	2936	PS99.exe	141
PID 2852 wrote to memory of 4640	2852	cmd.exe	140
PID 2852 wrote to memory of 4640	2852	cmd.exe	140
PID 2936 wrote to memory of 2636	2936	PS99.exe	139
PID 2936 wrote to memory of 2636	2936	PS99.exe	139
PID 2636 wrote to memory of 512	2636	cmd.exe	138
PID 2636 wrote to memory of 512	2636	cmd.exe	138
PID 2936 wrote to memory of 4548	2936	PS99.exe	137
PID 2936 wrote to memory of 4548	2936	PS99.exe	137
PID 4548 wrote to memory of 2772	4548	cmd.exe	136
PID 4548 wrote to memory of 2772	4548	cmd.exe	136
PID 2936 wrote to memory of 2188	2936	PS99.exe	135
PID 2936 wrote to memory of 2188	2936	PS99.exe	135
PID 2188 wrote to memory of 1304	2188	cmd.exe	134
PID 2188 wrote to memory of 1304	2188	cmd.exe	134
PID 2936 wrote to memory of 1232	2936	PS99.exe	144
PID 2936 wrote to memory of 1232	2936	PS99.exe	144
PID 2936 wrote to memory of 1384	2936	PS99.exe	147
PID 2936 wrote to memory of 1384	2936	PS99.exe	147
PID 1384 wrote to memory of 884	1384	cmd.exe	145
PID 1384 wrote to memory of 884	1384	cmd.exe	145
PID 2936 wrote to memory of 384	2936	PS99.exe	151
PID 2936 wrote to memory of 384	2936	PS99.exe	151

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
512	attrib.exe
4640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PS99.exe
"C:\Users\Admin\AppData\Local\Temp\PS99.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\PS99.exe
  "C:\Users\Admin\AppData\Local\Temp\PS99.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4472
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get MUILanguages /format:list"
    3⤵
    PID:4836
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get MUILanguages /format:list
    3⤵
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get name
    3⤵
    PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh advfirewall set domainprofile state off"
    3⤵
    PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rose','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Value 1"
    3⤵
    PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rose\rose.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile name="The Wireless AutoConfig Service (wlansvc) is not running." key=clear"
    3⤵
    PID:384

C:\Windows\System32\Wbem\WMIC.exe
wmic os get MUILanguages /format:list
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\Wbem\WMIC.exe
wmic path softwarelicensingservice get OA3xOriginalProductKey
1⤵
PID:1472

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption /format:list
1⤵
PID:3944

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
1⤵
- Modifies Windows Firewall
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
1⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rose\rose.exe" /f
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v rose /f
1⤵
PID:2772

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
1⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:512

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
1⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4640

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:884

C:\Windows\system32\netsh.exe
netsh wlan show profile name="The Wireless AutoConfig Service (wlansvc) is not running." key=clear
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39082\SDL2.dll

Filesize
615KB

MD5
a36b7f503c06eb627a2e25d3070b2d9c

SHA1
e7d637c73e0923c5b79590c5b80fef15881ec997

SHA256
ed26f4fd6af608587af73df39744fcee10e6140d111f2175e1fed2af22ca9cf7

SHA512
dcdd774cdccb52245f754a441e028a9e691d74df3a6dc341d946d1f6eccb475d3df2727ca7b275b8e362e21720d239053d3420d2866ed1d8ff3291dea16cad5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\SDL2_image.dll

Filesize
58KB

MD5
71780d5b9aedb54b990b975aff28bbf3

SHA1
dd59dfd88255e26e9f6fc2c96972f37f175189c1

SHA256
f670f630df5dbdf0a6e19f7bbb5cb280db519a72ddef8567a1e9315591604e96

SHA512
959edf08748a00e0c2f84c352119def05b4c4da884a178cae47b6e776eefbc87534f084b5a279c4a778a99f84ea7b98c71fb259a54ca9a12ffa506c5824f48e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\SDL2_mixer.dll

Filesize
124KB

MD5
4bf8a0231b35b804cdd002ca6ec234eb

SHA1
f6e2192e02ce714612c6aaa3fe85e3c9adb6447b

SHA256
867ea749aa6b8432c69c43b9606d8e6de19e88aef3aea2faf1b0643e0c6c516f

SHA512
420c45ff39491814e56fc6b4bf4eb99bb2b31eb4d8ead4d25fd84ef00b8b17973eb3a7bf7b31a0c100b813b717fcefe4245c403ec36038158c87bf24faf46623

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\SDL2_ttf.dll

Filesize
601KB

MD5
e3913036bdb469d933c658737dd05464

SHA1
30fd6b3571472d50d4a87b4908daef1c5516afd5

SHA256
e85aa1b2a8d7624973f9f0db7ff502e615b57edf38b0af7b030ee9cb01561416

SHA512
df6837512de2e3d03a4ce00ad20f72100139e15c80ae7062d12e4b266e4b6670b30889778621ecc869fcca691a03263158f2fa57a6bcaac9b3bda952bf88b749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_asyncio.pyd

Filesize
36KB

MD5
68fa92b5436187769b3329f6769bf615

SHA1
85f389c4fb4937d4446bc00588ba271b646cf2c4

SHA256
ecaa987c664099ef5543ea66a1f4328e250ab1d6d1c80fe0485a7ae337f58df2

SHA512
4de86a72b494068fc768c6d183ec90f798f64817720790cd97a5387fac697d7147db31274637f58b6d9511a59e86d43215a940585e0b28d02683071bad3c5b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_bz2.pyd

Filesize
48KB

MD5
6498efac807cf8c4130eae25de641486

SHA1
81d326ea5b94244094ffa6d3556be546f416f8bd

SHA256
0e39ca8d6b34e21683ef233d1fcef47fff65fe38a07559fff6e6eb91fb4148f9

SHA512
d3a694f71a6497c3818d0ae6d8849b8344777fb4974f44d61cc6ea1eb270382c1efb66a1c62287854a63717cb30b80b29e923ff6b0ac47c31a6761fe70f2bca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
c1cd1d53ddfe5033a341f0c2051c4357

SHA1
b205344ada67dc82d208baf2d6b9cda4a497abea

SHA256
44381ffef40a5e344ca951de08f13fb4e25096c240d965acfaa47221b9f9ef52

SHA512
d4f509cfb8fa1f044ff4b0b55c5298ead40fd635cfb5a6c7d779a66eeb5f52d3e30a5b3e61507f2891e9ef1070e0c8eea1b698b680048fbb7cb5f15f4e26d309

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_ctypes.pyd

Filesize
58KB

MD5
d67580e43c241f83ba454e40ed0cc94a

SHA1
797f85c2193bec674f5c7958bd7237ec4b11106e

SHA256
cdcf7a666d30629a592f49412171885c64297967857df5c7d5d8ce2dcab8f4e6

SHA512
bb67accfe7ab822ec13663a615f14287c3e2cd3301dcfd3e2bf4e192a956fd11aaabd7a2ca258e4e4fd1782664aaf0f3aa7a154ba9686655837a571e3d7c47ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_decimal.pyd

Filesize
106KB

MD5
7fd62bacefd4b051c95988da90c175d8

SHA1
c8798d58afc049f0658ed74702782fd4d5119986

SHA256
62441c3fb41553f8e4f33812db96f42b4795a0689c5f61280ae9a9c55dd633ad

SHA512
9ade3a9b889af01d6702048f26ba70f17cfdf6026e89e17704f53bbf1273285efaf426b92f2961888a29a12f62064561d104e03c9d37d3d158fd0eb4b2812935

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_elementtree.pyd

Filesize
57KB

MD5
f089372012c57dd7ec2409874386e7df

SHA1
c4ab2c662789333002b9e9764e3311fc7924a10a

SHA256
5315478bc498046f24b76bc933cc2b0c24b68ac00f1aacf480a30de9f39992f7

SHA512
d26b75c019d1c99f886da1c3636a24ca05ac1bd6b131bafc22d5df1153eb77a26a0a812cae71456f05a8e8806753c72eec42be5afbaca3bc9789efe328c7e54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_hashlib.pyd

Filesize
35KB

MD5
2b256e58de68e1a6161d7383a532e5f6

SHA1
e7f06d37c2b488fc299c7ef08f493eada9efb6b0

SHA256
fe341973a7e4c798d723d0c706bb50e20f0511a37e1c8f5e3a738e1edda8053a

SHA512
561f7620349b1e3b648aeb8f81a066c57a779384f060a1f55d329d93e367e9707168dc8abec149272e4b65f4e7faa0b50d326e2ac0c717e417c0a0f784ea24c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_lzma.pyd

Filesize
86KB

MD5
7cac772bbbeb5af96e00b131076e392d

SHA1
71cd69897ce3e46641a47eea1d883da91c376bdd

SHA256
c04a8fa26f5b8699872b6bd3762cd632bc79774514878f7582dd47624243ed22

SHA512
da2124a224d971748627a55f0d585d0744a2e3b1e724891a96d13a64e20848373ed7be705bd917b2f47117f88bd726273aa8f638e3d32338b7497b91973fc952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_multiprocessing.pyd

Filesize
26KB

MD5
c1826ec8626942da8522544235f49f35

SHA1
bcc961286c5ebe503832d0768dbf45c12a54fb23

SHA256
e53ee02599f7966838b312606fee45c11e4558e5bbd5fe7083fcff93c4177aa4

SHA512
7b1ae2a7a3bd9f97c41c4b00d8e2ad343c58cfc35796e5e11cfc5cc4028115532d69c853fa5ff5d25441bad4e4ca1d8ba85646e72c752f264bfb7fda594c6a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_overlapped.pyd

Filesize
32KB

MD5
13ec7391cc6efb4af790a3413b9f44e9

SHA1
f73684329143950be45ee55441aa156d7d908c64

SHA256
66d63b2caef7fa3e0f3933d8af1b0ce8177df1c2de9dc29e7eca41302b1a1c65

SHA512
e61562ef4127e4c1b935fe5ca8d2fb37d95e987e4f586d26dd514c8df84d5228ac60ffe7de24fbb77291c9cdc844db96255118a724429f01ef75cc239b9c9cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_queue.pyd

Filesize
25KB

MD5
0c0860caf45609b6a7606a3a9b6d32f0

SHA1
e64da4aba6fcf76a2c10647ba95a046c83db1f00

SHA256
a1ebe9623c9c82981c9e62d4ba028a0579960c39c52aad9fbec95d75f1276966

SHA512
26a63f99f886aa53257d5d08ad14f028eabb09144b551dcb8504d34e5bdd5d4f5375ad67f5d2a05a400b2576cbe2c5d941c988f03c390ab99313311541d84901

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_socket.pyd

Filesize
43KB

MD5
6c65caeadd7015d9bdc2dc8092b3053d

SHA1
81c29733ef0178e2e094a2e89507bca86f461ca2

SHA256
8b0569baa5537a634d6cc009fd935e8137753bd8bb915b356b06437e49c9f7f0

SHA512
5f6682bf1ccab59a8d298e91390c5e91df1b7841398011140ff5cdeb7773bb9fa65f106cb98a4a09ebdd84cb89c441f343961a3208c6372c7aa81406f5bd94cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_sqlite3.pyd

Filesize
56KB

MD5
b0c4e59f86ba3e1f57d8365d77836d63

SHA1
c68b3958df02a6230a9b71c13ccdad9a5bceb616

SHA256
7b1540331adc1bf1d55f76d9402faeafcfd4c371ed97766beb36e76e6b2922eb

SHA512
53ed99bcf0e57eb273d849b568aa3a71c8bfb907433d55fbb0a911d24115642fcd7569b3c4b7f8cc925679f4956094e14c80aef0a831159bd19325783662f244

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_ssl.pyd

Filesize
65KB

MD5
ae7bd3dfc02a01f33604a5893d95e76c

SHA1
5e323eb930b460e89734bb2357f3d6ef359a0404

SHA256
aeaecbddad89521d68b0a90320d2f3695cbd383c81e917abed4b261ced9c1c92

SHA512
72f8c98ed26e2051b68fcfa8a342accbb5f2db039dee3aabf2a6409b73527b9d32a310ac442b1688c2f93360a5523fb506e963147be54e8916d7bd00907d332c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_tkinter.pyd

Filesize
38KB

MD5
36e755800ee759cf33ca389356d0e367

SHA1
b7678abf22c91e005742221b44b84d7d5324e107

SHA256
7fc67140e8aca4d619df54b6d7c518901c93f572a882d56e5843fe2269fe9994

SHA512
48c297bd11ed190e8fc554a97e695c5bbf4fc515d4e79cf53c3eb5e52bc7beb9ec960d219961c71b660d3b06cc0f57d6cf3a0baabf83264b7b64eafd918dcce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_uuid.pyd

Filesize
24KB

MD5
4ba1fcf5f12ebc514e86d7e02901b3c3

SHA1
0fd88df618da41cdeb4afdaded039932a66ce5f6

SHA256
51cb69267f77c094d687af5b80c560eaf325d0990304baf20242d477d8b156a1

SHA512
3601331a84a9dcf62bbdadfc5c273853acf229931e70f5ff6f541d5f23474373f9366c606534ffdbf73c1044e98e464877b395f2e285821f264a57cd90021705

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_zoneinfo.pyd

Filesize
31KB

MD5
0059f41005e1d260a66e55c965e6b07f

SHA1
3908c8b8199ee487f0e2b89ca0c9dbdb3d8a45e1

SHA256
dba608300a74ab40bbe433ad1edecfd215e1ca91299e8f996963cbe7f34df3d4

SHA512
d3fd1b68d27e3379aedcfb114af476db8f149778fea2044309cde3e169736b316f57e08afd22b521532850337b73fa11b962884c1cdb57256d95a3ee3c333e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\base_library.zip

Filesize
1.3MB

MD5
f89865627381da3a5e9817f00dd50b95

SHA1
80c4c2494a57dd3d9be71b1c12eea516a922725b

SHA256
82f3ffae6cc12c31020da3ec42984b489e3d7fc825ba3c92d485bbf8ccb2ff62

SHA512
29bde110ac745ca36c5c38fb9c9512f9d6479ffbbf2f372c0c608ba5a604002a9ee87b5c0d8e9c78963ed40624707b0d265ad55f22673ce2d3ca721dcb6c4b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\freetype.dll

Filesize
292KB

MD5
82f05dbb0f1cce48f7c3983e8c214e34

SHA1
019d790608c0676ea7f02bc2eb89c949196a1249

SHA256
f9f58cb7bd727fde30c3c63638a5e701cf74e4d73fd8a0ed65da3e889fd4ebb4

SHA512
393f8cc9fb76b44cfb252a7a03ba7bcb9b01952b03f861a4b8cd3287d795ad5d1bbe1379d18b7a62547851d70c1eb8e1c5756c53a5de7da7a5c5f918ddd37a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libcrypto-3.dll

Filesize
588KB

MD5
a2c70cdd45c317f77e0488a4f69dbc8a

SHA1
78a8297ab3408fb3e1c39c279b4b10a3d72f4ee2

SHA256
3299fb615e2d16444a4b152e85a93c201a194184530ddfe34712e76ecdfb9534

SHA512
705769d8d782d7048b6492a3c04ca618ea2e8cdb88ce20dbaa1e82633c0dfbbc460a98f5d62df98bb375b6891969c06acd07cdf610d40590e1f1a5c748977af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libffi-8.dll

Filesize
29KB

MD5
bb1feaa818eba7757ada3d06f5c57557

SHA1
f2de5f06dc6884166de165d34ef2b029bb0acf8b

SHA256
a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29

SHA512
95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libjpeg-9.dll

Filesize
108KB

MD5
41633e0912bf97cacb5651e2fd2ad506

SHA1
d9382c55247244fc38c253490e71498fcd469182

SHA256
2919f523293c03c48debe55d338f3d17002e8e185bbf9d1978d8d8f765f9502a

SHA512
2cd6fc9f5da6f925c4ae2351882c853af46cbd1fe8d99788640afbfc89054f95ec05ddbbfb51965d7141647295b3993cc6d73c94d6f63ecd15fd88748d89a34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libmodplug-1.dll

Filesize
117KB

MD5
0c985da17c6c82e61ea96d20ac0eab4d

SHA1
ee703038cae84749ea0c69c95f33497cb3ab33eb

SHA256
68c95b609f4464b34f0beca377fffaa02316655ddb18e208cf92fef486d2a42a

SHA512
cb6d4d8f15540e2ea3c1588c8893e951efba125ce85af5efc2aed09d7f33873a2675e15b2746c45c6978b3d2a6b97d9bcfb437b31d54b7bad3fcbdcea408dd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libogg-0.dll

Filesize
16KB

MD5
ab504a0ac020045ad44a8f6f5f9bc783

SHA1
19fead3f5bfd83915915516c13fc44133adcd12f

SHA256
6d0c00699e42ef9f79e2accd1fa6129dd032473cd81248e1a6c65ad3cb147a51

SHA512
9a2a3278ef8a0b53fec8549a528b22d1686206a30f5e9afc1b888a1a15de16e0a3aa497cc6873655feddf13a7b1623d13b2a4aa7e422ceed8f836974b1e7d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libopus-0.dll

Filesize
181KB

MD5
94fd9860bede297d3c77eaa40511f549

SHA1
6d22c1e12a6cbaaaf4ec9938dec29827f2d6df33

SHA256
554707828c21a5cacfa2af347be15caeff205a9c772b7c72a0292be410f1d458

SHA512
268561cee431918cba7f0531068674c59ba7234179026ee0084e06a7d493f5f46b0d5c9029ea83ef7d97fa29772b54f2431513bba5bd9dbbe5d76bfc0ff3d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libopusfile-0.dll

Filesize
26KB

MD5
d669449f8a7dfdc0c7c8dddd95ea6855

SHA1
11f9cf6210ce8b4311f047a800f37feb901b402a

SHA256
5f0b18d22b566a05ccba829649314e14a59ff59055f1a6d0f1c8eb7700c8bdba

SHA512
7750cbaecbe489eb0a1649951f4b01c54341cdfe43dc3736450b466f574c30d23ba37d1c313b065a8f76e717d571134ea5befb86920b7643a363ea265ccf6954

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libpng16-16.dll

Filesize
98KB

MD5
3175d904587f59af989251a2c2fc63e2

SHA1
770688d85522c647588ba2fc004c3ef48997819b

SHA256
16a2f6da537545f45757b5fa261b90dd87ee6a0f46d0326b270514648f43a253

SHA512
2a9e426f87a75b7efacebafbfe153015dd47498ce9578b65a43ca8042299110dd89ef37c4eebfac552d9ac196e9ae9d99381aed7935d8d715c28210be84c43af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libssl-3.dll

Filesize
223KB

MD5
be89dde1ed204a5e32cd9f0b2cd8cb0f

SHA1
053fd1853482b2f7c7c62bd947852992e84bb899

SHA256
8f559bd71d0d422a2d44ffb9f489bd0a9764b31b6c8e265809d9f483fe75399d

SHA512
7dbdc1417661845b85582f0b63c6f0d84e66e5d29aad404b9c87270f6552f7babc9736340effebdee7573816e735b306c430f2ea122c06ed806de1669d2b3b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libtiff-5.dll

Filesize
127KB

MD5
dbc84c57a4a0eac0b72d890c34eaa9e9

SHA1
bbb475ccd76b12a820a02b12e9ac4ef2662eb04d

SHA256
ccc783f4877936cd92e0a5db05209be92984cf2140ae523f084179fc16f93000

SHA512
89014963ccf7071f0f40d296239c9cf0879375d94c89d191d0f8fcfd09ed50a634ca58b11184225a1c8a738b5b946b457cf2d6da66a890eefda9b9ac78b852db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libwebp-7.dll

Filesize
192KB

MD5
8a188af3c4037da968dc8b72e62c438f

SHA1
07de31918ca8a3f5d75431acc6ffee5570b3cdb7

SHA256
f744f63142e189ef8e1693bc89ff81008263f97cfe38a94e47b31119b761c7fa

SHA512
0500c5d7cdca551d91121812db24ae2cda604f9a84dfa0b43a32870905115a9e1ca741ffcf0081f77e782257fc415bbda8a0508c9244d077f040b883654a8f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\portmidi.dll

Filesize
18KB

MD5
38f1fec9bf5e3ffdd22074ad246f3b7d

SHA1
ba6d0d842f5707c8678a9bcff4502cb0b3810eb8

SHA256
8cbfeb763ff321d7d1bc3d238bcd20f62fc7301611a4808d7daa11dfac408b4b

SHA512
566966ea6ada58dd6cf4c04f17e52db127d94b868cda160e6c953ccb0962d43f3946bcec199b37e1329ec5a502213791e6e8c8c099b512517a96ab5bef4fbf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\pyexpat.pyd

Filesize
87KB

MD5
6e071e8542a5f478f495779c391c9ff6

SHA1
31165a08b630ad59e1afebaa6caa772903d8e7e4

SHA256
4a74aa30c7219724b8c716b597ced7b813303f9bb7a3eb8fbb2c294d59cf8b94

SHA512
978fdf334338e914e6dc31cec90f8bde0ed901d62e6ee9f93ee689141be9c94dc6c935d72dfc4a7a16af808d3e5a284b9b3430091673e048dbeb5682e905a4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python3.dll

Filesize
65KB

MD5
ff319d24153238249adea18d8a3e54a7

SHA1
0474faa64826a48821b7a82ad256525aa9c5315e

SHA256
a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991

SHA512
0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python311.dll

Filesize
1.2MB

MD5
7e97e24c0467747904b91f6b41744408

SHA1
b04c6eb32162590caacaffb9ace2b448303eb749

SHA256
b6bf515cdc1f303f1461e5b7e708b926754cdf032fd8dc106ae633164a5ae2a4

SHA512
e08e1eca30355c961dab525c9e79d78bfb8c8e488145f2a417a2b540b4b9b59ec2a2c003dfa0258c42c92f28acaa7ed6ab828eec08cd41448216f59ad75f9a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python311.dll

Filesize
1.6MB

MD5
fbefa551ddc600b040cb8d19f8f3252b

SHA1
6aa101766fd47b3c14b4f2620636244db57bb7b7

SHA256
ddfa913006d4e3fade978be3c73241f93995e2eef60d28ed33b7a66e3ffd9cbe

SHA512
592d4c96c37d11ac46704cb0301d10b994a27fff44a5c229c75292bdfcadee8fdd95126643d44fe6801b0aa5fa3cb1db2a800b1aa51e3314acbfc611ffaafbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\pywin32_system32\pythoncom311.dll

Filesize
193KB

MD5
6aeb23912e08d018d7f32a28127e5494

SHA1
27e6c869b7b24757f7cb18ee2925d5e74024e8e2

SHA256
e1e3b7040846de45406e96585fc2baaca1853efcdf4fd402909a0b7f78d1ed7a

SHA512
4c24dae64a49b11af61882570607ad7d14ac794799904951221bf5c82b503768d018d13e24d1c66f70a43d0d900c596d60870eb26244812191a1d1ed36ba469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
51771d430061cf437733c45dd877d20d

SHA1
56d61b080e7c943978a43af77fef30c21d7b7455

SHA256
79e3a80f9d6a44d7cb466b51e6e23a862d8c1908a0cb32f9996ea6ebbfc12aa8

SHA512
3b30cfff85157167af8c6eb3d83547f03c9cea93fe796243451484a2f74b510fd8246639832cbb286be0019295e1a575dd69543b956393cac5b953ee52882de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\select.pyd

Filesize
25KB

MD5
e6df8ca34b47fd1bdd1c4c3c0e7b79c0

SHA1
37ad2323f0ea5954a509b6d086c468f9e1aaf528

SHA256
ad23c3a442f6f921907b58ed6a38881678831bbbeb1c2e673d3023a555af10d8

SHA512
20f0853f5db2299682c81b57f6c716b8ed4ebf8a9827e2ae7f93343340a082e05fe406e11106c78b2b41543fbce17845244c150f8f9bb3ee79e51782f8d807c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\sqlite3.dll

Filesize
557KB

MD5
71218c3e0954643d38a9156df0dbe74c

SHA1
f8b9c2029dee12f1c68c98919f6e1b1cb6b3b871

SHA256
95a4184f3c4678d88eebdb3e0766198d84ea70706b7515a10d1590c88d0514a2

SHA512
fe283bd62e08f722a488ff2b5109edcc011e9b9a36c5300a0ad22ad654437d5e73b2eb619081cf2c2264d3996370211ace4cbb61650d902d553bc8476ffc6018

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\tcl86t.dll

Filesize
460KB

MD5
5293a0a54b68db31718893a4f11a9e5e

SHA1
1d34e63a76e2d05963a847cf03d47ae95bf43687

SHA256
6302b3606c09e258742072cce3f319374b41c63a0640668db4d687d003ff1a70

SHA512
2da6cdbd628d84e888d23844881f1299ac1120400b3c4c65c8755dee9c7625c18798509adb458e4afc6dc0495995356ccf7fa394fb37ba38eaf44bab1c76a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\tk86t.dll

Filesize
576KB

MD5
bd263392938eab03dc3e1e50c00aa37b

SHA1
bc5b8f6bd9e166bdb59da540a9889256a02a00c8

SHA256
ff1ef708667cb019dcd36fad1183e4260d5429d17fafd2465527f139745bedd5

SHA512
afe5d49d8f0e0d162cf75f465a7c66f2209789600602ccbc34591f7ab8607ac32a4329c5f5052905ee90a6b998b680c2c8e4333629e095dbd13cc1c13901620c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\unicodedata.pyd

Filesize
295KB

MD5
6fe0e326b8fe124c444d706234d3199d

SHA1
be1703668bc32595a1ef1f91f3056c8bab4eaf57

SHA256
7ecfd7c3bf1c4a8ad6d9c606edecf87ccc7360f50b2b9c2677f39c9af8ef2f7a

SHA512
72637146bb5dac0ff39758770c071ab9ce5a6f98cfe8d9144fffafa1e32596c32129bd65e7cfd4f8d907e68f8bc76432d91411192d701bb83e6096ce03d95603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\win32\win32api.pyd

Filesize
48KB

MD5
d054b5a8a6f8cbcb6e3d339cc5b4fe97

SHA1
410c291809844c411324b5935b3dd11b1a718fe4

SHA256
03d2f3a3a0ed71a3a929c44aa6cd3cbd6543e9c1a490aa1ce079dacff7f7dfe5

SHA512
004b51f3c11a2571fa62f8d8601351f8529125c5e5b2ebcd816aa5295c2d0b133edad7778d7f22d722e6f8a5e09391ae4e37eb5dfb86887cb7ba322b75ed686b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\zlib1.dll

Filesize
52KB

MD5
7ec6cb7d2b2abe92446de11d6485ebbc

SHA1
972a44c57865a3247f0d7d17c932ea25de336cdd

SHA256
5ec6e34c0e0ee5e09a87802f305531e34e3d0c7166ed751d82766a7b9fcd4176

SHA512
c09ceea5eab2e368cc9d7872985556a513bc9a31d5f289d81aa81c13b3a8c6381b8efd5a731beb80d76df4b480518334bd8641b423b99ebce43ddf01d128cf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rdoqwzae.cpm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
memory/2936-1400-0x00007FFE33250000-0x00007FFE33294000-memory.dmp

Filesize
272KB

Download
memory/2936-1405-0x00007FFE264B0000-0x00007FFE26636000-memory.dmp

Filesize
1.5MB

Download
memory/2936-1387-0x00007FFE2DCE0000-0x00007FFE2DCEE000-memory.dmp

Filesize
56KB

Download
memory/2936-1386-0x00007FFE2DCF0000-0x00007FFE2DCFF000-memory.dmp

Filesize
60KB

Download
memory/2936-1384-0x000000006A880000-0x000000006A8AB000-memory.dmp

Filesize
172KB

Download
memory/2936-1382-0x00007FFE2DD10000-0x00007FFE2DD1E000-memory.dmp

Filesize
56KB

Download
memory/2936-1381-0x00007FFE332C0000-0x00007FFE332D6000-memory.dmp

Filesize
88KB

Download
memory/2936-1380-0x00007FFE36440000-0x00007FFE3644E000-memory.dmp

Filesize
56KB

Download
memory/2936-1373-0x00007FFE33850000-0x00007FFE33865000-memory.dmp

Filesize
84KB

Download
memory/2936-1371-0x00007FFE33A80000-0x00007FFE33A91000-memory.dmp

Filesize
68KB

Download
memory/2936-1370-0x00007FFE33AA0000-0x00007FFE33AB2000-memory.dmp

Filesize
72KB

Download
memory/2936-1368-0x00007FFE362E0000-0x00007FFE362F5000-memory.dmp

Filesize
84KB

Download
memory/2936-1364-0x00007FFE33AC0000-0x00007FFE33AF3000-memory.dmp

Filesize
204KB

Download
memory/2936-1362-0x00007FFE368C0000-0x00007FFE368ED000-memory.dmp

Filesize
180KB

Download
memory/2936-1361-0x00007FFE36610000-0x00007FFE3663B000-memory.dmp

Filesize
172KB

Download
memory/2936-1360-0x00007FFE338A0000-0x00007FFE3395C000-memory.dmp

Filesize
752KB

Download
memory/2936-1356-0x00007FFE37EF0000-0x00007FFE37EFD000-memory.dmp

Filesize
52KB

Download
memory/2936-1389-0x00007FFE27A00000-0x00007FFE27A10000-memory.dmp

Filesize
64KB

Download
memory/2936-1390-0x00007FFE279E0000-0x00007FFE279F5000-memory.dmp

Filesize
84KB

Download
memory/2936-1391-0x00007FFE279C0000-0x00007FFE279D7000-memory.dmp

Filesize
92KB

Download
memory/2936-1392-0x00007FFE279B0000-0x00007FFE279BF000-memory.dmp

Filesize
60KB

Download
memory/2936-1393-0x00007FFE27920000-0x00007FFE27974000-memory.dmp

Filesize
336KB

Download
memory/2936-1394-0x00007FFE27900000-0x00007FFE27914000-memory.dmp

Filesize
80KB

Download
memory/2936-1396-0x00007FFE261D0000-0x00007FFE264AF000-memory.dmp

Filesize
2.9MB

Download
memory/2936-1397-0x00007FFE36DA0000-0x00007FFE36DC4000-memory.dmp

Filesize
144KB

Download
memory/2936-1399-0x00007FFE332E0000-0x00007FFE332F5000-memory.dmp

Filesize
84KB

Download
memory/2936-1401-0x00007FFE2E380000-0x00007FFE2E394000-memory.dmp

Filesize
80KB

Download
memory/2936-1408-0x00007FFE23D50000-0x00007FFE23D71000-memory.dmp

Filesize
132KB

Download
memory/2936-1410-0x00007FFE23C80000-0x00007FFE23D1C000-memory.dmp

Filesize
624KB

Download
memory/2936-1411-0x00007FFE23C50000-0x00007FFE23C80000-memory.dmp

Filesize
192KB

Download
memory/2936-1412-0x00007FFE23C10000-0x00007FFE23C43000-memory.dmp

Filesize
204KB

Download
memory/2936-1413-0x00007FFE23BF0000-0x00007FFE23C04000-memory.dmp

Filesize
80KB

Download
memory/2936-1409-0x00007FFE23D20000-0x00007FFE23D42000-memory.dmp

Filesize
136KB

Download
memory/2936-1407-0x00007FFE240D0000-0x00007FFE261C3000-memory.dmp

Filesize
32.9MB

Download
memory/2936-1403-0x0000000062E80000-0x0000000062EA8000-memory.dmp

Filesize
160KB

Download
memory/2936-1388-0x00007FFE2DCD0000-0x00007FFE2DCDE000-memory.dmp

Filesize
56KB

Download
memory/2936-1406-0x00007FFE27980000-0x00007FFE2798F000-memory.dmp

Filesize
60KB

Download
memory/2936-1404-0x00007FFE27A10000-0x00007FFE27A26000-memory.dmp

Filesize
88KB

Download
memory/2936-1402-0x00007FFE2DD20000-0x00007FFE2DD31000-memory.dmp

Filesize
68KB

Download
memory/2936-1286-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp

Filesize
420KB

Download
memory/2936-1398-0x00007FFE33300000-0x00007FFE3331B000-memory.dmp

Filesize
108KB

Download
memory/2936-1395-0x00007FFE278F0000-0x00007FFE278FE000-memory.dmp

Filesize
56KB

Download
memory/2936-1385-0x00007FFE2DD00000-0x00007FFE2DD0E000-memory.dmp

Filesize
56KB

Download
memory/2936-1383-0x0000000068B40000-0x0000000068B81000-memory.dmp

Filesize
260KB

Download
memory/2936-1379-0x00007FFE33830000-0x00007FFE33841000-memory.dmp

Filesize
68KB

Download
memory/2936-1374-0x00007FFE368A0000-0x00007FFE368AF000-memory.dmp

Filesize
60KB

Download
memory/2936-1377-0x00007FFE26DF0000-0x00007FFE273DE000-memory.dmp

Filesize
5.9MB

Download
memory/2936-1378-0x00007FFE366E0000-0x00007FFE366EC000-memory.dmp

Filesize
48KB

Download
memory/2936-1376-0x00007FFE33A10000-0x00007FFE33A26000-memory.dmp

Filesize
88KB

Download
memory/2936-1375-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp

Filesize
420KB

Download
memory/2936-1372-0x00007FFE26640000-0x00007FFE268B8000-memory.dmp

Filesize
2.5MB

Download
memory/2936-1290-0x00007FFE26DF0000-0x00007FFE273DE000-memory.dmp

Filesize
5.9MB

Download
memory/2936-1367-0x00007FFE268C0000-0x00007FFE26DE2000-memory.dmp

Filesize
5.1MB

Download
memory/2936-1366-0x000001D432AF0000-0x000001D433012000-memory.dmp

Filesize
5.1MB

Download
memory/2936-1305-0x00007FFE36D80000-0x00007FFE36D99000-memory.dmp

Filesize
100KB

Download
memory/2936-1365-0x00007FFE27A30000-0x00007FFE27AFD000-memory.dmp

Filesize
820KB

Download
memory/2936-1300-0x00007FFE37F00000-0x00007FFE37F0F000-memory.dmp

Filesize
60KB

Download
memory/2936-1298-0x00007FFE36DA0000-0x00007FFE36DC4000-memory.dmp

Filesize
144KB

Download
memory/2936-1363-0x00007FFE36920000-0x00007FFE36939000-memory.dmp

Filesize
100KB

Download
memory/2936-1359-0x00007FFE366F0000-0x00007FFE3671E000-memory.dmp

Filesize
184KB

Download
memory/2936-1358-0x00007FFE37110000-0x00007FFE3711D000-memory.dmp

Filesize
52KB

Download
memory/2936-1520-0x00007FFE268C0000-0x00007FFE26DE2000-memory.dmp

Filesize
5.1MB

Download
memory/2936-1519-0x00007FFE27A30000-0x00007FFE27AFD000-memory.dmp

Filesize
820KB

Download
memory/2936-1518-0x00007FFE33AC0000-0x00007FFE33AF3000-memory.dmp

Filesize
204KB

Download
memory/2936-1516-0x00007FFE338A0000-0x00007FFE3395C000-memory.dmp

Filesize
752KB

Download
memory/2936-1515-0x00007FFE366F0000-0x00007FFE3671E000-memory.dmp

Filesize
184KB

Download
memory/2936-1507-0x00007FFE36DA0000-0x00007FFE36DC4000-memory.dmp

Filesize
144KB

Download
memory/2936-1506-0x00007FFE26DF0000-0x00007FFE273DE000-memory.dmp

Filesize
5.9MB

Download
memory/2936-1357-0x00007FFE36720000-0x00007FFE36756000-memory.dmp

Filesize
216KB

Download
memory/3908-1369-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp

Filesize
420KB

Download
memory/3908-2-0x00007FF776D40000-0x00007FF776DA9000-memory.dmp

Filesize
420KB

Download