e4ced8bc2a89472505b522fe4245420e821dfa02e9624d8f32e4d8d1296e1cc8

Resubmissions

04/04/2024, 16:05

240404-tjt6lacf92 7

04/04/2024, 15:56

240404-tdtmwabh31 7

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

15.7MB
MD5

7327729a164a1f1e3ed2385833923a96
SHA1

44d64eae30c7fcf10db081dcfb90b7319b91bb7e
SHA256

e4ced8bc2a89472505b522fe4245420e821dfa02e9624d8f32e4d8d1296e1cc8
SHA512

e16d487fc5767da14db252957aa63646d3baf7bf1b2caa9ac95dc267e874379fe4f54ad0179505ceb000a54a8b3a6b0a9da0e20bc83e4db3093ae9020f593e60
SSDEEP

393216:FoVRsuM+sInEroXy/m3pQ14S27J4Kn8hJV4a3t7zB07:FoHsOHErUyK314ICdt7F07

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Builder.exe	Builder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Builder.exe	Builder.exe

Loads dropped DLL 49 IoCs

pid	Process
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe
3264	Builder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 45 IoCs

Web Service

T1102

flow	ioc
46	discord.com
63	discord.com
94	discord.com
56	discord.com
59	discord.com
64	discord.com
71	discord.com
88	discord.com
89	discord.com
74	discord.com
78	discord.com
50	discord.com
53	discord.com
55	discord.com
60	discord.com
66	discord.com
72	discord.com
82	discord.com
87	discord.com
14	pastebin.com
73	discord.com
85	discord.com
90	discord.com
58	discord.com
68	discord.com
69	discord.com
86	discord.com
93	discord.com
13	pastebin.com
47	discord.com
48	discord.com
91	discord.com
92	discord.com
95	discord.com
51	discord.com
52	discord.com
77	discord.com
79	discord.com
80	discord.com
84	discord.com
54	discord.com
57	discord.com
75	discord.com
76	discord.com
83	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipinfo.io
17	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Builder.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Builder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3264	Builder.exe
3264	Builder.exe
2656	powershell.exe
2656	powershell.exe
1856	powershell.exe
1856	powershell.exe
4208	powershell.exe
4208	powershell.exe
60	powershell.exe
60	powershell.exe
3624	powershell.exe
3624	powershell.exe
988	powershell.exe
988	powershell.exe
2864	powershell.exe
2864	powershell.exe
1224	powershell.exe
1224	powershell.exe
1724	powershell.exe
1724	powershell.exe
312	powershell.exe
312	powershell.exe
1896	powershell.exe
1896	powershell.exe
4544	powershell.exe
4544	powershell.exe
4220	powershell.exe
4220	powershell.exe
2752	powershell.exe
2752	powershell.exe
2924	powershell.exe
2924	powershell.exe
3408	powershell.exe
3408	powershell.exe
4160	powershell.exe
4160	powershell.exe
2456	powershell.exe
2456	powershell.exe
3624	powershell.exe
3624	powershell.exe
1824	powershell.exe
1824	powershell.exe
232	powershell.exe
232	powershell.exe
4628	powershell.exe
4628	powershell.exe
3376	powershell.exe
3376	powershell.exe
3768	powershell.exe
3768	powershell.exe
4152	powershell.exe
4152	powershell.exe
2452	powershell.exe
2452	powershell.exe
3120	powershell.exe
3120	powershell.exe
3308	powershell.exe
3308	powershell.exe
4696	powershell.exe
4696	powershell.exe
4840	powershell.exe
4840	powershell.exe
3408	powershell.exe
3408	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	Builder.exe
Token: SeIncreaseQuotaPrivilege	5052	wmic.exe
Token: SeSecurityPrivilege	5052	wmic.exe
Token: SeTakeOwnershipPrivilege	5052	wmic.exe
Token: SeLoadDriverPrivilege	5052	wmic.exe
Token: SeSystemProfilePrivilege	5052	wmic.exe
Token: SeSystemtimePrivilege	5052	wmic.exe
Token: SeProfSingleProcessPrivilege	5052	wmic.exe
Token: SeIncBasePriorityPrivilege	5052	wmic.exe
Token: SeCreatePagefilePrivilege	5052	wmic.exe
Token: SeBackupPrivilege	5052	wmic.exe
Token: SeRestorePrivilege	5052	wmic.exe
Token: SeShutdownPrivilege	5052	wmic.exe
Token: SeDebugPrivilege	5052	wmic.exe
Token: SeSystemEnvironmentPrivilege	5052	wmic.exe
Token: SeRemoteShutdownPrivilege	5052	wmic.exe
Token: SeUndockPrivilege	5052	wmic.exe
Token: SeManageVolumePrivilege	5052	wmic.exe
Token: 33	5052	wmic.exe
Token: 34	5052	wmic.exe
Token: 35	5052	wmic.exe
Token: 36	5052	wmic.exe
Token: SeIncreaseQuotaPrivilege	5052	wmic.exe
Token: SeSecurityPrivilege	5052	wmic.exe
Token: SeTakeOwnershipPrivilege	5052	wmic.exe
Token: SeLoadDriverPrivilege	5052	wmic.exe
Token: SeSystemProfilePrivilege	5052	wmic.exe
Token: SeSystemtimePrivilege	5052	wmic.exe
Token: SeProfSingleProcessPrivilege	5052	wmic.exe
Token: SeIncBasePriorityPrivilege	5052	wmic.exe
Token: SeCreatePagefilePrivilege	5052	wmic.exe
Token: SeBackupPrivilege	5052	wmic.exe
Token: SeRestorePrivilege	5052	wmic.exe
Token: SeShutdownPrivilege	5052	wmic.exe
Token: SeDebugPrivilege	5052	wmic.exe
Token: SeSystemEnvironmentPrivilege	5052	wmic.exe
Token: SeRemoteShutdownPrivilege	5052	wmic.exe
Token: SeUndockPrivilege	5052	wmic.exe
Token: SeManageVolumePrivilege	5052	wmic.exe
Token: 33	5052	wmic.exe
Token: 34	5052	wmic.exe
Token: 35	5052	wmic.exe
Token: 36	5052	wmic.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1364	wmic.exe
Token: SeSecurityPrivilege	1364	wmic.exe
Token: SeTakeOwnershipPrivilege	1364	wmic.exe
Token: SeLoadDriverPrivilege	1364	wmic.exe
Token: SeSystemProfilePrivilege	1364	wmic.exe
Token: SeSystemtimePrivilege	1364	wmic.exe
Token: SeProfSingleProcessPrivilege	1364	wmic.exe
Token: SeIncBasePriorityPrivilege	1364	wmic.exe
Token: SeCreatePagefilePrivilege	1364	wmic.exe
Token: SeBackupPrivilege	1364	wmic.exe
Token: SeRestorePrivilege	1364	wmic.exe
Token: SeShutdownPrivilege	1364	wmic.exe
Token: SeDebugPrivilege	1364	wmic.exe
Token: SeSystemEnvironmentPrivilege	1364	wmic.exe
Token: SeRemoteShutdownPrivilege	1364	wmic.exe
Token: SeUndockPrivilege	1364	wmic.exe
Token: SeManageVolumePrivilege	1364	wmic.exe
Token: 33	1364	wmic.exe
Token: 34	1364	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3264	1808	Builder.exe	86
PID 1808 wrote to memory of 3264	1808	Builder.exe	86
PID 3264 wrote to memory of 920	3264	Builder.exe	87
PID 3264 wrote to memory of 920	3264	Builder.exe	87
PID 3264 wrote to memory of 5052	3264	Builder.exe	91
PID 3264 wrote to memory of 5052	3264	Builder.exe	91
PID 3264 wrote to memory of 2656	3264	Builder.exe	94
PID 3264 wrote to memory of 2656	3264	Builder.exe	94
PID 3264 wrote to memory of 1856	3264	Builder.exe	97
PID 3264 wrote to memory of 1856	3264	Builder.exe	97
PID 3264 wrote to memory of 3832	3264	Builder.exe	100
PID 3264 wrote to memory of 3832	3264	Builder.exe	100
PID 3264 wrote to memory of 1364	3264	Builder.exe	101
PID 3264 wrote to memory of 1364	3264	Builder.exe	101
PID 3832 wrote to memory of 2248	3832	cmd.exe	104
PID 3832 wrote to memory of 2248	3832	cmd.exe	104
PID 3264 wrote to memory of 408	3264	Builder.exe	105
PID 3264 wrote to memory of 408	3264	Builder.exe	105
PID 3264 wrote to memory of 4208	3264	Builder.exe	107
PID 3264 wrote to memory of 4208	3264	Builder.exe	107
PID 408 wrote to memory of 864	408	cmd.exe	109
PID 408 wrote to memory of 864	408	cmd.exe	109
PID 3264 wrote to memory of 60	3264	Builder.exe	110
PID 3264 wrote to memory of 60	3264	Builder.exe	110
PID 3264 wrote to memory of 2456	3264	Builder.exe	114
PID 3264 wrote to memory of 2456	3264	Builder.exe	114
PID 3264 wrote to memory of 3624	3264	Builder.exe	116
PID 3264 wrote to memory of 3624	3264	Builder.exe	116
PID 3264 wrote to memory of 988	3264	Builder.exe	118
PID 3264 wrote to memory of 988	3264	Builder.exe	118
PID 3264 wrote to memory of 3116	3264	Builder.exe	120
PID 3264 wrote to memory of 3116	3264	Builder.exe	120
PID 3264 wrote to memory of 2864	3264	Builder.exe	122
PID 3264 wrote to memory of 2864	3264	Builder.exe	122
PID 3264 wrote to memory of 1224	3264	Builder.exe	124
PID 3264 wrote to memory of 1224	3264	Builder.exe	124
PID 3264 wrote to memory of 1404	3264	Builder.exe	126
PID 3264 wrote to memory of 1404	3264	Builder.exe	126
PID 3264 wrote to memory of 1724	3264	Builder.exe	128
PID 3264 wrote to memory of 1724	3264	Builder.exe	128
PID 3264 wrote to memory of 312	3264	Builder.exe	130
PID 3264 wrote to memory of 312	3264	Builder.exe	130
PID 3264 wrote to memory of 4792	3264	Builder.exe	132
PID 3264 wrote to memory of 4792	3264	Builder.exe	132
PID 3264 wrote to memory of 1896	3264	Builder.exe	134
PID 3264 wrote to memory of 1896	3264	Builder.exe	134
PID 3264 wrote to memory of 4544	3264	Builder.exe	137
PID 3264 wrote to memory of 4544	3264	Builder.exe	137
PID 3264 wrote to memory of 3720	3264	Builder.exe	139
PID 3264 wrote to memory of 3720	3264	Builder.exe	139
PID 3264 wrote to memory of 4220	3264	Builder.exe	141
PID 3264 wrote to memory of 4220	3264	Builder.exe	141
PID 3264 wrote to memory of 2752	3264	Builder.exe	143
PID 3264 wrote to memory of 2752	3264	Builder.exe	143
PID 3264 wrote to memory of 2680	3264	Builder.exe	145
PID 3264 wrote to memory of 2680	3264	Builder.exe	145
PID 3264 wrote to memory of 2924	3264	Builder.exe	147
PID 3264 wrote to memory of 2924	3264	Builder.exe	147
PID 3264 wrote to memory of 3408	3264	Builder.exe	149
PID 3264 wrote to memory of 3408	3264	Builder.exe	149
PID 3264 wrote to memory of 4500	3264	Builder.exe	151
PID 3264 wrote to memory of 4500	3264	Builder.exe	151
PID 3264 wrote to memory of 4160	3264	Builder.exe	153
PID 3264 wrote to memory of 4160	3264	Builder.exe	153

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:920
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
      4⤵
      PID:2248
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
      4⤵
      PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:60
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:988
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1224
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:312
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4544
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2752
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1824
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1428
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3376
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4152
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3120
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3536
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5024
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4396
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4848
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4112
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3956
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4468
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:536
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2748
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3956
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2856
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
e8af5bdf9b56fc0dc73007467484aecc

SHA1
15a446ce13abcda72276c77a82fccc83c51e7a17

SHA256
784b715e8b281e7ff4e427043828bec8765acf36d152a48e37692c8296445d46

SHA512
f03406130cd6402bd04f999e5ef5429fca28f0791f2e7a38ce867631e1758ad848e06ebaa975f4731c3d4df44b500eb41479b0c4d3d28e52a5f307e0b09db833

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
7d405981c46bbc578bf46ee2fdd3079c

SHA1
e93869e798812ab850c4fde58d152f989f5ecd38

SHA256
d90115ed4dac2871c94ad732d312d767df0d0c2d63aaeed880fc85db7d53d963

SHA512
e3c7375ea8294ae7abe3cbf82c1cdd86ae89591046e36e23448628c1c6ed84c952837b1cde650e482fb68850ec93d15d6818ce629c8797820d1f9840a395057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
335f119a67efd51c2d6fd959915ffbb3

SHA1
b7d69a873ce9747528c977c87a1f1cec870fc094

SHA256
9c149aade4e4a724c3945fed423300c41bb77ceebf61c9acf29d1b97d98260a2

SHA512
285494499a16267abc0be756cb6ef9012ec8b26960f1d4c72ef950f6fee783144dfb4a6ea5b5788a444dbd7c93e084369fdf1012a2140fb90d17f8f46a3b92e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
7435accde789b701a1df37462cc4e1ed

SHA1
7b3c8207f8a699cd2cd9428cd9740490555f7eed

SHA256
37a05109296a76194baa7bb7473cdb032a83b73b4c5b2d5f67d93a35ab97b9b6

SHA512
f9c5ca857be746ddc0587fe28d05840e9d72255f1ed001a74a0f8d25f97e5516d9e6ae3f58c8022832d663810969202efbe5d9dbdc40a1d4ab82f8fcd0bba67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
49d3bc1462b7ee111103a0d15b90ff96

SHA1
231f9e03eabe4169f66c6da0a71ac39d67e62b2e

SHA256
d2634c15a52b56868f9231a5aaf22f17367746a9991a0eb22fff0f6af0b9caa0

SHA512
cb85a2b0e89999ad55fcb2bba17d077cf5bf521b36ddd1c6fc46b01abdee00d686fa7a8874fce4c71d6bce9e62192b6c555b6977dad5f3621877e2fe60b68875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_asyncio.pyd

Filesize
59KB

MD5
6c2a86342ade2fac9454b83a49d17694

SHA1
52946875ad946e4a170072f38e28e10f6037fab9

SHA256
cf0edfd508d11bffb63d1b104b6099e0f14ea0fada762f88364e7163f2185f06

SHA512
48d8eb8d20d041df37c4a6f243056607754046ed5f497260751270b42e9eea6f22fb1fb62d015e841d0263534f50bf6c812a6ade0e8bb0a0f79226bc64d05c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
6f1b90884343f717c5dc14f94ef5acea

SHA1
cca1a4dcf7a32bf698e75d58c5f130fb3572e423

SHA256
2093e7e4f5359b38f0819bdef8314fda332a1427f22e09afc416e1edd5910fe1

SHA512
e2c673b75162d3432bab497bad3f5f15a9571910d25f1dffb655755c74457ac78e5311bd5b38d29a91aec4d3ef883ae5c062b9a3255b5800145eb997863a7d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_overlapped.pyd

Filesize
44KB

MD5
5bfe7d9e1877fdde718bb84b67d8be68

SHA1
ebc7389ccca80d92d7b891815843e4c7d066cd51

SHA256
fe5666c1c8215cd2773744c815fb4a3b2f52f64cf0dde25d458441da22bf5568

SHA512
9fbf4c77784677957b8ade962cc0730ef6cfa865c14c712fd2a978903596a92e359a5234095b2a23d9e4daf7abb4029cd855b91cba696fde448668ccf4a1efea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_sqlite3.pyd

Filesize
91KB

MD5
6486e5c8512bddc5f5606d11fe8f21e0

SHA1
650861b2c4a1d6689ff0a49bb916f8ff278bb387

SHA256
728d21be4d47dd664caf9fa60c1369fe059bc0498edd383b27491d0dee23e439

SHA512
f2c9267a3cab31190079037e3cc5614f19c1235852454708c4978008ea9da345892191750980aebc809cc83dd1f5788b60f8cf39a6a41623210c96af916d1821

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\base_library.zip

Filesize
1.0MB

MD5
5412de21d348c0618dbc6c63d51712d8

SHA1
014635adaaebbba6faa5778f8b8c73842c2ca3e3

SHA256
e0842bdbe2afbd1c23d4f2a9c664ce3a5cdf9acda76b310a65d2c74f86d87edf

SHA512
e70207b12effb0c2b8d2ce3c7e36bb75b9cf696546fdd301574186051f21e22e960cc782f8c81574803ea7ac78c34f357efaf984758c7137a9b7987579d7577e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\pyexpat.pyd

Filesize
187KB

MD5
983d8e003e772e9c078faad820d14436

SHA1
1c90ad33dc4fecbdeb21f35ca748aa0094601c07

SHA256
e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e

SHA512
e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\pywin32_system32\pythoncom310.dll

Filesize
674KB

MD5
e3b435bc314f27638f5a729e3f3bb257

SHA1
fd400fc8951ea9812864455aef4b91b42ba4e145

SHA256
568982769735d04d7cc4bdd5c7b2b85ec0880230b36267ce14114639307b7bca

SHA512
c94baffbec5cadf98e97e84ba2561269ee6ad60a47cc8661f7c544a5179f9e260fbec1c41548379587b3807670b0face9e640e1d6bca621e78ef93e0bb43efcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\pywin32_system32\pywintypes310.dll

Filesize
134KB

MD5
a44f3026baf0b288d7538c7277ddaf41

SHA1
c23fbdd6a1b0dc69753a00108dce99d7ec7f5ee3

SHA256
2984df073a029acf46bcaed4aa868c509c5129555ed70cac0fe2235abdba6e6d

SHA512
9699a2629f9f8c74a7d078ae10c9ffe5f30b29c4a2c92d3fcd2096dc2edceb71c59fd84e9448bb0c2fb970e2f4ade8b3c233ebf673c47d83ae40d12a2317ca98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\sqlite3.dll

Filesize
1.4MB

MD5
7bb1d577405f1129faf3ea0225c9d083

SHA1
60472de4b1c7a12468d79994d6d0d684c91091ef

SHA256
831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2

SHA512
33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\win32api.pyd

Filesize
136KB

MD5
931c91f4f25841115e284b08954c2ad9

SHA1
973ea53c89fee686930396eb58d9ff5464b4c892

SHA256
7ab0d714e44093649551623b93cc2aea4b30915adcb114bc1b75c548c3135b59

SHA512
4a048a7a0949d853ac7568eb4ad4bba8d7165ec4191ce8bc67b0954080364278908001dbce0f4d39a84a1c2295f12d22a7311893f6b2e985c3ad96bd421aa3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18082\win32gui.pyd

Filesize
237KB

MD5
a80585794613ee13180e111487748cc6

SHA1
d330bec7de11ac770769ea15d1e4b4689e6ea958

SHA256
a96364e69c959e7ff0c88f7e10ee91e2d9fe6fa8ddedad5020349b3c4a9b173c

SHA512
a6e6bc1b8e5b1a05cd59d7fe1486b0ffd0c016c4e9801ae417acb00200a94d75bd37447a2e7284dc85d78351fea6f9c30134e2d19981c792796fb30d7bc3bb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqkfe2x0.loc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6LKPrmKKyFbYpnYQbxz

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc_allcookies.txt

Filesize
48B

MD5
16ec538da91401ace8655ab6fcdd4265

SHA1
f4540b4019cb5241180a331011cbdd629f072858

SHA256
e6944d433ec03ca60dc7dfba7e29480644042ff3451d15e70a8abc8e7dd31da0

SHA512
cc5b06ccf021a23eeeef5f902603efcca3ed4946e8d1a993e3369b4de97140b0f87562e4c464c24803e47792ce2cdfdbd2c45f85ef74c256f4b8b84a63beb0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0J7QmsJdcoNt1rM7T

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqzfIRud5FkZoPiPifC

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Tempblackcapeduxwogpdd.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/60-208-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/60-216-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/60-214-0x000002001AA30000-0x000002001AA40000-memory.dmp

Filesize
64KB

Download
memory/60-213-0x000002001AA30000-0x000002001AA40000-memory.dmp

Filesize
64KB

Download
memory/312-300-0x0000023F00B30000-0x0000023F00B40000-memory.dmp

Filesize
64KB

Download
memory/312-288-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/312-302-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/312-289-0x0000023F00B30000-0x0000023F00B40000-memory.dmp

Filesize
64KB

Download
memory/312-290-0x0000023F00B30000-0x0000023F00B40000-memory.dmp

Filesize
64KB

Download
memory/988-245-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/988-242-0x000001E79B9E0000-0x000001E79B9F0000-memory.dmp

Filesize
64KB

Download
memory/988-243-0x000001E79B9E0000-0x000001E79B9F0000-memory.dmp

Filesize
64KB

Download
memory/988-232-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1224-271-0x000001F41E5E0000-0x000001F41E5F0000-memory.dmp

Filesize
64KB

Download
memory/1224-273-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1224-260-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1224-261-0x000001F41E5E0000-0x000001F41E5F0000-memory.dmp

Filesize
64KB

Download
memory/1724-287-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1724-276-0x0000025758B60000-0x0000025758B70000-memory.dmp

Filesize
64KB

Download
memory/1724-275-0x0000025758B60000-0x0000025758B70000-memory.dmp

Filesize
64KB

Download
memory/1724-274-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1856-172-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1856-185-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1856-178-0x0000029E7B6F0000-0x0000029E7B700000-memory.dmp

Filesize
64KB

Download
memory/1856-183-0x0000029E7B6F0000-0x0000029E7B700000-memory.dmp

Filesize
64KB

Download
memory/1896-315-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1896-303-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/1896-304-0x00000238E1D80000-0x00000238E1D90000-memory.dmp

Filesize
64KB

Download
memory/2656-171-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2656-167-0x000001B1C91B0000-0x000001B1C91C0000-memory.dmp

Filesize
64KB

Download
memory/2656-168-0x000001B1C91B0000-0x000001B1C91C0000-memory.dmp

Filesize
64KB

Download
memory/2656-166-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2656-161-0x000001B1B0BE0000-0x000001B1B0C02000-memory.dmp

Filesize
136KB

Download
memory/2752-344-0x0000021AE6520000-0x0000021AE6530000-memory.dmp

Filesize
64KB

Download
memory/2752-356-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2752-345-0x0000021AE6520000-0x0000021AE6530000-memory.dmp

Filesize
64KB

Download
memory/2752-343-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2864-259-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2864-254-0x000001FFDF090000-0x000001FFDF0A0000-memory.dmp

Filesize
64KB

Download
memory/2864-253-0x000001FFDF090000-0x000001FFDF0A0000-memory.dmp

Filesize
64KB

Download
memory/2864-251-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2924-367-0x0000023EDB1A0000-0x0000023EDB1B0000-memory.dmp

Filesize
64KB

Download
memory/2924-370-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2924-362-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/2924-368-0x0000023EDB1A0000-0x0000023EDB1B0000-memory.dmp

Filesize
64KB

Download
memory/3408-379-0x00000200C2F40000-0x00000200C2F50000-memory.dmp

Filesize
64KB

Download
memory/3408-378-0x00000200C2F40000-0x00000200C2F50000-memory.dmp

Filesize
64KB

Download
memory/3408-373-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/3624-231-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/3624-229-0x0000020BBB8C0000-0x0000020BBB8D0000-memory.dmp

Filesize
64KB

Download
memory/3624-219-0x0000020BBB8C0000-0x0000020BBB8D0000-memory.dmp

Filesize
64KB

Download
memory/3624-218-0x0000020BBB8C0000-0x0000020BBB8D0000-memory.dmp

Filesize
64KB

Download
memory/3624-217-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/4208-202-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/4208-200-0x0000027FBF610000-0x0000027FBF620000-memory.dmp

Filesize
64KB

Download
memory/4208-198-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/4208-199-0x0000027FBF610000-0x0000027FBF620000-memory.dmp

Filesize
64KB

Download
memory/4220-342-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/4220-331-0x000002363D5E0000-0x000002363D5F0000-memory.dmp

Filesize
64KB

Download
memory/4220-330-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/4544-329-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download
memory/4544-327-0x0000022551EE0000-0x0000022551EF0000-memory.dmp

Filesize
64KB

Download
memory/4544-326-0x0000022551EE0000-0x0000022551EF0000-memory.dmp

Filesize
64KB

Download
memory/4544-325-0x00007FFEED1C0000-0x00007FFEEDC81000-memory.dmp

Filesize
10.8MB

Download