hxxp://mined[.]to

Resubmissions

08/04/2024, 18:07

240408-wqfynaff57 10

08/04/2024, 18:05

240408-wn5t1afe95 7

08/04/2024, 17:58

240408-wkllysfd84 7

Analysis

max time kernel
64s
max time network
59s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/04/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mined.to

Score

10^/10

evasion upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4392	MpCmdRun.exe

Executes dropped EXE 2 IoCs

pid	Process
4164	Resource.exe
2844	Resource.exe

Loads dropped DLL 17 IoCs

pid	Process
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe
2844	Resource.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001aca9-400.dat	upx
behavioral1/memory/2844-404-0x00007FFA66E00000-0x00007FFA673E9000-memory.dmp	upx
behavioral1/files/0x000800000001ac6c-406.dat	upx
behavioral1/files/0x000700000001aca7-408.dat	upx
behavioral1/files/0x000700000001aca3-426.dat	upx
behavioral1/files/0x000700000001aca2-425.dat	upx
behavioral1/memory/2844-427-0x00007FFA769B0000-0x00007FFA769BF000-memory.dmp	upx
behavioral1/files/0x000900000001aca0-424.dat	upx
behavioral1/files/0x000900000001ac95-423.dat	upx
behavioral1/files/0x000800000001ac94-422.dat	upx
behavioral1/files/0x000800000001ac91-421.dat	upx
behavioral1/files/0x000a00000001ac83-420.dat	upx
behavioral1/files/0x000800000001ac26-419.dat	upx
behavioral1/files/0x000700000001acae-418.dat	upx
behavioral1/files/0x000700000001acad-417.dat	upx
behavioral1/files/0x000700000001acac-416.dat	upx
behavioral1/files/0x000700000001aca8-413.dat	upx
behavioral1/files/0x000700000001aca6-412.dat	upx
behavioral1/memory/2844-410-0x00007FFA76480000-0x00007FFA764A3000-memory.dmp	upx
behavioral1/memory/2844-433-0x00007FFA76450000-0x00007FFA7647D000-memory.dmp	upx
behavioral1/memory/2844-435-0x00007FFA75E30000-0x00007FFA75E49000-memory.dmp	upx
behavioral1/memory/2844-438-0x00007FFA67C70000-0x00007FFA67DE7000-memory.dmp	upx
behavioral1/memory/2844-439-0x00007FFA74D10000-0x00007FFA74D33000-memory.dmp	upx
behavioral1/memory/2844-442-0x00007FFA75E10000-0x00007FFA75E29000-memory.dmp	upx
behavioral1/memory/2844-447-0x00007FFA768A0000-0x00007FFA768AD000-memory.dmp	upx
behavioral1/memory/2844-448-0x00007FFA67BA0000-0x00007FFA67C6D000-memory.dmp	upx
behavioral1/memory/2844-449-0x00007FFA668D0000-0x00007FFA66DF2000-memory.dmp	upx
behavioral1/memory/2844-451-0x00007FFA690E0000-0x00007FFA69113000-memory.dmp	upx
behavioral1/memory/2844-453-0x00007FFA74CB0000-0x00007FFA74CC4000-memory.dmp	upx
behavioral1/memory/2844-455-0x00007FFA766A0000-0x00007FFA766AD000-memory.dmp	upx
behavioral1/memory/2844-458-0x00007FFA76480000-0x00007FFA764A3000-memory.dmp	upx
behavioral1/memory/2844-457-0x00007FFA66E00000-0x00007FFA673E9000-memory.dmp	upx
behavioral1/memory/2844-459-0x00007FFA67A20000-0x00007FFA67B3C000-memory.dmp	upx
behavioral1/memory/2844-489-0x00007FFA66E00000-0x00007FFA673E9000-memory.dmp	upx
behavioral1/memory/2844-490-0x00007FFA76480000-0x00007FFA764A3000-memory.dmp	upx
behavioral1/memory/2844-500-0x00007FFA769B0000-0x00007FFA769BF000-memory.dmp	upx
behavioral1/memory/2844-502-0x00007FFA76450000-0x00007FFA7647D000-memory.dmp	upx
behavioral1/memory/2844-504-0x00007FFA75E30000-0x00007FFA75E49000-memory.dmp	upx
behavioral1/memory/2844-506-0x00007FFA74D10000-0x00007FFA74D33000-memory.dmp	upx
behavioral1/memory/2844-507-0x00007FFA67C70000-0x00007FFA67DE7000-memory.dmp	upx
behavioral1/memory/2844-510-0x00007FFA75E10000-0x00007FFA75E29000-memory.dmp	upx
behavioral1/memory/2844-513-0x00007FFA768A0000-0x00007FFA768AD000-memory.dmp	upx
behavioral1/memory/2844-517-0x00007FFA67BA0000-0x00007FFA67C6D000-memory.dmp	upx
behavioral1/memory/2844-515-0x00007FFA690E0000-0x00007FFA69113000-memory.dmp	upx
behavioral1/memory/2844-520-0x00007FFA766A0000-0x00007FFA766AD000-memory.dmp	upx
behavioral1/memory/2844-519-0x00007FFA74CB0000-0x00007FFA74CC4000-memory.dmp	upx
behavioral1/memory/2844-521-0x00007FFA67A20000-0x00007FFA67B3C000-memory.dmp	upx
behavioral1/memory/2844-518-0x00007FFA668D0000-0x00007FFA66DF2000-memory.dmp	upx

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1980	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570732547034307"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4360	chrome.exe
4360	chrome.exe
2340	powershell.exe
2340	powershell.exe
4380	powershell.exe
4380	powershell.exe
2340	powershell.exe
4380	powershell.exe
2340	powershell.exe
4380	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1664	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeShutdownPrivilege	4360	chrome.exe
Token: SeCreatePagefilePrivilege	4360	chrome.exe
Token: SeRestorePrivilege	1664	7zFM.exe
Token: 35	1664	7zFM.exe
Token: SeSecurityPrivilege	1664	7zFM.exe
Token: SeSecurityPrivilege	1664	7zFM.exe
Token: SeDebugPrivilege	1980	tasklist.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeIncreaseQuotaPrivilege	4460	WMIC.exe
Token: SeSecurityPrivilege	4460	WMIC.exe
Token: SeTakeOwnershipPrivilege	4460	WMIC.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
1664	7zFM.exe
1664	7zFM.exe
1664	7zFM.exe
1664	7zFM.exe
1664	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 1884	4360	chrome.exe	75
PID 4360 wrote to memory of 1884	4360	chrome.exe	75
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3604	4360	chrome.exe	77
PID 4360 wrote to memory of 3916	4360	chrome.exe	78
PID 4360 wrote to memory of 3916	4360	chrome.exe	78
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79
PID 4360 wrote to memory of 1276	4360	chrome.exe	79

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mined.to
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa76829758,0x7ffa76829768,0x7ffa76829778
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:2
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2700 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2708 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4460 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5092 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5504 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5560 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5780 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5776 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6040 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 --field-trial-handle=2164,i,4290796341387699776,4614161052687274388,131072 /prefetch:8
  2⤵
  PID:4660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3320

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Resource.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1664

C:\Users\Admin\Desktop\Resource.exe
"C:\Users\Admin\Desktop\Resource.exe"
1⤵
- Executes dropped EXE
PID:4164
- C:\Users\Admin\Desktop\Resource.exe
  "C:\Users\Admin\Desktop\Resource.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Resource.exe'"
    3⤵
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Resource.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4380
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()""
    3⤵
    PID:760
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"
      4⤵
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2828
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
76c2366b902302c021a8cc371cc85ee4

SHA1
1e64f410763ce595a071b1b88b8e39117f817e7b

SHA256
81c13c559428d8898d526f85a5593f1ab113fcb2417122782d6b1d230b6a9017

SHA512
71c87682f69f493cdd94328308c1bf3a2602d592181a516451ccd78a2899d547549d3975a4ce1a82480cfda260885c65af301a5058b077b840294690bb9c0b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
5df92a5e9b77eefbd75e837a8c4f2203

SHA1
ad240590114cf77875a3d5ba5150ad7c434c2965

SHA256
1825c07263261e4c7afeeb065c8acd46baba94fa195e6e0060e518aaabbc6be6

SHA512
b5c46cd3084ff461db15cf7cc981003ff7f74cd8ed2c953d8ccd801d96e5acf7a6e732bb84a6d863814d99685befb52921fc1ec738550efda3c57e454c05a363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6aa9609c1b4809c79ed8b88614700846

SHA1
5cb9e607fa5c4b13d375e2d44dbc344bba42eae8

SHA256
eedec12985d8dccd347bcd81c97647c7ad4905fa90b276a18399986a09d5b6bf

SHA512
330af22b6e4e4a988bbfa6020be868002216271de18e9af9a1042267726405c7167dabdac41f1b99e40174f6f8629264c699c8849909d60c80a4f4cc88fc1a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
487cef77f0236c447331cf62a1470bc1

SHA1
c16a98756d1b29b47ee79283ffce5a98c392102c

SHA256
b01da3c391f5d4005412d7800d8097f6fa08d0942622ba1fcc085c67f95cee41

SHA512
60410888698c35ee9c94533f5e38543a231be8d1ccaca35eff25c2858df4bd32b1820633ddadb2aa54d25c03df3548ec326f2a0fb7bc6eea1a38a41c8db16d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0cabd2909a3293c1350925e758d1b0ec

SHA1
89057dc84698c3028f8a83b78579be15118cbc65

SHA256
9d277769981101dd070d6e10475822b1547c53c5a183f5901a3019f3e6448758

SHA512
a9e191760d2ce7d76f2e336463f573ea8d516e5abe040065b0361e9ec89e2dc7236d507b73fe2b1dd2a844d90781b717a36c1ae1665bb21d4284f080b698b917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c8f6278e9a0519ff466da5fd3a74c929

SHA1
966f11ac36d15cac4d84b939a5f347f0f203bb41

SHA256
8239408a3097d9ad93200a3060c5062fb6d3b3ba9bdc62423e8ef12ebd1196d1

SHA512
c2c9328a61079a7111312be72d53da48718c95af1b3336099644f587c1c3af89287074991ca78de695ece37e622eccd2526f5fbacbfc049edbf469ad37efd041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a170708ebe19e55579c7b2e9f2faa31e9998043b\e2eb2f2d-2e0b-4e7a-bc0a-27b8b5fafa53\index-dir\the-real-index

Filesize
72B

MD5
128f0f5c450f93404b411cb83577ef2b

SHA1
c13d02580c8c3d8f40e3efcdb3b7f154f935214d

SHA256
74288c1056fff9df8bbe704d7821e17c7c9ce30b0961ba0ab9618bb5a7a73a0b

SHA512
53eaa9ab4c073b53d057696f662d8bc37f6d40df8f172a6ad1d1886d087b2294f7c3eab4a1ac69ca61bd2683b58a02d41399014dac606ff0b5db671c8c688976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a170708ebe19e55579c7b2e9f2faa31e9998043b\e2eb2f2d-2e0b-4e7a-bc0a-27b8b5fafa53\index-dir\the-real-index~RFe57b8f0.TMP

Filesize
48B

MD5
eb3e46174539168787d2df7ccb5db01a

SHA1
6058f4905c001bc871e63d0726bd87163e09528d

SHA256
349fbe09972fb8adcb476a0fafc0734b8cea1b48d1b81b0cd21b6cbe73807638

SHA512
44bed57cb6cb8cd0b78b658d9ed0de28ad72e594e9e98ec8df5ddde593aee2cd9717019411af0bedb1c6b8ef7a7504fffd00b225205f0344fb314102365e4149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a170708ebe19e55579c7b2e9f2faa31e9998043b\index.txt

Filesize
101B

MD5
bf2f3394ee01acc5a5e1b7c3b9098bad

SHA1
f22d054b3bc83c756d93caf7fbda2245b4c3f722

SHA256
ea9f5fb3244b614f31fd212af58758de5fbfe2e9e0108b45b11c0ee1bf900ebe

SHA512
bbf2c3fd8ad276e88014be4698b6fcffe4ec6c5bf6d169a50a4b885d0b6ea92c0db853d64d8e57449eeae589003e7c355ca0fde77f36c74550a95a8aa1b366f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a170708ebe19e55579c7b2e9f2faa31e9998043b\index.txt~RFe57b91e.TMP

Filesize
107B

MD5
2d7f2ef360b8f85aca221c18015b3882

SHA1
c3a361b2d6afc602408141e5b86a76a1f5521189

SHA256
3a67a573ae43463cbea958bb5ed7e2f7f9d56762e6c8c4719529684aee8e2ee4

SHA512
84145d78f4aeae4b62322bfdd91bc4ac84189261d91fa6aede160eded3101d1996b1969fc642a25b952d144865c35941a6d4650ff1af9e45c62f67899d743c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
59989dfff9ea48f14d4ed786ecf49383

SHA1
81447435b65162d6e5b5acc74caaa2f1110f0f6c

SHA256
04e5587c1b75ba962d5e2c772b428173e85e25a4e9563b73daee2f8953e0d8d9

SHA512
0a5ce15d4664291f96009c498871f7c6cbf50f52172bc0237b9df3f414ae4579064ac15bf60937baaafdc1cb1b123c4614ddb4b716bffea3b99c63335476ac87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b805.TMP

Filesize
48B

MD5
2b545bf792ca7392633c4081e9d93769

SHA1
9b102e9a66f76d7e247d462469f14c1daa3591ed

SHA256
fc47ea06983cc1e942f62794375077cd1a1faee8c08793e1a64fcf0876a2c4c1

SHA512
c70f1c507bef9c37d4ab4762b03074b8d424243b0e7a5d29ac19acc46b603db4d551442e6e18fdeb13bfd7c68f24de33f4a7cbb6350a3348027170c40b838502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
3cb78e2867bdf88a8732b73a84aaaca7

SHA1
d89e27af990333f75d5365356894e17f72348ea0

SHA256
c2f7041033993eb91df740410ab3e144542d80b13fec4de3c03dd1afdc5b85c2

SHA512
719ce9e971c9e551764077ccb7d12766b8827c5efbc6d5c9cb97485c7b7a29bc4c1db780e8b43bfdc91bdb27e6fd5d37a0cad52e311469c570f2f64995237177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e6cd22ad5e0a5a001585c5a163460249

SHA1
71affda37d195062829ed1b0b921e30af8dbd8de

SHA256
e2fa752b5dd0701f3a99dd90beac5463bb3d9057098c78bbc5fb4fa75f0c32a6

SHA512
0070d827ee824823822741da57582146d86df0d6e363aae7b9c4c76f3bee44ab2ec9b364b5c4531c56914f64167a8bae91d5a511b93753b76e2d7f2e959f6e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
cd5b15b46b9fe0d89c2b8d351c303d2a

SHA1
e1d30a8f98585e20c709732c013e926c7078a3c2

SHA256
0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

SHA512
d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ffb72b561a34eeaa1941baa80eaece2e

SHA1
a61080eae99d03416f7aa76a7d938234f4862c41

SHA256
21c75c50eebc9532176937cdfe4525b661dcf458d1613b30f96c1a16df48162e

SHA512
5e2aae4d9df503efbcd38fc040a5663aa3a3d05887e92c4955d5d1d61d9a0abe44d6c43f41a984cc2512acae15b69a6364b1cd750c523b862c04e98fd10603fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\base_library.zip

Filesize
1.4MB

MD5
d220b7e359810266fe6885a169448fa0

SHA1
556728b326318b992b0def059eca239eb14ba198

SHA256
ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d

SHA512
8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\blank.aes

Filesize
114KB

MD5
f2f35d02211defd527b7628193f06664

SHA1
af45762bdbb9bb3a6b1f7f5702cd95f05cb9c4b1

SHA256
bd227341619d34a4693bcca15e8025cf555584c127bd488a58f5b838c60c2646

SHA512
36a41385634c9841f7e5a615397fce417d9043f0b0680fb3e999d40a0c673a5cae3a4c84406ccba1d23a3b2728b6ae931c130156d76fc4fa2976b5a181b828ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\blank.aes

Filesize
114KB

MD5
f2cc0c763ba120c2c1420682cdaa7a99

SHA1
2b077f7c760ad047247aad1e18b2f8e3c420bb67

SHA256
e188238654636dc8727a82a72a09e1299f3fb4a3e0e2fe527abcd6f5aa6cd163

SHA512
dbf5cfc35fb8ffc9f7deee90c764b77b1628ab376fe2ade05f688799bd3507a62379add66d20a5e38c75b9959564115b22351907ee2b8e2a4ae8b3c0abf68a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\sqlite3.dll

Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\unicodedata.pyd

Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4i4y5zp4.d2n.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\Resource.exe

Filesize
7.4MB

MD5
cd56d1639c638ef44a1cbcf6756ef2ba

SHA1
784970f33b026fe770d8c0f8938d17b26c428327

SHA256
79041d419f813d07403d5ea0e190c09f63c0e9339bcf225b4588388de34aaa88

SHA512
c00a3be6d4cbc672b4fe3b4afb5072832a870c99d795656380e23d33e9b7b45f2d0851ba86e1d35fe502af2d001cf13e13ff6d431349dc166cfbdcc54bb19b39

Download Submit
C:\Users\Admin\Downloads\Resource.zip.crdownload

Filesize
7.4MB

MD5
d24b898f2506af3a6cd444a110faaadd

SHA1
95fcb063fe3612dd11ca044f8f1c7c71d06cb5b4

SHA256
a08e9a0631aaa7aeabcae9a963476e3d7447e75214696e19b51c1ab88b85766e

SHA512
8e9beacd2757148d063761554acc0631e4323890498bcbe273279403be6a8f31b8c3ca93d56d7e698344f485e5e1961a7d77721e433a64cb2e24b4a9aef2280a

Download Submit
memory/2340-593-0x000002827EB40000-0x000002827EB50000-memory.dmp

Filesize
64KB

Download
memory/2340-600-0x00007FFA65C20000-0x00007FFA6660C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-523-0x000002827EB40000-0x000002827EB50000-memory.dmp

Filesize
64KB

Download
memory/2340-474-0x00007FFA65C20000-0x00007FFA6660C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-479-0x000002827EB40000-0x000002827EB50000-memory.dmp

Filesize
64KB

Download
memory/2340-475-0x000002827EA90000-0x000002827EB06000-memory.dmp

Filesize
472KB

Download
memory/2340-476-0x000002827EB40000-0x000002827EB50000-memory.dmp

Filesize
64KB

Download
memory/2844-435-0x00007FFA75E30000-0x00007FFA75E49000-memory.dmp

Filesize
100KB

Download
memory/2844-519-0x00007FFA74CB0000-0x00007FFA74CC4000-memory.dmp

Filesize
80KB

Download
memory/2844-453-0x00007FFA74CB0000-0x00007FFA74CC4000-memory.dmp

Filesize
80KB

Download
memory/2844-455-0x00007FFA766A0000-0x00007FFA766AD000-memory.dmp

Filesize
52KB

Download
memory/2844-458-0x00007FFA76480000-0x00007FFA764A3000-memory.dmp

Filesize
140KB

Download
memory/2844-457-0x00007FFA66E00000-0x00007FFA673E9000-memory.dmp

Filesize
5.9MB

Download
memory/2844-459-0x00007FFA67A20000-0x00007FFA67B3C000-memory.dmp

Filesize
1.1MB

Download
memory/2844-404-0x00007FFA66E00000-0x00007FFA673E9000-memory.dmp

Filesize
5.9MB

Download
memory/2844-450-0x00000217DAD40000-0x00000217DB262000-memory.dmp

Filesize
5.1MB

Download
memory/2844-427-0x00007FFA769B0000-0x00007FFA769BF000-memory.dmp

Filesize
60KB

Download
memory/2844-410-0x00007FFA76480000-0x00007FFA764A3000-memory.dmp

Filesize
140KB

Download
memory/2844-449-0x00007FFA668D0000-0x00007FFA66DF2000-memory.dmp

Filesize
5.1MB

Download
memory/2844-448-0x00007FFA67BA0000-0x00007FFA67C6D000-memory.dmp

Filesize
820KB

Download
memory/2844-447-0x00007FFA768A0000-0x00007FFA768AD000-memory.dmp

Filesize
52KB

Download
memory/2844-442-0x00007FFA75E10000-0x00007FFA75E29000-memory.dmp

Filesize
100KB

Download
memory/2844-433-0x00007FFA76450000-0x00007FFA7647D000-memory.dmp

Filesize
180KB

Download
memory/2844-489-0x00007FFA66E00000-0x00007FFA673E9000-memory.dmp

Filesize
5.9MB

Download
memory/2844-490-0x00007FFA76480000-0x00007FFA764A3000-memory.dmp

Filesize
140KB

Download
memory/2844-500-0x00007FFA769B0000-0x00007FFA769BF000-memory.dmp

Filesize
60KB

Download
memory/2844-502-0x00007FFA76450000-0x00007FFA7647D000-memory.dmp

Filesize
180KB

Download
memory/2844-504-0x00007FFA75E30000-0x00007FFA75E49000-memory.dmp

Filesize
100KB

Download
memory/2844-506-0x00007FFA74D10000-0x00007FFA74D33000-memory.dmp

Filesize
140KB

Download
memory/2844-507-0x00007FFA67C70000-0x00007FFA67DE7000-memory.dmp

Filesize
1.5MB

Download
memory/2844-510-0x00007FFA75E10000-0x00007FFA75E29000-memory.dmp

Filesize
100KB

Download
memory/2844-513-0x00007FFA768A0000-0x00007FFA768AD000-memory.dmp

Filesize
52KB

Download
memory/2844-517-0x00007FFA67BA0000-0x00007FFA67C6D000-memory.dmp

Filesize
820KB

Download
memory/2844-515-0x00007FFA690E0000-0x00007FFA69113000-memory.dmp

Filesize
204KB

Download
memory/2844-520-0x00007FFA766A0000-0x00007FFA766AD000-memory.dmp

Filesize
52KB

Download
memory/2844-451-0x00007FFA690E0000-0x00007FFA69113000-memory.dmp

Filesize
204KB

Download
memory/2844-439-0x00007FFA74D10000-0x00007FFA74D33000-memory.dmp

Filesize
140KB

Download
memory/2844-521-0x00007FFA67A20000-0x00007FFA67B3C000-memory.dmp

Filesize
1.1MB

Download
memory/2844-518-0x00007FFA668D0000-0x00007FFA66DF2000-memory.dmp

Filesize
5.1MB

Download
memory/2844-438-0x00007FFA67C70000-0x00007FFA67DE7000-memory.dmp

Filesize
1.5MB

Download
memory/4380-529-0x000001FE08F00000-0x000001FE08F10000-memory.dmp

Filesize
64KB

Download
memory/4380-589-0x000001FE08F00000-0x000001FE08F10000-memory.dmp

Filesize
64KB

Download
memory/4380-488-0x000001FE08F00000-0x000001FE08F10000-memory.dmp

Filesize
64KB

Download
memory/4380-478-0x000001FE08F00000-0x000001FE08F10000-memory.dmp

Filesize
64KB

Download
memory/4380-471-0x00007FFA65C20000-0x00007FFA6660C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-468-0x000001FE08F30000-0x000001FE08F52000-memory.dmp

Filesize
136KB

Download
memory/4380-594-0x00007FFA65C20000-0x00007FFA6660C000-memory.dmp

Filesize
9.9MB

Download